The LINE Act prohibits the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services (HHS) from disclosing individually identifiable health information they obtain in connection with a person’s enrollment under a Medicaid state plan or waiver to any person for the purpose of enforcing immigration laws. The bill expressly invokes the definition of “individually identifiable health information” in 42 U.S.C. 1320d(6) and overrides the Privacy Act statutory framework (5 U.S.C. 552a) for these disclosures.
This is a narrow, agency-specific restraint: it applies only to data HHS/CMS hold that relate to Medicaid enrollment under Title XIX and bars disclosures tied to immigration enforcement. The measure leaves open many operational questions—how HHS will block downstream use, how it intersects with state Medicaid agencies and law enforcement subpoenas, and what enforcement remedies (if any) the statute creates—so practitioners should expect implementation guidance and litigation over boundaries.
At a Glance
What It Does
The bill forbids HHS and CMS from disclosing individually identifiable health information obtained in relation to enrollment under Title XIX (Medicaid) to any person when the disclosure is for enforcing immigration laws. It does so by overriding the Privacy Act’s disclosure permissions for that category of data.
Who It Affects
Federal agencies that maintain Medicaid enrollment records (HHS and CMS) are directly constrained; downstream federal partners that have sought eligibility or enrollment data (including ICE and other immigration-enforcement bodies) are the primary intended targets. Indirectly affected are state Medicaid agencies, contractors, data vendors, and health providers that rely on CMS-derived datasets or interfaces.
Why It Matters
The bill creates a statutory firewall between federal Medicaid enrollment records and immigration enforcement, changing how federal data custodians can respond to ICE requests. That shift could alter interagency data sharing, compliance practices for HHS contractors, and the advice compliance officers give to states about data flows.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The LINE Act draws a statutory line around a specific set of federal health records: individually identifiable health information that HHS and CMS obtain tied to a person’s enrollment in Medicaid under Title XIX, including enrollments processed under waivers. The statute uses the same definition of “individually identifiable health information” found in federal health-law definitions, so it covers the kinds of identifiers and health details HIPAA protects, but it is limited to information HHS/CMS obtained in relation to enrollment—not every Medicaid claim or clinical record by default.
Mechanically, the bill says “notwithstanding” the Privacy Act: even where federal disclosure rules might otherwise permit sharing, HHS and CMS must not disclose this enrollment-linked, identifiable health information to any person for purposes of enforcing immigration laws. The text names U.S. Immigration and Customs Enforcement as an example, but its language is broad (“any person”), which on its face bars disclosures to private parties, other agencies, or foreign entities when the purpose is immigration enforcement.Because the prohibition targets the federal custodians—HHS and CMS—it does not, by its terms, restrict state Medicaid agencies or non‑federal entities from making similar disclosures.
That creates a practical gap: states administer Medicaid and hold substantial enrollment databases, so HHS/CMS will need procedures to avoid enabling immigration-focused disclosures in federated systems or when providing data extracts to states, researchers, or vendors.The bill does not establish a new enforcement mechanism, civil remedy, or penalty for violations; instead it operates as a statutory restriction on agency behavior. Implementation will therefore rely on agency compliance, internal controls, and possibly litigation if the agencies or third parties challenge or seek clarification of the prohibition.
Compliance officers and policy teams should expect requests for implementing guidance addressing subpoenas, court orders, national-security exceptions, data-sharing contracts, and how to treat derivative datasets or linked identifiers.
The Five Things You Need to Know
The bill applies only to individually identifiable health information obtained by HHS or CMS in relation to enrollment under Title XIX (Medicaid) and waivers—other HHS-held health data (e.g.
Title XXI CHIP or Medicare enrollment) are not covered.
It overrides the Privacy Act (5 U.S.C. 552a) for these disclosures, meaning statutory Privacy Act exceptions can’t be used by HHS/CMS to disclose covered enrollment data for immigration enforcement.
The statutory definition invoked is 42 U.S.C. 1320d(6), the federal formulation of “individually identifiable health information” used in health privacy law frameworks.
The prohibition bars disclosure “to any person” for the purpose of enforcing immigration laws, explicitly naming ICE as an example, which suggests a broad recipient/purpose test rather than a targeted list of barred recipients.
