Policy Synthesis

Medical Records and Confidentiality in GDC Facilities

Synthesized from 30 SOPs · 28 directly cited · updated May 2, 2026

Georgia Department of Corrections policy establishes comprehensive rules for creating, maintaining, securing, and transferring offender health records across all GDC-operated, private, and county facilities. Health records are GDC property but the health information within belongs to the patient and must be kept confidential under federal and state law, with access strictly limited to enumerated categories of authorized personnel. Separate but parallel frameworks govern physical health records, mental health records, and dental records, with specific provisions for record format, retention periods, transfer procedures, and offender access rights.

Overview and Legal Framework

Georgia Department of Corrections (GDC) policy requires that a permanent health record be established and maintained for every offender in GDC custody from the moment of entry. This obligation is stated in both SOP 507.02.01 (Health Record Management, Format and Contents) and SOP 507.02.02 (Confidentiality of the Health Record and Release of Information), giving advocates and attorneys two independent citation points for the same foundational requirement.

The governing legal principle is stated plainly in SOP 507.02.02: "The health record is the property of the GDC and will be maintained in accordance with professional standards and practices governing health record administration. The health information contained in the health record belongs to the patient. It will be kept Confidential and will be released in accordance with federal and state law and GDC policy." The same ownership-and-confidentiality formula is reproduced in SOP 508.09 (Mental Health Records) and SOP 508.10 (Confidentiality of Mental Health Records) for mental health information, signaling that GDC treats physical and mental health records under parallel but distinct confidentiality regimes.

The statutory authority referenced across these SOPs includes O.C.G.A. §§ 24-12-1, 24-12-13, 24-12-21, 37-3-166, 37-4-125, 50-18-71, and 50-18-72 (SOP 507.02.02), as well as O.C.G.A. §§ 24-9-40 through 24-9-43, 50-18-72(2), 24-9-47, and 37-3-162 (SOP 508.10). Federal frameworks referenced include HIPAA Administrative Simplification (SOP 105.02) and 45 C.F.R. §§ 164.512 and 164.508 (SOP 508.09).

Health Record Format and Organization

SOP 507.02.01 specifies that the physical health record must be organized into six distinct sections:

Section I: Physician Orders; History/Physical Profile (Physical Profile Form, Physical Exam, Health History, Receiving Screening Form)
Section II: Plastic ID Plate; Pending Consultation; Problem List; Progress Notes (in SOAPE format, written in black ink, including Intra-System Transfer Health Screening Forms and Use of Force Initial Exams)
Section III: Immunization Record; Lab/X-ray reports (laboratory reports, X-ray reports, EKG reports, and other procedures such as CT scans, EMGs, and EEGs)
Additional sections cover dental, mental health, and other clinical documentation

All documents within each section must be filed in reverse chronological order. Lab and diagnostic reports must be "reviewed, initialed, and dated by the responsible advanced clinical provider before filing." Loose sheets belonging to offenders who have transferred must be forwarded to the correct facility within ten (10) days (SOP 507.02.01).

The mental health record is organized into nine sections under SOP 508.09, including progress notes, treatment plans, mental health evaluations, and psychological testing results. Rosters and logs are maintained separately from the mental health record itself.

Dental records are governed by SOP 507.05.08 (Entering Dental Data in the Physical Health Record) and SOP 507.05.06 (Dental Screening, Examination, and Profiling). Dental forms are placed in the Dental Section of the health record in a prescribed bottom-up order. Initial intake entries are made in pencil; completed work is charted in ink. Progress record entries follow SOAP format (Subjective, Objective, Assessment, Plan) and must be signed and dated by the dentist for every treatment contact.

No disease or condition information — explicitly including TB and HIV — may be placed on the outside of a health record chart. "No disease/condition, including TB, HIV related information will be placed on the outside of the chart (This includes any stickers for color-coding or TB control flags)" (SOP 507.02.01).

