Georgia Healthcare Compliance: Breach Notification + State Medical Records Rules
8 min read · Last reviewed May 23, 2026
Georgia layers two patient-data statutes on top of HIPAA: the breach-notification regime at O.C.G.A. § 10-1-910 et seq. and the medical records access rule at O.C.G.A. § 31-33-2. The two practical divergences from HIPAA: Georgia's per-page records-release fee cap at § 31-33-3 and the UDTPA private-right-of-action overlay at O.C.G.A. § 10-1-372 that HIPAA does not provide.
What Georgia statutes actually require
Georgia has no single comprehensive medical-privacy statute analogous to California's CMIA or Texas's HB300. Instead, the medical-data regime is built from three Code provisions:
- Breach notification at O.C.G.A. § 10-1-910 to § 10-1-915. Applies to "information brokers" and "data collectors" — defined broadly to capture any business that handles computerized personal information of Georgia residents.
- Medical records access at O.C.G.A. § 31-33-2. Governs patient access to medical records held by Georgia providers, with a 30-day window under § 31-33-2(b).
- Records retention at O.C.G.A. § 31-33-2(a)(1)(A). Specified record items retained for at least 10 years from the date of creation.
Core obligations:
- Breach definition. § 10-1-911(6) — unauthorized acquisition of unencrypted computerized data containing personal information. "Personal information" includes name combined with SSN, driver's license or state ID, account number with access credential, or password/PIN/access code.
- Individual notification. § 10-1-912(a) — notice to affected Georgia residents in the most expedient time possible, subject to law-enforcement hold. No fixed numeric deadline.
- Consumer reporting agency notification at >10,000 affected. § 10-1-912(d) — written notice to all nationwide consumer reporting agencies. Georgia does not require AG notification by statute.
- Records access. § 31-33-2(b) — copy of medical record within 30 days of written request.
- Fee caps on copies. § 31-33-3 — specific per-page and per-record caps for copies provided to patients.
Where Georgia is stricter than HIPAA
The single comparative table a Georgia practice needs:
| Topic | HIPAA | Georgia | Stricter | |---|---|---|---| | Patient records access | 30 days, +30-day extension (45 CFR § 164.524(b)(2)) | 30 days under O.C.G.A. § 31-33-2(b) | Comparable | | Records retention | 6 years for compliance docs (45 CFR § 164.530(j)); clinical retention deferred to state law | 10 years from creation for specified items (O.C.G.A. § 31-33-2(a)(1)(A)) | Georgia on clinical retention | | Breach individual notice | 60 days from discovery (45 CFR § 164.404(b)) | "Most expedient time possible" (O.C.G.A. § 10-1-912(a)) | HIPAA gives fixed ceiling; Georgia practically faster | | CRA notification threshold | None for CRAs; HHS at any size | Notice to nationwide CRAs at >10,000 Georgia residents (O.C.G.A. § 10-1-912(d)) | Georgia on CRA path | | UDTPA exposure | None | Individual claims for unfair business practice (O.C.G.A. § 10-1-372) | Georgia | | Encryption safe harbor | Encrypted-data exclusion (45 CFR § 164.402) | Unencrypted-data trigger (O.C.G.A. § 10-1-911(6)) | Comparable | | Civil penalty per violation | Tier-1 $145–$73,011; higher tiers use $1,461 / $14,602 / $73,011 minimums and a $2,190,294 annual cap per identical violation (penalties assessed on or after Jan. 28, 2026 — 45 CFR § 102.3; 91 FR 3665) | Fair Business Practices Act civil penalties up to $5,000 per violation under O.C.G.A. § 10-1-397 | HIPAA per-violation higher |
Where Georgia practices most often trip is the records-release fee cap at § 31-33-3. The statute prescribes tiered per-page and per-record caps for copies furnished to patients; a flat copying fee or a vendor-pass-through charge can violate the cap and trigger UDTPA exposure or Composite Medical Board complaints. A Georgia practice running a generic HIPAA workflow without state-specific fee-cap review is the most common pattern we see.
The other consistent surprise is the 10-year records retention floor under § 31-33-2(a)(1)(A). HIPAA's six-year retention applies to compliance documentation, not to clinical records — clinical retention is governed by state law. Georgia's 10-year floor (running from creation of the specified items) is the binding requirement, and a practice that purges clinical records on a six-year HIPAA-shaped schedule has likely violated Georgia retention.
Where HIPAA is stricter than Georgia
The three areas where federal law is the harder rule:
- Security Rule technical safeguards. Georgia has no analogous statute. HIPAA's Security Rule at 45 CFR Part 164, Subpart C prescribes a structured technical, administrative, and physical safeguards program — annual risk analysis, audit logging, encryption decisions, contingency planning, sanction policy.
