Improving Data Sharing for Tribal Health: What Public Health Departments Need to Understand About HIPAA Data Privacy Requirements
December 2, 2021
Tribes, tribal organizations, and Tribal Epidemiology Centers (TECs) (tribal organizations) need continuous and routine access to comprehensive and specific public health data to drive public health decision making, particularly during the current pandemic. Nothing in HIPAA prevents public health departments from sharing public health data with tribal organizations just as they can share data with any other public health authority. Sharing these data with tribal public health authorities is essential for addressing the health disparities American Indians and Alaska Natives experience.
Background: Federally Recognized Tribes
There are 574 federally recognized American Indian and Alaska Native tribes throughout the United States. Federally recognized tribes are located in 36 states, and some states also have state-recognized tribes. Tribal sovereignty grants tribes the inherent power to govern their members, including health and welfare, and social and cultural organization. Tribal governments provide services ranging from health care and education to infrastructure and environmental management on tribal lands. Tribes have inherent authority to undertake public health activities.
American Indians and Alaska Natives experience some of the most severe health inequities in the country due to centuries of oppression and racism. Their life expectancy is 5.5 years less than that of the general U.S. population. Tribal populations suffer significant burdens of heart disease, chronic liver disease, diabetes, unintentional injuries, self-harm, and respiratory diseases. They have the highest poverty rate among all racial and ethnic groups in the United States, at 25.4 percent in 2018.
Health services for tribal populations are underfunded and discrimination in health care is rampant. The COVID-19 pandemic has disproportionately affected American Indian and Alaska Native populations. The Centers for Disease Control and Prevention (CDC) reports that these groups are more likely to be hospitalized and die from COVID-19 than any other racial or ethnic group. As a matter of law and policy, the federal government is very much involved in reducing these health disparities.
The Role of TECs
To address these stark health disparities, Congress established TECs as part of the Indian Health Care Improvement Act. 25 U.S.C. §1621m. TECs are legislatively mandated and legally required to perform tribal public health activities, including data surveillance and analysis and supporting tribes in their own public health activities. There are twelve TECs, each of which serves one of twelve areas established by the United States Indian Health Service. Alaska, California, and the Navajo Nation each have one TEC, and there are eight other regional TECs. One TEC, the Urban Indian Health Institute, is dedicated solely to supporting urban Indian communities.
In partnership with tribes, TECs provide technical support, collect and analyze public health data, evaluate health programs, and design and implement public health interventions. Specific activities vary by TEC as they are responsive to the unique health care and public health needs of tribes in different regions. Both TECs and Indian tribes are “public health authorities” either under federal law at 25 U.S.C. §1621m or federal regulation at 45 C.F.R. § 164.501. Thus, they have the legal authority to collect, receive, and disseminate public health data as necessary to respond to public health threats. As such, tribes and TECs have the same public health authority designation as, for example, the CDC, and state and local health departments.
Privacy and Data Sharing
The HIPAA Privacy Rule establishes requirements for covered entities to protect the privacy of individuals’ health information. The Rule specifies permitted uses and disclosures that allow covered entities to share protected health information. 45 C.F.R. § 164.502(b). Among the permitted uses that do not require individual authorization for disclosure are public health activities. 45 C.F.R. § 164.512(b). Covered entities may disclose protected health information, even where there are small numbers, to public health authorities. Public health authorities, including TECs, may collect such information for the purposes of preventing or controlling disease, injury, or disability. The Privacy Rule unequivocally recognizes the importance of public health activities and ensuring that designated public health authorities have access to the data necessary to effectively promote public health.
Even HIPAA-covered health departments may share identifiable protected health information with another public health authority for public health purposes, such as for disease reporting, birth and death reporting, public health surveillance, public health investigations and interventions. Sharing data for public health purposes is a national priority to protect everyone’s health, especially during the global COVID-19 pandemic.
Data Sharing with Tribes and Tribal Organizations
Data is critical for public health authorities’ timely response to emerging public health threats. To effectively protect their communities, tribal health entities need access to identifiable public health data—the same access that state and local health departments have. Federal agencies and state and local health departments have a long, rich history of sharing identifiable data among themselves and across state lines. During this pandemic, these existing data sharing relationships have proven invaluable.
