What the shift to more data sharing across agencies means for fraud enforcement, compliance, and privacy.
Topics discussed:
- Understanding the "Information Silos" EO
- Benefits for fraud detection and law enforcement
- Challenges for data privacy and security
- Navigating conflicts between federal directives and state laws
- Practical guidance for businesses handling sensitive data
Content related to this discussion:
Transcript
The following transcript of this discussion was edited for clarity.
Allan Medina: Hello, everyone. My name is Allan Medina. I am a partner in Goodwin's Washington, DC, office, with a practice focus on government investigations.
I'm here with Liza Craig, who is also a partner in the DC office. We are talking about a topic we believe is going to be critical moving forward, specifically involving enforcement: a March 20, 2025, executive order (EO) titled "Stopping Waste, Fraud, and Abuse by Eliminating Information Silos."
This EO is important for a variety of reasons, starting with its history. Although the government and enforcement agencies can view greater access to data and information across agencies as a positive, there are some pitfalls and risks that are important for us to identify.
The March 20 executive order essentially provides full data access between federal agencies, state agencies, and, in many ways, third parties that maintain certain information. It's eliminating the barriers to sharing information among agencies. It's a big deal.
As I said, this can be seen as a positive for government. My old office, the Fraud Section of the Department of Justice, is a great example. The Health Care Fraud Unit has strived since 2006 to use data analytics and other data capabilities at its disposal to identify outlier fraud schemes and prevent waste, fraud, and abuse.
Over the years, it became very clear that different components and agencies had different information. The Federal Bureau of Investigation (FBI), Department of Health and Human Services Office of Inspector General (HHS-OIG), Internal Revenue Service (IRS), and the Centers for Medicare & Medicaid Services each had their own piece of the puzzle, if you will.
And the problem was, how are these agencies going to share the information? Ultimately, it was possible, but it required time and effort for the agencies to enter into agreements to do so.
Law enforcement now arguably doesn't have those barriers and can just ask for data and get it in real time. I can see this being a boon for healthcare enforcement. Like I said before, it relies on data to identify targets and potential schemes that law enforcement may have heard about but couldn't identify to start a focused investigation. This EO eliminates that problem.
But there are risks, especially when an order like this includes certain language that gives certain components access to data they traditionally have not had access to.
It is the job of federal agencies like the FBI, HHS-OIG, and IRS as well as state agencies to maintain private data. In the healthcare space, this means personally identifiable information, Social Security numbers, and dates of birth. Healthcare agencies are used to holding that data. Well, what about the Department of Government Efficiency (DOGE)? What about "others to be identified by the president"?
While the government might think, "Well, we're going to have new access to data, and we won't have the silos in place," there could be challenges as to how the data was maintained and who should or should not access it.
On March 20 — the same date this order came out — at least one court in the District of Maryland temporarily enjoined the access to or sharing of this information.
There are some hurdles here, but I turn it over to Liza. From your experience with your practice, you've seen the way sensitive data and information has been used and handled in enforcement. Can you share some of your views on whether this is a real issue or not? And are there other parties or players that may be impacted?
Liza Craig: Allan, I appreciate that. I'm a government contracts attorney who has spent a number of years in the federal government. My playground, so to speak, was the Department of Defense.
There's no question: Information sharing and the dissemination of information for enforcement purposes — whether it's law enforcement or efforts to root out fraud, waste, and abuse, whatever it is — are critical and challenging because the agencies are huge and there are a lot of different rules and regulations in place that dictate who can share what with whom and under what authority and so forth. There's no question that this executive order has been drafted in the spirit of streamlining communications and removing these silos. But you're right — there are some challenges here, and the litigation that you mentioned is just one of several lawsuits.
Everyone listening is probably aware of the fact that President Trump has issued more than 100 executive orders to date, and several of them have to do with information sharing. Many of them, including this one, have been challenged. We've got folks challenging whether DOGE and other delegates should have access to information.
But going back to your question, I think the concern that industry and companies are going to have involves third-party sharing. When the request for information comes in and the information is required to be shared with a third party, are those requests and directions going to conflict with state law and/or contractual obligations that require individuals and entities to protect sensitive information they've been entrusted with? I think that's where the rubber is going to hit the road here. And I think we're going to see more evolutions as we look to remove barriers to information sharing.
