Alabama Healthcare Data Breach Notification Law Explained: Requirements, Deadlines, and Who to Notify



Kevin Henry

Data Breaches

February 28, 2026

8-minute read

Overview of Alabama Data Breach Notification Act

Alabama’s Data Breach Notification Act of 2018 (Ala. Code § 8-38-1 et seq.) sets statewide rules for how you investigate and give notice after a breach involving Sensitive Personally Identifying Information (SPII) in electronic form. The Act’s term “covered entity” is broader than HIPAA’s: it reaches any organization that acquires or uses SPII about Alabama residents, so healthcare providers, health plans, and business associates operating in Alabama are covered entities under the Act whether or not they are also regulated under HIPAA.

Who is covered

  • Any entity that acquires or uses SPII about Alabama residents, including hospitals, clinics, physician groups, health insurers, third‑party administrators, and IT/service vendors (third‑party agents).
  • Vendors that handle your patients’ data must alert you of a qualifying breach so you can meet notice obligations.

What triggers notification

  • A breach is the unauthorized acquisition of data in electronic form containing SPII. Individual notice is required when your investigation concludes that the breach is reasonably likely to cause substantial harm to the affected individuals.
  • You must conduct a prompt, good‑faith investigation to determine scope, risk, and remedial steps. The Act directs you to weigh, at a minimum, whether the SPII is in the physical possession of an unauthorized person (for example, a lost or stolen device), whether it was downloaded or copied, whether it has actually been used (for example, fraudulent accounts opened or identity theft reported), and whether it has been made public.

While HIPAA continues to govern protected health information (PHI), the Alabama Act adds state‑level duties around SPII and specifies who to notify in Alabama when thresholds are met.

Definition of Sensitive Personally Identifying Information

Under Alabama law, SPII means an Alabama resident’s first name or first initial and last name in combination with one or more of the following, for the same individual:

  • Non‑truncated Social Security number or Tax Identification Number.
  • Non‑truncated driver’s license number, state ID card, passport number, military ID, or other unique, government‑issued ID used to verify identity.
  • Financial account number (bank, credit card, or debit card) with any security code, access code, password, expiration date, or PIN required to access the account or complete a transaction.
  • Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
  • Health insurance policy number or subscriber ID and any unique identifier a health insurer uses to identify the individual.
  • Username or email address with a password or security question and answer that permits access to an online account affiliated with your organization and reasonably likely to contain or obtain SPII.

SPII does not include information lawfully made public through federal, state, or local government records or widely distributed media, or data that has been truncated, encrypted, secured, or otherwise modified so that it no longer identifies the individual. The encryption carve‑out is lost if the encryption key or security credential that would make the data readable was compromised together with the data (an encryption key compromise).


Notification Requirements and Deadlines

Risk‑of‑harm standard

  • Notify affected individuals if SPII was acquired (or you reasonably believe it was) by an unauthorized person and the incident is reasonably likely to cause substantial harm.
  • If you decide notice is not required, you must document your determination in writing and retain it for at least five years.

Data Breach Notification Deadlines

  • Provide individual notice as expeditiously as possible and without unreasonable delay—no later than 45 days after you determine a qualifying breach occurred or after you receive notice from a third‑party agent.
  • Law enforcement delay: if a federal or state law enforcement agency determines that notice would interfere with a criminal investigation or national security, you must delay notice for the period stated in the agency’s written request (which it may later extend or revoke in writing), then notify without unreasonable delay once the hold is lifted.

Form and content of individual notices

  • Delivery: written notice by mail to the mailing address on file, or by email to the email address on file. Substitute notice is allowed if direct notice is infeasible because (a) the cost exceeds $500,000 or is excessive relative to your resources, (b) you lack sufficient contact information, or (c) more than 100,000 individuals are affected. Substitute notice means a conspicuous posting on your website for at least 30 days plus notice in print and broadcast media, including major media in the urban and rural areas where the affected individuals reside.
  • Content must include: (1) the date or estimated date range of the breach; (2) a description of the SPII involved; (3) a general description of the actions you have taken to restore security; (4) steps the individual can take to protect against identity theft; and (5) your contact information for inquiries.

Third‑party agent breaches

  • Your vendor must notify you of a qualifying breach as soon as possible, and no later than 10 days after determining a breach or having reason to believe one occurred.
  • You, as the covered entity, are responsible for sending required notices (unless a contract delegates that task to the vendor).

Reporting Obligations to Attorney General

Who must report and when

  • If you are required to notify more than 1,000 Alabama residents, you must also provide written notice to the Alabama Attorney General within the same 45‑day timeframe.

