What are the legal pathways and restrictions for ICE to access Medicaid and HHS data for enforcement?

1. The formal legal pathways: interagency agreements, statutes, and notices

The principal administrative route is a documented Information Exchange Agreement between the Centers for Medicare & Medicaid Services (CMS) and the Department of Homeland Security (DHS) that gives ICE operational access to CMS-held Medicaid data for the stated purpose of “identification and location of aliens” ^{[2] [1]}. The Federal Register notice and ICE policy memoranda cite statutory authority for data exchanges—principally DHS/ICE authorities and cross‑agency compliance obligations under statutes Congress has enacted—and the Biden/Trump administration executive push for interagency data sharing ^[1].

2. What data ICE is seeking and the announced scope

Public reporting and leaked/published agreement text indicate CMS data made available includes basic enrollment fields—name, address, Medicaid ID, SSN, date of birth, phone, and recorded citizenship or immigration status—and that the program contemplates access to tens of millions (roughly 79–80 million) of Medicaid enrollees’ records for screening and locating individuals ^{[6] [2] [7]}. KFF and other analysts warn the agreement could enable ICE employees to query records for all Medicaid enrollees, not only undocumented immigrants, because the interface’s stated function is to locate “aliens in the United States” ^[8].

3. Judicial checks and state lawsuits: partial blocks and carveouts

Litigation by states produced a preliminary injunction in 2025 blocking HHS from sharing Medicaid data with ICE for plaintiff states, and judges have gone back and forth: a later ruling allowed sharing of basic biographical, contact and location data about unlawfully present aliens while maintaining injunctions against using or sharing sensitive medical records for enforcement ^{[4] [5] [3]}. The Northern District of California judge concluded DHS has broad statutory authority to request interagency data but limited the data ICE may obtain from plaintiff states to avoid disclosure of health records and lawful-resident/citizen information ^{[3] [5]}.

4. Operationalization and data tools: Palantir and ELITE

Reporting by the Electronic Frontier Foundation and 404 Media alleges ICE is integrating CMS/HHS-sourced location and biographical fields into a Palantir-built tool (ELITE) that plots potential targets, builds dossiers and assigns “confidence scores” to addresses—demonstrating how administrative access can be operationalized into surveillance products for enforcement ^[9]. Wired and others flagged parallel moves to pull tax and other federal datasets into DHS/ICE pipelines, pointing to a broader data-consolidation strategy ^[2].

5. Legal and privacy arguments on both sides

Administratively, ICE and DHS assert longstanding statutory authority to request non‑medical program data from other agencies and emphasize severability—i.e., that CMS can provide limited categories if courts disallow others ^[1]. Opponents—state AGs, civil‑liberties groups and public‑health advocates—contend the policies upend longstanding norms that insulated health program data from immigration enforcement, risk chilling care, and may violate HIPAA and other privacy laws; courts have so far been split on those statutory and privacy claims ^{[4] [3] [8]}.

6. Limits, uncertainties, and what reporting does not prove

The current legal architecture permits ICE access to basic identification and location fields for unlawfully present aliens in many jurisdictions, but sharing of detailed health records and data about citizens or lawfully present immigrants remains legally contested and in some cases enjoined; precise technical controls, auditing practices, extent of day‑to‑day access, and whether queries reach all states’ records depend on state participation and evolving court orders—areas where public reporting documents intent but not comprehensive operational practice ^{[1] [4] [6]}.