Policy Updates

OPM Wants Your Medical Records: The 8M-Person Privacy Fight, Explained

OPM's December 2025 data proposal demands monthly patient-level medical claims on 8 million feds. Senators are fighting it. Here's what it means and what to do now.

By FedTools Team | 12 min read



Last Updated: April 23, 2026 | Reading Time: 10 min

On December 12, 2025, OPM quietly published a Federal Register notice requiring all 65 FEHB and PSHB insurance carriers to submit monthly reports containing individually identifiable medical claims, pharmacy records, and doctor's notes on 8 million federal employees, retirees, and family members. The de-identification requirement that appeared in prior OPM data frameworks was stripped out. Sixteen senators are now demanding withdrawal. OPM is not commenting. This guide explains what the proposal actually is, which laws apply, whether it's still on the table, and what every federal employee should do this month.

Key Takeaways

  • OPM's Information Collection Request (ICR 3206-NEW) requires 65 FEHB/PSHB carriers to hand over monthly patient-level medical claims, pharmacy data, and encounter notes on 8+ million people.
  • De-identification was explicitly removed from this version compared to prior OPM data frameworks.
  • OPM's legal basis is the HIPAA health oversight exception; the fight is over the "minimum necessary" standard.
  • 16 Democratic senators (Schiff and Warner leading) and 9 House Democrats (Garcia leading) demanded withdrawal in letters dated April 18 and 21, 2026. OPM has not withdrawn and has declined all media comment.
  • The 2015 OPM breach (21.5M records stolen by Chinese actors) is central to why critics call this reckless. GAO still had 29 of 80 post-breach recommendations unaddressed as of 2018.
  • Five concrete employee actions outlined below, including how to file the Privacy Act request and the HHS OCR HIPAA complaint.

What OPM Actually Proposed

The mechanism is an Information Collection Request (ICR), not a proposed regulation. ICRs are administrative tools under the Paperwork Reduction Act that let agencies compel regulated entities to submit data. They bypass standard notice-and-comment rulemaking. Once OMB approves an ICR, OPM can require carriers to comply.

The data source is your FEHB or PSHB carrier (not your employer, not OPM's existing files, not your eOPF). Carriers are covered entities under HIPAA. OPM is asking them to send monthly reports directly.

What the data includes

  • Medical claims: diagnoses, procedures, dates of service, costs
  • Pharmacy claims: drugs prescribed, dosage, frequency
  • Encounter data: this is the expansive category. It can include doctor's notes, after-visit summaries, specialist referral records, mental health visit records
  • Provider data: which doctors and facilities you use
  • Drug manufacturer rebate data (quarterly)

What the ICR does NOT explicitly include, but critics fear it will capture anyway: genetic test results are not listed, but the encounter data category is broad enough to sweep in records that incidentally contain genetic information.

Who's covered

8+ million people:

  • Current federal employees (FEHB)
  • Federal retirees (FEHB)
  • USPS employees and retirees (PSHB, the new Postal Service-specific program)
  • Members of Congress and staff
  • Enrolled spouses and dependents of all of the above

OPM's stated purpose

Per OPM's Federal Register notice: "rein in ballooning healthcare costs, strengthen FEHB oversight and auditing, and compare performance across insurance carriers."

What the ICR does NOT specify

  • Whether data will be de-identified before submission
  • Security controls, encryption, access restrictions
  • Who inside OPM would have access
  • Whether data could be shared with other federal agencies
  • Retention and destruction schedules
  • Whether individuals would be notified if their data is accessed

These omissions are the core of the critics' argument.

Four Laws That Overlap Here

HIPAA (45 CFR Part 164)

FEHB carriers are HIPAA covered entities. OPM invokes the health oversight exception (45 CFR 164.512(d)(1)), which permits disclosures to oversight agencies without individual consent for audit and investigation purposes.

The fight is over the minimum necessary standard (45 CFR 164.502(b)). Even when the oversight exception applies, HIPAA requires that disclosures be limited to what's necessary to accomplish the purpose. CVS Health and the Association of Federal Health Organizations (AFHO, representing dozens of FEHB carriers) both filed comments arguing that monthly patient-level data far exceeds minimum necessary for cost oversight. Aggregate or de-identified data could accomplish the same purpose.

