As a leader in policy and legislation, Donald Gainsborough has dedicated his career to navigating the complex intersection of government authority and individual privacy. Currently at the helm of Government Curated, he has become a vital voice in the conversation surrounding how federal agencies handle the sensitive data of the citizens they serve. Recently, a proposal from the Office of Personnel Management has sent ripples through the health policy world, as it seeks unprecedented access to the medical records of 8 million federal workers, retirees, and their families. This move raises profound questions about the legality of such sweeping data collection, the technical capacity of federal agencies to protect information, and the potential for political retaliation. In this discussion, we explore the shifting landscape of health data privacy, the tension between administrative oversight and confidentiality, and the long-term implications for the federal workforce.
Since insurers may be required to share identifiable health data for 8 million people, how does gathering granular records like doctor’s notes change the privacy landscape? What specific safeguards are necessary to prevent unauthorized access, and how might this data be used to analyze system costs?
The shift from general oversight to the collection of “encounter data” represents a seismic change in the privacy landscape because it moves beyond simple billing codes into the intimate details of a patient’s life. When you include doctor’s notes and after-visit summaries, you are essentially providing a window into the most private conversations a person has, covering everything from mental health struggles to sensitive physical diagnoses. To protect this, we would need ironclad encryption and strict “need-to-know” access protocols that are currently not outlined in the proposal. While the agency argues this data will help them analyze costs and ensure plans remain “competitive, quality, and affordable,” the sheer volume of 8 million records makes it an incredibly high-stakes experiment. Without clear guardrails, we risk creating a centralized repository that is as much a liability as it is an analytical tool.
Federal law typically requires organizations to share only the minimum health information necessary for oversight. In a scenario where an agency requests full identifiable claims data, how do you assess the legal balance between oversight and confidentiality? What specific liabilities do insurers face if data is inappropriately shared?
The legal balance here is incredibly precarious because HIPAA mandates that covered entities provide only the “minimum necessary” information to achieve a specific purpose. By requesting identifiable data—including names, birth dates, and full pharmacy claims—without a narrow justification, the government is testing the outer limits of “oversight activities.” Insurers are rightly terrified because they could be held liable for breaking federal law if they hand over personal health information for what some have called “vague and broad general purposes.” If a breach occurs or if the data is misused once it leaves their hands, these 65 insurance companies face massive legal exposure and a total breakdown of trust with their members. It is one thing to furnish “reasonable reports,” but it is quite another to hand over the individual claims data of every single enrollee.
Large government agencies have historically faced significant data breaches involving millions of personal records. What technical infrastructure is required to ingest monthly medical reports for millions of citizens securely? How can an organization demonstrate it has the capability to protect this sensitive information from potential threats?
The technical challenge of ingesting monthly medical reports for 8 million people is staggering, requiring a robust, highly secure pipeline that most agencies are simply not equipped to manage. We have to remember that in 2015, this very agency suffered a catastrophic breach where the records of 22 million Americans were stolen, a chilling reminder of what is at stake. To demonstrate true capability, an organization would need to prove it has advanced intrusion detection, air-gapped storage for the most sensitive files, and a transparent audit trail for every single person who accesses the database. Many experts doubt the agency currently has the infrastructure to handle such “minutiae” as doctor’s notes and encounter data. Without a proven track record of modernizing their cybersecurity, asking for this level of detail is like asking to hold the keys to a vault while the front door is still off its hinges.
Concerns exist that detailed medical records could be used to monitor sensitive treatments like reproductive or gender-affirming care. What protocols could prevent medical data from being used for workplace discipline or political retaliation? How does this level of data collection impact the trust and morale of a workforce?
The potential for political retaliation is the “elephant in the room,” especially given the current climate where thousands of federal workers have faced layoffs or felt targeted for their political leanings. If a supervisor or a politically appointed official has access to pharmacy claims for gender-affirming care or records of reproductive health visits, that information becomes a weapon for discipline. We would need strict “siloing” protocols that legally bar any personnel or management division from ever seeing health data, ensuring it is used strictly for actuarial cost-benefit analysis. When employees know their employer can see every prescription they fill, it creates a “chilling effect” that destroys morale and makes people hesitant to seek the care they need. This isn’t just about data; it’s about the fundamental trust between a worker and the institution they serve.
Past negotiations have often focused on sharing anonymous data rather than personally identifiable information. Why might a regulator prefer identifiable data for cost-benefit analysis over de-identified records? What are the technical challenges in ensuring that anonymous data cannot be traced back to specific individuals?
Regulators often prefer identifiable data because it allows them to track “patient journeys” across different providers and timeframes with 100% accuracy, which is harder to do with de-identified sets. However, the technical challenge today is that “anonymous” data isn’t as anonymous as it used to be; with the sheer amount of information already collected on enrollees, it is often possible to “re-identify” a person by cross-referencing a few unique data points. In 2019, there were discussions about sharing only de-identified data, but those agreements were never finalized, leaving us in this current state of uncertainty. The danger is that if the agency gains access to the full, identifiable stream, the “de-identification” process becomes a moot point because they already hold the master key. It is far safer to provide aggregated reports that highlight cost trends without exposing the individual names of the mail carriers or retired members of Congress behind the numbers.
What is your forecast for federal health data privacy?
I forecast a period of intense litigation and a “wait-and-see” standoff between insurers and the federal government. Given that the proposal has prompted a 122-page opposition from major health organizations and warnings of HIPAA violations, it is unlikely this will be implemented without a significant legal fight. We will likely see a push for a compromise that involves strictly de-identified data and heavy third-party auditing to ensure the information isn’t being used for political targeting. However, if the government successfully compels the sharing of identifiable records for 8 million citizens, it will set a precedent that could effectively end the era of medical privacy for public servants. The next few months will be a defining moment for whether “oversight” remains a tool for efficiency or becomes a tool for surveillance.
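The interview argues that "anonymous" claims data can often be traced back to a person by cross-referencing a few data points, and that aggregated cost-trend reports are the safer alternative. The following Python script is an added example, not part of the original interview or of any agency's or insurer's system: it measures how unique the remaining quasi-identifiers (zip code, birth date, sex) in a constructed "de-identified" claims extract are, shows how many members a constructed external directory would pin down, checks again after coarsening those fields, and finally produces the kind of per-plan cost aggregate the interviewee favours, with cells backed by too few people suppressed. All names, member ids, plans and prices are constructed; the k-anonymity and small-cell-suppression checks are standard privacy techniques, not procedures described on the page.

```python
"""Checking how 'anonymous' a claims extract really is, and the aggregate alternative.

All data below is constructed for illustration: no real enrollees, plans or prices.
"""
from collections import defaultdict

# Quasi-identifiers: individually harmless, jointly close to unique.
QUASI = ("zip", "dob", "sex")

# Constructed claims extract: names stripped, a pseudonymous member id kept.
CLAIMS = [
    {"mid": "m1", "zip": "20500", "dob": "1971-03-09", "sex": "F", "plan": "A", "category": "reproductive", "cost": 420.0},
    {"mid": "m2", "zip": "20500", "dob": "1985-11-22", "sex": "M", "plan": "A", "category": "primary", "cost": 150.0},
    {"mid": "m3", "zip": "20502", "dob": "1962-07-15", "sex": "M", "plan": "B", "category": "primary", "cost": 200.0},
    {"mid": "m3", "zip": "20502", "dob": "1962-07-15", "sex": "M", "plan": "B", "category": "pharmacy", "cost": 80.0},
    {"mid": "m4", "zip": "20510", "dob": "1990-01-30", "sex": "F", "plan": "A", "category": "mental_health", "cost": 310.0},
    {"mid": "m5", "zip": "20510", "dob": "1974-05-02", "sex": "F", "plan": "A", "category": "reproductive", "cost": 390.0},
    {"mid": "m6", "zip": "20502", "dob": "1988-09-17", "sex": "M", "plan": "B", "category": "primary", "cost": 175.0},
    {"mid": "m7", "zip": "20500", "dob": "1966-12-01", "sex": "M", "plan": "B", "category": "pharmacy", "cost": 95.0},
    {"mid": "m8", "zip": "20502", "dob": "1993-04-11", "sex": "F", "plan": "A", "category": "primary", "cost": 130.0},
]

# Constructed external dataset that carries names (think of a published staff directory).
DIRECTORY = [
    {"name": "Person One", "zip": "20500", "dob": "1971-03-09", "sex": "F"},
    {"name": "Person Two", "zip": "20500", "dob": "1985-11-22", "sex": "M"},
    {"name": "Person Three", "zip": "20502", "dob": "1962-07-15", "sex": "M"},
    {"name": "Person Three's Twin", "zip": "20502", "dob": "1962-07-15", "sex": "M"},  # same quasi-identifiers: ambiguous
    {"name": "Person Four", "zip": "20510", "dob": "1990-01-30", "sex": "F"},
    {"name": "Person Five", "zip": "20510", "dob": "1974-05-02", "sex": "F"},
    {"name": "Person Six", "zip": "20502", "dob": "1988-09-17", "sex": "M"},
    {"name": "Person Seven", "zip": "20500", "dob": "1966-12-01", "sex": "M"},
    {"name": "Person Eight", "zip": "20502", "dob": "1993-04-11", "sex": "F"},
]


def quasi_key(row):
    """The combination of quasi-identifiers that a linkage would match on."""
    return tuple(row[f] for f in QUASI)


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit zip prefix and decade of birth instead of full values."""
    out = dict(row)
    out["zip"] = row["zip"][:3]
    out["dob"] = row["dob"][:3] + "0s"
    return out


def k_anonymity(rows):
    """Smallest number of distinct members sharing one quasi-identifier combination.

    k == 1 means at least one member is unique in the extract and therefore linkable."""
    members = defaultdict(set)
    for r in rows:
        members[quasi_key(r)].add(r["mid"])
    return min(len(s) for s in members.values())


def uniquely_linked(rows, external):
    """Member ids whose quasi-identifiers match exactly one named record in `external`."""
    names = defaultdict(set)
    for e in external:
        names[quasi_key(e)].add(e["name"])
    return sorted({r["mid"] for r in rows if len(names.get(quasi_key(r), ())) == 1})


def aggregate_costs(rows, min_members=2):
    """Per-plan, per-category cost totals with small-cell suppression.

    A cell backed by fewer than `min_members` distinct members is reported as None,
    so a lone sensitive claim never appears as its own line in the report."""
    totals = defaultdict(float)
    members = defaultdict(set)
    for r in rows:
        cell = (r["plan"], r["category"])
        totals[cell] += r["cost"]
        members[cell].add(r["mid"])
    return {cell: (totals[cell] if len(members[cell]) >= min_members else None) for cell in totals}


if __name__ == "__main__":
    print("k-anonymity of raw extract:", k_anonymity(CLAIMS))
    print("members uniquely re-identifiable via directory:", uniquely_linked(CLAIMS, DIRECTORY))
    coarse = [generalize(r) for r in CLAIMS]
    print("k-anonymity after generalisation:", k_anonymity(coarse))
    print("uniquely re-identifiable after generalisation:",
          uniquely_linked(coarse, [generalize(e) for e in DIRECTORY]))
    print("aggregate cost report:", aggregate_costs(CLAIMS))
```

On the constructed data, the raw extract has k = 1 and seven of the eight members are pinned down by the directory even though no names were shared; only the member who shares a birth date, zip and sex with a twin stays ambiguous. Coarsening the fields raises k to 2 and leaves nobody uniquely linkable, and the aggregate report hands over cost trends per plan and category while suppressing the single mental-health claim that would otherwise identify one person. The threshold of two is deliberately low to keep the sample small; a real release would use a considerably larger minimum cell size.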
