On the newly installed Trump Administration's first day, the U.S. Department of Homeland Security (DHS) rescinded the Biden Administration's guidelines for immigration enforcement actions in or near protected areas, such as schools, hospitals and churches. The Jan. 20, 2025, rescission of the 2021 policy memo means that healthcare facilities are no longer considered protected areas from U.S. Immigration and Customs Enforcement (ICE) enforcement actions, including arrests. This change will likely lead to increased enforcement activities in these settings, potentially affecting both patients and healthcare providers.
In the healthcare industry, administrators face distinct challenges when navigating their organization's obligations and rights during a ICE action, specifically while balancing critical healthcare regulatory issues related to privacy and patient rights. This Holland & Knight alert explores the implications of the DHS rescission for healthcare systems and provides guidance on how to prepare for potential interactions with ICE while ensuring compliance with healthcare regulations.
Immigration Enforcement Considerations
Potential interactions with ICE are often unexpected and stressful. To effectively manage these situations, it is crucial to prepare in advance, develop a comprehensive response plan and ensure that all personnel who may interact with agents on-site – such as receptionists, healthcare providers and hospital administrators – are informed about their roles and whom to contact. Key considerations include:
- Public vs. Private Areas: Although ICE agents may enter public areas of a healthcare facility, they cannot access private areas such as examination rooms, offices and medical records areas without a valid warrant or consent from an authorized representative. Facility employees should understand which areas ICE agents may enter without a warrant to avoid inadvertently consenting to a search. It is helpful to have a clear written policy designating which areas are closed to the public. Similarly, facilities should consider whether it is possible to view computer screens, patient documents or other sensitive information from public areas.
- Warrants and Legal Compliance: Legal representatives should be advised of ICE actions immediately to verify the validity of any warrant presented and understand the legal obligations before complying. Identify who should be contacted in the event of an ICE action and make sure staff members understand that these individuals should be consulted before providing information or granting access to agents. Healthcare facilities are not required to provide information unless the request is pursuant to a valid warrant. Please see a discussion of HIPAA considerations related to compliance below.
- General ICE Enforcement Considerations: It is important to document any interactions with ICE agents, make copies of all documents from ICE, obtain receipts for any documents taken by ICE, and gather the name and contact information of the agent(s). ICE enforcement actions are not limited to arrests or seeking to obtain patient records. They also include compliance actions related to healthcare staff such as I-9 compliance audits and immigration fraud inspections.
Healthcare Regulatory Compliance
In addition to immigration enforcement considerations, healthcare systems must continue to comply with healthcare laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) Part 2 privacy protecting substance use disorder information and state laws regarding patient privacy and protected health information (PHI). They also must balance these privacy restrictions against the obligations not to block access to or exchange of electronic health information as required by the 21st Century Cures Act's information blocking rule. Given the fact that most patient records are maintained electronically, this additional regulatory disclosure requirement should be considered.
- Privacy and PHI: Ensure that all staff are trained on HIPAA regulations and the importance of maintaining patient confidentiality, especially in the context of potential ICE interactions. HIPAA permits disclosures to law enforcement in certain circumstances and is limited to necessary information "required by law." Staff should tie in legal resources to ensure that the request is "required by law." As defined by HIPAA, this is a mandate in a law that is enforceable in court and includes court orders, court-ordered warrants, subpoenas or summons issued by a court, grand jury, inspector general or an administrative body authorized to require production of the information, a civil or authorized investigative demand, and Medicare audits. Disclosure of limited information to identify or locate a suspect, fugitive, material witness or missing person is permitted, but not DNA, dental records, or typing, samples or analysis of body fluids or tissue. Disclosures are also permitted when related to judicial or administrative proceedings but under specific conditions. ICE may also request patient directory information. HIPAA permits disclosure of directory information, but patients have the right to opt out of inclusion of their information in the directory.
- State Laws: Be aware of any state-specific laws that may provide additional protections for patient information and rights. For example, many states have established protections specifically for certain types of reproductive health information, HIV and mental health information.
- Information Blocking: Information blocking requirements apply to electronic health information regardless of the format or manner of disclosure (i.e., oral or paper as opposed to electronic). Although HIPAA gives a covered entity the flexibility to decide not to respond to a request when disclosure is permitted without patient authorization, the information blocking rule requires immediate disclosure of electronic health information unless the disclosure is prohibited by law or an information blocking exception, such as the privacy or preventing harm exceptions, are met. For example, a consent to disclose Part 2 protected records or the reproductive health information attestation is a precondition. To the extent that a disclosure to ICE is denied or delayed based on a required restriction or precondition, providers should document such delay or denial for compliance with the information blocking exceptions.
- Substance Use Treatment: Facilities may also be subject to the additional privacy protections for substance use disorder treatment records found at 42 CFR Part 2. The Part 2 regulations are intended to encourage individuals to seek treatment by preventing disclosure of treatment records from resulting in employment discrimination or potential adverse consequences in civil or criminal proceedings. Records protected by the Part 2 regulations can be disclosed only in a criminal proceeding or investigation pursuant to a court order after notice and an opportunity for hearing.
Conclusion and Considerations
The rescission of the DHS protected areas policy presents new challenges for healthcare systems. By proactively preparing for potential interactions with ICE and ensuring compliance with healthcare regulations, healthcare providers can safeguard patient privacy and rights while minimizing legal risks. It is essential for healthcare systems to review their policies and training programs to adapt to this new enforcement environment.