
OPM’s Problematic Health Data Grab

Under a new plan from the Office of Personnel Management (OPM), the government is trying to obtain intimate health records of hundreds of thousands of federal employees. Given the lack of specificity and authority, and the likelihood of extreme harm to federal employees, OPM should abandon this effort.

In December of 2025, OPM released a troubling information collection request (ICR). This very short request outlined OPM’s plan to require the Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) programs to disclose a host of very personal information about federal employees’ medical claims, pharmacy claims, medical encounter data, and provider data to the federal government. Specifically, the data shared with OPM could include patient and doctor names and their specific diagnoses. While OPM claims this data is necessary “to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans,” others question whether OPM needs this type of granular, highly personal data to meet its stated goals.

Beyond the scope of data being sought, there are also questions around whether OPM has the authority to require insurance companies to share vast amounts of personal health data with the government. OPM argues it has that authority based on its interpretation of the HIPAA Privacy Rule, which permits covered entities, including the carriers in question, to disclose protected health information (PHI) to health oversight agencies, like OPM, for oversight activities. However, companies and groups have weighed in and challenged OPM’s interpretation of the Privacy Rule.

OPM has not provided any meaningful justification regarding why such detailed and granular personal health data is necessary. Providing a rationale is vital to ensure that the agency is limiting its collection to the data it needs to accomplish its purpose, particularly given the breadth of the data collection proposed. As CVS Health explained in its comments: “the data collection described in this ICR goes far beyond [what is needed to accomplish the goal] and is unprecedented in its scope and lack of specificity. Rather than seeking necessary and targeted data in an audit or examination setting, OPM is proposing the wholesale collection of vast amounts of granular data from all FEHB and PSHB carriers.” The absence of such a rationale raises suspicions that the government is seeking detailed information about health care decisions of federal employees for improper purposes, such as cracking down on medical procedures the administration opposes.

If OPM implements this proposal, it will diminish and harm the quality of health care federal employees receive. Effective health care relies on patients being able to trust their doctors and share very personal details about themselves with their health care providers. But that only happens when patients trust their doctor will only use that information to better diagnose and treat each individual based on their unique situation, symptoms, and conditions. OPM’s plan threatens this essential trust between federal employees and their doctors for fear that individuals’ sensitive and personal data will be shared with their employer.

Federal employees have every right to question how OPM will ultimately use and retain their health data. Once in government hands, employee PHI may be used for purposes far beyond merely OPM’s stated purpose of providing competitive, quality, and affordable health plans. The ICR places no limits on the data’s use or sharing once it is obtained, and the data would likely no longer be protected by HIPAA because the federal government is not acting as a HIPAA covered entity or business associate. Health data might go into an employee’s permanent file, or it may be shared with other departments for unspecified uses. We’ve already seen the Trump administration use medical records for unrelated purposes like immigration enforcement.

Finally, OPM has proven to be a poor steward of people’s data. It was subject to an unprecedented data breach in 2015 where the sensitive information of 21.5 million people was compromised. This breach remains one of the largest thefts of federal data and included Social Security numbers and biometric data like fingerprints, along with health, criminal, and financial histories. The threat of breaches has not diminished either. We’ve recently seen government agencies mishandle data, and cyberattacks on the FBI, global infrastructure, and even toy companies. OPM’s plan will create a new trove of very sensitive personal data that can become the target of malicious actors.

The ICR has caught the attention and scrutiny of industry, lawmakers, and privacy advocates. We urge OPM to abandon this effort and, in the meantime, privacy-minded advocates to push back against this proposal. Otherwise, federal employees may find their government employer standing between them and their doctor.
