Citing HIPAA Groups Oppose Renewed Federal Plan to Amass Millions of Workers Health Data Health Care Compliance Association HCCA JDSupra

pppReport on Patient Privacy 26 no 3 March 2026ppCalling the proposal unprecedented in its scope and lack of specificity CVS Healthowner of Aetnais among a chorus of firms and organizations opposing a renewed effort by the Office of Personnel Management OPM to establish what CVS termed a wholesale collection of vast amounts of granular data from health plans that cover more than 8 million federal workers including US Postal Service employees enrolled in the standalone Postal Service Health Benefits PSHB ProgramppCVS and other commenters including the Association of Federal Health Organizations AFHO say the proposed collection raises significant HIPAA privacy and security rule compliance concerns as AFHO put it The association noted that its members cover approximately 90 of FEHB Federal Employee Health Benefit and PSHB enrollees and family membersppAs of March 10 OPM had posted six comments it received in response to its Dec 12 Federal Register notice seeking feedback on the plan in OPMs words to collect service use and cost data from FEHB and PSHB carriers including medical claims pharmacy claims encounter data and provider dataippOPM Data Needed for OversightppThe data OPM said will enable OPM to oversee health benefits programs and ensure they provide competitive quality and affordable plansppOPM posted its plan in a oneparagraph information collection request ICR and allowed 60 days for commentsppThe agency explained in the brief notice that it already requires the plans to provide necessary information and permit audits and examinations to manage the FEHB Program effectively Because OPMs ICR states that HIPAA permits covered entities including carriers to disclose protected health information PHI including service use and cost data to health oversight agencies such as OPM for oversight activities authorized under 45 CFR 165512d1 it left open the possibility that the agency plans to generate a data warehouse of identified data or PHI rather than aggregating deidentified data The agency didnt say either way an ambiguity that underlies some of the oppositionppHowever commenters opposed even the amassing of deidentified data based in part on the potential for reidentificationppThe ICR referred to ongoing monthly submissions of claimslevel data and quarterly manufacturer rebate data which it said would affect 65 carriers OPM estimated that the first year of reporting would take 225 hours per carrier In subsequent years the estimate was 12 hourssubmission monthly or quarterly depending on attributed file type with a total burden hours the first year of 14625 hours and 9360 hours in subsequent yearsppEnough Data Already AvailableppCVS comment letter was authored by Melissa Schulman CVS Health senior vice president for government and public health affairs Schulman urged OPM to abandon the planppAetna supports OPMs goal to ensure that the FEHB and PSHB programs provide high quality affordable care and it appreciates the need for relevant data to conduct oversight of carriers As OPM states it has long required carriers to provide necessary information to OPM to perform audits and examinations to manage the FEHB program effectively Schulman wrote However the data collection described in this ICR goes far beyond this and is unprecedented in its scope and lack of specificity Rather than seeking necessary and targeted data in an audit or examination setting OPM is proposing the wholesale collection of vast amounts of granular data from all FEHB and PSHB carriersppGoing ahead as proposed violates the Privacy Rules minimum necessary standard poses the potential for datasecurity breaches and invasion of privacy for consumer health information and raises proprietary concerns as the data could reveal sensitive and confidential information that carriers consider proprietary Providerlevel information could reveal contracted rates potentially violating contractual obligations Schulman saidppAFHO Chair Kari Parsons pointed out in the groups comment letter that this is not the first time that OPM has sought to launch this healthcare claims data warehouseppIn fact OPM made the same proposal in 2010 We raised the same HIPAA concerns then and by late 2019 AFHO and OPM were near agreement on an arrangement under which carriers would share HIPAA deidentified data with OPMs claims data warehouse she saidppBut that never came to pass and there was little inkling OPM would raise the issueand certainly not in this wayuntil the Federal Register notice appearedppLegal Authority QuestionedppAt this point six years later we are concerned about sharing the deidentified claims data directly with OPM because since 2019 OPM has gathered detailed information on enrollees and family members which may allow it to reidentify claims records The HIPAA Privacy Rule does not allow covered entities to share deidentified data when a risk of reidentification exists See 45 CFR 164514bii Parsons wroteppParsons disputed OPMs conclusion that the Federal Employees Health Benefits Act gives the agency authority to establish the proposed collection saying the data request falls outside the scope of Section 8910 That provision 1 requires carriers to furnish reasonable reports OPM determines to be necessary not to furnish the individual claims data of every individual covered under the FEHB Program and 2 authorizes OPM to examine carrier records not to possess them Similarly related federal procurement law 41 USC 4706b authorizes contracting agencies to examine certain contractor records not to possess themppAs a result OPM does not have the legal authority to request FEHB carriers provide OPM with the PHI of every FEHB member