At the same time, tribes and TECs generally have had a much more difficult time obtaining identifiable COVID-19 and other data on their members from federal agencies and state and local health departments. From the Network’s consultations with tribes, we have learned that federal agencies and health departments have created a separate standard for tribal data requests that often includes demands for a tribal resolution supporting the data request, submission of a Freedom of Information Act request, execution of a HIPAA Business Associate Agreement (that is only required for service providers), review of tribal security and more. Further, many health departments refuse to share data containing small numbers with tribes, citing confidentiality concerns (i.e., the possibility of identifying individuals). In some cases, after working with a federal agency or state or local health department for a year, a tribe might receive no data at all.
Thus, the key question to address is whether HIPAA requires federal agencies or state and local health departments to exercise this rigorous due diligence and investigation when releasing identifiable data to tribal organizations for public health activities. The answer is absolutely not.
HIPAA requires that the HIPAA-covered agency or health department simply verify a data requestor’s identity and authority. The federal agency or health department must verify that the tribal organization is a public health authority authorized by law to collect or receive such data to prevent or control disease, injury, or disability (i.e., disease reporting, conducting public health surveillance, investigations, and interventions). The federal agency or health department may require the data requestor to submit a written statement identifying the legal authority under which the information is required, such as a statement declaring a tribe’s inherent public health authority, a statement declaring a tribal organization’s grant of public health authority from a tribe, or a statement referring to a TEC’s legally mandated public health authority from the Indian Health Care Improvement Act, 25 U.S.C. §1621m.
Once a federal agency or health department has already worked with a tribal organization and receives a request for identifiable data for public health purposes, no identity or authority verification is required. Where personal identifiers have been removed from the data and it is considered de-identified, identity and authority verification is not required.
In some instances, a HIPAA-covered federal agency or health department may not have previously shared identifiable public health data with a tribal organization and would need to identify and verify its status as a public health authority. HIPAA regulations provide mechanisms for doing so. The tribal organization may provide proof of government status through a legitimate government e-mail extension, such as xxx.gov. The HIPAA-covered entity may rely on the data requestor’s documentation, statements, or representations where they meet the verification requirements on their face, without the need to investigate further. Also, the health department could: have a phone conversation with the data requestor; return a call to the data requestor through a number obtained from an official directory; rely on a tribal identification badge; answer an email requesting data sent from the tribe’s email address; or answer a data request on appropriate tribal letterhead. When a federal agency or health department acts in good faith and exercises its reasonable professional judgment, it will not be held liable for relying on a document, statement, or representation.
As a general way to develop a relationship, the health department could use the government’s tribal liaison, if applicable, to meet with tribal organizations within its jurisdiction. At an introductory meeting, the federal agency or health department and the tribal organizations could share goals, and identify where mutual data sharing might occur.
HIPAA sets a clear verification standard that should be equitably applied across all public health authorities regardless of whether the health department has already worked with the tribe, tribal organization or TEC. A public health department that has identified and verified the tribal status can share the much-needed public health data upon request. In cases where identification and verification have not yet occurred, the health department can take the appropriate steps as outlined in this post. Currently, the incorrect application of HIPAA has resulted in a critical lack of data sharing with tribal public health authorities. In contrast, HIPAA offers great flexibility and allows for verification to occur either orally or in written form.
This article was developed by Sallie Milam, JD, CIPP/US/G, Deputy Director, Network for Public Health Law – Mid-States Region Office and Susan Fleurant, Senior Legal Researcher and JD/MPH Candidate, Univ. of Michigan, 2022. The article was reviewed by Denise Chrysler, JD, Director, Network for Public Health Law – Mid-States Region Office, and Peter D. Jacobson, JD, MPH, Co-Director, Mid-States Region, Network for Public Health Law. Tribal review was performed by Charles Abourezk, JD, General Counsel, Great Plains Tribal Leaders Health Board & Great Plains Tribal Epidemiology Center.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, please consult specific legal counsel.