Senators demand OPM withdraw plan to access feds’ medical records

A group of 16 Democratic senators on Monday called on the Office of Personnel Management to withdraw its plan to collect claims-level health data from federal workers and retirees, expressing “grave concern” that the measure would violate the Health Insurance Portability and Accountability Act and basic tenets of doctor-patient confidentiality.

Last December, OPM published an information collection request in the Federal Register that would require insurers who participate in the Federal Employee Health Benefits and Postal Service Health Benefits programs to provide monthly reports with identifiable health data on their enrollees, prompting unease from both health ethicists and health care providers alike. The notice would require the collection of medical visits, prescriptions and treatment data, and fails to task insurance carriers with redacting personally identifiable information.

In a letter to OPM Director Scott Kupor on Monday, more than dozen senators, led by Sens. Adam Schiff, D-Calif., and Mark Warner, D-Va., demanded the agency rescind its request, arguing that the agency’s general “oversight” rationale is insufficient, given the extraordinary nature of OPM’s request.

“Such sweeping access to personal health information would violate the core principles of the Health Insurance Portability and Accountability Act, which was enacted to strictly regulate how protected health information can be disclosed to ensure that patient data is shared only for limited, clearly defined purposes,” they wrote. “Mass, centralized access to identifiable medical records absent individualized consent, clear necessity or narrowly tailored legal authority undermines those protections and lacks a valid statutory basis.”

And, following more than a year of attempts by the Trump administration to cut the federal workforce with terminations and incentivized resignations and retirements, the lawmakers said claims-level data could be used to further target employees and their families.

“Since January 2025, federal employees have been pushed into early retirement, illegally fired, demonized, seen their civil service protections weakened, and more,” they wrote. “This proposal is another step in the stated goal of traumatizing the federal workforce, this time by requiring the most sensitive health information about federal employees and their families to be shared with OPM. We are deeply concerned this information will be used in employment actions, including actions related to hiring, suitability determinations, appeals, reductions in force, disability accommodation requests, labor-management relations and performance reviews.”

In a statement this month, American Federation of Government Employees National President Everett Kelley noted claims-level data could allow the administration to continue its crusade against transgender Americans.

“Legal experts have already noted that this data could be used to discipline or target workers who are not complying with the administration’s political directives,” he said. “It could be used to identify employees who have sought care that this administration has made a specific target of its policy agenda, including reproductive health care and gender-affirming treatment. And it would be held by an agency that, in 2015, suffered one of the largest federal data breaches in American history, compromising the personal records of roughly 22 million people.”

Last week, Rep. Robert Garcia, D-.Calif., the top Democrat on the House Oversight and Reform Committee, along with some Maryland and Virginia Democrats sent their own letter to Kupor and Office of Management and Budget Director Russell Vought demanding OPM halt its efforts to collect federal workers and retirees’ health care data, noting that the lack of published safeguards on the data raise additional concerns in light of the 2015 hack and alleged disclosures to the U.S. Department of Government Efficiency.

“Last year, OPM reportedly allowed a server of unknown nature and origin to be added to its network and access sensitive government data,” the House lawmakers wrote. “A few months, later, DOGE employees inside OPM reportedly sent highly sensitive electronic files to internet protocol addresses outside of the federal government, potentially allowing private actors or adversarial governments to access sensitive data. By collecting data currently held by 65 insurance carriers into one database, expanding OPM’s access to employee data to include detailed personal health information would significantly heighten the risk of misuse, unauthorized disclosure, or exploitation by bad actors.”

Rather than including the detailed list of questions with which lawmakers typically conclude their letters to agencies, Monday’s letter ends with a simple plea to reverse course.

“For these reasons, we strongly urge you to cease any further consideration of this proposal,” the senators wrote. “Our federal employees work every day to serve the American people and deserve to have their health data protected. Protecting patient privacy is not a bureaucratic obstacle, but a cornerstone of ethical medicine, legal compliance, and public trust.”

OPM declined to comment for this story.