Federal grants require reporting. Tribes have an inherent right to govern data about their peoples, lands, and resources. These two realities collide every time a tribal health program submits a performance report to a federal agency.
This page maps the intersection — not to resolve the tension (it is structural and ongoing), but to make it navigable. Tribal health leaders need to know where their data goes, what authority governs it once it leaves their systems, and what provisions they can negotiate into grant agreements to protect tribal data interests.
What Tribal Data Sovereignty Means
Tribal data sovereignty is the principle that tribal nations have the inherent right to govern the collection, ownership, and application of data about their peoples, communities, and resources. It is rooted in the same sovereignty that gives tribal nations jurisdiction over their lands and citizens.
This is not a policy preference. It is an assertion of governmental authority. Just as a state government controls how its public health data is used, a tribal government has the right to control how data about its citizens and communities is collected, stored, analyzed, published, and shared.
Why It Matters for Health Funding
- 1.History of extractive research. Tribal communities have experienced research conducted without consent, results published without review, and findings used in ways that stigmatized communities rather than served them. The Havasupai case — where Arizona State University researchers used blood samples collected for diabetes research to conduct unauthorized genetic studies — is the most cited example, but it is not an outlier. It is a pattern.
- 2.Racial misclassification. Federal and state data systems routinely misclassify AI/AN individuals — coding them as white, Hispanic, or “other.” This undercount means the true health burden on tribal communities is invisible in the data that drives funding allocations. A tribe that cannot control or correct its own health data cannot accurately advocate for the resources it needs.
- 3.Data as a sovereignty expression. A tribal government that depends entirely on federal data systems for information about its own people's health has ceded a dimension of governance. Data sovereignty is self-determination applied to information.
- 4.Practical impact on grant compliance. Federal grants require performance data, outcome metrics, and financial reporting. Much of this data flows into federal systems that tribes do not control. Understanding where the data goes and what protections apply is essential for managing the tension between compliance obligations and data governance.
OCAP Principles
The OCAP principles — Ownership, Control, Access, and Possession — were developed by the First Nations Information Governance Centre in Canada. They have become widely influential in U.S. tribal data governance discussions, though U.S. tribes often adapt the framework to their own contexts and terminology.
| Principle | What It Means | Implications for Grant Data |
|---|---|---|
| Ownership | The community collectively owns its cultural knowledge, data, and information. Individual consent does not override community ownership rights. | Grant performance data about tribal health outcomes belongs to the tribal community, not to the granting agency or research partner. |
| Control | The community controls all aspects of data management — collection, use, analysis, storage, and disclosure. | Tribes should control how their data is collected, who analyzes it, and how results are presented. |
| Access | The community has the right to manage and make decisions about access to their data, regardless of where it is physically held. | Even when data is submitted to a federal clearinghouse, the tribe should retain the right to determine how it is accessed and used by third parties. |
| Possession | Physical control of data. Data should be held within community institutions, not solely in external repositories. | Tribal health data should be maintained in tribal-controlled systems. Submission to federal systems should be a copy, not a transfer. |
Applying OCAP in Practice
Full OCAP implementation in the context of federal grant reporting is aspirational for most tribal programs. Federal grants require data submission to federal systems, and tribes cannot unilaterally rewrite federal reporting requirements. But OCAP provides the framework for:
- •Negotiating data use provisions into grant agreements
- •Maintaining tribal copies of all submitted data
- •Controlling how tribal data is aggregated, published, or shared with third parties
- •Reviewing and approving any publications or reports that include tribal-specific data
- •Insisting on tribal-level data analysis rather than relying on federal agency interpretations
Tribal IRB and Research Review
Standard Institutional Review Boards (IRBs) protect individual human subjects. They do not protect communities. A standard IRB might approve a study that an individual tribal citizen consented to but that the tribal community opposes — because the IRB framework does not include collective consent.
