Health Information Compliance Alert

Enforcement News:

Alabama Joins Other States with Breach Notification Law

Providers must follow certain federal data breach and notification policies covered under HIPAA. At long last, all 50 states and territories have their own laws and regulations for reporting privacy and data violations in addition to HIPAA.

Background: California started the trend of adopting state-centered rules for clinicians for data-breach notification back in 2002, suggested attorney Zach Heck of Taft Stettinius & Hollister in a Lexology blog post on the subject. Alabama recently added its own regulations and is the final state to do so.

Read the Alabama Breach Notification Act of 2018 at http://arc-sos.state.al.us/PAC/SOSACPDF.001/A0012674.PDF.

The Alabama law requires covered entities and "third party agents" to notify the state within 10 days of the breach, which is a very quick turnaround for impacted practices. The law follows similar rulings from other states and includes descriptions of identifying violations, penalties, and more.

"Although many breach notification laws contain similar language, the definition of a breach and the proactive and reactive duties related to breach response vary depending upon the affected individual's state of residence," noted Heck. "Alabama is similar to its breach notification brethren in many ways, but includes specific reasonable security measurement requirements, possible notification to the Attorney General, and a short ten day period for Third-Party Agents to notify a Covered Entity of a breach."

Resource: To access every state's data-breach guidance and rules, visit www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.