Overview
- OPM’s December 2025 notice asks 65 Federal Employees Health Benefits and Postal Service Health Benefits carriers for monthly “service use and cost” reports with identifiable medical and pharmacy claims, encounter data, and provider data.
- Experts say the request could reveal prescriptions, diagnoses, visit notes, and provider details, and they note the notice does not instruct plans to remove names or other identifiers.
- OPM cites HIPAA’s oversight exception to justify the collection, while privacy lawyers warn HIPAA also requires disclosures be limited to the minimum necessary and clearly defined.
- The public comment period closed in March, and OPM has not issued a final decision or detailed data-handling rules, prompting carriers to warn of potential liability if they share protected health information without clearer direction.
- Pushback includes a March letter from CVS Health urging OPM to reconsider and a 122-page submission from the Association of Federal Health Organizations, with critics also pointing to OPM’s 2015 breach of roughly 22 million records as a major security risk.