OPM Proposal Seeks Expanded Access to Identifiable Health Data of Federal Workers

The administration of Donald Trump is advancing a proposal that could allow the Office of Personnel Management (OPM) to obtain detailed medical information for millions of federal employees, retirees, and their families. The plan, outlined in a notice issued in December, would require insurers participating in federal health benefit programs to submit regular reports containing healthcare-related data.

Under the proposal, 65 insurance companies covering more than 8 million individuals, including federal workers, retired members of Congress, mail carriers, and their immediate family members, would be required to provide monthly data submissions. The requested information includes medical claims, pharmacy claims, provider details, and records of healthcare services received. The notice does not specify that identifying information should be removed, and it states that insurers are permitted to share protected health information with OPM.

Experts in health law and policy have noted that the scope of the request suggests the inclusion of personally identifiable data. This could involve patient names, birth dates, diagnoses, treatments, visit durations, and provider information. In addition to claims data, the notice also references “encounter data,” which may include more detailed clinical records such as physician notes or summaries following medical visits.

Sharona Hoffman, a professor at Case Western Reserve University, said that access to this type of data could allow the agency to study healthcare costs and evaluate how medical services are delivered within federal health plans. However, she indicated that the level of detail being requested could extend across nearly all aspects of patient care. “But,” she said, “they are going to get very, very detailed and granular data about everything that happens. The concern here is that the more information they have, the more they could use it to discipline or target people who are not cooperating politically.”

At a minimum, reviewers of the proposal said the data collection would allow OPM to access identifiable medical and pharmaceutical claims. These records typically contain information about diagnoses, prescribed medications, treatments provided, and the healthcare professionals involved. The inclusion of encounter data could further expand the scope to encompass detailed clinical documentation.

Jonathan Foley, who previously advised OPM on the Federal Employees Health Benefits program, said the agency could feasibly begin collecting identifiable claims data from insurers. He also noted that broader access to de-identified claims data has previously enabled analysis of prescription drug costs and supported efforts to identify lower-cost treatment options within federal plans. However, he expressed concern that the current proposal appears to go beyond de-identified data.

The legal framework governing such data sharing is established by the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protecting identifiable health information. Under HIPAA, healthcare organizations and insurers may disclose such data without patient consent only in specific situations, and they are required to limit disclosures to the minimum necessary information. OPM has stated in its notice that the requested data would be used for oversight activities, including evaluating plan quality and affordability.

Jodi Daniel, who contributed to the development of HIPAA privacy rules, said the language in the proposal is broad and could encompass a large volume of health-related information while providing limited detail on the justification.

Concerns have also been raised by insurers and industry groups. In a public comment submitted in March, Melissa Schulman of CVS Health stated that the proposal raises compliance issues under HIPAA. She argued that while OPM may review certain records, collecting identifiable health data for general purposes could conflict with legal requirements and create risks related to data privacy and security.

The Association of Federal Health Organizations also opposed the proposal, stating that federal law requires insurers to provide reasonable reports rather than comprehensive individual claims data. The group noted that earlier discussions with OPM had focused on sharing de-identified information, but no final agreement was reached.

Past data security concerns have also been referenced in relation to the proposal. In 2015, OPM disclosed a data breach affecting approximately 22 million individuals, raising questions about the handling of sensitive information.

OPM has not issued further updates since the public comment period concluded in March. Any changes to data collection practices would require a finalized rule before taking effect.

OPM Seeks Expanded Health Data Collection

The OPM proposal would require insurers participating in federal health programs to submit detailed monthly reports containing medical and pharmacy claims data. Notably, the OPM request may include personally identifiable information such as diagnoses, prescriptions, and treatment histories.

This move could affect more than 8 million individuals, including federal employees, retirees, and their families covered under government health plans.

Privacy Concerns Surrounding OPM Plan

Critics argue that the OPM proposal raises serious privacy and legal concerns. Experts warn that the lack of clear requirements for de-identifying data could allow OPM to access highly sensitive personal health information.

Healthcare and legal analysts have questioned whether the OPM approach aligns with existing privacy laws, particularly regarding the handling of protected health information.