Access Controls

SOP 507.02.02 enumerates the categories of personnel who may have direct access to physical health records:

1. Medical, dental, and mental health care providers employed by GDC or the contract vendor who are providing health care services to the patient

2. Health consultants employed or contracted by GDC or the contract vendor

3. Members of the Office of Health Services, Central Office, and the contract vendor's designated personnel involved in quality improvement studies or investigating offender health care concerns

4. Individuals conducting research approved by the Health Services Director and Commissioner

5. The Georgia Attorney General's Office or other legal agents when an offender brings suit putting medical care at issue

6. Non-medical employees to process a medical grievance, medical reprieve, comply with a valid subpoena, or fill a medical records request

7. Internal Affairs Investigators for unusual or suspicious death, excessive use of force allegations, and sexual abuse of offenders

8. Offenders or their authorized representatives (with a limited exception where the treating psychiatrist documents that disclosure would be detrimental to the patient's physical or mental health)

SOP 507.02.02 also specifies that non-medical staff may access health information — but not the full health record — for four limited purposes: classification of the offender, emergency situations, protection from infectious disease, or appointment scheduling.

Health records "will not be left unattended in areas accessible to unauthorized individuals," and an accountability system must be established for all records removed from the record room (SOP 507.02.02).

Mental health records have their own access rules under SOP 508.10. Access is limited to mental health care providers, any member of the offender's treatment team, health care providers employed or contracted by GDC, Central Office quality improvement personnel, approved researchers, the Attorney General's Office when the offender files a relevant claim, GDC's Office of Legal Services for authorized disclosures, and the offender or designated representative. SOP 508.10 additionally requires that "a sign-out card will be placed in each mental health record" — a physical accountability mechanism not explicitly described in SOP 507.02.02 for physical health records.

SOP 508.09 further specifies that "information from the offender's mental health records will not be included in institutional or central office files" except as specifically identified in that SOP.

Clinical Encounter Privacy

SOP 507.04.26 (Privacy of Care) establishes that "every reasonable effort is made to ensure Clinical Encounters are conducted in private and not observed by Custody Staff unless the offender poses a probable security risk or risk to the safety of the Health Care Staff." When custody staff must be present, "either auditory or visual privacy is provided." Custody staff observing clinical encounters "are instructed to keep confidential any health care information obtained." Rectal and pelvic examinations may only be performed with the verbal consent of the offender.

Record Transfer Procedures

SOP 507.02.03 (Transfer and Retention of Health Records) governs what happens to health records when an offender moves. Key rules:

Health records must accompany the offender during any intra-system transfer between GDC facilities, placed in a large clear plastic envelope labeled "Medical Record." Security officers are responsible for transporting the sealed record with the offender.
For transfers from a contracted vendor using an electronic health record, a one-year printout of the electronic record must be prepared and filed in the medical record jacket.
The health record does not accompany the offender for outside services. Instead, a consultation form with pertinent information is sent, and if indicated, copies of other pertinent information may be sent in a sealed envelope marked "Confidential."

SOP 507.04.25 (Health Screening-Offender Transfers) adds that a Licensed Health Care Provider must review each transferring offender's record and complete an Intra-System Transfer Form covering acute or chronic illnesses, current medications, therapeutic diet, pending appointments, physical and communication disabilities, mental health history, and allergies. Facilities must receive at least 24 hours' notice when possible.

SOP 507.04.52 (Patient Transport) reinforces that for urgent/emergent transport, an Intrasystem Transfer Health Screening Form — not the full health record — is to be completed, placed in a sealed envelope, and sent with the offender.

For offenders with serious mental illness, SOP 508.33 specifies that the mental health record "will be handled in a confidential manner during the transfer" and that offenders on mental health caseloads may only be transferred to facilities with an equivalent or higher level of mental health care.

Record Retention and Destruction

SOP 507.02.03 establishes that health records are normally retained for ten (10) years, though they may be retained longer for specific legal purposes. Upon release for reasons other than death (parole, medical reprieve, sentence completion), the health record is transferred to the State Archive. Upon death, the facility must mail physical and mental health records to the Office of Health Services within twenty (20) days. All record destruction must occur at the Central Records Archive Office in Atlanta — records cannot be destroyed at any facility under any circumstances.

