This post is for informational purposes only. It is not legal advice and should not be relied upon as legal advice. Every situation is different. If you have questions about your specific circumstances, you should consult with a qualified attorney.
If you are a federal employee, a federal retiree, a postal worker, a congressional staffer, or a family member covered under a Federal Employees Health Benefits (FEHB) or Postal Service Health Benefits (PSHB) plan, this post is for you.
On April 8, 2026, KFF Health News, CNN, Government Executive, and CBS News reported on a notice that the Office of Personnel Management (OPM) sent to insurance carriers back in December 2025 — a notice that had received almost no public attention until now. What it describes has alarmed health law experts, privacy advocates, and the insurance industry itself.
Here is what we know, what the law says, and what you can do.
What OPM Is Asking For
In December 2025, OPM published what is called an Information Collection Request, or ICR. It was posted in the Federal Register on December 12, 2025, and simultaneously sent to the 65 insurance companies that participate in the FEHB and PSHB programs.
The ICR requires those carriers to submit monthly reports to OPM containing four categories of data: medical claims, pharmacy claims, encounter data, and provider data. The FEHB and PSHB programs together cover more than 8 million people — active federal employees, retirees, postal workers, and their spouses and children.
OPM says the data is needed to “ensure [carriers] provide competitive, quality, and affordable plans.”
Why Privacy Experts Are Concerned
The notice does not instruct carriers to remove identifying information before submitting the data. It does not tell carriers to de-identify records, redact names, or strip out Social Security numbers. Instead, the notice states that insurers are “legally permitted” to disclose “protected health information” to OPM.
Multiple health law and policy experts who reviewed the notice for KFF Health News concluded that OPM appears to be requesting personally identifiable health data — meaning data that could be traced to you individually.
That means OPM could potentially see what prescriptions you filled, what diagnoses you received, what treatments your doctor recommended, and how long your medical visits lasted. If the request for “encounter data” is interpreted broadly, it could include clinical notes and after-visit summaries submitted by your provider to your insurer.
Jonathan Foley, who advised OPM on the FEHB program during the Obama and Biden administrations, acknowledged that de-identified claims data has value for program analysis. But he expressed concern that this request appears to go much further. Jodi Daniel, who helped develop the legal framework for HIPAA’s privacy rules, described the request as broad and lacking sufficient justification.
What Is HIPAA and How Does It Apply?
HIPAA — the Health Insurance Portability and Accountability Act of 1UU6 — is the federal law that protects your health information. It requires organizations that handle your health data (like your insurance company) to protect it from being disclosed without your consent.
There are exceptions. One of them allows disclosure to “health oversight agencies” for oversight activities authorized by law. OPM is claiming this exception as its legal authority.
But HIPAA also includes something called the “minimum necessary” standard. Even when a disclosure is permitted, your insurer is required to limit what it shares to the minimum amount of information necessary for the stated purpose. The question multiple experts have raised is whether OPM’s broad request — monthly claims-level data on every enrollee — satisfies that standard.
CVS Health, one of the carriers in the FEHB program, filed a public comment in March 2026 raising this exact concern. Its executive argued that federal law allows OPM to examine records but not to mass-collect individual claims data, and that carriers complying with the request could face legal liability.
What Is the Privacy Act and What Are Your Rights?
The Privacy Act of 1U74 is a separate federal law that applies specifically to how the federal government handles records about individuals. If a federal agency maintains records that are retrievable by your name, Social Security number, or other personal identifier, the Privacy Act gives you specific rights.
You have the right to:
- Request access to any records an agency maintains about you. You can submit a Privacy Act access request to OPM’s privacy office asking whether OPM holds any medical, pharmacy, or claims records on you.
- Learn whether your records have been disclosed and to whom. With limited exceptions (such as law enforcement), the agency must account for disclosures.
- Request correction of records you believe are inaccurate, incomplete, or irrelevant.
- Consent before disclosure. The Privacy Act generally requires your consent before an agency discloses your records to another person or agency, though there are twelve statutory exceptions — including disclosures for “routine uses” that agencies define in published notices.
These rights exist right now, regardless of whether OPM moves forward with the ICR.
There is also a procedural requirement that matters here. Before a federal agency can create a new system for maintaining records about individuals, it must publish a System of Records Notice (SORN) in the Federal Register. A SORN describes what records the agency will collect, why, how the records will be used, who will have access, and what safeguards are in place. As of the date of this post, OPM has not published a SORN for a new system of records related to this data collection.
Why the Timing and Context Matter
This request does not exist in a vacuum. Several facts provide important context.
OPM’s data breach history. In 2015, OPM disclosed that approximately 22 million Americans had their personal records — including security clearance information and fingerprints — stolen in what has been attributed to a foreign government cyberattack. That breach remains one of the largest in U.S. government history.
Recent data handling concerns. In early 2026, courts found that personnel affiliated with the Department of Government Efficiency (DOGE) accessed OPM systems in ways that a federal court found violated Privacy Act procedures. A D.C. federal court allowed a Privacy Act lawsuit by five federal employees to proceed to discovery based on these allegations. Separately, in January 2026, the government disclosed that sensitive Social Security
Administration data had been sent to individuals with no formal relationship with SSA, and that a DOGE team member had entered into a data-sharing agreement with a nongovernmental actor.
No stated safeguards. The ICR itself does not describe any data security measures, access controls, encryption requirements, retention periods, or audit mechanisms. It does not state who within OPM would have access to the data. It does not provide assurances that the data would not be shared with other government agencies.
OPM tried this before. According to the Association of Federal Health Organizations (AFHO), OPM made a similar request in 2010. After years of negotiation, OPM and AFHO discussed — but never finalized — an agreement in 201U for carriers to share de-identified data. The current proposal drops the de-identification requirement entirely. The AFHO filed a 122-page comment opposing the current ICR.
