Skip to main content
Compliance

US OPM Health Data Collection Plan Sparks Privacy Concerns

Medical file folder open on cluttered desk with blurred figure working in background.

Approximately 65 health insurers provide coverage benefits for more than 10 million federal and postal service employees, retirees and their family members — and the Office of Personnel Management wants detailed, identifiable health records from those carriers.

OPM's December solicitation: what the agency is asking for

In December the Office of Personnel Management (OPM) published a notice soliciting public comment on plans to collect "service use and cost data" from federal employee and postal service health benefit carriers. The agency said the data would include medical claims, pharmacy claims, encounter data and provider data, and would enable OPM to better oversee health benefits programs "and ensure they provide competitive, quality and affordable plans."

The public notice described the scope of records sought to include clinical notes, diagnosis, treatment plans and prescriptions records. OPM also contended that HIPAA permits insurers to disclose protected health information (PHI), including service use and cost data, to oversight agencies like OPM.

House Oversight Committee Democrats: privacy and security alarms

Democratic members of the House Oversight Committee raised objections in an April 17 letter, warning the plan could be used by "the Trump administration" to target civil servants who accessed sensitive healthcare, such as an abortion or gender-affirming care. The Democrats said the mandate could run afoul of HIPAA and pointed to "repeated security failures at the agency" to argue OPM might be unable to protect such data from hackers.

The letter underscores a remembered security breach: in June 2015 OPM disclosed personal information for 4.2 million federal employees and retirees had been stolen, and days later that 21.5 million individuals' background-check records were also exposed. The 2015 incident was tied, the agency said, to Chinese espionage agencies.

House Democrats also noted the proposed information collection would not require insurers to anonymize data before providing it to OPM.

CVS Health and insurers: legal, compliance and risk concerns

Only six organizations or individuals publicly responded to OPM's request for comment; CVS Health was among them and expressed formal privacy and regulatory compliance concerns. "As OPM states, it has long required carriers to provide necessary information to OPM to perform audits and examinations to manage the [Federal Employees Health Benefits] program effectively. However, the data collection described goes far beyond this, and is unprecedented in its scope and lack of specificity," CVS Health wrote.

CVS Health pointed to HIPAA's constraints, noting that although the HIPAA privacy rule allows disclosure of PHI to health oversight agencies, "any such disclosure is subject to HIPAA’s minimum necessary requirement." The firm added that rule "is not intended to allow for the wholesale extraction of all data held by the covered entity for the vague and broad general purposes of ensuring quality and competitive plans."

CVS also questioned OPM's legal authority to obtain and retain beneficiary-level claims data of all federal and postal service members in a "proposed warehouse approach," and warned the proposal could increase carriers' exposure to data/security breaches and legal liability: "Submitting this data has the potential for data/security breaches, and invasion of privacy for consumer health information," CVS Health wrote. "This would also increase carriers’ legal liability with respect to data breaches and other instances where consumer health information is inappropriately shared and outside of our control."

Health Care Cost Institute and privacy advocates weigh in

Organizations that otherwise signaled support for OPM’s ability to collect claims data still urged cautious implementation. The Health Care Cost Institute said: "As OPM considers collecting claims data, it also should plan carefully how it will use security and privacy protocols to protect the information provided."

Advocacy voices raised a separate concern about the effect on clinical trust. Andrew Crawford, senior policy counsel of the privacy and data project at the Center for Democracy and Technology, told ISMG: "Effective healthcare relies on patients being able to trust their doctors and share very personal details about themselves with their doctor and healthcare providers. I fear that OPM’s plans will chill and erode this essential trust because some patients won't want their sensitive and personal data shared with the government."

What this means for federal employees, insurers, and OPM

  • Federal employees and dependents: face a risk perceived by lawmakers and advocates that sensitive care — examples cited include abortion and gender-affirming care — could be exposed or used against them, and may be less willing to disclose information to clinicians if they fear disclosures to government-held repositories.
  • Insurers and carriers: must reconcile OPM's request with HIPAA's "minimum necessary" requirement, contend with potential new legal liabilities tied to large-scale transfers and retention of beneficiary-level data, and manage the operational risks of contributing to any "proposed warehouse approach."
  • OPM: has framed the collection as necessary to oversee and ensure competitive, quality, and affordable plans, but faces questions about statutory authority, the breadth of non-anonymized data requested, and whether it can secure such a trove of sensitive records given prior agency breaches.

The December notice has already produced targeted objections from lawmakers, a major carrier and privacy advocates, and rekindled memories of OPM's 2015 data breaches. The choice facing OPM is concrete: either narrow and specify the data it needs and the legal basis for retaining it, and show how it will meet privacy and security requirements, or proceed into a contested collection that critics say risks patient privacy, regulatory conflict, and increased legal exposure for carriers.

https://www.govinfosecurity.com/us-opm-health-insurance-data-collection-plan-draws-concern-a-31472