OPM Wants Your Medical Records: What Feds Need to Know

Last Updated: April 8, 2026 Reading Time: 7 min

The Office of Personnel Management published a formal request in December 2025 requiring all 65 FEHB health insurance carriers to submit monthly claims-level data on every enrolled federal employee, retiree, and family member. The data includes medical claims, pharmacy records, encounter data, and provider information on more than 8 million people covered by the Federal Employees Health Benefits Program.

The request does not clearly specify whether that data will be de-identified before submission. Privacy advocates say that gap is the whole problem.

Key Takeaways

• OPM's December 2025 Information Collection Request requires 65 FEHB carriers to submit monthly medical claims, pharmacy claims, encounter data, and provider data on 8M+ enrollees.
• The ICR does not state clearly whether the submitted data will be individually identifiable or de-identified, a critical omission that privacy advocates say creates serious risk.
• OPM already operates a Health Claims Data Warehouse with similar data. This request expands and systematizes that collection.
• There is no individual opt-out mechanism. Once enrolled in FEHB, you cannot prevent your insurer from complying.
• Privacy advocates cite the 2015 OPM breach, in which 21.5 million records were stolen by foreign hackers, as evidence that OPM should not be trusted with a new sensitive database without strong safeguards.
• You can file a Privacy Act access request with OPM to see what health records they currently hold on you.

---

What OPM Is Requesting

On December 12, 2025, OPM published a notice in the Federal Register titled "Agency Information Collection Request: Federal Employees Health Benefits and Postal Service Health Benefits Programs Service Use and Cost Data" (reference number 3206-NEW).

The request covers all 65 FEHB and Postal Service Health Benefits Program carriers. It requires:

• Monthly submissions of claims-level data
• Quarterly manufacturer rebate data
• Data types: Medical claims, pharmacy claims, encounter data, and provider data

The FEHB program covers more than 8 million federal employees, retirees, postal workers, and their family members. It is the largest employer-sponsored health insurance program in the country, costing approximately $59 billion in fiscal year 2021.

OPM's stated legal authority is the HIPAA Privacy Rule at 45 CFR 164.512(d)(1), which permits covered entities, such as insurance carriers, to disclose protected health information to health oversight agencies without individual consent for oversight activities.

The comment period closed February 10, 2026.

---

The Data Gap That Has Privacy Advocates Alarmed

The ICR does not state whether the data submitted by carriers will be individually identifiable or de-identified.

That is not a minor technical detail. It determines whether OPM is building a database that links your name, SSN, and medical history, or an aggregate dataset used only for program-level analysis.

Civil Service Strong, a project of Democracy Forward, submitted formal comments on February 10, 2026, specifically targeting this ambiguity. Their analysis found the ICR:

• Fails to explain how OPM will apply HIPAA's "minimum necessary" standard, which requires limiting health data collection to only what is needed for the stated purpose
• Provides no assurances that OPM will not share collected medical data with other federal agencies for purposes unrelated to FEHB administration
• Cites a demonstrated pattern from the current administration of sharing sensitive government data without adequate safeguards

Their filing pointed to January 2026 disclosures that SSA data had been sent to people with no formal relationship with the agency. An OPM request for millions of medical records, with no stated restrictions on what happens to that data afterward, fits the same pattern.

Under the Privacy Act (5 U.S.C. 552a), federal agencies may "maintain in its records only such information about an individual as is relevant or necessary to accomplish a purpose of the agency." Democracy Forward argues OPM's ICR does not meet that standard because it does not adequately justify why claims-level individual data, as opposed to aggregate or de-identified data, is necessary for FEHB oversight.

---

What Data Is Already Held: The Health Claims Data Warehouse

This is not OPM's first health data collection. OPM already operates the Health Claims Data Warehouse (HCDW), which contains medical claims, pharmacy information, enrollment data, and provider records for FEHB enrollees.

