President Trump Directs Federal Agencies to Eliminate Information Silos

For state Medicaid programs and their subcontractors and providers, it remains unclear whether CMS policy changes are ahead or if there will simply be a shift in the frequency or granularity of CMS data requests.

tl;dr

  • In a March 20 executive order (EO) titled Stopping Waste, Fraud, and Abuse by Eliminating Information Silos, President Trump directed federal agencies to remove “unnecessary barriers to federal employees accessing government data” with the goals of “eliminating bureaucratic duplication” and “detecting overpayments and fraud.”

  • Among other provisions, the EO instructs agency heads to take all necessary steps to ensure the federal government has “unfettered access to comprehensive data from all state programs that receive federal funding,” including data maintained in third-party databases.

  • Although this EO does not create any new authority for the Centers for Medicare and Medicaid Services (CMS) to request data, it may signal future increased CMS data collection efforts from state Medicaid programs and their contractors, as well as increased inter-agency data sharing at the federal level in support of program oversight and more general law enforcement, potentially including immigration enforcement efforts.

The 80 Million Impact

Data sharing is the latest action item states should add to (or move up) their growing list of issues to watch in 2025. President Trump’s executive order, issued on March 20, aims to create “unfettered access to comprehensive data from all state programs that receive federal funding.”

Under federal law, however, CMS already has the ability to request data and perform audits to ensure compliance with federal requirements. That authority covers state Medicaid agencies and state contractors (such as managed care plans, pharmacy benefit managers or prior authorization vendors) as well as providers participating in Medicare and Medicaid. Similar data access and audit rights are also typical for HHS grant programs. It’s not clear whether this latest EO signals a change in agency policy or simply a shift in the frequency or granularity of the data CMS requests from states and other stakeholders receiving federal funding.

These standards generally don’t require funding recipients to disclose information concerning their activities outside the scope of the program.

The EO focuses on the ability of federal agencies to collect and share data. It doesn’t address the federal confidentiality protections that govern states, providers or other recipients of federal funding. These non-federal stakeholders remain subject to confidentiality requirements under the Health Insurance Portability and Accountability Act and program-specific standards, such as the federal laws limiting the use and disclosure of Medicaid and Marketplace data to purposes connected with program administration.

States, subcontractors and providers should also keep in mind that federal reporting obligations do not attach to programs funded solely with state dollars, such as state-funded health programs for populations that do not qualify for Medicaid.

At the federal level, there’s a likelihood of increased interagency data sharing, potentially following publicly announced policy changes published in the Federal Register. The Privacy Act of 1974, which was enacted in the wake of the Watergate scandal, established default privacy protections for personal information that’s maintained in government systems. Subject to certain exceptions, federal agencies aren’t permitted to use or disclose personal data without the individual’s consent, except as expressly authorized by federal law or in accordance with agency-defined “routine uses” for which the records were originally developed.

In the early months of the second Trump administration, numerous lawsuits have challenged the Department of Government Efficiency’s (DOGE) access to federal data systems, including those maintained by the Treasury, Department of Education and Social Security Administration. Multiple federal judges have blocked DOGE’s access after concluding that the administration’s actions likely violated the Privacy Act.[1] While certain types of law enforcement activities are exempt from certain Privacy Act requirements, program-specific standards may limit the use of data for law enforcement purposes, particularly with respect to law enforcement activities unrelated to oversight of that particular program.

Similarly, there is a likelihood of increased intra-agency data sharing — and potentially without public notice. Compared to inter-agency data sharing, the Privacy Act is much more permissive with respect to data sharing within a federal agency. That includes data sharing among agency components — such as sharing among CMS, the Food and Drug Administration and Centers for Disease Control and Prevention, all of which are housed within HHS — in support of legitimate agency activities. Current restrictions on intra-agency data sharing likely arise either under federal statutes (in which case, the administration may lack the authority to remove them) or as a matter of current agency policy (in which case, the administration may be able to revise the policy).

Meanwhile, HHS has announced a significant agency reorganization that will consolidate or relocate several agencies with important grant programs or oversight responsibilities. These changes, too, may advance the administration’s goal of compiling and distributing information across agency lines.

The Bottom Line

The “eliminating data silos” EO does not create any new authority for HHS to request new types of information from states or other recipients of federal funding. However, it signals a possible increase in the volume or specificity of data that CMS and other agencies may request, and an increased likelihood that data may be shared across federal agencies to support law enforcement activities beyond program-specific oversight, potentially including immigration enforcement.

Certain executive actions flowing from this EO may be announced publicly, such as CMS guidance defining updated reporting requirements or Federal Register notices that update the agency’s Privacy Act policies. Other changes, however, may not become visible to the public until agencies present their evidence in new enforcement actions or policymaking activities.

[1] A federal judge issued a preliminary injunction holding that the Department of Education, Office of Personnel Management and Department of the Treasury likely violated the Privacy Act when they gave DOGE access to agency system records. American Federation of Teachers v. Bessent (District Court for MD). A federal judge issued a temporary restraining order and held that the DOGE Team’s access to SSA records likely does not fall within the need-to-know exception to the Privacy Act. American Federation of State, County and Municipal Employees, AFL-CIO v. SSA (District Court for MD).