OPM itself is not a HIPAA covered entity because it does not provide treatment. It can receive oversight disclosures but cannot independently compel carriers beyond what HIPAA authorizes.

Privacy Act (5 U.S.C. § 552a)

Two provisions are central:

§ 552a(e)(1): Agencies must "maintain in its records only such information about an individual as is relevant or necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order." Democracy Forward's public comment argued OPM failed to justify why individual-level claims data, rather than aggregate or de-identified data, is necessary for cost oversight.

System of Records Notice (SORN) requirement: Before OPM can create a new database of records about individuals, it must publish a SORN in the Federal Register establishing the system's purpose, routine uses, retention rules, and individual notification procedures. OPM has NOT yet published a SORN for this proposed database. That's a procedural checkpoint that advocacy groups can challenge.

Penalties: Willful unauthorized disclosure of Privacy Act records is a misdemeanor. Individuals harmed by intentional violations can sue in federal district court (§ 552a(g)).

GINA (Genetic Information Nondiscrimination Act)

Title II and Executive Order 13145 apply GINA to federal agencies. GINA prohibits any use of genetic information in employment decisions. It requires genetic information to be maintained as a confidential medical record, in files separate from other personnel information.

The concern: the encounter data OPM wants can include records that incidentally contain genetic information (cancer screenings, hereditary condition diagnoses). Nothing in the ICR firewalls the data from employment-related use. If OPM or a downstream agency accessed the data for any employment purpose, that could be a GINA violation.

ADA / Rehabilitation Act (29 CFR 1630.14)

The ADA and the Rehabilitation Act limit employer-initiated medical inquiries to those "job-related and consistent with business necessity." The proposal routes data to OPM, not to employing agencies, so the direct employer-inquiry rule isn't triggered. But inter-agency sharing concerns remain live, and advocacy groups including NTEU have raised this as a structural risk.

The Timeline of Pushback

  • December 12, 2025: OPM publishes ICR notice 3206-NEW. Limited initial attention.
  • February 10, 2026: Public comment period closes. Hundreds of comments filed in opposition including CVS Health, AFHO, Democracy Forward.
  • Early April 2026: GovExec publishes the first major investigation (April 8). KFF Health News and FedSmith follow. An r/fednews post titled "Senators demand OPM withdraw plan to access feds' medical records" reaches 1,129 upvotes.
  • April 18, 2026: Rep. Robert Garcia (Ranking Member, House Oversight) and 9 House Democrats send a letter to OPM Director Scott Kupor and OMB Director Russell Vought demanding a halt.
  • April 21, 2026: Sixteen Democratic senators led by Sen. Adam Schiff (D-CA) and Sen. Mark Warner (D-VA) send a letter to OPM demanding full withdrawal. NTEU publicly endorses the senators' position.
  • April 22-23, 2026: FedWeek, FedSmith, Federal News Network publish follow-up coverage. FedSmith headline: "OPM Faces Backlash Over Federal Employee Health Information Proposal."
  • As of April 23, 2026: The proposal has NOT been withdrawn. OPM has declined all comment requests. It remains in OMB post-comment review.

The 2015 Breach: Exhibit A

Every major critic cites the 2015 OPM breach. In July 2015, Chinese state-sponsored actors exfiltrated 21.5 million records from OPM's background investigation database. The stolen data included Social Security numbers, fingerprints, and full SF-86 security clearance forms. The OPM Director and CIO both resigned. GAO subsequently issued 80 recommendations to improve OPM data security. As of 2018 (the last comprehensive audit), 29 of those 80 recommendations remained unaddressed.

Both the April 18 House letter and the April 21 Senate letter explicitly cite the 2015 breach as proof that OPM cannot be trusted with a centralized database of 8 million people's medical records. AFGE President Everett Kelley's statement: the proposal "comes in the context of coordinated attacks on federal employees and repeated stretching of legal boundaries for sharing sensitive personal data."

Five Things Federal Employees Should Do Now

1. Request your eOPF

Know what's already on file about you. Contact your HR office or email eopfhelpdesk@opm.gov. Request a full copy of your electronic Official Personnel Folder. Look at the medical section for existing records like disability claim files, fitness-for-duty exams, and FMLA documentation that might be swept up in any broader OPM data collection.

