Alabama Act 2018-396: Alabama Data Breach Notification Act
Originally known as Alabama Senate Bill 318, it was passed March 27, 2018.
Among other requirements, the Alabama Data Breach Notification Act provides the following:
- Certain entities must notify certain persons when a breach of security results in the unauthorized acquisition of sensitive personal information.
- When a breach is “reasonably likely to cause substantial harm,” notice must be given to all individuals affected within 45 days of the determination of a breach.
- If more than 1,000 individuals are impacted, written notice must be sent to the Attorney General within 45 days. Notification must also be sent “without unreasonable delay” to all nationwide consumer reporting agencies.
- If an entity is found to be in violation of the act, it will be subject to civil penalties up to $500,000 for a single breach.
Remember that Alabama state laws apply in addition to federal HIPAA requirements.
If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR).