
McBrayer Blogs

Kentucky’s Comprehensive Data Privacy Law: What Healthcare Providers Need to Know

Kentucky’s Consumer Data Protection Act (KCDPA) took effect January 1, 2026. It is the state’s first comprehensive data privacy law, joining 19 others nationwide, and it will significantly impact businesses that handle consumer information. Specifically, any business that collects 100,000 or more consumer data points, or that collects at least 25,000 and derives 50% of its revenue from selling that data, must comply.

Who’s Covered and Who’s Exempt

While HIPAA-covered entities and their business associates remain exempt, many healthcare providers will still feel the effects, especially in hybrid scenarios. For example:

  • A sleep specialist who reviews data from a patient’s Apple Watch, Oura ring, or other wearable device becomes subject to both HIPAA and the KCDPA.

In such cases, wearable-device data, which is considered consumer data under the KCDPA, would trigger new compliance obligations beyond traditional healthcare privacy rules.

Controllers vs. Processors: Why That Distinction Matters

Under the KCDPA, entities fall into one or both of two roles:

  • Data Controllers: Those who collect data directly from consumers. They must comply with transparency standards such as disclosures around data usage and implement safeguards to protect consumer privacy.
  • Data Processors: Those who handle data on behalf of controllers. Though their responsibilities differ slightly, the line between processors and controllers can blur.

Bottom line: Organizations need to implement robust privacy safeguards across the board and ensure that their contracts, whether with partners or vendors, clearly define each party’s responsibilities under these new rules.

What Healthcare Providers Should Do Now

  1. Assess patient data practices
    Determine whether your organization collects wearable or biometric data, or if patients share such data directly with you.
  2. Review contracts and agreements
    Many business associate agreements (BAAs) have not yet accounted for KCDPA requirements. Contracts may need to be amended to allocate responsibility in the event of a breach or privacy concern.
  3. Apply dual compliance
    If you collect consumer wearable data, HIPAA alone will not suffice. You will also need to meet KCDPA obligations.
  4. Seek legal guidance
    Even large healthcare-adjacent organizations may struggle to classify data correctly under HIPAA versus KCDPA. Just because data is not explicitly “protected health information” does not mean it is outside regulatory scope. Biometric or other sensitive personal data may still fall under the KCDPA. Meeting with a McBrayer attorney is essential to assess your data-collection practices, understand your obligations, and ensure full compliance.

Final Takeaway

Kentucky’s KCDPA marks a major advance in data privacy regulation. For some healthcare providers, especially those working with consumer wearables, the law introduces new layers of responsibility beyond HIPAA. Now is the time to evaluate your data flows, update contracts, and align your practices with Kentucky’s new requirements.


Ameena Khan Per is an Associate of McBrayer PLLC, practicing in the firm's Louisville office. Her law practice primarily focuses on data privacy and security, intellectual property, and trademarks. Mrs. Per can be reached at aper@mcbrayerfirm.com.

Valerie Michael is an Associate in McBrayer's Lexington office. Her practice mainly revolves around healthcare law, covering a broad range of issues including defense of healthcare professional licensure, compliance, and regulatory matters. She also manages civil and criminal cases involving Medicare and Medicaid fraud, as well as facility licensing and certification. Ms. Michael can be reached at vmichael@mcbrayerfirm.com.
