
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

New HIPAA Exemption Added to Kentucky Consumer Data Protection Act

In April 2024, Kentucky joined the growing number of states that have adopted comprehensive consumer privacy and data protection laws. The Kentucky Consumer Data Protection Act was signed into law on April 4, 2024, and is due to take effect on January 1, 2026. The Kentucky Consumer Data Protection Act applies to individuals and legal entities that control or process the personal data of at least 100,000 Kentucky consumers or control or process the personal data of 25,000 Kentucky consumers and derive over 50% of gross revenue from the sale of personal data.

An amendment to the law has been signed by state governor Andy Beshear that narrows the scope of the law, exempting information collected by healthcare providers covered under HIPAA that maintain protected health information in compliance with the HIPAA Rules and other related regulations. The amendment also expands the excluded information to include information collected in a limited data set, as defined in 45 C.F.R. § 164.514(e) to the extent the information is used, disclosed, and maintained as specified in 45 C.F.R. § 164.514(e).

The exemption for small telephone utilities and municipally owned utilities that do not sell or share personal data with any third-party processor has also been updated, changing “any third-party processor” to “any third party.” The Kentucky Consumer Data Protection Act requires controllers to conduct and document a data protection impact assessment of certain processing activities involving personal data. Data protection impact assessments are required for the processing of personal data for the purposes of profiling, where the profiling presents reasonably foreseeable risks. The definition of risks has been amended to include unlawfulness, with the update now covering risks of “unfair or deceptive treatment of consumers or unlawful, disparate impact on consumers.”

Governor Beshear signed the amendment into law on March 15, 2025. The amendments will take effect on January 1, 2026, and the law’s data protection assessment requirements will apply to processing activities created or generated on or after June 1, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