Allan Medina: Liza, you hear a lot about becoming leaner and more efficient. And I think the public hears things like that and would agree — everybody wants to be efficient. There's a cost to time. The problem is when you get outside the healthcare space, like my old office, in which people have become accustomed to using data appropriately over the course of more than a decade. In healthcare, they know what orders they need to obtain from a court to use the data appropriately. They know how to preserve and protect it. You now open it up, to your point, to a variety of issues: contractual obligations, state law, and federal law. I believe the District of Maryland found that this general idea of becoming lean, mean, and efficient wasn't legally appropriate. It didn't meet the standard because of the nature of this data.
Liza Craig: Even with the opinions that are coming out initially, we should expect the appeals process to refine protocols and procedures in this area. What may be the go-forward answer today is still evolving. Companies and individuals need to be aware of the rules of the road in terms of who has your data, what they can legally do with your data, and what recourse you will now have should you find that your data has been compromised as these information sharing protocols are changing and evolving.
Allan Medina: There's one thing people should be aware of if they're not already: Whenever a prosecutor in a criminal investigation wants to use tax information, they can't simply pick up the phone, call the IRS, and use it. There are statutes in place that spell out the information sharing process. And I just alluded to a District of Maryland court saying that just requesting this data to root out waste, fraud, and abuse didn't meet the mark.
Take a step back when you think about cases where a fraud is alleged and you want to identify companies that are in ownership of those companies. One of the best places to do so is tax returns.
This order seems to be focused on how to get the data to whoever wants it. But how you use it is another concern. And there's still statute 6103(i) in place, which requires a showing of why the information is needed. And I don't know if the administration has thought about how the data will be used once someone gets it and what challenges (again, safeguarding, etc.) could come up down the road. Because whatever inefficiencies this EO overcomes, it might cause more delay in the future because they may not look under every rock.
Liza Craig: That's right. Again, I think this is just the current state of evolution in this area. Things are changing rapidly. So, you're absolutely right. They may not have thought about it. They're going to have to think about it. And surely there'll be more to follow.
Allan Medina: Well, on that point, Liza, I know there are some takeaways that folks should be considering as of the date of this recording.
Liza Craig: For our listeners, we've talked sort of with the scholarly view of some of this stuff, but practically, if you're a business or a contractor at the state or federal level and you possess some of this data that now needs to be shared, what does all this mean for you? What do you need to do?
Well, we have some tips. First, you really need to assess your contracts to determine what your current data requirements are. Assess the sensitive information that you're receiving, processing, storing, creating, or sharing with others in performance of those contracts. You must understand your current requirements.
And now is really the time to make sure that your employees, those handling the data, and even your third-party service providers that may have a hand in that understand the contractual obligations. It's important to really understand them because they may be changing. You need to be on the lookout for any amendments to your contracts, which may change your obligations associated with this information, whether you're disclosing it, disseminating it, or sharing it. We've already seen many of the executive orders that President Trump has released result in changes to federal contracts. So, we expect more of the same. It will be important to watch for contractual obligations as they evolve.
If you're confused about what your obligations are, request clarification from the government or your prime contractor. That's going to be particularly important if there are legal conflicts that are created between applicable privacy laws and data sharing laws in each state, for example. Every state has a different set of laws with different nuances. So that's going to be a very real challenge for companies operating in a particular state if the changes based on this executive order drive modifications that put you in conflict with state law.
You really need to assess your obligations regarding data sharing and dissemination to understand the laws that apply to your organization. For example, do you understand the type of data you're collecting, the quantity of data, and — Allan, to your point — how that data is being used? What's the purpose of that data, and why are you holding it? And are your answers to these questions going to change based on the way things are evolving in this space? As I said, state laws differ with respect to the scope of application. And it may make it really challenging for businesses that are holding this data for the federal or state government when they are doing business across multiple states.
Finally, before I turn it over to you for the last word, Allan, as I like to say, the best advice we can probably give our listeners is CYA. It stands for "consult your attorney." Make sure that, as the legal landscape evolves, you are touching base with folks — whether it's in-house counsel or outside counsel or individuals that can help you understand the legal nuances — to ensure that the decisions you're making are well-documented. You can minimize risk that way. It's going to be really important.
Allan Medina: If you haven't considered data before, consider it now. Whether in-house or CYA, as Liza said. But on that point, Liza, thank you.
Liza Craig: Thank you.
Allan Medina: It's been a pleasure. Thanks, everybody, for listening. And if you have any questions, please ask them. We hope you have a great rest of your day.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