- Breach risk assessment methodology. HIPAA's four-factor analysis at 45 CFR § 164.402 governs whether a security incident qualifies as a reportable breach. Georgia's breach statute does not impose a comparable methodology; Georgia regulators look to the federal framework when reviewing § 10-1-912 filings.
- Authorization specificity. HIPAA's authorization rules at 45 CFR § 164.508 prescribe content, format, and expiration. Georgia has no parallel statutory authorization form.
Breach notification timeline
A Georgia practice that discovers a breach affecting GA residents runs three parallel notifications:
- Individual notice "in the most expedient time possible" under O.C.G.A. § 10-1-912(a). No fixed numeric outer deadline; AG enforcement and best practice treat 45 days as the working ceiling absent investigative complexity. The notice must describe the categories of personal information involved and provide contact information for the major credit bureaus.
- Consumer reporting agency notification at >10,000 affected under O.C.G.A. § 10-1-912(d) — written notice to all nationwide consumer reporting agencies. Under the 10,000 threshold, CRA notice is not required.
- Processor-to-owner notice within 24 hours under O.C.G.A. § 10-1-912(b) — applies only when the entity that suffers the breach maintains the data on behalf of a separate data owner.
- HHS report and individual notice under HIPAA at 45 CFR § 164.408 and 45 CFR § 164.404 — 60-day individual notice; HHS report within 60 days for 500+ affected.
Substitute notice via statewide media is available under O.C.G.A. § 10-1-912 when the cost of direct notice would exceed $250,000 or more than 500,000 Georgia residents are affected.
Penalties + private right of action
The numbers a Georgia practice needs:
- Fair Business Practices Act penalties. O.C.G.A. § 10-1-397 — up to $5,000 per violation in AG enforcement under the FBPA; up to $5,000 per intentional violation plus injunctive relief.
- UDTPA injunctive relief. O.C.G.A. § 10-1-372 — individual plaintiffs can seek injunctive relief and attorney's fees for unfair business practices, using a § 10-1-912 breach-notification violation as the predicate.
- Common-law negligence claims. Georgia recognizes negligence per se where a statutory standard is violated; plaintiffs in medical-data breach cases often plead negligence per se with the breach statute as the predicate.
- Medical Board discipline. Failure to comply with § 31-33-2 records access can trigger Composite Medical Board action against the physician's license, independent of any civil claim.
- HIPAA OCR penalties continue to apply in parallel under 45 CFR § 160.404.
Georgia's enforcement environment is less aggressive than CA or WA, but UDTPA layering and Medical Board action are the practical levers plaintiffs and patients use. The dollar exposure is modest compared to CMIA or BIPA, but the volume of records-access complaints filed with the Medical Board is meaningful for any practice with a slow records-release workflow.
Compliance checklist for in-state practices
A Georgia-specific overlay to a HIPAA program:
- Records release SLA at 30 days under O.C.G.A. § 31-33-2(b). Train front-desk and HIM staff to log the request date and the release date for every patient records request.
- Records retention at 10 years from creation under § 31-33-2(a)(1)(A). Replace any six-year HIPAA-derived purge cycle with the 10-year Georgia floor.
- Fee-cap documentation under § 31-33-3 for every records-release fee charged. The cap is per-page tiered; a flat copying fee can violate the statute.
- Encryption posture documentation for every device and database holding personal information of Georgia residents — for invoking the § 10-1-911(6) safe harbor if a breach occurs.
- Breach response runbook that triggers individual notice within 45 days absent investigative complexity, CRA notice at >10,000 affected, processor-to-owner notice within 24 hours where applicable, and HHS notice on the 60-day HIPAA track.
- Workforce training on Georgia statutes at hire and annually, separately documented from HIPAA training. Cover the 10-business-day continuity rule and the 10-year retention floor specifically.
- UDTPA exposure review — periodic counsel review of any patterns of records-access delays or breach-notification timing that could form the basis of UDTPA claims.
- Composite Medical Board complaint monitoring — Board complaints driven by records-access delays are the most common direct discipline path; a quarterly review of records-release metrics reduces this exposure.
The d3rx compliance binder state-overlay branches on Georgia and produces the 30-day records-release SLA, the 10-year retention policy, the § 31-33-3 fee-cap reference, and the breach response template a Georgia practice runs alongside the federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for executing the controls.
Cross-references: see Florida FIPA for medical practices and Texas HB300 for the neighboring-state regimes a Southeastern multi-state practice often runs alongside Georgia compliance.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Georgia Healthcare Compliance: Breach Notification + State Medical Records Rules. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does Georgia's breach notification statute apply to medical practices?
