The Kentucky Consumer Data Protection Act (KCDPA) was signed on April 4, 2024, and will come into effect on January 1, 2026. This law sets rules to keep personal data safe and provides guidance for businesses in Kentucky. It focuses on companies that manage the personal data of at least 100,000 Kentucky consumers. It also applies to businesses handling the personal data of at least 25,000 consumers if more than 50% of their revenue.
With this new law, Kentucky joins other states working to protect consumer privacy, even though there isn’t a national data protection law yet. The goal is to balance protecting consumer rights while also considering business needs, promoting transparency, security, and accountability in handling data.
One important part of the KCDPA is focusing on data protection impact assessments. Companies that do things with data that might risk consumer rights, like targeted ads or profiling, must conduct these assessments. Kentucky’s definition of “risk” includes more than just financial harm or identity theft; it also covers “unfair treatment of consumers” and “unlawful, disparate impacts on consumers.” This broader view ensures businesses look at potential harms beyond just security issues.
Key Takeaways
Kentucky’s new Consumer Data Protection Act, set to take effect in 2026, strengthens consumer data protections while addressing HIPAA compliance for healthcare data.
- The KCDPA requires companies to carry out data protection impact assessments and broaden consumer rights, including the ability to access and delete their data.
- Healthcare data already covered by HIPAA is exempt from the KCDPA, avoiding regulatory overlap and leaving the federal privacy framework intact.
- Businesses must follow strict security protocols and complete workforce training in line with HIPAA to safeguard sensitive patient information.
Strengthening consumer data rights
In addition to requiring data protection impact assessments (DPIAs), the law expands consumer rights protections. Kentucky residents can access their personal data, ask for corrections, delete unneeded information, and obtain copies of their data in a portable format. Consumers also have the right to opt out of data sales and to refuse participation in targeted advertising that uses personal information for commercial benefit.
For businesses, compliance is crucial. The Kentucky Attorney General oversees enforcement, has the power to investigate breaches, and can penalize companies not meeting legal standards. Businesses handling large amounts of data must adopt thorough data management plans to comply with KCDPA rules.
Amendments address compliance and healthcare data
On March 15, 2025, Governor Andy Beshear signed an amendment to the KCDPA, refining the law’s scope to address concerns from the healthcare sector. A key provision of this amendment is the explicit exemption of data collected and processed by healthcare providers covered under the Health Insurance Portability and Accountability Act. This means that protected health information managed by hospitals, clinics, and other HIPAA-covered entities will not fall under the jurisdiction of the KCDPA.
Filed my first bill for the last time this afternoon, as BR-1 became SB 15, the proposed Kentucky Consumer Data Protection Act. Kentucky is way behind a number of other states in protecting consumers in the digital age, but we can fix that. #kyga24 #privacy #CyberSecurity pic.twitter.com/Oa7nBf449C
— Whitney Westerfield (@KyWhitney) January 2, 2024
The amendment was introduced to prevent unnecessary regulatory overlap that could create compliance challenges for healthcare organizations already subject to strict federal privacy laws. HIPAA imposes rigorous security, privacy, and breach notification standards on healthcare entities, and the new amendment ensures that those regulations remain the governing framework for medical data protection in Kentucky.
Beyond the exemption of HIPAA-covered entities, the amendment expands the definition of excluded information to include limited data sets used for research and healthcare operations. Limited data sets, which contain de-identified information under HIPAA guidelines, are often utilized for medical studies, clinical trials, and healthcare analytics.
By clarifying that such datasets are not subject to additional KCDPA compliance requirements, Kentucky legislators have ensured that medical research and healthcare operations can continue without unnecessary legal burdens.
This development has been widely praised by healthcare organizations and legal experts. Many argue that applying state privacy laws to HIPAA-regulated data could create confusion and conflicting compliance obligations, ultimately hindering the delivery of healthcare services. By incorporating HIPAA compliance considerations into the KCDPA, Kentucky has adopted a harmonized approach to data protection that supports both consumer privacy and healthcare efficiency.
HIPAA security rule and training requirements
Despite the KCDPA’s exemption for HIPAA-covered data, healthcare organizations must continue to adhere to stringent security and privacy requirements under federal law. The HIPAA Security Rule, which establishes national standards for protecting electronic PHI, mandates that covered entities implement comprehensive security measures to safeguard sensitive patient information.
Under this rule, healthcare providers must develop and enforce a security management process that includes risk analysis, remediation plans, and regular security assessments. Organizations are required to assess potential vulnerabilities in their data protection practices and implement safeguards to mitigate risks such as cyberattacks, unauthorized access, and data breaches.
In addition to security measures, HIPAA compliance necessitates ongoing workforce training to ensure that employees understand data privacy regulations, cybersecurity best practices, and breach response protocols. Training programs should educate staff on recognizing phishing attempts, securely handling patient data, and responding effectively to security incidents.
Workforce training is particularly critical in light of rising cybersecurity threats targeting the healthcare sector, including ransomware attacks and data exfiltration schemes that compromise patient records.
Another essential requirement under HIPAA is the implementation of data access policies that restrict information access to authorized personnel only. Healthcare organizations must enforce the principle of least privilege, ensuring that employees can only access the minimum amount of data necessary for their job functions. This reduces the risk of internal data misuse and unintentional exposure of sensitive information.
Healthcare providers that engage with third-party vendors must also comply with HIPAA’s Business Associate Agreement requirements. Any vendor that processes, stores, or transmits PHI on behalf of a covered entity must enter into a legally binding agreement to ensure compliance with HIPAA standards. This includes cloud service providers, billing companies, and medical transcription services, among others.
In addition to these security measures, HIPAA’s minimum necessary standard remains a fundamental principle for data protection. This standard requires that only the least amount of PHI necessary for a specific purpose be used or disclosed. By enforcing these stringent access controls and data minimization practices, healthcare organizations can effectively mitigate risks while ensuring compliance with federal privacy regulations.
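The two paragraphs above (least-privilege access policies and the minimum necessary standard) describe a requirement without showing what enforcing it looks like in practice. The following is an added example, not code from the article or from any HIPAA guidance, of a default-deny access filter that returns only the fields a role is permitted to see for a stated purpose and writes an audit entry for every request. The role names, purposes, field allow-lists and the sample patient record are all constructed for the illustration; a real allow-list would come from an organization's own minimum-necessary analysis.

```python
"""Least-privilege, minimum-necessary field filter for PHI-style records.

Added illustration, not code from the article. Roles, purposes, field names
and the sample record below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample record standing in for one patient chart.
SAMPLE_RECORD: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "ssn": "000-00-0000",
    "diagnosis": "example diagnosis",
    "medications": ["example-med"],
    "insurance_id": "INS-12345",
    "billing_balance": 125.00,
}

# role -> purpose -> fields that role may read for that purpose.
# Assumption: these allow-lists are illustrative only.
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "clinician": {
        "treatment": frozenset({"patient_id", "name", "dob", "diagnosis", "medications"}),
    },
    "billing": {
        "payment": frozenset({"patient_id", "name", "insurance_id", "billing_balance"}),
    },
    "front_desk": {
        "scheduling": frozenset({"patient_id", "name", "dob"}),
    },
}


@dataclass
class AccessDecision:
    allowed: bool
    fields_returned: Dict[str, object] = field(default_factory=dict)
    fields_withheld: FrozenSet[str] = frozenset()
    reason: str = ""


# In-memory audit trail; a real deployment would write to tamper-evident storage.
AUDIT_LOG: List[dict] = []


def access_record(user: str, role: str, purpose: str, record: Dict[str, object]) -> AccessDecision:
    """Return only the fields `role` may see for `purpose`.

    Default-deny: a role/purpose pair with no policy entry gets nothing.
    Every request, allowed or not, is logged so reviewers can check that
    minimum necessary holds in practice and not only on paper.
    """
    allowed_fields = POLICY.get(role, {}).get(purpose)
    if allowed_fields is None:
        decision = AccessDecision(
            allowed=False,
            fields_withheld=frozenset(record),
            reason=f"no policy for role={role!r} purpose={purpose!r}",
        )
    else:
        visible = {k: v for k, v in record.items() if k in allowed_fields}
        decision = AccessDecision(
            allowed=True,
            fields_returned=visible,
            fields_withheld=frozenset(record) - allowed_fields,
            reason="allowed",
        )
    AUDIT_LOG.append({
        "user": user,
        "role": role,
        "purpose": purpose,
        "patient_id": record.get("patient_id"),
        "allowed": decision.allowed,
        "returned": sorted(decision.fields_returned),
        "withheld": sorted(decision.fields_withheld),
    })
    return decision


def policy_exposure(field_name: str) -> List[Tuple[str, str]]:
    """List every (role, purpose) pair whose allow-list includes `field_name`.

    Useful during a policy review: a high-sensitivity field that no role needs
    (here, "ssn") should come back empty.
    """
    return sorted(
        (role, purpose)
        for role, purposes in POLICY.items()
        for purpose, fields in purposes.items()
        if field_name in fields
    )


if __name__ == "__main__":
    d = access_record("alice", "billing", "payment", SAMPLE_RECORD)
    print("billing sees:", sorted(d.fields_returned))
    print("roles that can read ssn:", policy_exposure("ssn"))
```

The filter is applied at the point of retrieval rather than in the user interface, so a caller that asks for the whole record still receives only the permitted subset. `policy_exposure` is the check a reviewer runs over the allow-lists before they go live: any sensitive field that shows up for a role with no need for it is an over-broad grant.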
Future compliance and enforcement timeline
The KCDPA gives businesses time to get ready. A further provision states that after June 1, 2026, new data activities should undergo a preemptive data protection review before they begin. This is intended to spot privacy risks early and make sure businesses handle data responsibly from the start.
For healthcare and other businesses dealing with sensitive information, the combination of HIPAA and KCDPA highlights the need for strong data security. Companies must watch for changes in the law and update their compliance plans to avoid fines and keep consumer trust.
As regulations change, businesses should think about investing in strong data management programs, advanced cybersecurity, and legal advice to handle state and federal privacy laws. As states update their data protection rules, businesses need to stay ahead to protect consumer data, meet industry standards, and build public trust in their security efforts.