SOP 101.04 (Records Management) provides the agency-wide framework and confirms that records "designated as confidential by law or classified as containing information, the release of which, would constitute any invasion of privacy shall be so protected as to prevent unauthorized disclosure." Permanent records are transferred to the State Archives; temporary records are retained for the legally specified period.

Incident Reports and Confidentiality

SOP 507.04.76 (Incident Reporting) and SOP 507.04.46 (Medication Errors) both establish that incident reports and medication error reports are confidential files that must never be placed in the offender's health record. SOP 507.04.76 states: "The Incident will NEVER be placed or referenced in the medical record. No copies of any Incident report will be made." Incident reports are "an educational tool, not a punishment device." A factual clinical account of the event must still be recorded in the medical record, but the statement "Incident Report Filed" must not appear there.

Open Records Requests and Medical Records Exemption

SOP 101.07 (Open Records Request) states that pursuant to O.C.G.A. § 50-18-72(a)(2), "medical records are not subject to the Open Records Act." However, requests for medical and/or mental health records may still be submitted to the Office of Legal Services. The requesting party is responsible for copying, mailing, search, retrieval, and administrative costs. The SOP notes that "medical and mental health records are not kept electronically" — a statement that may be inconsistent with provisions in other SOPs describing electronic health record systems at contracted vendors.

Confidentiality During Telemedicine and Tele-Mental Health

SOP 507.04.12 (Telemedicine) and SOP 508.43 (Tele-Mental Health Services) both require that health record confidentiality be maintained during remote care delivery. SOP 508.43 specifies that the telecommunication system used for tele-mental health "will meet all Health Insurance Portability and Accountability Act (HIPAA) requirements." A "Shadow File" — a secure electronic or paper file containing key elements of the offender's medical record — may be used as a reference during tele-mental health sessions.

Forensic Information Restrictions

SOP 507.04.90 (Forensic Information) prohibits health care personnel from participating in the collection of forensic information or evidence "to be used against offenders," including body cavity searches, drug screens, psychological evaluations for adversarial proceedings, and DNA collection (with narrow exceptions for the state DNA database and court-ordered paternity testing). This policy reinforces the separation of the health record from custody and disciplinary processes.

Research Access

SOP 507.02.02 permits individuals conducting approved research to access health records only if the research is "approved by the Health Services Director and Commissioner." SOP 508.10 requires approval by "the statewide mental health program supervisor and/or Commissioner." SOP 104.75 (Research Guidelines) sets out the broader research framework, requiring that all individuals conducting research agree in writing to "the confidentiality of the information thus obtained." Experimental medical, pharmaceutical, and cosmetic testing on offenders is expressly prohibited under SOP 104.75.

HIV and Sensitive Condition Confidentiality

SOP 215.02 (Assign HIV Positive Offenders to Transitional Centers) states that GDC maintains "the confidentiality of offender medical record information," releases such information "to parties outside the agency according to established medical practices and legal requirements," and releases it internally only "as necessary for them to perform their official duties." Transitional Center staff "will not require an HIV-infected offender to disclose his/her medical condition to an employer or prospective employer" except where employment poses a real and immediate potential for injury.

Information Security Framework

SOP 105.02 (Information Security) provides the overarching technology security framework. All sensitive or confidential data "whether contained in paper, physical, or media format will be protected throughout collection, storage, retrieval, access, use, and transmission processes." The policy references HIPAA, CJIS, and NIST 800-53 compliance obligations. Violations may result in disciplinary action up to termination and referral for criminal prosecution.

Vendor Communications and PHI

SOP 507.03.16 (Health Services Vendor Communications) defines Protected Health Information (PHI) as "the personal health records of offenders related to medical care, mental health care and dental care while in the custody of the GDC." All vendor communications involving PHI must maintain confidentiality and adhere to HIPAA requirements. Clinical matters must be routed through the Statewide Medical Director and the Assistant Commissioner for Health Services.

