The Trump administration is quietly seeking unprecedented access to medical records for millions of federal workers and retirees, and their families.
A brief notice from the Office of Personnel Management could dramatically change which personally identifiable medical information the agency obtains, giving it the power to see prescriptions employees had filled or what treatment they sought from doctors. The regulation would require 65 insurance companies that cover more than 8 million Americans — including federal workers, retired members of Congress, mail carriers, and their immediate family members — to provide monthly reports to OPM with identifiable health data on their members.
The proposal is prompting unease from insurers as well as health policy and legal experts, who are concerned about the legality of OPM acquiring such a sweeping database of sensitive health information, and the agency’s ability to safeguard it.
OPM could use the data to analyze costs and improve the system, said Sharona Hoffman, a health law ethicist at Case Western Reserve University in Ohio.
“But,” she said, “they are going to get very, very detailed and granular data about everything that happens. The concern here is the more information they have, they could use it to discipline or target people who are not cooperating politically.”
OPM spokespeople did not respond to repeated requests for comment. The agency’s notice asks insurers that offer Federal Employees Health Benefits or Postal Service Health Benefits plans to furnish “service use and cost data,” including “medical claims, pharmacy claims, encounter data, and provider data.” It says the data will “ensure they provide competitive, quality, and affordable plans.”
The notice, posted and sent to insurers in December, does not instruct them to redact identifying information — a burdensome process that they would need federal guidance to complete.
Instead, it states that insurers are legally permitted to disclose “protected health information” to OPM. Several experts in health policy and law consulted by KFF Health News said they interpreted the request to mean the Trump administration was seeking identifiable data.
The ask comes a year into a Republican administration that has been defined by haphazard mass layoffs and firings of thousands of federal workers, including dozens who say they were targeted in acts of political retaliation or for not embracing the White House’s agenda. Under President Donald Trump, the government has also routinely tested the legal bounds of sharing sensitive and personally identifiable tax or health information across government agencies in its efforts to carry out mass immigration arrests or pursue identify fraud.
“You can anticipate a scenario where this information on 8 million Americans is now in the hands of OPM and there’s a real concern of how they use it,” said Michael Martinez, senior counsel at Democracy Forward, an advocacy organization that filed a public comment opposing OPM’s proposal in February. Martinez previously worked at OPM.
“They’ve given no information about how they would treat that information once they have it,” he said.
Among Martinez’s concerns is how the administration might use information about employees who have sought abortions — 41 states have some type of abortion ban — or transgender treatment, medical care that the Trump administration has tried to curb.
The American Federation of Government Employees, the largest union representing federal workers, did not respond to requests for comment.
Martinez and others who reviewed the notice for KFF Health News said the proposal was so vague that they were uncertain, exactly, what medical records OPM wants to access.
At the very least, they said, the proposal would allow the agency to access the medical and pharmaceutical claims of patients with their identifying information, such as names and birth dates. Claims data also includes diagnoses, treatments, visit length, and provider information.
OPM’s request to view “encounter data” could allow the agency to look at “anything and everything,” Hoffman noted.
That could include detailed medical records, such as a doctor’s notes or after-visit summaries.
Jonathan Foley, who worked at OPM advising on the Federal Employees Health Benefits program during the Obama and Biden administrations, said he doubts the agency has the capability to ingest such minutiae.
The agency, however, could easily begin collection of personally identifiable medical and pharmaceutical claims information from insurers, he said.
Foley said he sees a benefit to OPM having broader access to de-identified claims data. In recent years, OPM has ramped up its analysis of claims data, which has allowed it to examine prescription drug costs and encourage plans to offer federal workers cheaper alternatives. He’s worried, though, that the Trump administration’s proposal goes too far, because it appears to seek identifiable data.
“It’s kind of shocking to think of them having protected health information without having strict guardrails,” he said.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, requires certain organizations that maintain identifiable health information — such as hospitals and insurers — to protect it from being disclosed without patient consent.
Those entities can disclose such information without consent only in specific scenarios, with a justification that it is deemed “reasonable” or “necessary.” Even then, HIPAA mandates that they provide only the minimum amount of information required.
OPM argues in its notice that it is entitled to the information from insurers “for oversight activities.”
But several people who reviewed the notice questioned whether OPM’s explanation for requesting the information is sufficient.
“The language in it seems quite broad and encompasses potentially a lot of information and data and is sort of light on justification,” said Jodi Daniel, a digital health strategist who helped develop the legal framework for HIPAA privacy rules over two decades ago.
Several major insurers that offer federal employee health plans — including the Blue Cross Blue Shield Association, Kaiser Permanente, and UnitedHealthcare — declined to comment on their plans to comply with the notice or offer insight on where plans to implement the data sharing stood.
Only one insurer individually weighed in with a public comment on OPM’s plan. In March, CVS Health executive Melissa Schulman urged the federal agency to reconsider its proposal.
“OPM’s request raises substantial HIPAA compliance issues,” Schulman wrote, arguing that federal law allows the agency to examine records but not to collect data. Insurers would be breaking the law by providing personal health information for OPM’s “vague and broad general purposes,” she added.
Schulman, who did not respond to additional questions from KFF Health News, also raised concerns about a lack of data privacy protections. She noted that insurers could be liable for security breaches or other situations “where consumer health information is inappropriately shared and outside of our control.”
In 2015, OPM announced the personal records of roughly 22 million Americans had been stolen from the agency in a data breach that has been blamed on the Chinese government.
The Association of Federal Health Organizations, which represents CVS Health and dozens of other federal health plan carriers, also weighed in with a 122-page comment opposing the notice. In it, AFHO Chair Kari Parsons emphasized that insurance carriers are bound by HIPAA to safeguard personal health information.
Federal law requires carriers “to furnish ‘reasonable reports’ OPM determines to be necessary,” Parsons wrote, “not to furnish the individual claims data of every individual.”
This isn’t the first time OPM has requested detailed data from insurers. In the AFHO comment, Parsons noted OPM had made a similar proposal in 2010, prompting HIPAA concerns. She described how, after several years of negotiations with AFHO, they discussed — but OPM never finalized — an agreement in 2019 for carriers to share de-identified data with OPM.
But since then, Parsons wrote, OPM has collected such detailed information on enrollees and their families that, with OPM’s new request, the agency may be able to trace even de-identified records to individuals.
OPM has not provided any update since closing comments in March. The agency would need to publish a final decision before anything officially changes.
