The Alabama Data Breach Notification Act of 2018


On June 1, 2018, any person or business that acquires or uses personally identifiable information of an Alabama resident, or contracts to maintain, store, process or access such information, may be subject to The Alabama Data Breach Notification Act of 2018. On March 28, Alabama, following unanimous vote of the house and senate, became the 50th state to enact legislation to protect the data of its residents. The time taken to structure the legislation resulted in a stringent Act that addresses current cybersecurity threats, such as hacking events that circumvent encryption technologies. For a healthcare provider or vendor, the Act is comparable to HIPAA and provides a HIPAA safeharbor for HIPAA compliant organizations.




Who is regulated: Covered Entity

person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information

Health plan, healthcare clearinghouse or healthcare provider transmitting HIPAA transaction

Who is regulated: Third Party Agent vs. Business Associate

entity that has contracted to maintain, store, process, or otherwise access sensitive personally identifying information when providing services to covered entity

Person, other than workforce, , that creates, receives, maintains or transmits PHI for covered entity

Who is protected

Alabama residents

Individual whose PHI is created, received, maintained or transmitted

What is protected

Sensitive personally identifiable information: first name or initial and last name plus non-truncated SSI, tax ID, state or government issued ID, financial account information with access information, and any information regarding an individual's medical history, condition, treatment or diagnosis; health insurance policy number or ID number and unique insurer ID; name or email plus password or security question and answer to enable access to a covered entity account.

PHI: individually identifiable health information, including demographics, created or received that relates to the past, present, or future health condition, treatment or payment

Electronic or digital, including tapes or storage devices

Electronic, paper or other

What is a Breach

Unauthorized acquisition with limited exceptions including good faith of covered entity employee and law enforcement

Acquisition, access, use or disclosure of PHI not permitted by the Privacy Rule which compromises the security or privacy of PHI; some limited exceptions

Breach Risk Assessment

Information was actually acquired or reasonably believed to be acquired and the breach is reasonably likely to cause substantial harm to individuals; consider if the information in the physical control of another (lost/stolen device); downloaded or copied; unauthorized use (accounts opened/identity theft reported) or information made public

Consider if there is a low probability of risk to PHI: (1) nature and extent of PHI; (2) unauthorized person who used or to whom disclosure was made; (3) was it actually acquired or viewed; (4) extent of mitigation

Encryption Safeharbor

Yes but not if the encryption key or code is compromised

Yes; but HHS guidance notes that encryption is not a safeharbor when unauthorized access circumvents the encryption level

How is it protected?

HIPAA Safeharbor

Compliance with HIPAA and notice for ≥1000

Security Measures

Security officer, risk assessment and identification, and adoption and assessment of safeguards to address risks

HIPAA Security Rule

Security Risk Assessment

Identify internal and external risks

HIPAA Security Rule


contracts with service providers requiring appropriate safeguards; CE may contract with 3rd Party regarding breach notice obligations


Management Reports

Informing management and board of overall security measures

None but OIG guidance recommends similar action


Reasonable measures to dispose of records in custody or control

HIPAA Security Rule


Individuals; if ≥ 1000, notice to Attorney General and consumer reporting agencies; substitute notice allowed

Individuals; if ≥ 500, notice to HHS and media; substitute notice allowed

Covered Entity Timing

As expeditiously as possible if at CE; within 45 if at 3rd Party

Within 60 days; HHS considers this the outer limit and possibly inadequate in some circumstances

Business Associate Timing

Notice to Covered Entity as expeditiously as possible after determination of breach or reason to believe breach occurred but no later than 10 days

Within 60 days; HHS considers this the outer limit and inadequate in some circumstances


Unlawful trade practice; civil penalties; no criminal penalty

(max. $500,000/breach);

$5000/day for delayed notice

Civil and criminal fines and penalties

Covered entity and 3rd party liability

Covered entity and business associate liability

Attorney General representative action

U.S. Attorney General restitution to victims

No private right of action

No private right of action

Beth Pittman, JD, CHPC is Of Counsel with Waller, Lansden, Dortch & Davis LLP where she practices Health Law.


Related Articles:

Email Print





Powered by Bondware
News Publishing Software

The browser you are using is outdated!

You may not be getting all you can out of your browsing experience
and may be open to security risks!

Consider upgrading to the latest version of your browser or choose on below: