I stop and 2nd source.
No trust!

Who would expect these stupid miscreants to obey the law.

...depending on whether these plans are considered to be "employer sponsored" -- I assume they are.

If so, PHI can be used "for the proper management and administration of the business associate" as long as PHI isn't used for hiring/firing decisions. (See quote and CFR source below.)

Of course, who can trust the regime to not use the info for hiring, firing, and God knows what else - arrests? Investigations? If you think that's hyperbole, ask Texas parents of trans children. Ask women in some red states who have had abortions.

But the kicker is this: complaints about violations are handled by...Health and Human Services (HHS).

If all this sounds confusing, take a look next time you sign the form when you check in for a doctpr appointment. The small print will say something about you authorizing your info to go to your insurer for purposes of reimbursement (blah blah blah). And in normal times, that makes sense. It will likely be argued by the trumpists that this data hoovering is that clause, enacted on a grand scale...and thus your identity will linked to everything ever written about you in your medical and mental health files, if those were covered by the federal insurance plan.

NB: I am not a lawyer, but had to become familiar with ins & outs of HIPAA for work. My info is dated, but detailed. If you belong to a union and may be impacted by this, raise a ruckus as soon and as loud as you can.

I welcome any updating or corrections to my interpretation of this.

---

(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section....

I also noticed that this is hitting the news after the public comment period has elapsed.

Trying not to be cynical, but....

Anyway, here is the distributed document.
https://www.regulations.gov/document/OPM-2025-0206-0049

Even if the government is self-insured, they have to use a 3rd party intermediary to ensure that protected information is not provided to the employer.

There are very limited circumstances under which the employer is entitled to protected informaiton. Otherwise it is the obligation of the covered entity (medical provider, insurer, etc.) not to provide it to them - even if they are asked for it - since generally it is not the type of transaction in which the covered entity is permitted to share such information without the patient's consent.

They can require documentation of medical need for use of sick leave. They can require documentation of the need for FMLA. Those are circumstances in which limited medical information can be disclosed to an employer. But it wouldn't be as detailed as what prescriptions they are taking, etc.

...that the federal government is both covered entity (in this case, insurer) and employer?

I wonder if that is their wiggle room, and also the hinge point for the inevitable lawsuits.

Edited to add parenthetical

It generally has to use a third party administrator to handle the claims. I don't have experience with a federal employer, but I have experience with a medium-sized state employer and a small business (which was small enough it could have been exempt from the separation requirements, but chose not to). In both instances, third parties handled all claims (and payments form FSA accounts).

For the state employer, it looked to us like a typical insurance company - e.g. Blue Cross/Blue Shield. On the back end, the employer reimbursed the insurance company for the bills it approved - but had no insight into what those claims were for, or which employee incurred them. A quick look suggests the federal government handles it the same way (there are at least two commercial insurers on the list).

This makes me wonder whether state regulators can exert pressure on companies that might be tempted to comply with the federal OPM letter ( https://www.regulations.gov/document/OPM-2025-0206-0049 ) assuming the companies also provide services in-state.

Although maybe that gets into supremacy tussles, I dunno. Those will be coming to a head in other areas soon enough.

God these trumpers are simply evil, in the "devil is in the details" sense. And often other senses.

I'm one of the retired ones

I don't know what they want with my records but if they have them they have them. I have minimal contact with the medical professional world so they aren't going to have much to work with. By the time time they get to me, I probably will be gone.

Can you say surveillance state?

Absolutely terrifying on its face. If the Federal Government can get away with this, only a matter of time before EVERYONE'S medical history is legally available to ALL employers.

I promise you that is "the goal". Weeding out the sick, the infirm, not giving them jobs, not "burdening productive society", and letting them die.

You know, straight up NAZI SHIT

It would appear either comply, or don't, and sue also start looking for another job. Meanwhile, pack up and leave the country, just to be sure.

Everyone needs to remind their carriers of large damage awards from sympathetic juries.

They are the ones legally obligated to protect the information (and to disclose it to employers except under very limited circumstances). Any self-respecting covered entity has a good legal team to make sure the formal channels aren't improperly disclosing information. The challenge comes with people who have information but aren't normally in the business of using it for permitted purposes (e.g. low level customer service agents who inadvertently disclose protected information about a patient with a similar name; a doctor who doesn't bother to check who he is permitted to disclose information to when he starts chatting with a family member, etc.) The folks Trump's stooges will be asking should not need a reminder.

The government isn't a covered entity - so once it has the information, possession of the information doesn't magically make it a covered entity with an obligation to protect it.

Such an important set of laws impacting our lives...and yet so labyrinthine.