The Trump administration is quietly searching for unprecedented entry to medical records for thousands and thousands of federal staff and retirees, and their households.
A brief notice from the Office of Personnel Management may dramatically change which personally identifiable medical info the agency obtains, giving it the ability to see prescriptions workers had crammed or what therapy they sought from medical doctors. The regulation would require 65 insurance coverage firms that cowl greater than 8 million Americans — together with federal staff, retired members of Congress, mail carriers, and their quick relations — to supply month-to-month studies to OPM with identifiable well being information on their members.
The proposal is prompting unease from insurers in addition to well being coverage and authorized consultants, who’re involved concerning the legality of OPM buying such a sweeping database of delicate well being info, and the agency’s skill to safeguard it.
OPM may use the information to investigate prices and enhance the system, mentioned Sharona Hoffman, a well being legislation ethicist at Case Western Reserve University in Ohio.
“But,” she mentioned, “they are going to get very, very detailed and granular data about everything that happens. The concern here is the more information they have, they could use it to discipline or target people who are not cooperating politically.”
OPM spokespeople didn’t reply to repeated requests for remark. The agency’s discover asks insurers that supply Federal Employees Health Benefits or Postal Service Health Benefits plans to furnish “service use and cost data,” together with “medical claims, pharmacy claims, encounter data, and provider data.” It says the information will “ensure they provide competitive, quality, and affordable plans.”
The discover, posted and despatched to insurers in December, doesn’t instruct them to redact figuring out info — a burdensome course of that they would want federal steerage to finish.
Instead, it states that insurers are legally permitted to reveal “protected health information” to OPM. Several consultants in well being coverage and legislation consulted by KFF Health News mentioned they interpreted the request to imply the Trump administration was searching for identifiable information.
The ask comes a yr right into a Republican administration that has been outlined by haphazard mass layoffs and firings of hundreds of federal staff, including dozens who say they were targeted in acts of political retaliation or for not embracing the White House’s agenda. Under President Donald Trump, the federal government has additionally routinely examined the authorized bounds of sharing delicate and personally identifiable tax or health information throughout authorities businesses in its efforts to hold out mass immigration arrests or pursue establish fraud.
“You can anticipate a scenario where this information on 8 million Americans is now in the hands of OPM and there’s a real concern of how they use it,” mentioned Michael Martinez, senior counsel at Democracy Forward, an advocacy group that filed a public remark opposing OPM’s proposal in February. Martinez beforehand labored at OPM.
“They’ve given no information about how they would treat that information once they have it,” he mentioned.
Among Martinez’s considerations is how the administration would possibly use details about workers who’ve sought abortions — 41 states have some sort of abortion ban — or transgender therapy, medical care that the Trump administration has tried to curb.
The American Federation of Government Employees, the most important union representing federal staff, didn’t reply to requests for remark.
Martinez and others who reviewed the discover for KFF Health News mentioned the proposal was so obscure that they have been unsure, precisely, what medical records OPM desires to entry.
At the very least, they mentioned, the proposal would enable the agency to entry the medical and pharmaceutical claims of sufferers with their figuring out info, similar to names and delivery dates. Claims information additionally contains diagnoses, therapies, go to size, and supplier info.
OPM’s request to view “encounter data” may enable the agency to take a look at “anything and everything,” Hoffman famous.
That may embody detailed medical records, similar to a physician’s notes or after-visit summaries.
Jonathan Foley, who labored at OPM advising on the Federal Employees Health Benefits program through the Obama and Biden administrations, mentioned he doubts the agency has the aptitude to ingest such trivialities.
The agency, nonetheless, may simply start assortment of personally identifiable medical and pharmaceutical claims info from insurers, he mentioned.
Foley mentioned he sees a profit to OPM having broader entry to de-identified claims information. In current years, OPM has ramped up its evaluation of claims information, which has allowed it to look at prescription drug prices and encourage plans to supply federal staff cheaper options. He’s anxious, although, that the Trump administration’s proposal goes too far, as a result of it seems to hunt identifiable information.
“It’s kind of shocking to think of them having protected health information without having strict guardrails,” he mentioned.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, requires sure organizations that preserve identifiable well being info — similar to hospitals and insurers — to guard it from being disclosed with out affected person consent.
Those entities can disclose such info with out consent solely in particular situations, with a justification that it is deemed “reasonable” or “necessary.” Even then, HIPAA mandates that they supply solely the minimal quantity of knowledge required.
OPM argues in its discover that it is entitled to the knowledge from insurers “for oversight activities.”
But a number of individuals who reviewed the discover questioned whether or not OPM’s rationalization for requesting the knowledge is ample.
“The language in it seems quite broad and encompasses potentially a lot of information and data and is sort of light on justification,” mentioned Jodi Daniel, a digital well being strategist who helped develop the authorized framework for HIPAA privateness guidelines over 20 years in the past.
Several main insurers that supply federal worker well being plans — together with the Blue Cross Blue Shield Association, Kaiser Permanente, and UnitedHealthcare — declined to touch upon their plans to adjust to the discover or provide perception on the place plans to implement the information sharing stood.
Only one insurer individually weighed in with a public touch upon OPM’s plan. In March, CVS Health government Melissa Schulman urged the federal agency to rethink its proposal.
“OPM’s request raises substantial HIPAA compliance issues,” Schulman wrote, arguing that federal legislation permits the agency to look at records however to not accumulate information. Insurers could be breaking the legislation by offering private well being info for OPM’s “vague and broad general purposes,” she added.
Schulman, who didn’t reply to extra questions from KFF Health News, additionally raised considerations a few lack of information privateness protections. She famous that insurers might be liable for safety breaches or different conditions “where consumer health information is inappropriately shared and outside of our control.”
In 2015, OPM introduced the non-public records of roughly 22 million Americans had been stolen from the agency in an information breach that has been blamed on the Chinese authorities.
The Association of Federal Health Organizations, which represents CVS Health and dozens of different federal well being plan carriers, additionally weighed in with a 122-page remark opposing the discover. In it, AFHO Chair Kari Parsons emphasised that insurance coverage carriers are sure by HIPAA to safeguard private well being info.
Federal legislation requires carriers “to furnish ‘reasonable reports’ OPM determines to be necessary,” Parsons wrote, “not to furnish the individual claims data of every individual.”
This isn’t the primary time OPM has requested detailed information from insurers. In the AFHO remark, Parsons famous OPM had made the same proposal in 2010, prompting HIPAA considerations. She described how, after a number of years of negotiations with AFHO, they mentioned — however OPM by no means finalized — an settlement in 2019 for carriers to share de-identified information with OPM.
But since then, Parsons wrote, OPM has collected such detailed info on enrollees and their households that, with OPM’s new request, the agency could possibly hint even de-identified records to people.
OPM has not supplied any replace since closing feedback in March. The agency would want to publish a last determination earlier than something formally modifications.