Trump Administration’s Controversial Push for Federal Workers’ Medical Records Raises Privacy Alarms

An Unprecedented Data Collection Effort

In a move that has sparked serious concerns among privacy advocates, healthcare experts, and insurance companies, the Trump administration is quietly attempting to gain access to the medical records of millions of Americans connected to the federal government. Through a brief notice issued by the Office of Personnel Management (OPM), the administration is proposing a dramatic shift in how much personal medical information it can collect from federal employees, retirees, former members of Congress, postal workers, and their immediate families. The proposal would require 65 insurance companies covering more than 8 million Americans to submit monthly reports containing identifiable health data to OPM. This information could include everything from prescriptions filled at pharmacies to specific treatments received from doctors, diagnoses, visit lengths, and detailed provider information. What makes this particularly alarming to critics is the scope and granularity of the data being requested, combined with the lack of clear safeguards about how this sensitive information would be protected and used once collected by the federal agency.

Legal Questions and HIPAA Concerns

The proposal has raised significant legal questions, particularly regarding compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires organizations handling identifiable health information to protect it from unauthorized disclosure. While OPM claims it is entitled to this information “for oversight activities,” health policy and legal experts are questioning whether this justification is sufficient under HIPAA’s strict requirements. The law permits disclosure of protected health information without patient consent only in specific scenarios where it’s deemed “reasonable” or “necessary,” and even then, requires providing only the minimum amount of information required. Jodi Daniel, a digital health strategist who helped develop the legal framework for HIPAA privacy rules over two decades ago, noted that the language in OPM’s notice “seems quite broad and encompasses potentially a lot of information and data and is sort of light on justification.” CVS Health executive Melissa Schulman went further in her public comment, arguing that insurers would actually be breaking the law by providing personal health information for OPM’s “vague and broad general purposes.” The notice notably does not instruct insurers to redact identifying information—a burdensome process that would require federal guidance—but instead simply states that insurers are legally permitted to disclose “protected health information” to OPM, a claim that many experts dispute.

Potential for Political Targeting and Misuse

Perhaps the most troubling aspect of this proposal is its emergence during an administration characterized by mass layoffs and firings of federal workers, including dozens who claim they were targeted for political retaliation or for not embracing the White House’s agenda. Sharona Hoffman, a health law ethicist at Case Western Reserve University, acknowledged that OPM could legitimately use such data to analyze costs and improve the federal health system, but she warned: “The concern here is the more information they have, they could use it to discipline or target people who are not cooperating politically.” Michael Martinez, senior counsel at Democracy Forward and a former OPM employee, expressed particular concern about how the administration might use information about employees who have sought abortions—especially given that 41 states have some type of abortion ban—or transgender medical care, which the Trump administration has actively tried to restrict. Under President Trump, the government has repeatedly tested legal boundaries by sharing sensitive and personally identifiable tax or health information across agencies in its efforts to carry out mass immigration arrests or pursue identity fraud cases. This track record amplifies concerns about how expansive medical data on 8 million Americans might be used if it falls into OPM’s hands without clear protections or oversight.

Industry Pushback and Security Vulnerabilities

The proposal has prompted significant resistance from insurance companies and industry organizations that would be required to hand over this sensitive information. The Association of Federal Health Organizations (AFHO), which represents CVS Health and dozens of other federal health plan carriers, submitted a 122-page comment opposing the notice. AFHO Chair Kari Parsons emphasized that while federal law requires carriers “to furnish ‘reasonable reports’ OPM determines to be necessary,” it does not require them “to furnish the individual claims data of every individual.” Several major insurers offering federal employee health plans—including the Blue Cross Blue Shield Association, Kaiser Permanente, and UnitedHealthcare—declined to comment on their plans to comply, suggesting the industry remains deeply uncertain about how to respond. Insurers are particularly concerned about liability issues, as Melissa Schulman noted they could be held responsible for security breaches or situations “where consumer health information is inappropriately shared and outside of our control.” These concerns are not theoretical—in 2015, OPM announced that personal records of roughly 22 million Americans had been stolen from the agency in a massive data breach attributed to the Chinese government. This history raises serious questions about OPM’s ability to safeguard the vast trove of sensitive medical information it now seeks to collect.

A Troubling Pattern of Expanding Data Collection

This isn’t the first time OPM has attempted to obtain detailed data from insurers, but previous efforts followed a more cautious and collaborative approach. According to the AFHO comment, OPM made a similar proposal in 2010 that raised HIPAA concerns, leading to several years of negotiations with industry representatives. By 2019, they had discussed—though never finalized—an agreement for carriers to share de-identified data with OPM, which would remove personally identifying information from the records. However, Parsons noted that since then, OPM has collected such detailed information on enrollees and their families that the agency may now be able to trace even supposedly de-identified records back to specific individuals. Jonathan Foley, who advised on the Federal Employees Health Benefits program during the Obama and Biden administrations, said he sees value in OPM having broader access to de-identified claims data, which has allowed the agency to examine prescription drug costs and encourage plans to offer federal workers cheaper alternatives. However, he finds the Trump administration’s approach concerning because it appears to seek identifiable data without sufficient justification or safeguards. “It’s kind of shocking to think of them having protected health information without having strict guardrails,” he said, adding that he doubts the agency even has the technical capability to process the most detailed medical records, such as doctor’s notes or after-visit summaries, though it could easily begin collecting personally identifiable medical and pharmaceutical claims information.

Uncertain Future and Unanswered Questions

As of now, the future of this proposal remains unclear, with OPM providing no updates since the comment period closed in March and the agency not responding to repeated requests for comment from journalists. The agency would need to publish a final decision before any changes officially take effect, but the lack of transparency surrounding the process has only deepened concerns among critics. The vagueness of the proposal has left even experienced health policy experts uncertain about exactly what medical records OPM wants to access. At minimum, legal and policy analysts believe the proposal would allow the agency to access medical and pharmaceutical claims of patients along with identifying information such as names and birth dates, as well as diagnoses, treatments, visit lengths, and provider information. OPM’s request to view “encounter data” is particularly ambiguous and could potentially encompass “anything and everything,” according to Hoffman, including the most sensitive details of a person’s medical history. The proposal represents a significant expansion of government surveillance into the private health decisions of millions of Americans who work for or are connected to the federal government, raising fundamental questions about privacy rights, the appropriate scope of government data collection, and the protections that should exist to prevent misuse of sensitive personal information. With the Trump administration’s track record of pushing legal boundaries and targeting perceived political opponents, the stakes of this seemingly bureaucratic notice could have far-reaching implications for civil liberties and the doctor-patient relationship for millions of Americans.