The proposed rule that the Office of Personnel Management (OPM) issued late last year has generated a strong response since it became publicized recently. Lawmakers in both the House and Senate have urged OPM to drop the proposal, and there were also six public comments submitted on the proposal itself.
The dominant theme across the majority of the comments submitted on the proposed rule is a profound concern over the Health Insurance Portability and Accountability Act (HIPAA) and the protection of Personally Identifiable Information (PII). Multiple stakeholders—ranging from major health insurance carriers to civil rights advocacy groups—warned that OPM’s request for granular, monthly medical and pharmacy claims data lacks the necessary guardrails.
While some commenters acknowledged that analyzing claims data could theoretically help OPM manage costs and improve program quality, almost all respondents fundamentally questioned OPM’s capability to secure such an unprecedented volume of sensitive information.
Details of Individual Comments Submitted
CVS Health
CVS Health, which participates in the FEHB and PSHB programs through Aetna, submitted a strong objection to the proposed rule.
Melissa Schulman, Senior Vice President of Government & Public Affairs at CVS Health, argued that the sweeping access to personal health information sought by OPM raises substantial HIPAA compliance issues. CVS emphasized that federal law strictly regulates how protected health information can be disclosed, and mass, centralized access to identifiable medical records lacks a valid statutory basis.
Furthermore, CVS warned that providing provider-level data could expose proprietary and confidential contracted rates. Ultimately, CVS Health urged OPM not to proceed, suggesting instead that OPM convene a stakeholder workgroup to establish a framework for aggregated, de-identified reporting that protects both privacy and proprietary information.
Association of Federal Health Organizations (AFHO)
The Association of Federal Health Organizations (AFHO), a trade association representing carriers that cover approximately 90% of FEHB and PSHB enrollees and their families, echoed CVS Health’s severe reservations.
AFHO emphasized that its members act as the primary HIPAA-covered entities for these plans and are legally bound to protect patient data. AFHO indicated that OPM’s extremely broad request for medical claims, pharmacy claims, and encounter data raises significant HIPAA privacy and security rule compliance concerns.
AFHO said it was concerned about sharing the de-identified claims data directly with OPM and instead recommended two alternatives:
- OPM can use CMS’s edge server system to query data from Affordable Care Act plans, ensuring data remains with carriers and eliminating re-identification risk.
- Contracting with HCCI, a HIPAA and anti-trust compliant organization with 15 years of experience in translating raw data into actionable insights.
Civil Service Strong (CSS)
Civil Service Strong, a project of the Democracy Forward Foundation, submitted a forceful condemnation of the rule, urging OPM to abandon it entirely.
CSS argued that the proposal is “woefully insufficient” because it fails to explain both how OPM plans to use the highly sensitive data and how it will safeguard it. Most notably, CSS contextualized its opposition within the current political climate, asserting that the Trump administration has demonstrated a “disdain for civil servants and a pattern of abusing sensitive data.” CSS warned that without proper firewalls, the administration could easily weaponize federal employees’ own medical data against them for retaliatory employment actions.
Jonathan Foley
Jonathan Foley, a former OPM employee who served as an advisor on the FEHB program, provided a nuanced perspective in comments he submitted. While he acknowledged that collecting service use and cost data could genuinely enhance OPM’s oversight abilities, he stressed that OPM is still legally obligated by HIPAA to collect only the “minimum necessary” data.
Foley expressed skepticism regarding OPM’s ability to securely manage a massive database of Protected Health Information (PHI), citing the agency’s history with data breaches. To mitigate these risks, Foley suggested an alternative approach: rather than OPM collecting the data directly, trusted third-party “Qualified Entities” certified by CMS should manage the database. This would allow OPM to access de-identified data for analysis while keeping sensitive PHI out of direct federal hands.
Health Care Cost Institute (HCCI)
The Health Care Cost Institute (HCCI), an independent non-profit focused on health care analytics, submitted the most supportive comment among the group. HCCI praised OPM’s interest in leveraging data to understand health care delivery, lower costs, and improve quality.
Drawing on its own extensive background in managing secure claims data and creating price transparency tools, HCCI argued that rigorous analytics are essential for modern health benefits management. Rather than opposing the rule, HCCI offered its expertise, expressing excitement at the prospect of partnering with OPM to build the technical data infrastructure needed to securely ingest and analyze the claims data to improve FEHB and PSHB performance.
Details of OPM’s Proposed Rule
In December 2025, the Office of Personnel Management posted an Information Collection Request (ICR) that, if finalized, would drastically alter the federal government’s access to the medical histories of its workforce.
The proposed rule would require the 65 insurance carriers participating in the FEHB and PSHB programs to submit detailed monthly reports to OPM. These reports would contain granular health data on federal employees and retirees, including current and former USPS employees. These are the types of data OPM is seeking from carriers:
- Detailed medical claims data
- Pharmacy claims, including drug utilization
- Encounter and provider data
- Manufacturer rebate information (quarterly)
- Monthly claims-level reporting
OPM maintains that under HIPAA, health oversight agencies are legally permitted to collect this type of protected health information to properly manage and audit government-sponsored health benefit programs. It says having the data will help with things such as reining in ballooning healthcare costs, strengthening FEHB oversight and auditing, and comparing performance across insurance carriers.
However, as the comments above indicated, the proposal has been controversial. House Democrats, alongside several Senators, have loudly sounded the alarm, demanding that OPM and the Office of Management and Budget (OMB) immediately halt the plan. Lawmakers and legal experts warn that compiling a centralized database of identifiable medical records on 8 million Americans creates an unprecedented privacy risk.
This fear is compounded by two major factors.
First, critics point to OPM’s spotty track record with cybersecurity, most notably the devastating 2015 data breach that compromised the records of over 22 million people.
Second, lawmakers are concerned about political weaponization. Congressional Democrats argue that the current administration could misuse this centralized health data to identify, target, or discipline federal employees who have sought out specific medical treatments that conflict with the administration’s political agenda, such as abortion care, gender-affirming care, or in vitro fertilization (IVF). Consequently, the rule has transformed from a routine data request into a major flashpoint over federal overreach, employee privacy, and partisan retribution.
