HIPAA and Tribal Sovereignty: What Public Health and Clinical Partners Need to Understand

Requesting Tribal Data Under Tribal Law and HIPAA

Many Tribal health programs, healthcare services specifically designed and operated by or for a federally recognized American Indian or Alaska Native tribe, are considered covered entities under HIPAA. This means they must comply with HIPAA’s Privacy, Security, and Breach Notification Rules just like other healthcare providers (HCPs). 

For more information, review the Privacy information on the Indian Health Service (IHS) Website and the Breach Notification Rule. 

However, Tribal HCPs may also operate under additional Tribal data privacy policies or traditional protocols, which must be followed alongside HIPAA. As sovereign nations recognized under federal law, many Tribes operate their own healthcare facilities as an exercise of their sovereignty. Accessing data from these facilities requires extra care, consideration, and action to follow Tribal law and uphold sovereignty. Thus, accessing Tribal electronic health information (EHI) requires consulting with the Tribal government before any direct communication with Tribal HCPs.

For more information, review the policy brief CSTE Enhancing Data Access to Improve American Indian and Alaska Native Health: A Framework for State and Local Public Health Officials. 

Understanding Tribal Sovereignty

Tribal Nations are sovereign governments recognized by the U.S. Constitution and federal law. This sovereignty gives Tribes the right to govern themselves, including making laws and policies related to public health, privacy, and data governance (CDC, 2024). 

This means: 

  • Tribal governments may establish their own privacy laws or regulations that are more protective than HIPAA. 
  • Any data sharing involving a Tribal Nation requires respect for Tribal authority, legal jurisdiction, and protocols. 
  • A Tribal Nation can grant its health authority to an agency acting on its behalf. 
  • Tribal public health authorities (including the Tribal Epidemiology Centers) are considered public health authorities (PHAs) for the purposes of HIPAA. 
  • Like states, Tribal health authorities can determine the minimum data necessary to perform their public health functions.  
  • Tribal sovereignty extends to data collected on their enrolled citizens, regardless of where they live or where the data are collected. 
  • Certain state laws do not apply on Tribal land; Tribal law does. 

The Public Health Exception and Tribal Health

Conversely, Tribal PHAs can request and receive data, including PHI, for public health purposes under federal law. Under the HIPAA Privacy Rule, PHI can be disclosed without patient authorization to all PHAs and other organizations that are legally authorized to collect the data.  

This includes: 

  • Tribal Nations and their designated PHAs 
  • Tribal Epidemiology Centers (TECs) 

For non-Tribal covered entities (e.g., a hospital), sharing protected health information (PHI) with a Tribal health department may require verification that the Tribal entity is legally authorized to collect the data for public health purposes. To verify the authority of the data requestor, a covered entity may rely on a “written statement identifying the legal authority under which information is requested, or, if a written statement would be impractical, an oral statement of such legal authority” (DHHS, 2013). As an indication of the discretion afforded a HIPAA covered entity in such circumstances, when a PHA acts in good faith and exercises its reasonable professional judgement, it should not be held liable for relying on such a document, statement, or representation.

For more information about data resources and sharing with Tribal health organizations, see the HHS Policies and Processes for Tribes and TECs and the CSTE Tribal Epidemiology Toolkit. 

Disclaimer

This toolkit is provided for general informational purposes only. It is not intended to be, and should not be taken as, legal advice. Public health agencies and healthcare organizations should always consult their own legal counsel and review applicable laws and regulations when making decisions or taking action related to electronic health information. 

References

Centers for Disease Control and Prevention. (2024, May). About Tribal Affairs. Retrieved May 2025, from Tribal Affairs: https://www.cdc.gov/tribal-health/about/index.html 

U.S. Department of Health and Human Services. (2013, July). Disclosures for Public Health Activities. Retrieved June 2025, from: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html