Kentucky Healthcare Breach Notification Law: Requirements, Deadlines, and Who to Notify

Kevin Henry

Data Breaches

February 28, 2026

8-minute read

Kentucky regulates healthcare breach notification through two parallel frameworks: the state’s general computerized data breach statute for private-sector “information holders” and a governmental breach notification statute for public agencies. Most private healthcare organizations also follow HIPAA, which sets separate federal timelines and recipients. This guide explains who is covered, what counts as a personal information compromise, and the precise notification duties, deadlines, and exceptions.

By the end, you’ll know when identity theft risk triggers notice, when Kentucky Attorney General notification applies, and when notification of consumer reporting agencies is required.

Covered Entities in Kentucky

HIPAA‑regulated healthcare providers and plans

Most private Kentucky hospitals, physician groups, clinics, health plans, and their business associates are HIPAA‑regulated. Kentucky’s general breach statute excludes persons subject to HIPAA, so these organizations follow HIPAA’s breach rules for protected health information (PHI) rather than the state’s private‑sector statute. They may still maintain other data, but the state’s general notification statute does not apply to HIPAA‑subject entities.

Public healthcare agencies and facilities

State and local government entities—such as public hospitals, local health departments, university clinics, and other “agencies”—are governed by Kentucky’s governmental breach notification statute. That law includes specific deadlines, required recipients, and content for notices when a personal information compromise occurs.

Health‑adjacent companies and vendors

Organizations doing business in Kentucky that are not HIPAA‑regulated—such as certain health apps, wellness platforms, or analytics firms—are “information holders” under the state’s private‑sector statute for a computerized data breach. Vendors that handle personal information for a Kentucky public agency are “nonaffiliated third parties” with separate duties to the agency.

Definition of Data Breach

Private sector (general breach statute)

A breach is the unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personal information in a multi‑individual database and actually causes—or leads you to reasonably believe has caused or will cause—identity theft or fraud against a Kentucky resident. Good‑faith acquisition by your employee or agent is not a breach if there is no further unauthorized use or disclosure.

Public agencies (governmental breach notification statute)

A security breach includes the unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data (and encrypted data if the key is compromised) that compromises personal information and is likely to harm one or more individuals. Good‑faith acquisition for agency purposes without further unauthorized disclosure is excluded.

Personal Information Covered

Private sector “information holders”

  • First name or first initial and last name plus one of the following unredacted data elements: Social Security number; driver’s license number; or account/credit/debit card number with any required security code, access code, or password.
  • Medical or health data alone is not a trigger category under this statute unless combined with the listed identifiers.

Public agencies (governmental breach notification statute)

  • Name (or personal mark/unique biometric or genetic print/image) plus one or more: account/credit/debit number with security code; Social Security number; taxpayer identification number incorporating an SSN; driver’s license or state ID; passport or other U.S. government ID; or individually identifiable health information as defined by HIPAA.
  • This broader definition explicitly covers healthcare data held by government entities.

Notification Requirements and Deadlines

HIPAA‑covered healthcare entities

For unsecured PHI, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If a breach affects 500 or more residents in a single state or jurisdiction, you must also notify prominent media for that area within the same 60‑day window and report to HHS; smaller breaches are logged annually with HHS. These federal duties apply regardless of Kentucky’s state‑law exemptions.

Private sector under Kentucky’s general breach statute

  • Who to notify: Affected Kentucky residents whose covered personal information was acquired or is reasonably believed to have been acquired by an unauthorized person.
  • Deadline: In the most expedient time possible and without unreasonable delay, consistent with law enforcement needs and measures to determine scope and restore system integrity.
  • Method: Written or electronic notice; substitute notice (email, website posting, and major statewide media) is permitted if costs exceed $250,000, the affected class exceeds 500,000, or contact data is insufficient.
  • Additional recipient: If notice will go to more than 1,000 people, you must also notify consumer reporting agencies, informing the nationwide credit bureaus of the timing, distribution, and content of your notice.

