Kentucky Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Kentucky.
Kentucky's breach-notification law — KRS §365.732 — gives medical practices one of the clearer Southeast windows to work with: notification "as soon as reasonably practicable but no later than 60 days after discovery," with the Kentucky Attorney General and affected individuals both required to be notified. Penalties under the Consumer Protection Act reach $10,000 per violation. Kentucky also operates KASPER — the Kentucky All Schedule Prescription Electronic Reporting program — one of the oldest prescription monitoring programs in the United States, established in 1998 and the model on which several other state PMPs were built. KASPER is administered by the Cabinet for Health and Family Services through the Office of Inspector General, and queries are mandatory before every controlled-substance prescription. Lexington and Louisville-area pain-management and behavioral-health practices operate under a particularly rigorous Kentucky Board of Medical Licensure posture in the wake of the opioid crisis: KASPER pattern review is one of the more common drivers of board inquiry, and "failure to check KASPER" is independently a Class D felony with fines up to $10,000. The 60-day breach clock, the 5-year hospital retention floor under 902 KAR 20:016, and KASPER's depth combine to make Kentucky's framework precise rather than maximalist.
Breach Notification Rules
| Requirement | Detail |
|---|---|
| Notification deadline | Most expedient time possible. Notification must be made as soon as reasonably practicable but no later than 60 days after discovery. AG and affected individuals must be notified. |
| AG notification threshold | All breaches (Notify: AG) |
| Harm analysis required | |
| Penalty range | Up to $10,000 per violation under Consumer Protection Act |
Enforcement Posture
The Kentucky Office of the Attorney General is largely reactive on healthcare-privacy enforcement, opening investigations on breach notifications rather than pursuing proactive sweeps. The Consumer Protection Division will pursue §365.732 violations when notifications are late or incomplete, and the $10,000-per-violation ceiling has shaped settlement posture. The more active state regulator on healthcare matters is the Kentucky Board of Medical Licensure, which has built KASPER pattern review into its routine prescribing-investigation workflow. Pain-management and behavioral-health practices in particular should treat KASPER documentation as audit-grade — failure-to-check is a Class D felony, independent of any patient-harm outcome. Document your 60-day breach clock, your harm-analysis worksheet, and your KASPER query log meticulously.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 5 years | Discharge |
Controlled-Substance Prescription Monitoring (KASPER)
KASPER — the Kentucky All Schedule Prescription Electronic Reporting program — is one of the oldest PMPs in the United States, established in 1998. KASPER is deeply integrated into Kentucky EHR platforms and is administered through the Cabinet for Health and Family Services. A query is required before every controlled-substance prescription. Delegation to licensed designees is permitted. Registration at ekasper.ky.gov is mandatory for all DEA registrants prescribing in Kentucky. Exemptions cover hospice, cancer treatment, ≤3-day ER supplies, inpatient and nursing-facility administration, and medication-assisted treatment. Failure to check is a Class D felony with fines up to $10,000.
| Requirement | Detail |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation allowed | |
| Penalty range | Licensing board discipline; Class D felony for failure to check; fines up to $10,000 |
| Exemptions | Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or nursing facility, medication-assisted treatment |
How Kentucky Rules Hit by Specialty
Pain management
Kentucky pain-management practice is one of the most aggressively regulated in the country post-opioid-crisis. KASPER must be queried at every controlled-substance prescription; failure to check is a Class D felony with fines up to $10,000. The Kentucky Board of Medical Licensure reviews KASPER pattern data proactively.
Behavioral health
Behavioral-health practices prescribing buprenorphine, methadone, or benzodiazepines fall fully under KASPER's check-every-prescription requirement. Medication-assisted treatment is exempted in narrow circumstances; document the exemption rationale in the chart.
Pharmacy/compounding
Pharmacies dispensing Schedule II–V controlled substances report into KASPER on a 24-hour cadence. The Kentucky Board of Pharmacy reviews dispensing patterns flagged in KASPER and uses pattern data for licensing review independent of practitioner-side complaints.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Any person including physicians, nurses, dentists, psychologists, and all healthcare professionals | Department for Community Based Services (DCBS) or local law enforcement | Immediately / as soon as possible | Class A misdemeanor; Class D felony if abuse results in serious injury or death | Good faith reporters immune from civil and criminal liability under KRS 620.050 |
| Any person including all healthcare professionals | Adult Protective Services, Cabinet for Health and Family Services | Immediately / as soon as possible | Class A misdemeanor | Good faith reporters immune from civil and criminal liability |
| Healthcare providers are mandatory reporters when treating injuries from domestic violence (Kentucky mandates for healthcare professionals) | Local law enforcement or Commonwealth Attorney | Immediately / as soon as possible | Class A misdemeanor | Good faith reporters immune from civil and criminal liability |
| Physicians, laboratories, healthcare facilities, and infection control professionals | Kentucky Department for Public Health, local health department | Within 24 hours | Class A misdemeanor | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot or stab wounds | Local law enforcement | Immediately / as soon as possible | Class B misdemeanor | Good faith reporters immune from civil and criminal liability |
Kentucky Compliance FAQs
As soon as reasonably practicable but no later than 60 days after discovery. The Kentucky Attorney General and affected individuals must both be notified. Penalties under the Consumer Protection Act reach $10,000 per violation, and late notifications are a recurring driver of follow-up AG inquiry.
Yes. KASPER must be queried before every Schedule II–V controlled-substance prescription. Exemptions cover hospice, cancer treatment, ≤3-day ER supplies, inpatient or nursing-facility administration, and medication-assisted treatment. Failure to check is a Class D felony — one of the harshest PDMP-noncompliance penalties in the country — with fines up to $10,000 and Kentucky Board of Medical Licensure discipline.
Hospitals: 5 years from discharge under 902 KAR 20:016 §3. Independent physician practices should default to HIPAA's 6-year minimum, which exceeds the state hospital floor — most Kentucky carriers recommend the 6-year HIPAA standard in practice.
Any person, including all healthcare professionals, is a mandatory reporter under KRS §620.030. Reports go to the Department for Community Based Services (DCBS) or local law enforcement. Failure to report is a Class A misdemeanor, escalating to a Class D felony if the abuse results in serious injury or death.
Not in posture, but the 60-day count tracks HIPAA's federal floor rather than relaxing it, and the AG-notification track adds a parallel filing obligation. The KASPER failure-to-check felony penalty, however, is independently among the strictest PDMP regimes in the country.