Tribal Research Governance
Many tribes have established research governance processes that go beyond standard IRB:
| Element | What It Requires |
|---|---|
| Tribal council approval | Any research involving the tribe or its members requires formal tribal council authorization — separate from and in addition to individual informed consent. |
| Tribal research code or protocol | Written policies governing how research is conducted in the tribal community. Covers data ownership, publication review, specimen management, community benefit requirements. |
| Community-based participatory research (CBPR) | Research must be conducted in partnership with the tribal community, not on the tribal community. The tribe is a co-investigator, not a subject pool. |
| Data ownership provisions | Research data belongs to the tribe. Researchers may use it for the agreed purpose but do not own it and cannot share it without tribal consent. |
| Publication review | All manuscripts, presentations, and reports using tribal data must be reviewed and approved by the tribe before dissemination. |
| Specimen governance | Biological specimens collected in tribal communities are governed by tribal protocols. May include restrictions on genetic research, requirements for specimen return, or limits on secondary use. |
Implications for Grant-Funded Programs
Many federal health grants include evaluation or research components. For tribal health programs:
- •If the grant requires an evaluation, clarify whether the evaluation constitutes human subjects research (it often does) and what approval process applies.
- •If a university or external evaluator is involved, ensure the arrangement includes tribal review of data use, publications, and presentations.
- •Negotiate the evaluation plan during the application phase, not after award. A SAMHSA grant that requires GPRA/NOMS data submission is a reporting requirement, not a research protocol — but data sovereignty still applies to how that information is used beyond compliance.
Where Federal Reporting Meets Tribal Data Governance
IHS Resource and Patient Management System (RPMS)
RPMS is the electronic health record system used by IHS and many tribal health programs. For tribally operated 638 programs:
| Issue | Detail |
|---|---|
| System ownership | RPMS is an IHS system. Tribes operating under 638 use RPMS at their facilities but IHS retains certain administrative access. |
| Data ownership | Data entered into RPMS at tribal facilities is tribal data. However, IHS may access aggregate or de-identified data from RPMS for national reporting. |
| Transition to modern EHR | Some tribes have transitioned to commercial EHR systems (Epic, Cerner/Oracle, athenahealth) to gain more control over their health data and systems. This transition carries significant cost but increases data sovereignty. |
| Data exchange | Tribes that share data with state Health Information Exchanges (HIEs) or IHS data systems should have data sharing agreements that specify use limitations. |
Federal Grant Reporting Data
| Reporting System | What's Submitted | Sovereignty Concern |
|---|---|---|
| GPRA/NOMS (SAMHSA) | Performance metrics for SAMHSA-funded programs: enrollment, services, outcomes | Data enters federal systems. SAMHSA may aggregate and publish at the program level. Tribe should clarify with the grant program officer what tribal-identifying data is disclosed. |
| UDS (HRSA) | Uniform Data System reports for HRSA-funded health centers | Patient-level data submitted in aggregate. Tribe should ensure UDS data governance aligns with tribal data policies. |
| SF-425 Financial Reports | Expenditure data by budget category | Financial data, not clinical. Lower sovereignty sensitivity but still tribal governmental information. |
| Federal Audit Clearinghouse | Single Audit reports | Publicly accessible. Audit findings about tribal programs are visible to any federal agency and the public. |
| USASpending.gov | Federal award data (amounts, recipient information) | Award amounts and recipient information are public. This is a transparency requirement, not negotiable. |
State Reporting Data (Medicaid/Apple Health)
Tribal health programs billing Medicaid submit claims data to HCA. This data includes:
- •Patient demographics and encounter information
- •Diagnostic and procedure codes
- •Service dates and locations
HCA and managed care organizations have access to this data. AIHC has negotiated tribal-specific provisions in managed care contracts, but Medicaid claims data governance remains an active area of tribal advocacy.
Negotiating Data Provisions
Tribal health programs can and should negotiate data provisions into grant agreements and research partnerships. Not all provisions are negotiable in every context — federal reporting requirements are statutory — but the space for negotiation is wider than many programs realize.