2. Ask your FEHB carrier for their HIPAA privacy notice

Your carrier is the entity that would be compelled to hand over your data. You have a right under HIPAA to receive the carrier's Notice of Privacy Practices. Read what they disclose and to whom. If the ICR is approved, carriers may update their notices accordingly, which would give you advance warning.

3. File a Privacy Act access request with OPM

Under 5 U.S.C. § 552a(d), you have a right to see any records OPM has about you. Mail or email a request to OPM's FOIA office stating that you want copies of all records about you in any OPM system, including any pending systems under development. A standard request costs nothing for reasonable volumes. The response clock is 20 business days, often extended in practice.

4. Reserve your HIPAA complaint option

If the ICR is approved and carriers begin transmitting data, you have 180 days from when you know of the violation to file a complaint with HHS Office for Civil Rights. HHS OCR investigates HIPAA complaints and can impose penalties on covered entities. File at hhs.gov/hipaa/filing-a-complaint. Mark your calendar now.

5. Contact your Congressional representative

The House and Senate letters are not legally binding. What stops this proposal is either OPM voluntarily withdrawing, OMB declining to approve, or a court injunction. Congressional pressure matters. Call your Senators and your House member. The phone is more effective than email. Tell them you are a federal employee constituent and you oppose OPM's ICR 3206-NEW medical records collection.

Three Misconceptions About This Proposal

Misconception 1: "My supervisor can now see my records."

Wrong. The proposal routes data to OPM, not to your employing agency. Your direct supervisor and agency HR office are not the intended recipients. The concerns are legitimate but different: downstream sharing risk, centralized breach risk, and GINA violations if the data were ever used for employment decisions.

Misconception 2: "HIPAA requires my consent before any of this can happen."

Wrong. HIPAA's general rule is that disclosures require consent, but there are exceptions. The "health oversight agency" exception (45 CFR 164.512(d)(1)) permits disclosures without consent for oversight activities. OPM argues this exception applies. The legal fight is NOT about whether consent is needed; it is about whether the full monthly patient-level dataset satisfies the HIPAA "minimum necessary" standard.

Misconception 3: "The senators killed it."

Wrong. Congressional letters are advocacy, not law. The proposal has not been withdrawn. OPM has declined to comment. It remains in OMB review. Letters from Congress do put pressure on OPM and OMB but they do not have binding legal force.

Calculate Your FEHB Alternatives

If the proposal advances and you want to evaluate staying in FEHB vs. alternatives, the FEHB Premium Calculator compares plan costs across carriers and metal tiers. Weigh the tradeoffs carefully: leaving FEHB has significant consequences for retirement (you need 5 years continuous FEHB enrollment before retirement to keep it as a retiree) and catastrophic health coverage.

Frequently Asked Questions

Is OPM going to see my doctor's notes?

If ICR 3206-NEW is approved in current form, yes. OPM would receive monthly carrier reports including medical claims, pharmacy claims, encounter data (which can include doctor's notes), and provider data. De-identification was explicitly removed from this version.

Can my supervisor see my records through this?

Not directly. Data routes to OPM, not to your employing agency. The concerns are downstream sharing risk, centralized breach risk, and GINA violations if the data were used for employment decisions.

Is OPM allowed to do this legally?

Disputed. OPM cites the HIPAA health oversight exception. Critics argue the minimum necessary standard prohibits the full monthly patient-level dataset. The Privacy Act also requires OPM to publish a System of Records Notice before creating a new database, which hasn't happened.

Has the proposal been withdrawn?

No. As of April 23, 2026, it remains in OMB review. Congressional letters are not legally binding. OPM has declined all comment requests.

What should I do to protect my records?

Five steps: request your eOPF, ask your FEHB carrier for their privacy notice, file a Privacy Act access request with OPM, reserve your 180-day HHS OCR complaint option, and contact your Congressional representative.

How is this different from the 2015 OPM breach?

The 2015 breach was a security failure that exposed 21.5 million records. This proposal is a policy choice to centralize even more sensitive data in the same agency. GAO still had 29 of 80 post-breach recommendations unaddressed in 2018.

Can I opt out?

No. FEHB carriers would be required to submit the data. There is no individual opt-out. Leaving FEHB entirely is the only way to avoid inclusion, with its own serious consequences.
