On June 1, 2018, any person or business that acquires or uses personally identifiable information of an Alabama resident, or contracts to maintain, store, process or access such information, may be subject to The Alabama Data Breach Notification Act of 2018. On March 28, Alabama, following unanimous vote of the house and senate, became the 50th state to enact legislation to protect the data of its residents. The time taken to structure the legislation resulted in a stringent Act that addresses current cybersecurity threats, such as hacking events that circumvent encryption technologies. For a healthcare provider or vendor, the Act is comparable to HIPAA and provides a HIPAA safeharbor for HIPAA compliant organizations.
|
Provision 
|
Alabama |
HIPAA |
|
Who is regulated: Covered Entity |
person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information |
Health plan, healthcare clearinghouse or healthcare provider transmitting HIPAA transaction 
|
|
Who is regulated: Third Party Agent vs. Business Associate |
entity that has contracted to maintain, store, process, or otherwise access sensitive personally identifying information when providing services to covered entity |
Person, other than workforce, , that creates, receives, maintains or transmits PHI for covered entity |
|
Who is protected |
Alabama residents |
Individual whose PHI is created, received, maintained or transmitted |
|
What is protected |
Sensitive personally identifiable information: first name or initial and last name plus non-truncated SSI, tax ID, state or government issued ID, financial account information with access information, and any information regarding an individual's medical history, condition, treatment or diagnosis; health insurance policy number or ID number and unique insurer ID; name or email plus password or security question and answer to enable access to a covered entity account. |
PHI: individually identifiable health information, including demographics, created or received that relates to the past, present, or future health condition, treatment or payment |
|
Electronic or digital, including tapes or storage devices |
Electronic, paper or other |
|
|
What is a Breach |
Unauthorized acquisition with limited exceptions including good faith of covered entity employee and law enforcement |
Acquisition, access, use or disclosure of PHI not permitted by the Privacy Rule which compromises the security or privacy of PHI; some limited exceptions |
|
Breach Risk Assessment |
Information was actually acquired or reasonably believed to be acquired and the breach is reasonably likely to cause substantial harm to individuals; consider if the information in the physical control of another (lost/stolen device); downloaded or copied; unauthorized use (accounts opened/identity theft reported) or information made public |
Consider if there is a low probability of risk to PHI: (1) nature and extent of PHI; (2) unauthorized person who used or to whom disclosure was made; (3) was it actually acquired or viewed; (4) extent of mitigation |
|
Encryption Safeharbor |
Yes but not if the encryption key or code is compromised |
Yes; but HHS guidance notes that encryption is not a safeharbor when unauthorized access circumvents the encryption level |
|
How is it protected? |
||
|
HIPAA Safeharbor |
Compliance with HIPAA and notice for ≥1000 |
|
|
Security Measures |
Security officer, risk assessment and identification, and adoption and assessment of safeguards to address risks |
HIPAA Security Rule |
|
Security Risk Assessment |
Identify internal and external risks |
HIPAA Security Rule |
|
Contracts |
contracts with service providers requiring appropriate safeguards; CE may contract with 3rd Party regarding breach notice obligations |
BAAs |
|
Management Reports |
Informing management and board of overall security measures |
None but OIG guidance recommends similar action |
|
Disposal |
Reasonable measures to dispose of records in custody or control |
HIPAA Security Rule |
|
Notice |
Individuals; if ≥ 1000, notice to Attorney General and consumer reporting agencies; substitute notice allowed |
Individuals; if ≥ 500, notice to HHS and media; substitute notice allowed |
|
Covered Entity Timing |
As expeditiously as possible if at CE; within 45 if at 3rd Party |
Within 60 days; HHS considers this the outer limit and possibly inadequate in some circumstances |
|
Business Associate Timing |
Notice to Covered Entity as expeditiously as possible after determination of breach or reason to believe breach occurred but no later than 10 days |
Within 60 days; HHS considers this the outer limit and inadequate in some circumstances |
|
Penalty/Fine |
Unlawful trade practice; civil penalties; no criminal penalty (max. $500,000/breach); $5000/day for delayed notice |
Civil and criminal fines and penalties |
|
Covered entity and 3rd party liability |
Covered entity and business associate liability |
|
|
Attorney General representative action |
U.S. Attorney General restitution to victims |
|
|
No private right of action |
No private right of action |
Beth Pittman, JD, CHPC is Of Counsel with Waller, Lansden, Dortch & Davis LLP where she practices Health Law.
