Georgia Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Georgia.

Expedient notification · 10-year retention · Georgia PDMP

Georgia healthcare practices operate under O.C.G.A. §10-1-912, the Georgia Personal Identity Protection Act, with no statutory hard deadline but a uniform "most expedient time possible and without unreasonable delay" standard. There is no statutory AG-notification threshold under the consumer-data-breach statute (unlike Florida's 500 or California's 500), but the Georgia Attorney General retains broader consumer-protection authority that has been used historically against major healthcare breaches in the state. Medical record retention sits at 10 years from last treatment under Ga. Comp. R. & Regs. 290-9-6-.14, with pediatric records held until age 23 or 10 years post-treatment, whichever is later. Practices in Atlanta, Augusta, Savannah, Columbus, and Macon should also account for the Georgia PDMP every-Rx check requirement administered by the Georgia Drugs and Narcotics Agency under the Georgia Department of Public Health. Georgia pain-management practices face Pain Management Clinic licensure under O.C.G.A. §43-34-280 et seq., a post-opioid-crisis regulatory framework similar in spirit to Tennessee's. The Georgia Composite Medical Board and Georgia State Board of Pharmacy run parallel licensure-discipline lanes.

Breach Notification Rules

Notification deadline

Most expedient time possible

Notification must be made in the most expedient time possible and without unreasonable delay.

AG notification threshold

Not explicitly required

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Enforced by AG under general consumer protection authority

Comparable to federal HIPAA

Enforcement Posture

Georgia's enforcement posture is moderate — neither as active as Florida's nor as reactive as Mississippi or Alabama. The Georgia Attorney General has consumer-protection authority and has historically pursued major breaches involving Georgia residents, but the office does not run a dedicated proactive audit program. The Georgia Composite Medical Board and the Georgia State Board of Pharmacy carry the bulk of healthcare-specific discipline activity, and Pain Management Clinic licensure under O.C.G.A. §43-34-280 is where most outpatient pain-management practices feel the heaviest regulatory pressure. Civil penalty exposure under the general consumer-protection authority is open-ended in the sense that damages stack per affected resident, which means a multi-thousand-record breach can scale quickly. Practices should expect more aggressive scrutiny if a breach affects more than 1,000 Georgia residents and crosses HHS-portal thresholds.

Medical Records Retention

| Record type | Retention period | Measured from |
| --- | --- | --- |
| General medical | 10 years | Last treatment |
| Pediatric | 5 years | Patient turns 18 |

Controlled-Substance Prescription Monitoring (Georgia PDMP)

The Georgia PDMP is administered by the Georgia Drugs and Narcotics Agency under the Georgia Department of Public Health, accessed at georgia.pmpaware.net. Prescribers must register and check the database before every Schedule II–V controlled-substance prescription, with delegation permitted. Exemptions cover hospice, cancer treatment, ≤3-day ER supplies, and inpatient or long-term care administration. Penalties include licensing-board sanctions, misdemeanor charges for willful failure, and fines up to $1,000.

Check required

Every prescription

Check frequency

Every prescription

Delegation allowed

Yes — licensed staff may query under prescriber oversight

Penalty range

Licensing board sanctions; misdemeanor charge for willful failure; fines up to $1,000

Exemptions

Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or long-term care administration

How Georgia Rules Hit by Specialty

Pain management

Georgia Pain Management Clinic licensure under O.C.G.A. §43-34-280 et seq. requires separate state licensure with medical-director, ownership, and prescribing-protocol requirements beyond standard medical-practice regulation. The Georgia Composite Medical Board enforces both standard medical-practice rules and pain-clinic-specific requirements.

Dental practices

Georgia dental practices fall under the Georgia Board of Dentistry alongside HIPAA and the Personal Identity Protection Act. Mandatory child-abuse reporting under O.C.G.A. 19-7-5 attaches to all healthcare professionals including dental hygienists, with 24-hour reporting timelines. Pediatric dental records carry the 10-year retention floor plus the age-23 minimum.

Pharmacy/compounding

Georgia PDMP every-Rx checks are required for Schedule II–V prescriptions, with delegation to office staff permitted. Compounding pharmacies should layer Georgia Board of Pharmacy compounding rules over USP <795>/<797> and retain PDMP query evidence with the prescription record. Penalties include misdemeanor exposure for willful failure to check.

Mandatory Reporting Obligations

Mandated reporters

Physicians, nurses, dentists, psychologists, counselors, social workers, and all healthcare professionals

Report to

Division of Family and Children Services (DFCS) or local law enforcement

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to 12 months jail and/or $1,000 fine

Immunity provision

Good faith reporters immune from civil and criminal liability under O.C.G.A. 19-7-5

Mandated reporters

Physicians, nurses, social workers, and all healthcare professionals

Report to

Adult Protective Services, Division of Aging Services

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $1,000 fine

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers when treating injuries from suspected criminal violence

Report to

Local law enforcement

Timeline

Within 24 hours

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, healthcare facilities, and other healthcare providers

Report to

Georgia Department of Public Health, District Health Director

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $500 fine

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Every person treating or having knowledge of gunshot wounds

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Misdemeanor, up to $1,000 fine

Immunity provision

Good faith reporters immune from civil and criminal liability

Georgia Compliance FAQs

Georgia does not impose a hard numerical deadline under O.C.G.A. §10-1-912. Notification must be made 'in the most expedient time possible and without unreasonable delay.' Practices should treat 60 days as a soft outer limit consistent with the federal HIPAA Breach Notification Rule under 45 CFR §164.404 to avoid AG scrutiny.

Ga. Comp. R. & Regs. 290-9-6-.14 sets a 10-year retention floor measured from the date of last treatment. Pediatric records should be retained until age 23 or 10 years from treatment, whichever is later.

O.C.G.A. §43-34-280 et seq. requires Georgia pain-management clinics to obtain separate state licensure with medical-director requirements, ownership rules, and prescribing-protocol documentation. The Georgia Composite Medical Board enforces both general medical-practice rules and pain-clinic-specific requirements. Licensure suspension can result from documentation failures alone.

Yes. Every prescriber of controlled substances must register with the Georgia PDMP through georgia.pmpaware.net and check the database before each Schedule II–V prescription. Delegation to office staff is permitted but the prescriber remains accountable for the check.

The Georgia Attorney General's Consumer Protection Division enforces the Personal Identity Protection Act under general consumer-protection authority. The Georgia Composite Medical Board and Georgia State Board of Pharmacy can pursue parallel licensure discipline. There is no fixed statutory penalty cap; civil penalties accrue per affected resident.

Stay audit-ready in Georgia

GuardWell tracks Georgia-specific breach deadlines, retention periods, Georgia PDMP queries, and mandatory reporting obligations automatically.
