April 8, 2026

Office of Personnel Management demanded prescription and diagnosis records for 8 million federal workers

KFF Health News
CNN
Democracy Forward
Federal Register
Fedscoop

Sixty-five insurers were ordered to hand over every federal employee's prescriptions, diagnoses, and claims going back years

On December 12, 2025, OPM Director Scott Kupor's agency , ordering all 65 Federal Employees Health Benefits and Postal Service Health Benefits insurers to submit monthly identifiable health records for every enrolled member. The notice asks carriers to furnish medical claims with diagnoses and treatments, pharmacy claims showing which prescriptions people fill, encounter data, and provider records. It doesn't require insurers to redact names, birth dates, or other personal identifiers before submitting the data.

OPM claims authority under HIPAA section 45 CFR 164.512(d)(1), the exception allowing disclosures to "health oversight agencies," but doesn't explain what specific oversight purpose requires unredacted health records on millions of Americans. Jodi Daniel, a partner at Wilson Sonsini who at HHS, said the notice "seems quite broad and encompasses potentially a lot of information and data and is sort of light on justification." She wrote the rules OPM is now using as cover.

The plans cover , including active federal civil servants, retirees, retired members of Congress, US Postal Service employees, mail carriers, and all of their immediate families. The 65 insurers include major carriers like CVS Health, which owns Aetna, United Healthcare, and Blue Cross plans. The Association of Federal Health Organizations represents all 65 carriers.

HIPAA's "minimum necessary" standard requires agencies to limit data collection to what's specifically needed for an articulated purpose. OPM's notice doesn't state a specific purpose. Jodi Daniel, one of the nation's first digital health lawyers, said the language "encompasses potentially a lot of information." That gap is what insurers and privacy experts have identified as the core legal problem with the request.

CVS Health executive Melissa Schulman arguing that "OPM's request raises substantial HIPAA compliance issues." Schulman said federal law allows OPM to "examine records but not to collect data" and warned that providing personal health information for OPM's "vague and broad general purposes" would break federal law. She said insurers could face liability if "consumer health information is inappropriately shared and outside of our control."

Kari Parsons, chair of the Association of Federal Health Organizations, led filed before the February 10, 2026 deadline. Parsons argued that federal law requires carriers to furnish "reasonable reports OPM determines to be necessary," not individual-level claims data with personal identifiers attached. AFHO represents all 65 carriers whose compliance is at stake.

OPM that prompted the same HIPAA objections from insurers. After years of negotiations, OPM and carriers discussed but never finalized a 2019 agreement for carriers to share de-identified data. The December 2025 notice is a significant escalation. It moves from voluntary, negotiated collection of anonymized data to a formal, mandatory monthly reporting requirement for identifiable health records across all 65 carriers simultaneously.

OPM already operates a Health Claims Data Warehouse containing medical claims, pharmacy information, enrollment data, and provider records for FEHB enrollees. The legal basis for the warehouse's data collection has never been publicly clarified. The new notice would dramatically expand what has been an informal system into a formalized monthly pipeline of unredacted personal health data.

Privacy experts raised alarms about potential misuse, particularly in the context of the Trump administration's mass federal layoffs. With federal employment down 355,000 from its October 2024 peak — an 11.8 percent decline confirmed by — identifiable health data could be used to flag employees based on medical conditions, mental health treatment, or prescriptions. OPM's 2015 data breach, attributed to Chinese government hackers, personnel and security clearance records.

Civil Service Strong, a Democracy Forward project, arguing the request violates both HIPAA's minimum necessary standard and the Privacy Act of 1974's requirement that agencies maintain only information "relevant or necessary" to a stated purpose. Their analysis found OPM provided no assurance it won't share collected health data with other agencies. Separately, a federal court allowed a Privacy Act lawsuit against DOGE and OPM to advance to discovery in early 2026, over DOGE personnel's access to OPM systems.

KFF Health News , reporting on a Federal Register notice that had been publicly available for four months without congressional comment. The House Oversight Committee, chaired by Rep. James Comer (R-KY), and the Senate Homeland Security and Governmental Affairs Committee both have jurisdiction over OPM and the authority to demand answers about the agency's legal justification and data security plans. Neither committee had scheduled a hearing on the notice as of April 8.

The administration has separately reclassified civil servants to make them easier to fire, eliminated diversity offices, conducted mass layoffs across federal agencies, and, through DOGE, accessed federal employee databases in ways courts have found raise Privacy Act concerns. Michael Martinez, a senior counsel at Democracy Forward who formerly worked at OPM, noted those actions alongside the new medical records request in formal comments, writing that an OPM with access to health data, workforce data, and disciplinary authority over 8 million employees would hold an unprecedented concentration of personal information about the federal workforce.

