2015 Georgia Code
Title 16 - CRIMES AND OFFENSES
Chapter 13 - CONTROLLED SUBSTANCES
Article 2 - REGULATION OF CONTROLLED SUBSTANCES
Part 2 - ELECTRONIC DATA BASE OF PRESCRIPTION INFORMATION
§ 16-13-60 - Privacy and confidentiality; use of data; security program

(a) Except as otherwise provided in subsections (c) and (d) of this Code section, prescription information submitted pursuant to Code Section 16-13-59 shall be confidential and shall not be subject to open records requirements, as contained in Article 4 of Chapter 18 of Title 50.

(b) The agency, in conjunction with the board, shall establish and maintain strict procedures to ensure that the privacy and confidentiality of patients, prescribers, and patient and prescriber information collected, recorded, transmitted, and maintained pursuant to this part are protected. Such information shall not be disclosed to any person or entity except as specifically provided in this part and only in a manner which in no way conflicts with the requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, P.L. 104-191.

(c) The agency shall be authorized to provide requested prescription information collected pursuant to this part only as follows:

(1) To persons authorized to prescribe or dispense controlled substances for the sole purpose of providing medical or pharmaceutical care to a specific patient;

(2) Upon the request of a patient, prescriber, or dispenser about whom the prescription information requested concerns or upon the request on his or her behalf of his or her attorney;

(3) To local, state, or federal law enforcement or prosecutorial officials pursuant to the issuance of a search warrant pursuant to Article 2 of Chapter 5 of Title 17; and

(4) To the agency or the Georgia Composite Medical Board upon the issuance of an administrative subpoena issued by a Georgia state administrative law judge.

(d) The board may provide data to government entities for statistical, research, educational, or grant application purposes after removing information that could be used to identify prescribers or individual patients or persons who received prescriptions from dispensers.

(e) Any person or entity who receives electronic data base prescription information or related reports relating to this part from the agency shall not provide such information or reports to any other person or entity except by order of a court of competent jurisdiction pursuant to this part.

(f) Any permissible user identified in this part who directly accesses electronic data base prescription information shall implement and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards that are substantially equivalent to the security measures of the agency. The permissible user shall identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, or other compromise of the information and shall assess the sufficiency of any safeguards in place to control the risks.

(g) No provision in this part shall be construed to modify, limit, diminish, or impliedly repeal any authority existing on June 30, 2011, of a licensing or regulatory board or any other entity so authorized to obtain prescription information from sources other than the data base maintained pursuant to this part; provided, however, that the agency shall be authorized to release information from the data base only in accordance with the provisions of this part.