Making a Speed Bump out of a Roadblock: CMS, ICE, and Several States Battle Over Medicaid Data Privacy

In mid-June, the Department of Health and Human Services (HHS) ordered the Center for Medicare and Medicaid Services (CMS) to share the personal information of millions of Medicaid enrollees with the Department of Homeland Security to aid in the Trump administration’s immigration enforcement actions. Initially, this data sharing arrangement was limited to those jurisdictions that permit non-citizens to enroll in Medicaid for health coverage – including Connecticut, California, Washington, Illinois, and the District of Columbia. A few weeks later, CMS expanded its data sharing agreement, this time directly with Immigration and Customs Enforcement (ICE) under the DHS umbrella, to include the personal information of all 79 million Medicaid enrollees nationwide. Information shared for these enrollees includes names, addresses, birth dates, ethnic and racial information, and Social Security numbers.

Amid serious privacy concerns, a coalition of 20 state governments sued to block this data sharing arrangement in the Northern District of California. Earlier this week, the District Court granted the states a preliminary injunction. While the states prevailed in their suit, their victory is likely to be short-lived. The states argued against the data sharing plan on the following grounds: (1) the data sharing plan was “arbitrary and capricious” under the Administrative Procedure Act; (2) the data sharing plan constituted a “legislative rule” and required a notice and comment period prior to its implementation; and (3) the data sharing plan violated the Spending Clause of the Constitution. The states only succeeded in securing a preliminary injunction on the first ground. The court’s ruling explicitly rejected the second argument, and, although it did not reach the third one in its analysis, the court went out of its way to express its skepticism about it.

In its ruling, the court noted the long-standing CMS policy against data sharing for immigration enforcement purposes, and the extent to which states, providers, and enrollees alike have all relied on that policy heretofore. It further noted the upheaval inherent in the “bolt-from-the-blue reversal” on CMS’s public policy of using enrollees’ personal information solely for the purpose of running its health care programs. Nevertheless, in a practical sense, the court’s ruling likely only grants temporary relief to the states, until such time as CMS and ICE “carry out a reasoned decision making process” – requiring little more than demonstrating  consideration of the tradeoffs between privacy concerns, health care, and immigration enforcement as well as the impact such an about-face would have on those states, providers, and enrollees who relied on the previous policy for so long. Critically, the agencies “need not demonstrate…the new policy is better than the old one.”

Ultimately, however, the court itself acknowledged, “there does not appear to be anything categorically unlawful about DHS obtaining data from agencies like HHS for immigration purposes [and that] several federal statutes appear to permit, and sometimes even require, agencies to provide such information to DHS upon request.” CMS and ICE will certainly engage in the required reasoned decision making process and may limit the categories of data and data subjects being shared in order to clear the main obstacle identified by the court. Therefore, this week’s ruling likely represents more of a minor speed bump than a roadblock – slowing this change rather than stopping it.

Please contact the Health Law group at Shipman & Goodwin for assistance understanding how this ruling and the proposed data sharing plans will affect your clinical practices and operations, and, most importantly, how best to address the concerns of patients who have relied on the long-standing policies of CMS and HHS being reversed by the current administration.