What the Attorney General notice must include

  • A synopsis of events surrounding the breach.
  • The approximate number of Alabama residents affected.
  • Any free services you are offering (for example, credit monitoring) and how to use them.
  • Contact information for a designated employee or agent who can answer questions.

Information you mark as confidential in the Attorney General filing is not subject to public records disclosure. You may supplement your filing if new facts emerge.

Notification to Consumer Reporting Agencies

  • If you must notify more than 1,000 individuals at a single time, you must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, without unreasonable delay.
  • Your submission to the agencies must state the timing, distribution, and content of your individual notices; it does not need to include the SPII itself.

Exemptions and Encryption Standards

Federal law (HIPAA) exemption for healthcare

  • If you are subject to federal breach‑notification rules that are at least as thorough as Alabama’s (for example, HIPAA/HITECH) and you (1) maintain notification procedures under those rules and (2) give notice to affected individuals under them, the Alabama Act deems you in compliance, so you do not send duplicate individual notices under state law.
  • The exemption does not remove the Attorney General filing: if the number of individuals you notify exceeds 1,000, you must still provide a timely copy of your HIPAA notice to the Alabama Attorney General. Note that the threshold is more than 1,000 individuals notified, not 1,000 or more.

State law exemption

  • Entities regulated by a state breach‑notification regime that is at least as thorough as Alabama’s are likewise deemed in compliance if they follow those rules and, when more than 1,000 individuals are notified, send a copy of the notice to the Attorney General.

Encryption standards and safe harbor

  • Data that is truncated, encrypted, or otherwise rendered unusable is not treated as SPII for breach‑notification purposes, unless you know or have reason to know that the encryption key or security credential that could make the data readable or usable was breached together with the data. In practice this means the safe harbor depends on key management: if the attacker who took the ciphertext also held the keys (for example, on the same compromised host), the data counts as SPII.
  • Good‑faith acquisition by an employee or agent is not a breach if the information is not used for an unrelated purpose or subject to further unauthorized use.

Penalties for Non-Compliance

  • Violations of the notice provisions are unlawful trade practices under the Alabama Deceptive Trade Practices Act, enforceable exclusively by the Alabama Attorney General; the Act creates no private right of action.
  • Monetary exposure: civil penalties of up to $5,000 per day for each consecutive day you fail to take reasonable action to comply with the notice provisions, capped at $500,000 per breach.
  • Third‑party agents that fail to notify the covered entity are subject to the same penalties. Government entities must give the required notices but are not subject to civil penalties; the Attorney General may still seek injunctive relief against officials or employees.

Bottom line: know what counts as SPII, investigate promptly, meet the 45‑day deadline, and, when the more‑than‑1,000 threshold applies, file with the Attorney General and notify the nationwide consumer reporting agencies. Encryption with keys kept separate from the data, and disciplined vendor management with the 10‑day notice term written into contracts, materially reduce your notification exposure.

FAQs

What information qualifies as sensitive personally identifying information under Alabama law?

SPII includes a name plus any of the following for the same person: non‑truncated SSN/TIN; non‑truncated driver’s license, state ID, passport, or military ID; financial account number with a code/password/PIN/expiration date needed to access or transact; medical history, condition, treatment, or diagnosis information; health insurance policy or subscriber ID (and any unique insurer identifier); or a username/email with a password or security answers that permit access to an account holding or obtaining SPII.

When must healthcare entities notify affected individuals after a data breach?

Under the Alabama Act, as expeditiously as possible and without unreasonable delay, but no later than 45 days after determining a qualifying breach (or after receiving notice from a third‑party agent). If you are a HIPAA‑covered entity relying on the federal exemption, follow HIPAA’s 60‑day deadline; if more than 1,000 individuals are notified, you must still provide a copy of your HIPAA notice to the Alabama Attorney General.

Who must healthcare organizations notify if more than 1,000 individuals are affected?

Notify the Alabama Attorney General within 45 days and, if you are subject to the Alabama Act’s notice provisions, also notify all nationwide consumer reporting agencies without unreasonable delay about the timing, distribution, and content of your individual notices. HIPAA‑covered entities relying on the federal exemption must at least send the Attorney General a copy of their HIPAA notice when more than 1,000 individuals are notified.

What are the penalties for failing to comply with Alabama's breach notification requirements?

Violations can result in civil penalties of up to $5,000 per day for each consecutive day you fail to take reasonable action to comply, capped at $500,000 per breach. The Attorney General has exclusive enforcement authority; there is no private right of action. Vendors that fail to inform the covered entity can face the same penalties.
