The Trump administration is quietly seeking broad access to medical records for millions of federal workers, retirees, and their families. A new proposal from the Office of Personnel Management (OPM) could significantly expand the type of medical information the agency collects, including sensitive details about prescriptions and medical treatments.
This move has raised concerns among health insurers, legal experts, and privacy advocates about the potential risks to patient confidentiality and the agency’s ability to safeguard such vast amounts of personal data.
OPM’s Request for Detailed Medical Data
OPM’s proposal would require 65 insurance companies covering more than 8 million people—including federal workers, retired members of Congress, postal workers, and their families—to provide monthly reports containing identifiable health data.
These reports would include medical claims, pharmacy claims, encounter data, and provider information. The goal is to ensure competitive, affordable, and quality healthcare plans for federal workers, but critics are questioning the sweeping nature of the request.
Several experts, including Sharona Hoffman, a health law ethicist, have raised concerns about the potential misuse of this detailed data. Hoffman warned that while the data could be used to improve cost analysis and healthcare systems, it could also be used for political purposes, potentially targeting individuals who do not align with the administration’s policies.
The proposal has led to unease about how OPM might use sensitive information such as abortion or transgender treatment data, which the administration has previously tried to limit.
Concerns Over the Scope of the Proposal
The regulation does not specify that insurers must redact personally identifiable information before sharing it with OPM, leading many experts to believe that the agency seeks direct access to identifiable medical records.
This includes details such as patients’ names, birthdates, diagnoses, treatment history, and even provider notes. Critics argue that this broad access could lead to privacy violations, especially without clear guidelines on how OPM would handle the data once it has been collected.
Jonathan Foley, a former OPM advisor, expressed concerns that the agency might not have the capacity to process such detailed medical data. Although he acknowledged that there could be benefits to broader access to de-identified claims data, he stressed that the proposal appeared to seek identifiable information without sufficient safeguards.
Legal and Privacy Implications
The Health Insurance Portability and Accountability Act (HIPAA) regulates the disclosure of personal health information, mandating that healthcare providers and insurers protect sensitive data and disclose it only in specific scenarios.
OPM’s request raises questions about whether its request complies with HIPAA, particularly since the notice from OPM is vague about how the data will be used and lacks adequate justification for accessing such detailed information.
Jodi Daniel, a health strategist and former HIPAA privacy rule developer, expressed concern that the broad language in the proposal could lead to the collection of far more information than necessary. She suggested that OPM’s justification for needing this information is insufficient and lacks the necessary oversight protections.
Industry Response and Insurer Concerns
Several major insurers, including Blue Cross Blue Shield Association, Kaiser Permanente, and UnitedHealthcare, have not commented on their plans to comply with OPM’s request. However, CVS Health has raised alarms about the potential legal and privacy issues in a public comment.
CVS executive Melissa Schulman argued that OPM’s proposal violates HIPAA, as it would allow the agency to collect personal health information for vague purposes, potentially exposing insurers to liability in case of data breaches or other security incidents.
The Association of Federal Health Organizations (AFHO), which represents insurers providing federal health plans, also voiced concerns about OPM’s request. AFHO Chair Kari Parsons emphasized that insurers are legally bound by HIPAA to protect personal health information and that OPM’s request for identifiable claims data is unnecessary and overly broad.
Data Breach Concerns
OPM’s history of handling sensitive data is also a point of concern. In 2015, OPM experienced a massive data breach, which compromised the personal information of approximately 22 million individuals, allegedly due to a cyberattack by the Chinese government. This incident raises additional questions about whether the agency has the proper security measures in place to protect sensitive medical data.
Next Steps and Potential Outcomes
While OPM’s request has sparked significant controversy, the agency has not provided an update since the public comment period closed in March. A final decision from OPM is expected in the coming months, and the proposal could ultimately be revised or even scrapped based on feedback from insurers, privacy advocates, and lawmakers.
As of now, it remains uncertain how the agency will move forward with this request, but the concerns surrounding patient privacy and data security are likely to continue to drive discussions on this issue.
