Democratic Senators Urge OPM to Cancel Plan to Collect Federal Workers’ Health Information

The Trump administration’s plan to collect health insurance claims data for all federal employees and retirees has attracted considerable criticism, including from Congressional Democrats, who recently wrote to the Office of Personnel Management (OPM) calling for it to immediately cease all work toward finalizing its plans.

The plan was published in the Federal Register in December 2025, and comments were requested from the public. The comment period closed in February 2026. The plan, which was light on detail, requires the 65 insurers that participate in the Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) programs to submit monthly reports to OPM on service use and cost data.

Currently, more than 8 million Americans receive benefits under those programs. The Trump administration is seeking to slash federal costs; it has targeted research grants and agency budgets and has negotiated lower drug prices. In this case, the data required under the plan is intended to give the government greater visibility into how health insurance plans are used and to ensure competitive, quality, and affordable coverage for federal workers and retirees.

One of the problems with the plan, of which there are several, is the amount of data the government is potentially seeking. In the published plan, “service use and cost data” is stated as including “medical claims, pharmacy claims, encounter data, and provider data,” and there is no mention of the data first being de-identified. Further, anticipating potential criticism, the plan notes that the data requested is protected under HIPAA, and the HIPAA Privacy Rule permits such disclosures.

“The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits covered entities, including carriers, to disclose protected health information (PHI), including service use and cost data, to health oversight agencies, such as OPM, for oversight activities authorized under 45 CFR 165.512(d)(1),” wrote OPM in its information collection request (ICR).

What the ICR does not state is that the minimum necessary standard would apply to disclosures, and it would be difficult for insurers to determine what is necessary, as OPM has failed to state exactly how the data will be used. Such disclosures would therefore carry a considerable compliance risk, if not under the current administration, then certainly under future administrations.

There are also potential security risks, as OPM has not stated how the data will be protected. As pointed out by commenters and Democrats on the House Oversight Committee, OPM has a poor track record for protecting sensitive data, having experienced a massive data breach in 2015 affecting 22 million Americans. What was not mentioned in the letter was that OPM experienced a second massive data breach that year as well. Both were attributed to nation-state espionage by Chinese hacking groups.

“By collecting data currently held by 65 insurance carriers into one database, expanding OPM’s access to employee data to include detailed personal health information would significantly heighten the risk of misuse, unauthorized disclosure, or exploitation by bad actors,” wrote the House Democrats in the letter. They also warned that disclosing the information to OPM may violate HIPAA, and the data could potentially be used to target federal employees for political purposes.

Another letter was sent to OPM Director Scott Kupor by Senators Mark Warner (D-VA) and Adam Schiff (D-CA), expressing “grave concern” over the ICR. “According to the notice, this effort would involve the widespread aggregation of these individuals’ health data, including medical visits, prescriptions, and treatment histories. This proposal raises profound statutory, constitutional, and public health concerns,” wrote the senators.

“The risks of misuse of the data to be shared in OPM’s proposal and subsequent data breaches cannot be overstated, as large, centralized databases of health records are prime targets for cyberattacks and unauthorized access,” explained the senators. The senators also expressed deep concern about the potential for secondary uses of the data, or mission creep, and about the inability to protect sensitive data over the past 12 months, including the improper storage and theft of data by DOGE employees. “This administration has demonstrated a cavalier approach toward utilizing sensitive data, breaking down firewalls that work to protect individuals’ privacy and security, and an incompetence in protecting that data.”

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/