Kentucky Health Data Protection Requirements: A HIPAA and State Law Compliance Guide

Kevin Henry

HIPAA

April 29, 2026

7 minute read

HIPAA Compliance Requirements

Core rules at a glance

Kentucky providers and their business associates must comply with the HIPAA Privacy Rule and Security Rule. The Privacy Rule governs permitted uses and disclosures of PHI (for example, treatment, payment, and health care operations) and applies the minimum necessary standard to most non-treatment uses. The Security Rule requires an enterprise-wide risk analysis and risk management to safeguard ePHI with administrative, physical, and technical controls. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html?utm_source=openai))

HIPAA’s Breach Notification Rule requires notice to affected individuals, to HHS, and in some cases to the media, without unreasonable delay following a breach of unsecured PHI. Timelines and content requirements depend on the size and circumstances of the breach. Maintain written policies, train staff, and document decisions to demonstrate compliance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

Operational must-haves

  • Maintain and annually review a written risk analysis and risk management plan (Security Rule).
  • Issue and post a Notice of Privacy Practices; honor individual rights (access, amendments, accounting, restrictions, confidential communications).
  • Execute Business Associate Agreements before sharing PHI with vendors.
  • Apply minimum necessary, role-based access, and audit controls across systems handling ePHI.

Kentucky Consumer Data Protection Act Overview

Scope, timing, and thresholds

The Kentucky Consumer Data Protection Act (KCDPA) took effect on January 1, 2026. It applies to controllers and processors doing business in Kentucky (or targeting Kentuckians) that, in a calendar year, process personal data of 100,000+ consumers, or 25,000+ consumers while deriving over 50% of gross revenue from the sale of personal data. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/record/24rs/hb15.html))

Consumer rights and controller duties

The KCDPA grants rights to confirm, access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising, data sales, and certain profiling. Controllers must provide transparent privacy notices, honor verified requests, and bind processors via contracts that include required privacy and security terms. Data protection impact assessments are required for processing that presents heightened risk (e.g., targeted advertising, profiling, or sensitive data). ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/Statutes/statute.aspx?id=56649&utm_source=openai))

Key healthcare carve‑outs

Most HIPAA-regulated data and entities are out of scope: the KCDPA exempts protected health information under HIPAA, health records, identifiable research data under specified federal frameworks, and other categories. Covered entities and business associates, as defined by HIPAA, also benefit from entity-level or data-level exemptions, reducing overlap with HIPAA obligations. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=56648&utm_source=openai))

Medical Records Access and Retention

Patient access under Kentucky’s Medical Records Act (KRS 422.317)

Upon written request, a Kentucky hospital or health care provider must furnish a copy of the patient’s medical record without charge for the first copy; a copying fee of up to $1 per page may be charged for a second copy requested by the patient, the patient’s attorney, or authorized representative. Coordinate these state requirements with HIPAA’s Right of Access timelines and format rules. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=18145))

Record retention timelines in Kentucky

Hospitals must retain medical records for at least six years from discharge or, for minors, at least three years after the patient reaches the age of majority, whichever is longer. Critical access hospitals must retain records for a minimum of five years (or, for minors, three years after majority, whichever is longer). Clinical laboratories have shorter, test-specific retention rules. ([law.cornell.edu](https://www.law.cornell.edu/regulations/kentucky/902-KAR-20-016))

HIPAA documentation retention

HIPAA does not set clinical record retention, but it does require retention of privacy and security documentation—policies, procedures, and required actions—for at least six years from creation or last effective date. Keep your notices, authorizations, risk analyses, training logs, and breach documentation accordingly. ([ecfr.io](https://ecfr.io/Title-45/Section-164.316?utm_source=openai))

Confidentiality and Privacy Protections

Permitted uses and minimum necessary

Use and disclose PHI for treatment, payment, and health care operations without an authorization, and apply the minimum necessary standard to most non-treatment uses. Build role-based access, routinely review user privileges, and log disclosures as required. Kentucky providers should also align with state confidentiality rules that apply to specific programs or data sets. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html?utm_source=openai))

Authorizations and sensitive categories

When disclosures fall outside HIPAA-permitted pathways, obtain a valid HIPAA authorization. Take extra care with psychotherapy notes, substance use disorder records, and other specially protected categories under federal or state law.

