The federal personnel office is quietly trying to get its hands on an enormous pile of health data. The Office of Personnel Management has asked dozens of insurers to turn over detailed medical and pharmacy claims for millions of federal employees, retirees and their families. Privacy advocates and worker groups warn the move could expose treatment histories and prescription records for more than 8 million people and open the door to misuse or even targeting of specific patients.
What OPM Is Asking For
According to KFF Health News, a brief notice on the federal docket instructs 65 insurers that participate in the Federal Employees Health Benefits and Postal Service Health Benefits programs to send monthly “service use and cost data.” That includes medical claims, pharmacy claims, encounter records and provider information.
The notice, delivered to carriers in December, does not require them to strip out identifying details before sending the files. It explicitly states that OPM may receive protected health information for oversight activities. Reporting by KFF Health News also notes that OPM has not issued a final decision and has given no public update since the comment period closed in March.
Insurers, Experts and Unions Push Back
The Association of Federal Health Organizations, which represents dozens of FEHB carriers including CVS Health, filed a lengthy comment objecting to the plan. The group argued that insurers are bound by HIPAA and that the statute allows only “reasonable reports,” not a continuous stream of full individual claims data, according to the Los Angeles Times.
Advocates warn the requested data could be used to single out employees who obtained abortions or gender-affirming care. Michael Martinez of Democracy Forward told reporters he is concerned about how the agency might later use such information. Health law ethicist Sharona Hoffman cautioned that the files would be “very, very detailed and granular,” a level of specificity that goes beyond what is typically needed for oversight.
Privacy and Security Risks After OPM’s 2015 Breach
Opponents also point to OPM’s rocky cyber past. In 2015, the agency revealed breaches that exposed personal records for roughly 22 million people, a failure that triggered congressional hearings and leadership shake-ups, according to The Associated Press.
Critics say that history makes any plan to centralize identifiable health data especially fraught. Parking detailed claims for millions of people in one place, they argue, would create an inviting single point of failure for hackers and a serious test of OPM’s security promises.
Legal Implications
Privacy lawyers note that the proposal raises immediate HIPAA issues, including how OPM would apply the law’s “minimum necessary” standard and which officials or contractors would be able to see the files. The AFHO comment warned that carriers themselves could face legal risk if they hand over identifiable claims data without clearer legal authority and robust safeguards, a concern described in the Los Angeles Times coverage.
What’s Next
For now, the proposal is in limbo. OPM has not issued a final rule and has publicly said only that the data would be used for oversight and plan oversight activities, according to KFF Health News.
Insurers, unions and privacy advocates say legal and regulatory fights are likely if OPM moves ahead with collecting detailed, identifiable records. Any shift in what carriers must report would require a formal decision from OPM before plans change their current reporting practices.
