(a) Except as otherwise provided in subsections (c), (c.1), and (d) of this Code section, prescription information submitted pursuant to Code Section 16-13-59 shall be confidential and shall not be subject to open records requirements as contained in Article 4 of Chapter 18 of Title 50.
(b) The department, in conjunction with the board, shall establish and maintain strict procedures to ensure that the privacy and confidentiality of patients, prescribers, and patient and prescriber information collected, recorded, transmitted, and maintained pursuant to this part are protected. Such information shall not be disclosed to any person or entity except as specifically provided in this part and only in a manner which in no way conflicts with the requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, P.L. 104-191. Nothing in this subsection shall be construed to prohibit the agency or department from accessing prescription information as a part of an investigation into suspected or reported abuses or regarding illegal access of the data. Such information may be used in the prosecution of an offender who has illegally obtained prescription information.
(c) The department shall be authorized to provide requested prescription information collected pursuant to this part only as follows:
(1) To persons authorized to prescribe or dispense controlled substances for the sole purpose of providing medical or pharmaceutical care to a specific patient;
(2) Upon the request of a patient, prescriber, or dispenser about whom the prescription information requested concerns or upon the request on his or her behalf of his or her attorney;
(3) To local or state law enforcement or prosecutorial officials pursuant to the issuance of a search warrant from an appropriate court or official in the county in which the office of such law enforcement or prosecutorial officials are located or to federal law enforcement or prosecutorial officials as allowed by federal law by the issuance of a search warrant, a grand jury subpoena, an administrative subpoena, or a civil investigative demand;
(4) To the agency, the Georgia Composite Medical Board or any other state regulatory board governing prescribers or dispensers in this state, or the Department of Community Health for purposes of the state Medicaid program, for health oversight purposes, or upon the issuance of a subpoena by such agency, board, or Department of Community Health pursuant to their existing subpoena power or to the federal Centers for Medicare and Medicaid Services upon the issuance of a subpoena by the federal government pursuant to its existing subpoena power;
(5) (A) To not more than two individuals who are members per shift or rotation of the prescriber's or dispenser's staff;
(B) Such individuals may retrieve and review such information strictly for the purpose of:
(i) Providing medical or pharmaceutical care to a specific patient; or
(ii) Informing the prescriber or dispenser of a patient's potential use, misuse, abuse, or underutilization of prescribed medication;
(C) All information retrieved and reviewed by such individuals shall be maintained in a secure and confidential manner in accordance with the requirements of subsection (f) of this Code section; and
(D) The delegating prescriber or dispenser may be held civilly liable and criminally responsible for the misuse of the prescription information obtained by such individuals;
(6) To not more than two individuals, per shift or rotation, who are employed or contracted by the health care facility in which the prescriber is practicing so long as the medical director of such health care facility has authorized the particular individuals for such access;
(7) In any hospital which provides emergency services, each prescriber may designate two individuals, per shift or rotation, who are employed or contracted by such hospital so long as the medical director of such hospital has authorized the particular individuals for such access; and
(8) To a prescription drug monitoring program operated by a government entity in another state or an electronic medical records system operated by a prescriber or health care facility, provided the program or system, as determined by the department, contains legal, administrative, technical, and physical safeguards that meet or exceed the security measures of the department for the operation of the PDMP pursuant to this part.
(c.1) An individual authorized to access PDMP prescription information pursuant to this part may:
(1) Communicate concerns about a patient's potential usage, misuse, abuse, or underutilization of a controlled substance with prescribers and dispensers that are involved in the patient's health care;
(2) Report potential violations of this article to the agency for review or investigation. Following such review or investigation, the agency shall:
(A) Refer instances of a patient's possible personal misuse or abuse of controlled substances to the patient's primary prescriber to allow for potential intervention and impairment treatment;
(B) Refer probable violations of controlled substances being acquired for illegal distribution, and not solely for a patient's personal use, to the appropriate authorities for further investigation and potential prosecution; or
(C) Refer probable regulatory violations by prescribers or dispensers to the regulatory board governing such person; or
(3) Include PDMP prescription information in a patient's electronic health or medical record.
(d) The department may provide data that has been processed to remove personal identifiers from the health information in compliance with the standard and implementation rules of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, P.L. 104-191, to government entities and other entities for statistical, research, educational, instructional, drug abuse prevention, or grant application purposes after removing information that could be used to identify prescribers.
(e) Any person or entity that receives PDMP prescription information or related reports relating to this part from the department shall not disclose such information or reports to any other person or entity except by order of a court of competent jurisdiction or as otherwise permitted pursuant to this part.
(f) Any permissible user identified in this part who directly accesses PDMP prescription information shall implement and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards that are substantially equivalent to the security measures of the department. The permissible user shall identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, or other compromise of the information and shall assess the sufficiency of any safeguards in place to control the risks.
(g) No provision in this part shall be construed to modify, limit, diminish, or impliedly repeal any authority of a licensing or regulatory board or any other entity so authorized to obtain prescription information from sources other than the PDMP maintained pursuant to this part; provided, however, that the department shall be authorized to release information from the PDMP only in accordance with the provisions of this part.