By Molly Barnett, Esq.

Is my tribal organization subject to the requirements of HIPAA?


If you are a tribal organization which a) provides health care and transmits patient health information electronically OR b) is part of the Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.), your organization must comply with the Health Insurance Portability and Accountability Act (HIPAA). [HIPAA applies to “covered entities”; refer to the following outside link for more information on “covered entities”: ]


Why is a tribal entity subject to federal requirements?


Interestingly enough, according to the Indian Health Service’s (IHS) website, “We have no official answer to that question [of whether Tribes are required to become compliant under HIPAA]… However, we urge all members of the Indian health community to begin work toward HIPAA compliance.” The issue has not yet been brought in court, although the federal agency which enforces HIPAA, the Office of Civil Rights, is requiring tribes to comply. Violations of HIPAA could result in fines. Thus, as a purely precautionary matter, tribal health care providers which transmit patient health information electronically and/or are part of an IHS program may want to seriously consider HIPAA compliance until the issue is resolved in court. Furthermore, compliance with HIPAA might help protect against damages lawsuits for privacy violation, even if HIPAA is determined by a court not to require tribal compliance.


            If the tribal organization would like to impose standards which are more stringent than HIPAA, it should feel free to do so.   


The basics of HIPAA:


            HIPAA requires organizations to safeguard patient health information and to restrict disclosure of patient health information. There are different rules for disclosure, depending on the person or organization requesting disclosure. Usually, the patient is entitled to receive their own health information (unless it will hurt them, another person or another exception applies). Usually, persons within the organization may access patient health information only if it is necessary to do their jobs (“need to know basis”). Disclosures to persons outside the organization is allowed only in certain circumstances, which may require an authorization/consent form from the patient (if there is an emergency or suspicion of child abuse, please consult HIPAA for specific disclosure rules in these circumstances). HIPAA has a number of requirements that must be included in the authorization/consent form for it to be valid. THIS IS ONLY A SUMMARY; PLEASE CONSULT HIPAA FOR A COMPLETE DESCRIPTION OF THESE REQUIREMENTS.


Other requirements of HIPAA:


            Patients must receive notice of the organization’s HIPAA policies and of their rights under HIPAA. A notice form is not valid unless it precisely complies with HIPAA’s notice requirements.


All employees of a health organization must be given training and a copy of written internal policies regarding HIPAA. Employees must report violations of HIPAA.


The Security Rule section of HIPAA requires certain precautions be taken regarding electronic patient health information (EPHI). Such precautions include encryption and restricting computer and software access to EPHI via secure log-on systems. THIS IS ONLY A SUMMARY; PLEASE CONSULT HIPAA FOR A COMPLETE DESCRIPTION OF THESE REQUIREMENTS.


            If your organization provides alcohol and/or substance abuse treatment, there are more stringent laws governing the protection of patient health information. See 42 C.F.R. Part 2.


HIPAA Resources


HIPAA Statute: P.L. 104-191, available online at .


HIPAA Regulations: 45 C.F.R. Parts 160, 162 and 164, available online at .


U.S. Department of Health and Human Services, Office of Civil Rights Website: .


Indian Health Services Website: .


For more information about HIPAA compliance for tribal agencies or to request HIPAA training, please email .




This post is for informational purposes only; it is not intended to be legal advice. This post in no way creates an attorney-client relationship. Please consult with an attorney of your choice for advice about your particular case.