Telehealth and Data Security

Kentucky law requires informed consent and confidentiality protections when delivering telehealth. For example, nursing and medical statutes mandate obtaining the patient’s informed consent before telehealth services and maintaining confidentiality through appropriate processes, practices, and technology consistent with federal law. Include privacy risks, technology limits, alternatives, and how records are protected in your Telehealth Informed Consent. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=30935&utm_source=openai))

Security-by-design for virtual care

  • Use HIPAA-compliant, non–public-facing platforms with encryption in transit and at rest.
  • Authenticate patients, confirm their physical location, and document consent, modality, and participants in the medical record.
  • Harden endpoints, apply MFA, and restrict recording features to approved workflows.

Kentucky is a one‑party consent state: recording a conversation is permissible if at least one party to the communication consents. Even so, do not record clinical encounters without clear patient consent and a compliant purpose; reflect any recording in the record and retain or dispose of it under your retention and disposal policies. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=19948&utm_source=openai))

PHI Disposal and Security

Protected Health Information Disposal: defensible methods

HIPAA requires reasonable safeguards during disposal. For paper, use cross‑cut shredding, pulping, or incineration. For electronic media, HHS endorses methods aligned to NIST SP 800‑88—clear, purge, or destroy—based on media type and risk. Maintain destruction logs showing media type/serial, method, operator, date, and witness (when applicable). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))

Lifecycle and vendor controls

Apply media controls from acquisition to retirement. Before reuse or disposal, sanitize drives and removable media. Treat shredding and IT asset disposition firms as business associates if they handle PHI, and verify their processes meet NIST-based standards.

Exemptions under Kentucky Data Laws

Under the KCDPA, HIPAA PHI, health records, certain research data, and other designated categories are exempt. The law’s entity- and data-level carve‑outs mean most traditional providers focus on HIPAA, while non‑HIPAA health apps or consumer-facing programs may fall under the KCDPA if thresholds are met. Keep an eye on “sensitive data” (e.g., precise geolocation, biometrics, mental or physical health diagnosis) and obtain consent where required. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=56648&utm_source=openai))

FAQs

What are the key HIPAA rules for Kentucky providers?

Focus on the Privacy Rule (permitted uses/disclosures, minimum necessary, patient rights), the Security Rule (risk analysis, access controls, audit controls, incident response), and the Breach Notification Rule (timely notice to individuals, HHS, and sometimes media). Coordinate these with state-specific obligations like KRS 422.317 for medical record copies. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html?utm_source=openai))

How does KCDPA affect health data?

HIPAA PHI and many health records are exempt from the KCDPA, so covered entities typically remain governed by HIPAA. However, non‑HIPAA data (for example, consumer health data in apps) may be in scope if thresholds are met. The Attorney General enforces the KCDPA, with a 30‑day cure period and civil penalties for unresolved violations. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=56648&utm_source=openai))

What are patient rights to medical record access?

Under KRS 422.317, patients are entitled to a free first copy of their medical record upon written request, with capped per‑page fees for a second copy. HIPAA’s Right of Access also requires timely access to PHI in a designated record set in the requested format if readily producible. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=18145))

Common HIPAA pathways include treatment, payment, and health care operations; disclosures required by law; specific public interest activities (such as certain public health and law enforcement purposes); and limited data sets under data use agreements. Apply the minimum necessary standard where applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?Channel=Google_PPC&field_insight_category_target_id=2&utm_source=openai))

How must PHI be disposed of properly?

Use reasonable safeguards. For paper, shred, burn, or pulp so PHI is unreadable. For electronic media, apply NIST SP 800‑88–aligned sanitization: clear, purge, or destroy. Keep destruction records and validate vendor methods if outsourcing. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))