Scott Kupor became OPM director on July 14, 2025, after serving as managing partner at the venture capital firm Andreessen Horowitz. During his Senate confirmation hearing, and data protection practices at OPM and told senators worried about DOGE's access to federal records that he'd protect workers' data. He said DOGE workers weren't currently accessing OPM systems. Five months later, his agency published the Federal Register notice demanding identifiable medical records from 65 insurers for more than 8 million people.

Kupor's agency hasn't published a final rule since the comment period closed February 10, 2026. It hasn't withdrawn the notice either. That leaves 65 insurance companies waiting to find out whether they'll be legally required to hand over millions of Americans' unredacted medical histories to the same agency that lost 22 million personnel files to hackers a decade ago.

OPM says it needs the data to oversee FEHB and PSHB plans and control costs — but that stated rationale appears nowhere in the Federal Register notice itself. The notice was filed as a , a lighter regulatory process that doesn't require the formal notice-and-comment rulemaking that major agency rules demand. That procedural choice let the request advance with less public scrutiny than a standard rulemaking would have triggered.

Michael Martinez, a senior counsel at Democracy Forward who formerly worked at OPM, raised a specific concern about which employees the data could target. He said: "You can anticipate a scenario where this information on 8 million Americans is now in the hands of OPM and there's a real concern of how they use it." Martinez specifically flagged workers who sought abortions and those who received transgender medical care — two categories the Trump administration has separately moved to restrict. Sharona Hoffman, a health law professor at Case Western Reserve University, that encounter data could give OPM access to "anything and everything," including doctor's notes and after-visit summaries, and warned the agency could use the information "to discipline or target people who are not cooperating politically."

🏛️ Government ✊ Civil Rights 🔒 Digital Rights 🏥 Public Health

People, bills, and sources

Jodi Daniel

Partner, Wilson Sonsini Goodrich & Rosati; former HHS digital health policy lead

Melissa Schulman

Executive, CVS Health

Kari Parsons

Chair, Association of Federal Health Organizations

Scott Kupor

Director, Office of Personnel Management (sworn in July 14, 2025); former managing partner, Andreessen Horowitz

Civil Service Strong / Democracy Forward

Watchdog organization; Democracy Forward project

Rep. James Comer

Chair, House Oversight Committee (R-KY)

Sharona Hoffman

Health law professor, Case Western Reserve University School of Law

Michael Martinez

Senior Counsel, Democracy Forward; former OPM employee

Jonathan Foley

Former OPM employee

What you can do

1

civic action

Contact your representative about OPM's health data collection

The House Oversight Committee has jurisdiction over OPM. Members need to know constituents are concerned about the government collecting identifiable medical records of 8 million people.

I'm calling about a Federal Register notice from OPM that would require 65 insurance companies to provide identifiable medical records, including prescriptions and diagnoses, for 8 million federal workers and their families. OPM suffered a massive data breach in 2015 affecting 22 million people. I want Representative [Name] to demand answers from OPM about how this data will be protected and what legal authority they have to collect it.

2

civic action

Submit a FOIA request to OPM about the health data collection program

OPM's notice was published in the Federal Register but received little public attention for four months. Freedom of Information Act requests can reveal internal communications about the program's purpose.

I am submitting a Freedom of Information Act request for the following records: all internal communications between OPM leadership and the White House regarding Federal Register notice 3206-NEW, published December 12, 2025, requiring federal health insurers to submit identifiable medical records for FEHB and PSHB enrollees. I am also requesting all legal opinions or memoranda prepared by OPM's Office of General Counsel regarding the agency's HIPAA authority for this collection. Please provide responsive records within the statutory 20-business-day period.

3

civic action

If you're a federal employee, learn about your privacy rights under the Privacy Act

The Privacy Act of 1974 gives federal employees rights to access records about themselves, know about disclosures, and amend inaccurate records. Understanding these rights is critical if OPM begins collecting identifiable health data.

Hello, I am a federal employee calling about my rights under the Privacy Act of 1974 in connection with OPM's December 2025 Federal Register notice requiring health insurers to submit my identifiable medical records to OPM. I would like to know: what specific records OPM currently holds about me, whether my health data will be shared with other agencies including DOGE-affiliated offices, and what security safeguards will protect that data given OPM's 2015 breach affecting 22 million people. I am invoking my right under 5 U.S.C. § 552a to access and amend records about myself.