What You Can Negotiate
| Provision | Where to Negotiate | Language Example |
|---|---|---|
| Tribal ownership of data | Grant subaward agreements, research MOUs | “All data collected under this agreement is owned by the Tribe. The [partner/agency] may use the data for the purposes described in this agreement. Secondary use requires written tribal approval.” |
| Publication review | Research partnerships, evaluation contracts | “No publication, presentation, or report using data collected under this agreement may be disseminated without prior written approval from the Tribal Council or designated tribal authority.” |
| Aggregation controls | Program reporting agreements | “Data may not be published or presented in a manner that identifies the Tribe or allows identification of tribal members without written tribal consent.” |
| Data return/destruction | Research agreements, contracts | “Upon completion of the project, all data and specimens shall be returned to the Tribe or destroyed per tribal protocol. The [partner] shall retain no copies.” |
| Tribal access | Data sharing agreements with state/federal agencies | “The Tribe shall have unrestricted access to all data collected about tribal citizens or within tribal service areas, regardless of where the data is stored.” |
| IRB/research review | Pre-award, during application development | Include tribal research review requirements in the application's evaluation plan. State explicitly that tribal council review is required before any data collection begins. |
What You Cannot Negotiate (Typically)
- •Federal financial reporting (SF-425) — required by statute
- •Single Audit submission to Federal Audit Clearinghouse — required by 2 CFR 200 Subpart F
- •USASpending.gov award disclosure — required by DATA Act
- •Grant-specific performance reporting (GPRA/NOMS for SAMHSA, UDS for HRSA) — required by program statute or terms
However, even for non-negotiable reporting, tribes can:
- •Maintain tribal copies of all submitted data
- •Review data before submission for accuracy
- •Request that the awarding agency not publish tribal-identifying data beyond what is legally required
- •Document the distinction between data submitted for compliance and data retained under tribal governance
Building a Tribal Data Governance Framework
For tribal health programs that do not yet have a formal data governance policy, the following elements form a starting framework:
Core Elements
- 1.Statement of tribal data sovereignty. Formal declaration by tribal council that the tribe exercises sovereignty over data about its people, lands, and resources.
- 2.Scope. What data is covered — health records, program data, research data, surveillance data, environmental data, cultural data.
- 3.Data ownership. Default ownership is the tribe. External partners may be granted use rights but not ownership.
- 4.Data collection standards. How data is collected, by whom, with what consent processes. Include both individual consent (HIPAA) and community consent (tribal approval).
- 5.Data storage and security. Where data is stored, who has access, what security standards apply. Prefer tribal-controlled systems where feasible.
- 6.Data sharing agreements. Template for agreements with federal agencies, state agencies, research partners, and other tribes. Include use limitations, publication review, and return/destruction provisions.
- 7.Research review process. How research proposals are reviewed, by whom, and what criteria apply. May be a formal tribal IRB, a tribal council review process, or delegation to NPAIHB.
- 8.Publication and dissemination. All publications, presentations, and reports using tribal data require tribal review and approval before release.
- 9.Enforcement. Consequences for violation of data governance provisions. May include contract termination, exclusion from future research partnerships, or legal action under tribal law.
Resources
- •NPAIHB provides data governance guidance and technical assistance for Portland Area tribes
- •National Indian Health Board (NIHB) has published national-level tribal health data governance recommendations
- •National Congress of American Indians (NCAI) has passed resolutions supporting tribal data sovereignty
- •Urban Indian Health Institute (UIHI) addresses data governance specifically for urban AI/AN populations
HIPAA and Tribal Health Programs
Tribal health programs that conduct electronic health transactions are covered entities under HIPAA. This means:
- •Privacy Rule, Security Rule, and Breach Notification Rule all apply
- •Patient health information is protected under HIPAA regardless of data sovereignty provisions
- •Tribal councils may want access to aggregate health data for program planning — this must be managed carefully. De-identified aggregate data can be used for governmental purposes without violating HIPAA. Individual-level data requires the same protections as any covered entity.
The intersection: HIPAA protects individual health information. Tribal data sovereignty protects community-level data and the collective right to govern information about the tribal nation. Both apply simultaneously. HIPAA is a floor, not a ceiling — tribal data governance provisions should exceed HIPAA protections, not conflict with them.