Georgia Healthcare Privacy Laws: HIPAA, Patient Rights, and Medical Records Explained
Georgia law works alongside the federal HIPAA Privacy Rule to shape how your medical information is created, stored, shared, and accessed. This overview explains what HIPAA compliance looks like in Georgia, who owns medical records, how to request copies, what fees may apply, how long records must be kept, and the special protections for mental health and substance use disorder information.
Ownership of Medical Records
Who owns what
In Georgia, the healthcare provider or facility is generally the custodian and owner of the physical or electronic medical record. You do not own the physical chart, but you do own the information about you and the privacy rights attached to it. That means you have enforceable rights to access, inspect, and obtain copies, subject to narrow exceptions covered below.
Practical implications for you
Because providers are custodians, original records usually do not leave the office or hospital. Instead, you receive copies (paper or electronic). If you appoint a personal representative—such as via a healthcare power of attorney—the representative typically steps into your shoes for access authorization, unless Georgia or federal law limits access for safety or confidentiality reasons (for example, certain minor-consented services).
Patient Access to Records
How to request your records
You can submit a written or portal-based request to inspect or obtain copies of your designated record set (clinical notes, test results, problem lists, medications, and billing records). Providers may ask for reasonable identity verification and a signed access authorization for releases not covered by treatment, payment, or healthcare operations.
Timing and format
Under HIPAA, providers must act on your request without unreasonable delay and generally within 30 days, with one permitted extension if they explain the reason in writing. If records are maintained electronically, you can request an electronic copy in the format you prefer if it is readily producible; otherwise, you will be offered a reasonable alternative format.
Third-party and proxy access
You may direct a provider to send a copy to a third party (for example, a specialist or family member). Parents and legal guardians are usually personal representatives for minors, but Georgia and federal privacy rules may limit access to protect a minor’s confidentiality in specific situations, such as certain reproductive health, mental health, or substance use services.
Fees for Copies of Records
What fees are allowed
HIPAA allows only reasonable, cost-based fees for an individual’s request for access. Allowed components include labor for copying, supplies (such as paper or portable media), and postage if you request mailing. Charging separate “retrieval” or “handling” fees for patient access requests is not permitted under HIPAA. Georgia law also regulates copying charges and may set maximum amounts for certain formats.
Ways to reduce costs
- Request electronic copies when possible; they are typically faster and less expensive.
- Ask for a specific date range or documents you need most (for example, the last two years or a discharge summary) to limit volume.
- Use patient portals for self-service downloads, which are often provided at no charge.
- For continuity of care, ask your current provider to transmit records directly to your next provider; providers often exchange records for treatment without charging you.
Retention Period for Records
How long records are kept in Georgia
Georgia sets minimum medical record retention requirements for different provider types and facilities, and those state rules operate alongside payer and accreditation standards. HIPAA does not impose a universal medical record retention period, but it does require covered entities to keep certain privacy-related documentation for at least six years. Providers often retain pediatric records longer and may keep certain imaging, pathology, or operative reports for extended periods to support patient safety and medical record retention best practices.
What you should keep
Maintain your own organized file—visit summaries, medication lists, immunizations, major test results, operative notes, and advance directives. Keeping a personal copy helps you manage care transitions and protect continuity if a practice closes or changes ownership.
Confidentiality of Records
Patient confidentiality and permitted disclosures
Patient confidentiality is safeguarded by HIPAA and Georgia privacy laws. Providers may use or disclose your information without authorization for treatment, payment, and healthcare operations and in other limited circumstances (for example, certain public health reporting). Outside those situations, your written authorization is generally required, and covered entities must apply the “minimum necessary” standard to limit what is used or shared.
Breach notifications and penalties
If unsecured protected health information is breached, providers must notify affected individuals and follow federal breach-notification requirements. Violations can trigger penalties for unauthorized disclosure, including corrective action, civil fines, potential criminal liability for willful misuse, and professional licensure consequences under Georgia law.
Access authorization and verification
Before releasing information, providers verify identity and authority—whether you, a personal representative, or a third party you designate. Clear, signed access authorization forms reduce delays and help ensure HIPAA compliance when a disclosure is not otherwise permitted by law.
Exceptions to Record Access
Common grounds for denial
- Psychotherapy notes kept separately from the medical record.
- Information compiled for, or in reasonable anticipation of, a legal action.
- Access reasonably likely to endanger the life or physical safety of you or another person.
- Information that would reveal a confidential source or cause substantial harm to another person referenced in the record.
- Requests by a personal representative when disclosure is reasonably likely to cause harm to the individual (such as certain abuse situations).
If your request is denied
For many denials, you have the right to a timely review by a licensed professional not involved in the initial decision. Even when full access is denied, you may be offered a summary or redacted copy to provide as much information as can be safely shared.
Mental Health and Substance Use Disorder Records
Mental health information privacy
Routine mental health treatment records (diagnoses, medications, session dates) are protected like other medical information, but psychotherapy notes—your therapist’s separate process notes—receive heightened protection and typically require your specific authorization for disclosure. Georgia law may also limit what parents or guardians can access when releasing information could jeopardize the minor’s wellbeing.
Substance use disorder confidentiality
Records from federally assisted substance use disorder programs are protected by stringent rules often referred to as 42 CFR Part 2. These rules protect the confidentiality of substance use disorder records by requiring specific, written patient consent for most disclosures, with limited exceptions (for example, medical emergencies, audits, certain research, and court orders). When SUD information is included in an electronic health record, providers should segment or otherwise manage access so only properly authorized users can view it.
Taken together, Georgia privacy requirements and HIPAA establish strong protections while ensuring your care team can coordinate treatment. Knowing your rights helps you request what you need, avoid unnecessary fees, and keep sensitive information private.
FAQs
Who owns medical records in Georgia?
The provider or facility generally owns the physical or electronic record as custodian. You own the information about you and the privacy rights attached to it, including the right to access, inspect, and obtain copies, subject to narrow legal exceptions.
What are patient rights to access their records?
You have the right to inspect or receive copies of your designated record set in a timely manner, usually within 30 days, and to request electronic copies if the records are kept electronically. You may direct copies to a third party and can authorize others to access your information unless an exception applies.
How long must healthcare providers retain medical records?
Georgia sets minimum retention periods that vary by provider type and record category, and these state requirements operate alongside payer and accreditation standards. HIPAA does not set a universal retention period for medical records, though it requires certain privacy documentation to be kept for at least six years.
What exceptions limit patient access to records?
Common exceptions include psychotherapy notes kept separately, information prepared for legal proceedings, and situations where access could endanger life or physical safety or reveal a confidential source. Some denials are reviewable by another licensed professional, and you may receive a summary or redacted copy when appropriate.