FMA Washington Report: May 8, 2026

FMA Expresses Concerns to OPM on Health Data Privacy

FMA National President Linda S. Lentjes expressed support for Office of Personnel Management (OPM) oversight efforts while urging strict limits on the collection of individually identifiable health information, citing cybersecurity risks and fears of a chilling effect on workers seeking care. She wrote OPM Director Scott Kupor to outline the concerns related to the collection of sensitive health data and offered recommendations to ensure privacy.

In the letter, Lentjes commended OPM's push to improve carrier accountability, reduce improper payments, and modernize claims processing. She wrote FMA supports enhanced audit capabilities, fraud detection, and stronger carrier performance standards as consistent with OPM's statutory mission. "Effective government requires both accountability and the protection of individual rights. These goals are not incompatible."

However, the letter drew a sharp line at any initiative that would involve broad collection, aggregation, or centralized storage of individually identifiable health information. Lentjes warned that such data — covering diagnoses, prescriptions, mental health treatment, and reproductive health — could be misused in employment decisions, security clearance reviews, or disciplinary proceedings.

Lentjes also pointed to cybersecurity risks, citing the catastrophic 2015 OPM data breach that exposed personal records of more than 21 million individuals. A centralized health database, the letter argued, would represent a high-value target for foreign adversaries and hackers. She also raised concerns about a chilling effect: federal employees may avoid seeking mental health care, substance use treatment, or other sensitive services if they fear their records are subject to government surveillance.

The letter called on OPM to comply fully with HIPAA and the Privacy Act of 1974, and laid out specific recommendations: prohibit collection of individually identifiable health data except where strictly required by law; require that any analytical data be de-identified under HIPAA's Safe Harbor or Expert Determination standards; conduct Privacy Impact Assessments for all new data systems; and establish robust access controls and breach notification protocols aligned with NIST standards.

FMA also requested a formal process allowing federal employees to access, correct, and receive notice about any health-related information held by OPM or its contractors, and called for strict limits on sharing that data with other agencies or third parties without explicit legal authority or employee consent.
---