The December 2025 ICR represents an expansion: moving from existing, ad hoc collection to a formal, ongoing monthly requirement across all 65 carriers.

The HCDW is governed by OPM's own privacy policies and HIPAA. But the new ICR introduces several concerns that go beyond what the HCDW framework previously addressed, including the lack of clarity on de-identification and the absence of restrictions on inter-agency data sharing.

Here is what is known about the data types involved:

Data Type	What It Includes
Medical claims	Diagnoses, procedures, dates of service, provider, cost
Pharmacy claims	Prescriptions filled, drug names, dosages, refill history
Encounter data	Records of patient-provider interactions, including visits not billed as traditional claims
Provider data	Which providers you see, their specialties, billing codes

Put those four together and you have a detailed medical profile. Pharmacy claims alone can expose chronic conditions, mental health treatment, and reproductive health decisions. That is not routine program oversight data.

---

Why the 2015 OPM Breach Is Impossible to Ignore

In June 2015, OPM disclosed two related breaches that together compromised:

• 4.2 million current and former federal employee personnel records (names, SSNs, employment history)
• 21.5 million background investigation records, including SF-86 forms with mental health history, foreign contacts, financial information, and 5.6 million sets of fingerprints

The attacks were attributed to Chinese state-sponsored hackers. It remains the largest known theft of federal government personnel data.

OPM contracted IDX to provide 10 years of free identity protection to affected individuals. That coverage expires September 30, 2026. If you were enrolled in IDX coverage from the 2015 breach, check your expiration date now.

OPM's security posture in 2015 was bad enough that Chinese state hackers sat inside its systems for more than a year before detection. Adding a new database of medical records to that same agency, without any public accounting of what has changed, is the specific concern advocates are raising. Not the idea of oversight data in general. The idea of OPM holding it.

The 2025-2026 DOGE period has added another layer. Courts found that OPM systems were accessed by DOGE personnel in ways that violated Privacy Act procedures, and a D.C. federal court allowed a Privacy Act lawsuit by five federal employees to advance to discovery in early 2026. The pattern of inadequate data controls is not limited to 2015.

---

Your Privacy Rights Under the Privacy Act

The Privacy Act of 1974 (5 U.S.C. 552a) gives federal employees specific rights over records agencies maintain on them. Those rights apply to health records OPM holds through the FEHB program.

The law gives you five specific rights:

1. Access records OPM maintains on you. Submit a Privacy Act access request to OPM's privacy office.
2. Know whether your records have been disclosed and to whom, with limited law enforcement exceptions.
3. Amend records you believe are inaccurate or irrelevant.
4. Consent before disclosure, except for the Privacy Act's 12 enumerated exceptions, including "routine use" disclosures that agencies define in their System of Records Notices.
5. Sue in federal district court for unlawful disclosures (5 U.S.C. 552a(g)).

The "routine use" exception is where disputes often land. Agencies define their own routine uses in Federal Register notices. If OPM establishes a routine use that permits sharing FEHB health data with, for example, other benefit administrators, law enforcement, or policy offices, it can do so without your consent, as long as the routine use is published.

HIPAA adds a layer of protection for health data specifically. The minimum necessary standard under 45 CFR 164.502(b) requires that when a covered entity requests or receives health information, it must make reasonable efforts to limit that information to the minimum necessary. Privacy advocates argue OPM's ICR does not demonstrate that standard has been applied.

---

What You Can Do Right Now

There is no individual opt-out for this data collection. Here is what you can actually do.

File a Privacy Act access request. Contact OPM's Privacy Office and ask for copies of all health records OPM maintains on you. Agencies must acknowledge within 10 days and respond within 30 days. This tells you what OPM already holds and creates a documented baseline.

OPM's Privacy Office: privacy@opm.gov or OPM Privacy Office, 1900 E Street NW, Washington, DC 20415.

Contact your congressional representatives. The comment period closed February 10, 2026, but Congress can still act. House Oversight and Senate Homeland Security members have authority to demand answers about OPM's safeguards and any inter-agency sharing plans. A constituent call or letter goes on record.

