According to the so-called systems of record notice (SORN) that the OPM published in the Federal Register, the data collected will be de-identified, which means that details that would tie pieces of data to specific individuals would be removed. This process would occur "in many instances" and before an analysis is conducted, the OPM reports. However, the notice offers no details on how and when such de-identification will be done or the extent to which personal identifiers will be removed before analysis.
In addition to using the data for its own internal analysis, the OPM will also make it available, if required, for law enforcement purposes and for use in judicial or administrative proceedings, and to "researchers and analysts" inside and outside government for healthcare research purposes, the OPM notice said.
The OPM's notice is troubling for its lack of detail and the limited time it offers for evaluation, said Harley Geiger, policy counsel for the CDT.
"There are far too many unknowns about the program for it to be acceptable," at this point, Geiger said.
While the OPM, for instance, has indicated that the data it collects will help to better administer the three healthcare programs, there are no details why the data will be useful, he said.
The OPM did not respond to several requests for comment.
The OPM has also made little mention of how it plans to protect the data it collects or what its processes for de-identification are going to be, Geiger said. Regulations in HIPAA (the Health Insurance Portability and Accountability Act) require specific steps for making health care data anonymous, but there is no indication that the OPM will adopt those standards or something else, Geiger said.
The OPM's statement that it will share the data with third-party researchers and analysts is also deeply troubling, as is its willingness to make the data available for law enforcement and judicial purposes, he said.
At a minimum, the OPM needs to issue a revised notice fleshing out its plans in more detail and to provide a genuine opportunity for public comment, Geiger said. "This goes completely against public expectations of confidentiality in their [health] records," he said. "People expect their healthcare provider to have their medical information. What they don't expect is for the government to get a copy of that which they will then disclose to law enforcement and to Congress and to researchers."
Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation in Austin, said the OPM's database proposal raises serious privacy concerns. One of the biggest concerns revolves around the fact that the OPM will share the data it collects with third-party researchers. While the OPM says the data will be used only for medical research purposes, such data is almost never used that way, she said.