Key Findings

SOP 507.02.02 establishes that while the health record is GDC property, the health information within it belongs to the patient and must be kept confidential, with direct access limited to eight enumerated categories of authorized personnel.
SOP 507.02.01 requires the physical health record to be organized into six specific sections in reverse chronological order, and expressly prohibits placing any disease or condition information — including TB and HIV — on the outside of the chart.
SOP 507.02.03 requires health records to accompany offenders during all intra-system transfers in a sealed plastic envelope transported by security officers, but prohibits the full health record from traveling with offenders to outside medical services.
SOP 507.02.03 sets the standard health record retention period at ten years, requires records of deceased offenders to be mailed to the Office of Health Services within 20 days of death, and mandates that all record destruction occur exclusively at the Central Records Archive Office in Atlanta.
SOP 508.10 and SOP 508.09 establish a parallel but distinct confidentiality framework for mental health records, requiring sign-out accountability cards and prohibiting mental health information from appearing in institutional or Central Office files except as specifically authorized.
SOP 507.04.76 and SOP 507.04.46 both require that medical incident reports and medication error reports be maintained in confidential files entirely separate from the offender health record and may never be referenced in the medical record.
SOP 101.07 states that medical records are exempt from Georgia's Open Records Act under O.C.G.A. § 50-18-72(a)(2), but requests for medical and mental health records may still be submitted to the Office of Legal Services, with costs borne by the requestor.
SOP 507.04.26 requires that clinical encounters be conducted in private, that custody staff present at clinical encounters keep all health information confidential, and that rectal and pelvic examinations be performed only with the verbal consent of the offender.
SOP 507.04.90 prohibits GDC health care personnel from collecting forensic information or evidence to be used against offenders, including drug screens, body cavity searches for contraband, and psychological evaluations for adversarial proceedings.
SOP 508.43 requires that tele-mental health telecommunication systems meet all HIPAA requirements, and SOP 507.04.12 requires health record confidentiality to be maintained during all telemedicine encounters.

Gaps & Conflicts

Where SOPs contradict each other, leave standards ambiguous, or fail to address something the broader policy framework would suggest they should.

SOP 101.07 states that 'medical and mental health records are not kept electronically,' but SOP 507.02.03 explicitly addresses scenarios where contracted vendors use electronic health record systems and requires printing a one-year record for transfer. These provisions are in direct conflict regarding the electronic nature of GDC health records.
SOP 507.02.02 requires an 'accountability system' for health records removed from the record room but does not specify a sign-out card mechanism. SOP 508.10 is more specific for mental health records, requiring an individual sign-out card in each record. The physical health record SOP is silent on the precise accountability format, creating an inconsistency in the level of documentation required.
SOP 507.02.02 permits non-medical staff to access health information (not the full record) for classification, emergency situations, infectious disease protection, and appointment scheduling, but the SOP does not define what health information may be shared or establish any documentation requirement for such access, leaving the scope of this exception ambiguous.
SOP 507.02.02 provides an exception to offender access to their own records where a treating psychiatrist believes disclosure would be detrimental, but neither SOP 507.02.02 nor SOP 508.10 specifies any process for the offender to challenge that determination or seek independent review.
SOP 508.10 requires researcher access to be approved by 'the statewide mental health program supervisor and/or Commissioner,' while SOP 507.02.02 requires approval by 'the Health Services Director and Commissioner' for physical health records. The different approval authorities and the use of 'and/or' in SOP 508.10 create ambiguity about who must approve mental health research access.
SOP 507.02.03 states records are 'normally' retained for ten years but does not define what circumstances other than specific legal purposes would justify shorter retention, nor does it specify what 'specific legal purposes' warrant longer retention beyond a general statement.
SOP 507.04.25 requires the transferring facility to give medical staff 'at a minimum twenty-four (24) hours' notice' of a transfer 'when possible,' but provides no guidance on what constitutes adequate compliance when 24-hour notice is not possible, potentially allowing the continuity-of-care review to be bypassed in practice.
The SOPs do not specify any mechanism for offenders to request correction or amendment of inaccurate entries in their health records, a right recognized under HIPAA for covered entities. Whether GDC's status as a covered entity triggers this obligation is not addressed in any of the reviewed SOPs.