Read your FEHB carrier's privacy notices. Carriers are required to send HIPAA Notice of Privacy Practices updates. Those documents spell out exactly what your insurer discloses to OPM and under what legal authority. Most people never read them. Now is a good time.

Consider plan type at next open season. Fee-for-service plans and HMOs generate different types of encounter and claims data. If you have privacy concerns about a specific carrier's data practices, that is a legitimate factor to weigh when comparing plans.

Watch the litigation. Democracy Forward's formal opposition may precede a legal challenge. The D.C. court precedent from early 2026, allowing Privacy Act suits by federal employees to reach discovery, has strengthened the position of employees bringing these cases.

---

Check Your FEHB Plan Coverage

Understanding your current FEHB coverage is the starting point for evaluating what health data your plan generates and submits. Use our free FEHB Calculator to compare plan costs, premiums, and coverage levels for your situation.

---

Frequently Asked Questions

What medical data is OPM requesting from FEHB insurers?

OPM's Information Collection Request asks 65 FEHB carriers to submit monthly claims-level data including medical claims, pharmacy claims, encounter data, and provider data on all enrollees. The request does not clearly specify whether the data will be de-identified before submission, which is a central concern raised by privacy advocates.

Is my health data already being collected by OPM?

OPM already operates a Health Claims Data Warehouse (HCDW) that contains medical claims, pharmacy, enrollment, and provider information for approximately 8 million FEHB enrollees. The December 2025 Information Collection Request represents an expansion of that collection, requiring ongoing monthly submissions from all 65 carriers going forward.

Can I opt out of OPM collecting my FEHB health data?

There is currently no individual opt-out mechanism for this data collection. FEHB enrollment itself is voluntary, but once enrolled, you have no documented ability to prevent your insurer from submitting claims data to OPM under this request. You can file a Privacy Act access request with OPM to see what records they hold on you.

What is OPM's stated reason for collecting this data?

OPM states the data will enable it to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans. OPM cites HIPAA's health oversight exception as the legal authority permitting FEHB carriers to share protected health information with OPM without individual consent.

Why does the 2015 OPM breach matter for this new data collection?

The 2015 OPM breach compromised 21.5 million background investigation records and 4.2 million personnel records, attributed to Chinese state-sponsored hackers. Privacy advocates argue that OPM's demonstrated history of catastrophic data security failures makes adding a new trove of sensitive medical data an unjustified risk, especially without strong safeguards against sharing that data with other agencies.

What can I do if I'm concerned about OPM collecting my medical data?

You can file a Privacy Act access request with OPM to see what health records they maintain on you, submit a complaint to your agency's privacy office, or contact your congressional representatives. Organizations like Democracy Forward have submitted formal comments opposing the collection. You can also review your FEHB plan options using the FEHB Calculator.

---

Related Resources

• Federal Employee Data Privacy After DOGE 2026: The full timeline of DOGE system access, SSA whistleblower incidents, and your Privacy Act rights
• FEHB Plan Evaluation Guide 2026: How to evaluate your health plan options and what to look for during open season
• FEHB Value in Retirement 2026: What your FEHB coverage is worth and how it changes after you retire
• Government Shutdown Guide 2026: How workforce disruptions affect your federal benefits

---

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy Act rights and HIPAA protections involve legal and factual complexities specific to each individual's situation. Consult qualified legal counsel for advice about your specific circumstances.

Sources: Federal Register ICR Notice 3206-NEW (Dec. 12, 2025), Democracy Forward / Civil Service Strong comment (Feb. 10, 2026), OPM Health Claims Data Warehouse Privacy Impact Assessment, OPM.gov FEHB Carriers, HHS HIPAA Privacy Rule Summary, DOJ Privacy Act Overview, Federal News Network: 2015 OPM breach coverage, GovExec: OPM April 2026 FEHB coverage