US OPM Health Insurance Data Collection Plan Raises Concerns

Data Privacy,
Data Security,
HIPAA/HITECH

House Democrats Raise Concerns Over Data Collection Privacy and Security

The U.S. Office of Personnel Management in Washington, D.C., in a photo dated March 29, 2025. (Image: NLM Photo/Shutterstock)

The U.S. Office of Personnel Management (OPM), a federal agency responsible for overseeing government employee benefits, has proposed a plan that has sparked considerable concern among members of the House of Representatives, particularly among Democrats. This plan mandates that insurers provide identifiable health data of federal employees, which has raised significant alarms regarding privacy and security implications.

In December, OPM announced its intention to collect “service use and cost data” from health benefit carriers servicing federal employees and postal service staff. This data encompasses a variety of medical claims, pharmacy claims, encounter data, and provider information. The Democratic members of the House Oversight Committee recently articulated their apprehensions in a letter dated April 17, citing previous administration actions that could misuse such data. They highlighted the potential for the Trump administration to use these records to scrutinize civil servants who have sought sensitive healthcare services, including abortions or gender-affirming therapies. They posited that this data collection could conflict with HIPAA regulations, given OPM’s prior inadequacies in safeguarding sensitive data from cyber threats.

Currently, approximately 65 health insurers cover over 10 million federal employees, retirees, and their families. The OPM insists the data will enable better oversight of health benefits programs, claiming it will lead to more competitive, high-quality, and affordable plans. The agency has argued that HIPAA permits insurers to disclose protected health information, including the sought service use and cost data, to oversight bodies like itself. They are requesting data that spans clinical notes, diagnoses, treatment plans, and prescription records. However, House Democrats pointed out that this requirement could allow for non-anonymized data to be provided without adequate safeguards.

Opposition to OPM’s data collection initiative extends beyond legislative circles. CVS Health, one of the few entities to formally respond to OPM’s request for feedback, expressed considerable concern about the privacy and regulatory compliance issues raised by the plan. CVS highlighted that while OPM’s established practices involve routine data provision for audits and program management, the current extent of the proposed data collection exceeds acceptable boundaries and lacks clarity. The company raised concerns regarding HIPAA’s minimum necessary requirement, asserting that the proposed broad data extraction is not consistent with regulations designed to protect consumer health information.

CVS Health questioned OPM’s legal authority to collect comprehensive beneficiary-level claims data for federal employees, expressing worries about creating a vast database that could be susceptible to security breaches. The organization stated, “Submitting this data presents risks of data and security breaches and could lead to significant invasions of privacy concerning consumer health information.” It added that this initiative could also amplify legal liabilities for insurers regarding data breaches.

Other organizations that expressed cautious support for OPM’s plans echoed similar concerns over data security and privacy protocols. The Health Care Cost Institute, an independent non-profit organization, advised OPM to implement robust security measures while considering the details of such data collection.

Experts warn that the ramifications of compiling sensitive health data on federal employees could negatively influence healthcare interactions. Andrew Crawford, a senior policy counsel with the Center for Democracy and Technology, emphasized the significance of trust in healthcare. He cautioned that OPM’s initiative could undermine this trust, as patients may be reluctant to share sensitive personal information with healthcare providers if they suspect it could be funneled to government agencies.

This concern is sharpened by OPM’s troubling history with data breaches. In June 2015, the agency revealed that personal information of around 4.2 million federal employees and retirees had been compromised in a cyberattack, and later disclosed that an additional 21.5 million individuals had their background-check records exposed. These breaches were linked to Chinese espionage efforts, underscoring the high stakes of protecting federal employee data.
