OPM’s plan to collect medical records draws HIPAA compliance warnings
Farah Amod
May 5, 2026
Sixty-five health insurance carriers have been asked to submit monthly claims-level protected health information (PHI) on federal employees and their families to a government database, with no clear explanation of how the data will be used or protected.
What happened
The Office of Personnel Management (OPM) published a notice in December 2025 requiring 65 insurance carriers participating in the Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) programs to submit monthly claims-level data on all enrollees, including medical claims, pharmacy claims, encounter data, and provider data. According to KFF Health News, the data would include personally identifiable information on more than 8 million Americans, including current and former federal workers, mail carriers, retired members of Congress, and their immediate family members. The notice states OPM requires the data to oversee health benefits programs and promote competitive, affordable plans, citing 45 CFR 164.512(d)(1), the HIPAA health oversight exception, as legal authority. Health law experts, insurers, and lawmakers have questioned whether OPM's justification meets the legal threshold required and whether the proposal violates HIPAA's minimum necessary standard.
Going deeper
HIPAA permits covered entities such as health plans to disclose PHI to health oversight agencies without individual consent, but it requires that these disclosures be limited to the minimum amount of information necessary for the stated purpose. The Association of Federal Health Organizations (AFHO), representing dozens of FEHB carriers, filed a 122-page comment arguing that the statutory authority that allows OPM to collect "reasonable reports" from carriers does not extend to individual claims-level data on every enrollee. AFHO chair Kari Parsons wrote that carriers are required to furnish "reasonable reports OPM determines to be necessary, not to furnish the individual claims data of every individual." CVS Health filed a separate comment arguing that carriers complying with the request could face HIPAA liability because OPM's stated justification is "vague and broad," and that federal law permits OPM to examine records but not to mass-collect individual data. According to CNN, major insurers, including Blue Cross Blue Shield, Kaiser Permanente, and UnitedHealthcare, declined to comment on whether they would comply. A further concern raised by AFHO is that OPM already holds such detailed enrollment data on FEHB participants that even de-identified submissions could potentially be re-identified.
What was said
On April 17, 2026, 16 Democratic members of the House Oversight Committee wrote to OPM Director Scott Kupor and Office of Management and Budget Director Russell Vought, demanding that the plan be halted. FedScoop reported the letter stated, "More than 8 million Americans receive health insurance under the FEHB and PSHB programs, including federal workers, mail carriers, and their immediate family members. They should be able to make medical decisions in consultation with their doctors, not the federal government." The letter cited CVS Health's finding that the request "raises substantial HIPAA compliance issues" and AFHO's position that the collection "raises significant HIPAA privacy and security rule compliance concerns." Jodi Daniel, a digital health strategist who helped develop the legal framework for HIPAA privacy rules, told KFF Health News that the language in the notice "seems quite broad and encompasses potentially a lot of information and data and is sort of light on justification."
In the know
OPM has a documented history of failing to protect large volumes of sensitive government data. According to Federal News Network, OPM suffered two major data breaches in 2015: one exposing the personal records of 4.2 million current and former federal employees, and a second involving the theft of records belonging to more than 22 million Americans, attributed to the Chinese government. Opponents of the current proposal have noted that building a new centralized database of sensitive medical records at OPM substantially raises the stakes of any future breach. The American Federation of Government Employees stated it was "deeply alarmed" by the proposal, citing both its legal concerns and the context of what it described as coordinated actions targeting federal employees and the repeated stretching of legal boundaries for sharing sensitive data across government agencies.
The big picture
For healthcare organizations and FEHB carriers, the OPM proposal creates a compliance dilemma with no clear resolution. Complying with the request as written may violate HIPAA's minimum necessary standard, while refusing to comply creates a different set of legal and regulatory risks with a federal agency. According to Paubox's What Healthcare Gets Wrong About HIPAA and Email Security report, one of the most consistent HIPAA compliance failures observed across healthcare organizations is the disclosure of more PHI than is necessary for the stated purpose, which is precisely the concern AFHO and CVS Health have documented here. The OPM proposal also raises a data security question independent of the legal debate: centralizing PHI from 65 carriers on more than 8 million individuals into a single government database creates a target of extraordinary value. OPM's 2015 breach record makes that concentration of risk difficult to justify in the absence of explicit, detailed security commitments that the December notice does not provide.
FAQs
What is HIPAA's minimum necessary standard, and why does it apply here?
The minimum necessary standard at 45 CFR 164.502(b) requires that any disclosure of PHI be limited to the least amount of information needed to accomplish the stated purpose. AFHO and CVS Health both argue that OPM's blanket request for monthly claims-level data on every enrollee cannot meet that standard because OPM has not specified what subset of data is actually needed for its oversight functions.
Can FEHB carriers legally refuse to comply with OPM's request?
HIPAA permits, but does not require, disclosures to health oversight agencies. Carriers may choose to limit what they disclose to what they deem appropriate and necessary, but without clearer guidance from OPM on the exact purpose, determining that threshold is difficult and carries its own compliance and administrative burden.
What specific data types does the OPM request cover?
The December 2025 notice requests monthly submissions of medical claims, pharmacy claims, encounter data, and provider data, plus quarterly manufacturer rebate data. Encounter data is particularly broad, as it can encompass full medical records and physician notes beyond what standard claims processing requires.
Why is re-identification of de-identified data a concern in this case?
AFHO warned that OPM already holds detailed identifying information on FEHB enrollees and their families through its administrative role in the program. Combining that existing data with even nominally de-identified medical claims creates a meaningful risk that individual records could be traced back to specific people, which HIPAA does not permit.
What should FEHB carriers be doing now while the proposal remains under review?
Carriers should review their HIPAA compliance obligations under the minimum necessary standard before making any submissions, document their legal analysis of the request, and consult with HIPAA counsel on what disclosures are permissible. Monitoring the status of Congressional opposition and any formal legal challenges will also affect how carriers should position their response.