The Health Insurance Portability and Accountability Act Privacy Rule sets national standards for protecting medical records and personal health information. It limits how health plans, clearinghouses, and health care providers can use and share patient data. The rule includes a "minimum necessary" standard requiring entities to limit shared data to only what's needed for the stated purpose. An exception allows disclosure to "health oversight agencies" for oversight activities, which OPM cited in its 2025 notice.