Trump Administration Seeks Unprecedented Access to Federal Workers' Medical Records

The Office of Personnel Management (OPM) is pursuing an extraordinary initiative that could grant it access to the medical records of millions of federal employees, retirees, and their families. This move, quietly announced, raises significant concerns about privacy and data security.

In a notice issued by OPM, the agency outlined plans to require 65 insurance companies—serving over 8 million individuals, including federal workers and retired members of Congress—to submit monthly reports containing identifiable health information. This includes details on prescriptions filled and medical treatments sought.

Health policy experts and insurers are expressing alarm over the implications of such a sweeping request. The legality of OPM's acquisition of sensitive health data is under scrutiny, particularly regarding the agency's capacity to protect this information. "They are going to get very, very detailed and granular data about everything that happens," noted Sharona Hoffman, a health law ethicist at Case Western Reserve University. "The concern here is that with more information, they could target individuals based on political compliance."

Despite repeated inquiries, OPM representatives have not provided comments on the matter. The agency's notice specifically requests insurers to provide "service use and cost data," which encompasses medical claims, pharmacy claims, and provider data. The stated goal is to ensure competitive and affordable health plans for federal employees.

However, the notice does not mandate that insurers redact identifying information—a process that would require federal guidance. Instead, it asserts that insurers are permitted to disclose "protected health information" to OPM. Experts interpreting this request suggest it indicates a desire for identifiable data.

This initiative emerges amid a Republican administration characterized by mass layoffs and firings of federal employees, many of whom allege political retaliation. Under President Trump, the government has tested the limits of sharing sensitive personal information across agencies in efforts related to immigration enforcement and fraud investigations.

"You can anticipate a scenario where this information on 8 million Americans is now in the hands of OPM," warned Michael Martinez, senior counsel at Democracy Forward. "There's a real concern about how they will use it." Martinez highlighted potential risks regarding sensitive information related to abortion or transgender treatment, areas where the administration has sought to impose restrictions.

The American Federation of Government Employees, representing federal workers, has not commented on the proposal. Experts reviewing the notice have expressed uncertainty about the specific medical records OPM aims to access. At a minimum, they believe it would allow access to identifiable medical and pharmaceutical claims data.

OPM's request for "encounter data" could potentially enable access to comprehensive medical records, including doctors' notes. Jonathan Foley, a former OPM advisor during previous administrations, expressed skepticism about the agency's ability to manage such detailed information but acknowledged that it could begin collecting identifiable claims data from insurers.

Foley sees some merit in OPM having broader access to de-identified claims data for analyzing costs and improving healthcare options for federal employees. However, he cautioned that the current proposal appears to overreach by seeking identifiable data without adequate safeguards. "It's shocking to think of them having protected health information without strict guardrails," he remarked.

The Health Insurance Portability and Accountability Act (HIPAA) mandates that organizations maintaining identifiable health information protect it from unauthorized disclosure. Entities can only share such information under specific circumstances deemed "reasonable" or "necessary," and even then, only the minimum required data should be disclosed.

OPM contends that it is entitled to this information for oversight activities. Yet, many experts question whether this justification is sufficient given the broad language used in the notice. Jodi Daniel, a digital health strategist involved in developing HIPAA privacy rules, remarked on the vagueness of the proposal.

Major insurers like Blue Cross Blue Shield Association and UnitedHealthcare have refrained from commenting on their compliance plans regarding OPM's request. Only CVS Health publicly addressed the issue, with executive Melissa Schulman urging OPM to reconsider its proposal due to substantial HIPAA compliance concerns.

Schulman emphasized that while federal law permits examination of records, it does not authorize data collection for vague purposes. She raised alarms about potential liabilities for insurers if consumer health information were mishandled.

In 2015, OPM faced a significant data breach affecting approximately 22 million Americans' personal records, attributed to foreign cyberattacks. The Association of Federal Health Organizations has also voiced opposition to OPM's current request, stressing that insurance carriers are bound by HIPAA regulations to protect personal health information.

Federal law stipulates that carriers must provide "reasonable reports" deemed necessary by OPM—not individual claims data for every member. This isn't OPM's first attempt at accessing detailed data; a similar proposal in 2010 raised HIPAA concerns but was never finalized after negotiations with stakeholders.

Since then, OPM has gathered extensive information on enrollees and their families, leading to fears that even de-identified records could be traced back to individuals under the new request. As of now, OPM has not issued any updates following the closure of public comments in March. A final decision must be published before any changes take effect.