The Office of Personnel Management has asked health insurers to provide detailed medical data for millions of federal employees, retirees and their family members, according to a notice posted in December. The proposal would require 65 carriers that cover more than 8 million people — including federal workers, retired members of Congress and postal employees — to submit monthly reports to OPM that could include medical and pharmacy claims, encounter data and provider information.
The notice does not instruct insurers to remove identifying information. It states that carriers are allowed to disclose “protected health information” to OPM and frames the collection as part of oversight to ensure the provision of competitive, quality and affordable plans. OPM did not respond to requests for comment about the scope of the request or how it would protect the data.
Health policy experts, privacy lawyers, insurers and advocacy groups have expressed alarm, saying the language appears to seek individually identifiable claims data and raises significant HIPAA and security questions. Several analysts told KFF Health News they read the notice as seeking personally identifiable claims records that could include names, birthdays, diagnoses, treatments, visit details and provider identities.
Sharona Hoffman, a health law and ethics expert at Case Western Reserve University, warned the agency would receive “very detailed and granular” information under the proposal and cautioned about the potential for misuse, including politically motivated targeting. Michael Martinez, senior counsel at Democracy Forward and a former OPM official who filed a public comment opposing the plan, said the notice is vague about how OPM would handle and safeguard the data and flagged the risk that sensitive care — such as reproductive or gender-affirming treatments — could be used against employees amid current policy conflicts and state restrictions.
Former OPM adviser Jonathan Foley said there are legitimate uses for de-identified claims data, such as analyzing costs and encouraging lower-cost plan options, but he is troubled that this request seems to seek identifiable information without clear, strict protections. Foley also questioned whether OPM has the technical capacity to securely ingest and store highly detailed medical records.
Under HIPAA, covered entities like insurers may disclose protected health information without individual authorization only in limited situations and must limit disclosures to the minimum necessary. Several reviewers of the notice said OPM’s stated justification — broadly described as oversight activities — is not detailed enough to meet HIPAA’s minimum-necessary standard. Jodi Daniel, who helped develop HIPAA privacy rules, called the notice language “quite broad” and said it appears to encompass a large volume of potentially sensitive information without adequate explanation.
Major insurers that participate in federal employee plans, including the Blue Cross Blue Shield Association, Kaiser Permanente and UnitedHealthcare, declined to comment publicly about whether they will comply. CVS Health was the only carrier to submit a public comment; CVS executive Melissa Schulman urged OPM to reconsider, saying the request raises “substantial HIPAA compliance issues” and arguing that federal law permits oversight but not the wholesale collection of personal health data for vague purposes. She also warned that carriers could face liability for security breaches if they turn over personal health information.
Industry groups have pushed back as well. The Association of Federal Health Organizations, which represents CVS and many federal plan carriers, filed a 122-page comment opposing the notice. AFHO’s chair emphasized that carriers are bound by HIPAA and that federal law requires insurers to provide only “reasonable reports” OPM deems necessary, not detailed claims for every enrollee.
OPM has pursued data-sharing ideas before. AFHO noted negotiations dating back to a 2010 request and a 2019 discussion about sharing de-identified claims data that never produced a completed agreement. The group also warned that OPM has already collected detailed information in recent years that, if combined with new submissions, could make it possible to re-identify records intended to be de-identified.
The proposal has revived concerns about OPM’s data security. In 2015, personal records for roughly 22 million people were stolen in a breach of the agency’s systems, a high-profile incident that underscored OPM’s vulnerability to large-scale data theft.
OPM closed the public comment period in March and has not announced next steps. Any change that would require insurers to turn over claims data would need a published final decision before taking effect.
The request has prompted a broader debate about the balance between oversight of federal health benefits and the privacy and security of sensitive medical information for millions of Americans covered under federal plans.