to populate its health claims data warehouse because if FEHB Carriers complied with this request they would be violating the HIPAA Privacy Rule Parsons wroteppFear Data Will Be Weaponized Against WorkersppCVS and AFHO were joined in their opposition by Civil Service Strong CSS part of the Democracy Forward Foundation which added its own concernsppAs an initial matter OPM does not state whether the data will be identifiable by individual If the data is in fact identifiable then OPM could use it for all manner of improper and illegal purposes discriminating against federal employees based on their health status targeting them as a result of obtaining certain medical procedures or threatening to share their or their family members protected health information unless they comply with certain demands The options for harm are near limitless wrote Robert H Shriver III CSS managing directorppShriver added that even if OPM does not have any nefarious intent the ICRs lack of information leaves unanswered the critical question of how OPM will ensure the data is only used for appropriate oversight purposes Who will have access to the data How will that access be controlled What protections and protocols will prevent improper authorization What security standards will prevent data breachesppMoreover OPMs ICR is especially concerning given the TrumpVance Administrations explicit contempt for federal workers and its pattern of recklessness with highly sensitive data Shriver said He cited the number of federal workers who have been terminated and lost civil service protections as well as 2023 comments by nowOffice of Management and Budget Director Russell Vought who expressed a desire for bureaucrats to be traumatically affectedppWrote Shriver It requires no leap at all to think that it will now attempt to weaponize federal employees own medical data against themppStakeholder Group Other Alternatives OfferedppCVSAetna officials strongly recommend that OPM not proceed with this ICR but instead convene a stakeholder workgroup with carriers to determine the specific data elements needed to support program goals and to establish a consistent reporting framework Aggregated HIPAA compliant deidentified reporting would allow OPM to obtain necessary program insights without compromising privacy statutory boundaries or proprietary information Schulman wroteppAFHO offered OPM two alternativesppIt could enter into an agreement with the Centers for Medicare Medicaid Services CMS to allow OPM to use CMSs edge server system CMS has been using an edge server to query data from Affordable Care Act plans since 2014 The edge server system arrangement keeps the data in the carriers possession which eliminates the risk of OPM reidentificationppOPM also could contract with the Health Care Cost Institute HCCI which has 15 years of experience translating raw data into actionable insights HCCI is HIPAA and AntiTrust compliant according to Parsons letterppHCCI which also submitted a comment letter offered OPM its servicesppHCCI provides nationally recognized analytic methods that create insights that are credible comparable and actionable These methods include claims data cleaning enrichment and normalization that generate consistent service definitions In turn these efforts move the data from a dataset meant for processing claims to one purposebuilt to allow for applestoapples comparisons of standard measurements for health care spending price and utilization across services markets and time We also offer transparent analytic methodologies that create benchmarks the Agency would be able to trust wrote HCCI President and CEO Katie MartinppHCCI Has Deep ExpertiseppShe added that HCCIs expertise includes a detailed understanding of the technical solutions required to perform data acquisition and ingestion ensure that all statutory and industry data security standards are met and implement a consumer health price transparency tool At the same time as described above we also have deep expertise in producing meaningful insights using the granular level of information in our datappHCCI believes in the power of data particularly claims data to bring about change that will lower costs increase quality and otherwise improve the functioning of the health care system Martin said in closing Importantly our commitment to applying rigorous analytics to generate insights from claims data is consistent with broader employer efforts to access their data and use it to improve the value of their health benefits If the opportunity arises we would be excited to partner with the agency on this initiative and believe that we bring a unique blend of expertise in data infrastructure and analytics that would maximize the opportunity to improve FEHB and PSHB performanceppShriver suggested OPM concern itself with core oversight of the FEHBppCSS urges OPM to abandon this proposal and to instead refocus its efforts on administering the FEHB Program in a manner that honors the commitment and dedication of this countrys current and retired civil servants Shriver saidppi Office of Personnel Management Agency Information Collection Activities Proposals Submissions and Approvals Federal Employees Health Benefits and Postal Service Health Benefits Programs Service Use and Cost Data accessed March 10 2026 httpsbitly4cwCHtCppReport on Patient Privacy 26 no 3 March 2026ppLearn more httpswwwhccainfoorgpublicationsnewslettersreportpatientprivacyppSee more pp
Health Care Compliance Association HCCA
var today new Date var yyyy todaygetFullYeardocumentwriteyyyy
ppRefine your interests ppJoin more than 70000 authors publishing their insights on JD SuprappBack to TopppExplore 2026 Readers Choice AwardsppCopyright var today new Date var yyyy todaygetFullYeardocumentwriteyyyy JD Supra LLCp