By Amanda Seitz, Maia Rosenfeld
April 8, 2026 / 5:00 AM EDT / CBS News
The Trump administration is seeking broad access to medical records for millions of federal workers, retirees and their families through a brief notice from the Office of Personnel Management (OPM). The proposal would require 65 insurers that cover more than 8 million Americans — including federal employees, retired members of Congress, postal workers and their immediate family members — to submit monthly reports to OPM with health data that could include medical and pharmacy claims, encounter data and provider information.
The notice, posted in December and sent to insurers, does not instruct carriers to redact identifying information. It says insurers are permitted to disclose “protected health information” to OPM and frames the collection as necessary to “ensure they provide competitive, quality, and affordable plans.” OPM spokespeople did not respond to requests for comment.
Health policy and legal experts, insurers and advocacy groups have expressed alarm, saying the request appears to seek identifiable data and raises serious privacy and legal questions under HIPAA. Several experts told KFF Health News they interpreted the notice as asking for personally identifiable claims data that would include names, birth dates, diagnoses, treatments, visit details and provider information. “They are going to get very, very detailed and granular data about everything that happens,” said Sharona Hoffman, a health law ethicist at Case Western Reserve University, warning of potential misuse, including political targeting.
Democracy Forward senior counsel Michael Martinez, who previously worked at OPM and filed a public comment opposing the plan, said the proposal is vague about how OPM would handle and protect the data. He noted the risk that information about sensitive care — for example, abortions or transgender treatments — could be used against employees, especially amid ongoing policy fights and state-level restrictions. “You can anticipate a scenario where this information on 8 million Americans is now in the hands of OPM and there’s a real concern of how they use it,” he said.
Jonathan Foley, who advised OPM on the Federal Employees Health Benefits program under previous administrations, said OPM could benefit from de-identified claims data to analyze costs and encourage lower-cost options, but he is concerned the current proposal appears to request identifiable information without strict safeguards. He also questioned whether the agency has the capacity to securely ingest highly detailed medical records.
Under HIPAA, covered entities like insurers can disclose protected health information without patient consent only in specific, justified circumstances and must limit disclosures to the minimum necessary information. Several reviewers of the notice said OPM’s stated justification — oversight activities — appears broad and lacks sufficient detail to meet HIPAA’s standards. Jodi Daniel, a digital health strategist who helped develop the HIPAA privacy rules, described the notice language as “quite broad and encompasses potentially a lot of information” while offering little justification.
Major insurers that offer federal employee plans, including the Blue Cross Blue Shield Association, Kaiser Permanente and UnitedHealthcare, declined to comment publicly on compliance plans. CVS Health was the only insurer to file a public comment; Melissa Schulman, a CVS executive, urged OPM to reconsider, saying the request raises “substantial HIPAA compliance issues” and arguing that federal law allows oversight but not the wholesale collection of personal health data for “vague and broad general purposes.” She also warned carriers could be liable for security breaches if they provide personal health information.
Industry groups objected as well. The Association of Federal Health Organizations (AFHO), representing CVS and dozens of federal health plan carriers, filed a 122-page comment opposing the notice. AFHO Chair Kari Parsons emphasized that carriers are bound by HIPAA to safeguard personal health information and said federal law requires insurers to furnish only “reasonable reports” that OPM determines necessary — not individual claims for every enrollee.
OPM has previously explored detailed data collection. AFHO noted past negotiations dating to a 2010 request and a 2019 discussion about sharing de-identified data that never produced a final agreement. AFHO also warned that OPM has collected enough detailed information in recent years that, combined with the new request, it might be possible to re-identify records that were intended to be de-identified.
The proposal has reignited concerns about OPM’s data security. In 2015, the personal records of roughly 22 million people were stolen from the agency in a breach blamed on China, an incident that highlighted OPM’s vulnerability to large-scale data theft.
OPM closed the public comment period in March and has not announced next steps. The agency would need to publish a final decision before any changes take effect.
KFF Health News is a national newsroom producing in-depth journalism about health issues and is a core operating program of KFF, the independent source for health policy research, polling and journalism.