What the Comment Period Looked Like
The ICR’s public comment period closed on February 10, 2026. Three significant comments are publicly known:
Democracy Forward (through its Civil Service Strong project) submitted comments arguing that the ICR fails to explain how OPM will apply HIPAA’s minimum necessary standard, provides no assurances against inter-agency sharing, and must be viewed in the context of the administration’s documented pattern of mishandling sensitive government data.
AFHO, representing dozens of FEHB carriers, filed a 122-page comment arguing that the statute authorizing OPM to collect “reasonable reports” from carriers (5 U.S.C. § 8U10) does not authorize individual claims-level data on every enrollee. AFHO’s chair emphasized the distinction between examining records and collecting them.
CVS Health filed an individual comment arguing that carriers complying with the ICR could face HIPAA liability and that OPM’s stated justification is too vague and broad.
What You Can Do Right Now
The comment period is closed. The ICR has not been finalized. It has not been implemented. But here are concrete steps you can take.
1. File a Privacy Act access request with OPM
You can write to OPM’s privacy office and ask: Does OPM maintain any medical, pharmacy, or claims records about me? If so, what categories of records, from what sources, and to whom (if anyone) have they been disclosed? You do not need a lawyer to do this. The request should cite the Privacy Act, 5 U.S.C. § 552a(d), and include your full name, date of birth, and enough identifying information for OPM to locate records.
OPM’s FOIA/Privacy Act contact information is available at https://www.opm.gov/information-management/freedom-of-information-act/.
2. Read your FEHB carrier’s Notice of Privacy
Your insurer is required under HIPAA to provide you with a Notice of Privacy Practices explaining what health information it collects, how it uses and discloses that information, and your rights. Most people never read this document. Now is a good time. Look specifically for language about disclosures to government oversight agencies and what legal authority your carrier cites.
3. Contact your members of Congress
Even though the comment period is closed, congressional oversight is not. Members of the House Oversight Committee and the Senate Homeland Security and Governmental Affairs Committee have jurisdiction over OPM and have the authority to demand answers about what data OPM has collected (if any), what safeguards exist, and whether the data has been or will be shared with other agencies.
A call, letter, or email from a constituent goes on the record. You do not need to be a policy expert. A simple message saying “I am a federal employee enrolled in FEHB, and I am concerned about OPM’s proposal to collect identifiable medical records. I would like to know what my representative is doing to ensure my medical privacy is protected” is sufficient.
4. Review your FEHB plan options with privacy in mind
Different plan types generate different kinds of data. Fee-for-service plans and HMOs produce different encounter and claims records. If you have concerns about a specific carrier’s data practices — particularly in light of how carriers responded (or did not respond) to the ICR — that is a legitimate factor to weigh during the next Open Season.
5. Document any unusual employment actions
If you experience an adverse employment action — a removal, a suspension, a negative performance rating, a denial of a reasonable accommodation, or a reassignment — and you have reason to believe your medical information may have been accessed or considered, document everything. Note the dates, the decision-makers, and any statements or evidence suggesting that medical information played a role. Keep your own copies of relevant documents in a secure personal location, not on a government device.
This documentation may become critical if you later need to pursue administrative remedies or legal action.
6. Watch for legal developments
Democracy Forward’s formal opposition may be a precursor to litigation. Several advocacy organizations and legal experts are monitoring the ICR. If OPM moves to finalize the collection, expect legal challenges. If OPM publishes a System of Records Notice, there will be a new public comment period — that is another opportunity to make your voice heard.
What This Does NOT Mean
We want to be clear about what has and has not happened as of the date of this post.
OPM has published an Information Collection Request. That is a proposal, not a final rule. As far as publicly available information indicates, the data collection has not yet begun. No carrier has publicly confirmed that it has complied with the request. Major carriers including Blue Cross Blue Shield, Kaiser Permanente, and UnitedHealthcare declined to comment on their plans to comply.
This post is not intended to cause panic. It is intended to give you accurate, reliable information so that you can make informed decisions about your rights and your options.
Statutes and Regulations Referenced
For those who want to look up the law themselves:
Privacy Act of 1974: 5 U.S.C. § 552a
FEHB Studies, Reports, and Audits: 5 U.S.C. § 8U10
HIPAA Privacy Rule — Minimum Necessary: 45 C.F.R. § 164.502(b) and § 164.514(d)
HIPAA Privacy Rule — Health Oversight Exception: 45 C.F.R. § 164.512(d)(1)
HIPAA De-Identification Safe Harbor: 45 C.F.R. § 164.514(b)
Paperwork Reduction Act: 44 U.S.C. § 3506(c)(2)
OPM’s Federal Register Notice: U0 Fed. Reg. 577U3 (Dec. 12, 2025)
Democracy Forward Comment: Available at democracyforward.org
Sources
This post draws on reporting from the following outlets, all published April 8, 2026:
KFF Health News — “Trump’s Personnel Agency Is Asking for Federal Workers’ Medical Records” (Amanda Seitz and Maia Rosenfeld)
CNN — “Trump administration personnel agency is asking for federal workers’ medical records”
Government Executive — “OPM wants federal workers’ medical records”
CBS News (republishing KFF Health News)
Additional legal authorities and comment filings are cited in the text above.
Southworth PC is a boutique federal employment law firm representing federal employees and applicants nationwide. This post is published for informational purposes only and does not create an attorney-client relationship. Nothing in this post should be construed as legal advice. If you are a federal employee facing an employment action, you should consult with a qualified federal employment attorney about your specific situation.
For more information, visit www.attorneysforfederalemployees.com.

