OPM Health Data Collection Proposal Raises HIPAA Compliance and Privacy Concerns

The Office of Personnel Management proposal to collect claims-level health insurance data for federal employees and retirees has generated sustained criticism due to privacy risks, potential violations of the HIPAA Privacy Rule, and concerns about data misuse and insufficient safeguards.

Proposal Scope and Data Collection Requirements

A December 12, 2025 notice outlines a request to collect information covering the Federal Employees Health Benefits and Postal Service Health Benefits programs. The proposal requires insurance carriers to submit claims-level data to the Office of Personnel Management every month. The data includes protected health information (PHI) and personal identifiers for current and former federal workers.

The Office of Personnel Management states that the data collection is intended to monitor health benefits programs and ensure they meet standards for cost, quality, and competitiveness. The required data include medical claims, pharmacy claims, encounter data, provider data, and quarterly manufacturer rebate data. The reporting requirement covers 65 insurance providers that collectively maintain the data of over 8 million individuals, including federal employees, retirees, and their family members.

The data sought is maintained by entities regulated under the Health Insurance Portability and Accountability Act. The proposal would result in the transfer of PHI into a centralized government database.

HIPAA Privacy Rule and Disclosure Authority

The Office of Personnel Management asserts that disclosures are permitted under the HIPAA Privacy Rule for health oversight activities. The relevant regulatory provision allows covered entities to disclose PHI to oversight agencies when authorized by law.

The HIPAA Privacy Rule permits such disclosures but does not require them. Carriers retain discretion regarding the scope of information disclosed. Because the notice sets no detailed limits on data elements, carriers face uncertainty about which information is appropriate to disclose.

The HIPAA Minimum Necessary Rule requires covered entities and business associates to limit disclosures to the minimum necessary to achieve the intended purpose. The breadth of the requested data raises compliance concerns regarding whether the proposed disclosures meet this standard.

Data Scope and Sensitivity Concerns

The categories of requested data include encounter data that may extend beyond summary claims information. Encounter data can include detailed records such as treatment information and provider notes. The proposal does not specify limits that would restrict the inclusion of full medical records or similar detailed content.

The absence of clear boundaries on data categories increases the volume and sensitivity of information that may be transferred. The proposal does not indicate that personal identifiers will be removed prior to submission. De-identified data is not referenced as an alternative approach in the notice.

Privacy groups have raised concerns that the data collection could result in the creation of a large repository of sensitive, personally identifiable health information. The potential for misuse includes the use of data for purposes unrelated to health plan oversight.

Compliance and Legal Risk for Carriers

Insurance carriers face compliance exposure due to the scope of the requested disclosures. The requirement to submit broad categories of PHI without detailed purpose specifications creates uncertainty regarding compliance with the HIPAA Minimum Necessary Rule.

Future enforcement considerations introduce additional risk. The proposal does not establish a clear compliance framework that would guide carriers in limiting disclosures. Carriers may need to evaluate each data element to determine whether it meets the minimum necessary threshold, which increases administrative burden.

The proposal acknowledges that disclosures for oversight purposes are permitted under the HIPAA Privacy Rule, but the lack of specificity in the data request requires carriers to interpret regulatory obligations without clear guidance. The potential for differing interpretations may result in inconsistent compliance approaches.

Government Data Protection Concerns

Concerns have been raised regarding the ability of the Office of Personnel Management to safeguard a centralized database containing sensitive health information. Government entities are frequent targets of cyberattacks.

The Office of Personnel Management experienced two significant data breaches in 2015. One breach involved the personal information of 4.2 million individuals, and another involved the theft of personal records affecting more than 22 million individuals. These incidents have contributed to concerns about the capacity to protect newly collected data.

Additional concerns relate to the handling of sensitive data by the current administration. Instances involving the transmission of Social Security Administration data to unauthorized individuals and the use of nongovernmental servers have been cited in opposition statements.

Stakeholder Responses and Alternative Approaches

The Association of Federal Health Organizations has identified similar concerns to those raised during a prior proposal in 2010 to establish a healthcare claims data warehouse. The organization has indicated that earlier concerns regarding compliance with the HIPAA Privacy Rule remain unresolved.

The Association of Federal Health Organizations has proposed limiting data sharing to de-identified information. The organization has also raised concerns that de-identified data could be re-identified due to the volume of information already held by the Office of Personnel Management. The HIPAA Privacy Rule does not permit the sharing of de-identified data if there is a risk of re-identification.

Alternative approaches include the use of external systems to query data without direct transfer of identifiable information. One proposed method involves leveraging an existing system used by the Centers for Medicare and Medicaid Services to minimize re-identification risk. Another proposal suggests contracting with an external entity to convert raw data into aggregated insights.

Jonathan Foley, a former Office of Personnel Management employee, has indicated that there are potential benefits associated with analyzing identifiable data but has also identified risks related to data misuse and privacy exposure. Foley has suggested that data could be maintained by an independent entity with restrictions on federal access.

CVS Health has recommended the formation of a stakeholder working group to define specific data elements required for oversight purposes and to establish consistent reporting standards.

Congressional Oversight and Formal Objections

On April 17, 2026, a group of 16 Democratic members of the House Oversight Committee formally requested the withdrawal of the proposal. The request was directed to Office of Personnel Management Director Scott Kupor and Office of Management and Budget Director Russell Vought.

The members cited concerns regarding potential data misuse, risks of noncompliance with the HIPAA Privacy Rule, and the absence of safeguards to protect sensitive health information. The request also referenced the scale of the affected population, which includes more than 8 million individuals enrolled in the relevant health benefits programs.

The group requested a briefing to explain the rationale for collecting a broad dataset without defined protections for employee privacy. The request also called for the cessation of all plans to collect private health insurance data under the proposal.

Operational and Policy Uncertainty

The proposal does not provide detailed information regarding how collected data will be used, maintained, or protected. The absence of defined use cases and safeguards has contributed to concerns regarding secondary uses of the data.

There is no clear indication of how carriers will implement the reporting requirements while maintaining compliance with the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule. The lack of clarity extends to audit processes and oversight mechanisms.

The scope of the data request, combined with limited operational guidance, creates uncertainty for both carriers and affected individuals. The proposal remains subject to ongoing review and stakeholder feedback.

Image credit: Tada Images, AdobeStock


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.