The bill contains no express enforcement provision, civil damages clause, or criminal penalty; it simply forbids HHS/CMS from making the specified disclosures, leaving compliance and legal enforcement pathways unclear.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title: ‘LINE Act’
This single-sentence section supplies the Act’s short title — the Limiting ICE’s Nationwide Encroachment Act (LINE Act). It has no operative effect on rights or obligations, but it signals legislative intent and frames the bill’s purpose for regulators and courts interpreting later provisions.
Privacy Act override
The operative prohibition begins with a 'notwithstanding section 552a of title 5' clause, which is a targeted statutory override. That language prevents HHS or CMS from relying on Privacy Act provisions that otherwise might permit or require disclosures of agency records. Practically, this narrows defenses agencies often invoke to justify interagency information sharing and forces HHS/CMS to treat covered enrollment data as specifically off-limits for immigration enforcement requests.
What information is protected and the statutory definition
The bill protects 'individually identifiable health information' as defined at 42 U.S.C. 1320d(6). By referencing that definition, the statute incorporates the established criteria for what makes health information 'identifiable' (names, numbers, geographic data, dates, and other identifiers). Importantly, the protection attaches only to information 'obtained in relation to such individual’s enrollment' under Title XIX or waiver — a narrower trigger than every health record HHS holds.
Who cannot receive the data and for what purpose
The statute bars HHS and CMS from disclosing the covered information 'to any person' when the purpose is 'enforcing the immigration laws' (with ICE cited as an example). That phrasing creates a recipient-agnostic, purpose-specific ban: disclosure would be unlawful regardless of whether the recipient is a federal agency, state official, contractor, or private party, so long as the underlying purpose is immigration enforcement.
This bill is one of many.
Codify tracks hundreds of bills on Immigration across all five countries.
Explore Immigration in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Medicaid enrollees, particularly immigrants and mixed-status households — by reducing the risk that enrollment information held by HHS/CMS will be used to locate or remove noncitizen family members, the bill strengthens privacy protections tied to federal enrollment records.
- Community health centers and safety-net providers — limiting federal data flows to immigration enforcement can reduce patient fear of enrollment-related data being used against them, potentially improving program participation and continuity of care.
- Immigrant advocacy organizations and legal services — the measure removes a federal pathway for immigration enforcement access to enrollment-linked health identifiers, supporting outreach and litigation strategies that rely on confidentiality guarantees.
Who Bears the Cost
- HHS and CMS — they will need to design and operate new access-control, auditing, and contracting safeguards to ensure enrollment-related identifiers are not disclosed for immigration enforcement purposes, increasing compliance and administrative costs.
- State Medicaid agencies and integrated data system operators — because the federal restriction applies only to HHS/CMS, states may face political or operational pressure to adopt parallel rules or face conflicting requests from local law enforcement and federal immigration authorities.
- Data contractors and vendors who process CMS datasets — existing data-sharing agreements, data-use agreements, and analytics pipelines may need renegotiation or redesign to segregate enrollment-linked, identifiable fields and prevent downstream uses that could be construed as immigration enforcement.
Key Issues
The Core Tension
The central dilemma is between protecting sensitive health- and enrollment-linked data of potentially vulnerable Medicaid enrollees from immigration enforcement uses, and preserving governmental capacity to share information for law enforcement, fraud detection, and public-safety purposes. Narrow statutory protection reduces the risk that enrollment data will be repurposed for immigration enforcement, but it also complicates legitimate interagency collaboration and leaves unresolved who bears the operational burden of segregating and policing data flows.
The bill is deliberately narrow in source and scope: it targets HHS/CMS disclosures of enrollment-related, identifiable health information under Title XIX. That narrowness reduces some exposure—for example, it does not on its face restrict state-held Medicaid data, CHIP, Medicare, or other HHS program records—yet it also creates practical gaps.
Federal agency systems frequently integrate enrollment, eligibility, claims, and provider files; separating out only 'information obtained in relation to enrollment' could be technically and legally complex and may require new definitions, data-tagging, and provenance tracking.
The text does not create an enforcement mechanism, civil right of action, or damages remedy for individuals whose data are disclosed in violation of the prohibition. Enforcement therefore depends on HHS/CMS internal compliance, oversight by Congress or inspector general channels, or private litigation asserting statutory violations.
Additionally, the statute’s interaction with other statutory obligations—court orders, subpoenas, national security exceptions, and information-sharing provisions in other federal statutes—will produce contested legal questions about precedence, conflicting duties, and permissible exceptions. Implementation guidance and likely litigation will be needed to settle those boundaries.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.