OPM Proposed Collecting Identifiable Medical Records of Federal Workers, Raising Privacy Concerns

The Office of Personnel Management (OPM), under the Trump administration, proposed a measure to obtain extensive access to personally identifiable medical records for millions of federal workers, retirees, and their families. This proposal, outlined in a December notice, aimed to collect detailed health information from 65 insurance companies covering over 8 million Americans, prompting concerns among insurers, health policy experts, and legal professionals regarding its legality, OPM's data protection capabilities, and the potential for misuse.

Proposal Details

The OPM notice requested "service use and cost data" from insurers offering Federal Employees Health Benefits and Postal Service Health Benefits plans. This data was to be submitted monthly and included:

  • Medical claims
  • Pharmacy claims
  • Encounter data
  • Provider data

OPM stated the purpose of collecting this information was to "ensure they provide competitive, quality, and affordable plans." The notice did not explicitly instruct insurers to redact identifying information, which led health policy and legal experts to interpret the request as seeking identifiable data. This data could encompass details such as prescriptions, treatment specifics, diagnoses, visit length, names, birth dates, and potentially detailed medical records like doctor's notes.

OPM argued in its notice that it was entitled to the information for "oversight activities."

Concerns Raised

A range of concerns were voiced regarding the proposal:

  • Legality and Privacy: Experts questioned the legality of OPM acquiring such a comprehensive database of sensitive health information.
  • Data Security: Concerns were raised about OPM's capacity to safeguard the data, particularly given a 2015 data breach that resulted in the theft of personal records for approximately 22 million Americans.
  • Potential Misuse: Health law ethicist Sharona Hoffman noted the potential for OPM to obtain "very detailed and granular data," raising concerns about its use for disciplinary actions or targeting individuals. Critics also raised concerns about the potential use of medical information regarding sensitive treatments, such as abortions or transgender care.

  • Lack of Safeguards: Jonathan Foley, who advised on the Federal Employees Health Benefits program in previous administrations, acknowledged potential benefits of broader access to de-identified claims data for cost analysis but expressed concern about the request for identifiable data without strict guardrails.

Legal and Regulatory Context

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that organizations protect identifiable health information and only disclose it without patient consent in specific, justifiable scenarios, providing the minimum necessary information. Jodi Daniel, a digital health strategist involved in developing HIPAA privacy rules, questioned the sufficiency of OPM's justification for such a broad request due to its general wording.

Melissa Schulman, an executive at CVS Health, argued that federal law permits OPM to examine records but not to collect individual data for "vague and broad general purposes."

Similarly, the Association of Federal Health Organizations (AFHO) stated that federal law requires carriers to furnish "reasonable reports," not individual claims data for every person.

Industry and Expert Response

Several major insurers, including Blue Cross Blue Shield Association, Kaiser Permanente, and UnitedHealthcare, declined to comment on the proposal. However, CVS Health, through Melissa Schulman, submitted a public comment urging OPM to reconsider, citing "substantial HIPAA compliance issues" and concerns about insurers' liability for security breaches.

The Association of Federal Health Organizations (AFHO) also formally opposed the notice, emphasizing carriers' HIPAA obligations. AFHO noted a similar OPM proposal in 2010 that raised HIPAA concerns, leading to discussions in 2019 about sharing de-identified data, which was never finalized. OPM spokespeople did not respond to requests for comment regarding the proposal.

Current Status

OPM has not provided an update since the public comment period closed in March. For any changes to take effect, OPM would need to publish a final decision.