What Privacy and Protection Standards are in Place for Medicaid Enrollees’ Personal Data? 

According to the Associated Press, the Trump administration recently shared the personal and health data of millions of noncitizen Medicaid enrollees living in California, Illinois, Washington, and D.C. with immigration enforcement officials, despite concerns reportedly raised by some officials from the Centers for Medicare and Medicaid Services (CMS) about violations of data privacy protections. This policy watch discusses the data privacy protections in Medicaid and the implications of breaches or violations of those protections.

State Medicaid agencies collect and maintain personal and health information for applicants and beneficiaries to determine eligibility for coverage and provide care. This information includes personal identifying data, such as names, birth dates, and contact information; social security numbers; citizenship and immigration status; income; and health information. State Medicaid agencies cannot require applicants to provide information about the citizenship or immigration status of any family or household members not applying for coverage. Medicaid is jointly administered by the federal government and states, and states are required to share certain information with the federal government to administer the program.

Federal and state laws and regulations provide protections designed to safeguard applicant and enrollee data that limit the use and sharing of personal information for administering the program. For example, the Social Security Act and accompanying regulations require that the “the use or disclosure of information concerning applicants and beneficiaries” must be restricted to “purposes directly connected” with administering state health coverage programs and that states safeguard the information so that it is “protected against unauthorized disclosure for other purposes.” At a minimum, safeguarded information must include names and addresses, medical services provided, social and economic circumstances, agency evaluation of personal information, medical data, information for verifying eligibility and medical assistance payments, social security numbers, and any information received in connection with identification of legally liable third party resources. Consistent with these laws and regulations, prior guidance issued in 2013 clarified that Immigration and Customs Enforcement does not use these data to pursue civil immigration enforcement. Medicaid data are also subject to Health Insurance Portability and Accountability Act (HIPAA) standards that protect sensitive health information from disclosure without a patient’s consent. Some states also have their own data privacy laws that apply to Medicaid data.

Federal regulations also require states to publicize the confidential nature of information applicants and beneficiaries submit to them. Reflecting this requirement, many states have information on their websites specifying that data shared with the Medicaid agency will be protected. For example, the California Department of Health Care Services notes that, “When someone applies for state-funded benefits, their information is only used to determine if they qualify. State laws protect the privacy of their information.” Similarly, the Illinois Healthcare and Family Services indicates that, “Information you put on a Medicaid application will NOT be shared with U.S. Immigration and Customs Enforcement for any purpose.”

Breaches or sharing of Medicaid enrollees’ information for purposes other than the provision of health coverage and care pose risks for individuals and may jeopardize confidence in the security of data held by agencies. For example, data breaches may lead to identify theft and subsequent financial losses for individuals. Sharing of data with other entities for purposes other than administering the program without authorization may violate the privacy of individuals’ information and pose other risks. Specifically, the sharing of data with immigration enforcement officials may make individuals easier to identify for enforcement activity. Data breaches and/or privacy violations may also make individuals more reluctant to submit information to Medicaid agencies, particularly those who have immigration-related fears, which could contribute to individuals or their children going without coverage even if they are eligible.