
Alabama Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Alabama.

Expedient notification | 6-year retention | PMP AWARxE | Stricter than HIPAA

Alabama healthcare practices operate under the Alabama Data Breach Notification Act of 2018 (Ala. Code §8-38-1 et seq.), one of the youngest state breach statutes in the country and the last of the 50 states to enact such a law. The act sets a 45-day outer notification limit and requires Attorney General notification when 1,000 or more Alabama residents are affected. Penalties can reach $5,000 per day of continuing violation, with a per-breach cap of $500,000 — significant exposure relative to many neighboring Gulf-coast states. The Alabama Attorney General is the primary enforcer, with parallel licensure discipline through the Alabama Board of Medical Examiners and the Alabama State Board of Pharmacy. Medical record retention defaults to the HIPAA 6-year minimum since Alabama does not impose a longer state floor. Practices in Birmingham, Huntsville, Mobile, and Montgomery should also account for the Alabama PMP AWARxE every-Rx check requirement and the Alabama Department of Public Health's 24-hour communicable-disease reporting deadline. The Alabama Department of Human Resources is the recipient for child-abuse and elder-abuse mandatory reports. The combination of a 45-day breach window plus the $5,000-per-day continuing-violation structure means a delayed notification can stack penalties faster than in most regional peers.

Breach Notification Rules

Notification deadline

Most expedient time possible

Notification must be made as expeditiously as possible and without unreasonable delay, no later than 45 days after determination of breach.

AG notification threshold

1000+ affected individuals

Notify: AG

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $5,000 per day, max $500,000 per breach

Stricter than federal HIPAA

Enforcement Posture

Alabama's enforcement posture is best characterized as reactive but well-funded — the Attorney General's Consumer Protection Division has the authority to pursue per-day continuing violations under the 2018 Act, but the office has not historically driven proactive audit programs against healthcare entities. Most providers will encounter friction first through the Alabama Board of Medical Examiners or the Alabama State Board of Pharmacy if a PHI incident is paired with a controlled-substance or PMP issue. The penalty structure under Ala. Code §8-38-9 is what most distinguishes Alabama from its regional peers: $5,000 per day for the first 30 days of a violation, escalating to $50,000 per day thereafter, with the $500,000-per-breach cap. Practices should not interpret the relative quiet of the AG's healthcare enforcement docket as evidence of light penalty exposure if a notable breach surfaces.

Medical Records Retention

Record type | Retention period | Measured from
General medical | 6 years | Last treatment

Controlled-Substance Prescription Monitoring (PMP AWARxE)

The Alabama PMP AWARxE is administered by the Alabama Department of Public Health Bureau of Professional Affairs and accessed at alabama.pmpaware.net. Prescribers must check the database before every Schedule II–V controlled-substance prescription, with delegation to office staff permitted. Exemptions cover hospice, inpatient hospital administration, and short office-administered supplies up to 3 days. Penalties include licensing-board discipline and possible misdemeanor charges for willful noncompliance. Retain query evidence with the prescription record.

Check required

Every prescription

Check frequency

Every prescription

Delegation allowed

Yes — licensed staff may query under prescriber oversight

Penalty range

Disciplinary action by licensing board; possible misdemeanor charges

Exemptions

Hospice patients, inpatient hospital administration, ≤3 day supply administered in office

How Alabama Rules Hit by Specialty

Pharmacy/compounding

Alabama PMP AWARxE requires every-Rx checks for Schedule II–V prescriptions, with delegation to office staff permitted. Compounding pharmacies should layer Alabama State Board of Pharmacy compounding rules over USP <795>/<797>, retain PMP query records, and document the rationale for any exemption (hospice, cancer treatment, ≤3-day office administration).

Hospital systems

Alabama hospital records inherit the HIPAA 6-year minimum since the state does not impose a longer retention floor. Hospitals should default to their internal policy minimum (often 10 years) for risk-management reasons even though state law does not require it.

Behavioral health

Alabama behavioral-health providers face 42 CFR Part 2 segregation on top of HIPAA, plus Alabama Department of Mental Health licensing-driven recordkeeping. Substance-use treatment records require explicit patient consent for disclosure to other treating providers in most non-emergency scenarios.

Mandatory Reporting Obligations

Mandated reporters

All healthcare professionals including physicians, nurses, dentists, mental health professionals, and any person called upon to render aid

Report to

Department of Human Resources (DHR) or local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Misdemeanor, up to 6 months jail and/or $500 fine

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

All physicians, nurses, social workers, and other healthcare professionals

Report to

Department of Human Resources, Adult Protective Services

Timeline

Immediately / as soon as possible

Penalty for failure

Misdemeanor, up to $500 fine

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers treating injuries caused by weapons or criminal acts

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, nurses, laboratory directors, and other healthcare providers

Report to

Alabama Department of Public Health

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $500 fine per violation

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

All healthcare providers treating gunshot wounds

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Alabama Compliance FAQs

Yes. The Alabama Data Breach Notification Act of 2018 sets a 45-day outer notification limit measured from determination of a breach, with Attorney General notification when 1,000 or more Alabama residents are affected. The clock starts at determination of the breach, not at discovery of the incident — but practices should treat the two dates conservatively as the same.

Alabama imposes up to $5,000 per day of continuing violation for the first 30 days, escalating to $50,000 per day after the 30-day mark, with a $500,000 per-breach cap under Ala. Code §8-38-9. A 60-day delay on a multi-thousand-record breach can stack to the cap quickly.

Alabama does not impose a state retention floor beyond the federal HIPAA 6-year minimum measured from the date of creation of the record or the date when last in effect. Hospitals and larger practices typically default to 10 years for risk-management reasons.

Yes. Every Schedule II–V controlled-substance prescription requires a PMP AWARxE check unless an exemption applies (hospice, inpatient administration, ≤3-day office administration). Delegation to office staff is permitted, but the prescriber remains accountable.

The Alabama Attorney General's Consumer Protection Division is the primary enforcer, with civil penalties up to $5,000/day for the first 30 days and $50,000/day thereafter. The Alabama Board of Medical Examiners and Alabama State Board of Pharmacy can pursue parallel licensure discipline.
