Georgia HIPAA Laws: An Overview

Georgia HIPAA Laws

Healthcare providers subject to HIPAA in Georgia are also subject to Georgia state laws providing for privacy and security of medical data. Georgia HIPAA laws differ slightly from the federal HIPAA law in several aspects. Georgia HIPAA laws are discussed below.

Georgia HIPAA Laws: HIPAA Authorization Form Georgia

The HIPAA Authorization Form rule requires that providers obtain written patient authorization before certain uses and disclosures of protected health information (PHI) can be made. 

There is no special language for a “HIPAA Georgia Authorization Form.” A form developed under the HIPAA Privacy Rule is valid in Georgia, provided it contains the specific core HIPAA elements. 

These elements include:

  • A description of the specific information to be used or disclosed
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
  • The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure
  • A description of each purpose of the requested use or disclosure 
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
  • The signature of the individual and the date 

Georgia HIPAA laws, like federal HIPAA, require written patient authorization for otherwise prohibited uses and disclosures. In Georgia, one instance where written authorization must first be obtained is when a patient makes an application for benefits under the Georgia Crime Victims Compensation Program. This requirement is unique to Georgia HIPAA laws. 

Georgia runs the program on the state level without federal assistance. The Georgia Crime Victims Compensation Program (GCVCP) assists crime victims with expenses they incurred due to a violent crime. Submitting a Georgia HIPAA written patient authorization form (also called a Georgia HIPAA medical release form) is part of the benefits application process. 

Under Georgia HIPAA laws, a patient must provide specific written authorization for the following disclosures:

  1. Information regarding the diagnoses or treatment of HIV/AIDS
  2. Information regarding the diagnoses or treatment of sexually transmitted diseases
  3. Information regarding drug and/or alcohol abuse diagnoses or treatment
  4. Information regarding diagnoses of mental illness
  5. Information regarding psychiatric treatment 


Georgia HIPAA Privacy Rule vs. Federal HIPAA Privacy Rule

HIPAA has special rules covering who can request the PHI of someone who has died. 

Under HIPAA, a covered entity may disclose a deceased person’s PHI to any of the following personal representatives:

  • A family member who was involved in the individual’s care or payment for healthcare prior to the individual’s death
  • Another relative who was involved in the individual’s care or payment for healthcare prior to the individual’s death
  • A close personal friend of the deceased who was involved in the individual’s care or payment for healthcare prior to the individual’s death
  • Any other person identified by the individual before death who was involved in the individual’s care or payment for healthcare prior to the individual’s death

There is a limit to the amount and type of PHI that may be disclosed to these individuals, though. Only that PHI relevant to the person’s involvement in the deceased’s care or payment for healthcare may be disclosed. 

In addition, a provider may not disclose this PHI to any of these people if the deceased person had told the provider, before death, that the deceased person did not want the family member, relative, or close personal friend to receive the information.

That’s HIPAA.

What does Georgia HIPAA law have to say on this subject? Georgia law allows a broader class of people to receive PHI than federal HIPAA. 

Georgia allows a provider having custody and control of a deceased patient’s record to furnish a complete and current copy of a patient’s medical record to the following individuals: 

  • The executor, administrator, or temporary administrator for the decedent’s (deceased person’s) estate, if such person has been appointed
  • The surviving spouse, if an executor, administrator, or temporary administrator for the decedent’s estate has not been appointed
  • Any surviving child, if there is no surviving spouse
  • Any parent, if there is no surviving child

Georgia HIPAA Laws: Georgia Data Breach Notification Law 

Georgia has a data breach notification law, which requires information brokers that maintain computerized data to disclose certain breach information. When an information broker incurs a breach that discloses the personally identifying information of a Georgia resident, the information broker must disclose the fact of the breach and provide notification of breach details to affected residents.

Under the Georgia data breach notification law, an “information broker” means:

“any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to non-affiliated third parties.” 

In other words, under the Georgia data breach notification law, an information broker gives computerized personal information (information stored in electronic form) to another entity.

Under the Georgia data breach notification law, personally identifying information includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when either the name or the data elements are not encrypted or redacted):

  • Social security number
  • Driver’s license number or state identification card number 
  • Account number, credit card number, or debit card number, if that number can be used without additional identifying information, access codes, or passwords
  • Account passwords or personal identification numbers, or other access codes

Under the Georgia data breach notification law, the information broker must notify affected individuals without unreasonable delay; the law sets no specific time limit for this individual notification. 

However, if the broker maintains the data on behalf of another business and that data is breached, the broker must notify that other business within 24 hours.

Under the Georgia data breach notification law, if notification is required for more than 10,000 individuals, then the notification must also be sent to all nationwide consumer reporting agencies.

Georgia Recordkeeping: Georgia Medical Record Retention Laws

Federal HIPAA law does not require providers to maintain medical records for any fixed period of time. Under Georgia medical record retention laws, a Georgia provider having custody and control of any evaluation, diagnosis, prognosis, laboratory report, or biopsy slide in a patient’s record must retain the information item for not less than ten years from the date the information was created.