Public agencies under Kentucky’s governmental breach notification statute

  • Who to notify within 72 hours of determining or being notified of a breach: the Kentucky Attorney General, the Commissioner of the Kentucky State Police, and the Auditor of Public Accounts (plus designated oversight offices depending on the agency type).
  • Post‑investigation updates: Within 48 hours after completing your breach investigation, re‑notify the same officials and the Department for Libraries and Archives.
  • Individuals: Within 35 days after the 48‑hour agency notifications, notify all impacted individuals with a clear, conspicuous notice that includes required content and resources.
  • High‑volume events: If 1,000+ individuals will be notified, alert the appropriate oversight office(s) and all nationwide consumer credit reporting agencies at least seven days before sending individual notices.
  • Delays: Written law‑enforcement delay is allowed; the Attorney General may approve limited delays needed to restore system integrity.

Notification to Attorney General

Private‑sector, HIPAA‑regulated healthcare providers and their business associates have no state‑law duty to provide Kentucky Attorney General notification under the general breach statute; that law excludes persons subject to HIPAA. Your primary duties are under HIPAA, plus any contractual or sector‑specific obligations.

Public agencies—including state and local health departments, public hospitals, and public university clinics—must notify the Attorney General within 72 hours of breach determination or notice, provide a 48‑hour post‑investigation update, and include the Office in certain delay approvals. If a vendor to a public agency is breached, the vendor must alert the agency promptly so the agency can fulfill the Attorney General notification duties.

Exceptions and Exemptions

  • Breach notification exemption for HIPAA/GLBA entities under the private‑sector statute; governmental entities are also excluded from that statute and instead follow the governmental breach notification statute.
  • Encryption safe harbor: For private entities, only unencrypted and unredacted computerized data qualifies; for agencies, encrypted data is exempt unless the key or process is compromised.
  • Good‑faith employee/agent acquisition without further unauthorized disclosure is not a breach under either framework.
  • Agency “no‑likelihood‑of‑harm” outcome: After a prompt investigation, if misuse has not occurred and is not likely to occur, agencies may forgo individual notice but must document the basis and notify required officials.
  • Existing security policy: Private entities that maintain their own notification procedures consistent with the statute’s timing are deemed compliant when they follow that policy.

Third-Party Data Holder Obligations

Private sector

If you maintain computerized data containing personal information that you do not own, you must notify the data’s owner or licensee as soon as reasonably practicable after discovery of a breach. The owner then determines consumer notice obligations.

Public agencies and their vendors

Nonaffiliated third parties that access or maintain personal information for a Kentucky agency must implement written security and breach investigation practices and notify the agency in the most expedient time possible and without unreasonable delay—but no later than 72 hours after determining a breach. Contracts must address security standards and how costs for investigation and notification will be allocated.

Summary

In Kentucky, HIPAA‑regulated healthcare entities follow federal timelines and recipients, while non‑HIPAA health‑adjacent businesses follow the private‑sector statute, with its “unreasonable delay” standard and credit‑bureau notice for large events. Public healthcare agencies face strict 72‑hour, 48‑hour, and 35‑day requirements and must notify the Kentucky Attorney General. Map your data, determine which framework applies, and act quickly to contain harm and meet all notice duties.

FAQs

What triggers notification under Kentucky healthcare breach law?

For HIPAA‑regulated entities, a breach of unsecured PHI triggers notice under HIPAA. For private non‑HIPAA “information holders,” unauthorized acquisition of unencrypted, unredacted computerized personal information that creates an identity theft risk triggers notice to affected residents. For public agencies, a security breach likely to harm one or more individuals triggers multi‑party notifications and individual notice.

Who must notify the Attorney General of a breach?

Public agencies—including state and local health entities—must notify the Kentucky Attorney General within 72 hours of breach determination and again within 48 hours after completing the investigation. Private‑sector, HIPAA‑regulated healthcare providers have no state‑law duty to notify the Attorney General.

Are government entities subject to this breach notification law?

Yes. Government entities follow Kentucky’s governmental breach notification statute, which sets detailed security, investigation, and notice obligations with specific deadlines. They are exempt from the private‑sector statute that applies to businesses.

What personal information qualifies as protected under this law?

For businesses, covered data is a name plus one of these: Social Security number, driver’s license number, or financial account/credit/debit card number with any required code. For government entities, the list is broader and includes those elements plus taxpayer ID (with SSN), passport or other government IDs, certain biometrics/genetic identifiers, and individually identifiable health information.