Yes, in most cases. O.C.G.A. § 10-1-911 applies to any 'information broker' or 'data collector' that maintains computerized personal information of Georgia residents. The statute defines those terms broadly enough to capture medical practices that hold electronic patient records containing names plus SSNs, driver's license or state ID numbers, account numbers with access credentials, or passwords/PINs/access codes. The HIPAA-covered status of the practice does not exempt it from O.C.G.A. § 10-1-912.
What's the Georgia breach notification window?
There is no fixed numeric deadline. O.C.G.A. § 10-1-912(a) requires notice 'in the most expedient time possible and without unreasonable delay,' subject to law-enforcement holds. Georgia AG enforcement has treated this as approximately 45 days absent documented investigative complexity. HIPAA's [45 CFR § 164.404(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404) imposes a fixed 60-day outer deadline for individual notice — the HIPAA clock is the practical ceiling for HIPAA-covered Georgia practices.
How fast must Georgia practices respond to a patient records request?
Comparable to HIPAA, with the records-release fee cap as the real divergence. O.C.G.A. § 31-33-2(b) requires a provider to furnish a complete and current copy of the medical record to the patient within 30 days of a written request, and § 31-33-2(d) addresses provider reliance on a signed patient authorization. HIPAA's [45 CFR § 164.524(b)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524) also gives 30 days, extendable once. The substantive Georgia divergence is the per-page/per-record fee cap at § 31-33-3, not the timeline.
Is there a private right of action under Georgia breach or records law?
Through Georgia's Uniform Deceptive Trade Practices Act. Georgia's breach statute at O.C.G.A. § 10-1-913 designates the AG as the primary enforcer but does not foreclose individual claims under the UDTPA at O.C.G.A. § 10-1-372, which allows individuals to seek injunctive relief and attorney's fees for unfair business practices. Standalone civil claims for negligent disclosure of medical information also exist under Georgia common law. HIPAA itself has no private right of action — only the layered Georgia UDTPA gives individuals a direct litigation lever.
Does Georgia have an encryption safe harbor?
Yes. O.C.G.A. § 10-1-911(6) defines a breach as unauthorized acquisition of *unencrypted* computerized data containing personal information. If the data was encrypted and the encryption key was not also compromised, individual notice is not required under § 10-1-912. The safe harbor is comparable to NJ's and similar to HIPAA's encrypted-data exclusion at [45 CFR § 164.402](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402), but the Georgia safe harbor attaches only if the encryption was operative at the time of the incident.
Does Georgia require notice to the Attorney General after a breach?
No. Georgia's breach statute does not require notice to the Attorney General. Under O.C.G.A. § 10-1-912(d), breaches affecting more than 10,000 Georgia residents require written notice to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis — but not to the AG. Separately, § 10-1-912(b) requires a data processor that does not own the data to notify the data owner within 24 hours of discovery. For HIPAA-covered Georgia practices, HHS reporting under [45 CFR § 164.408](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408) remains the regulator-facing channel.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- O.C.G.A. § 10-1-910 to § 10-1-915https://law.ga.gov/
- 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
- 45 CFR § 164.508https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
- 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
- 45 CFR § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Florida Healthcare Compliance: FIPA Breach Notification + State Specifics
10 min readState ComplianceTexas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAA
8 min readState CompliancePennsylvania Healthcare Compliance: Breach Notification + Practice Operations
11 min readRelated across the archive
- ComplianceFlorida Healthcare Compliance: FIPA Breach Notification + State SpecificsFlorida Information Protection Act (F.S. § 501.171) vs HIPAA: 30-day breach window, AG notice at 500 residents, $500k penalty cap, F.S. § 456.057 records rules.
- CompliancePennsylvania Healthcare Compliance: Breach Notification + Practice OperationsPennsylvania Breach of Personal Information Notification Act (73 Pa. C.S. § 2301) vs HIPAA: the concurrent AG notice rule, medical record retention, and where state law bites a PA practice.
- ComplianceOhio Healthcare Compliance: Data Protection Act + State SpecificsOhio Data Protection Act (Ohio Rev. Code § 1354) vs HIPAA: the affirmative defense framework, named cybersecurity frameworks, and what Ohio breach notification adds.
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- RegulationHIPAA Authorization Requirements (45 CFR 164.508)Required elements and statements for a valid HIPAA authorization, plus the prohibition on combining authorizations with other documents in most circumstances.
- SRAChange Healthcare Ransomware: What Small Practices Took AwayThe February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- StateGeorgia healthcare compliance overlayGeorgia has no comprehensive state-specific medical-information privacy statute beyond HIPAA.