Cybersecurity & Privacy Blog

Health data privacy is entering a new era—and the warning signs are already here. While the Health Information Privacy Reform Act (HIPRA) proposed by Senator Bill Cassidy may not make its way through Congress, its message to digital health companies and HIPAA-covered entities is unmistakable: the regulatory gap around consumer health data is closing fast.

As businesses prepare for the holiday season and the new year inches closer, now is the time to revisit Indiana and Kentucky’s comprehensive data privacy laws taking effect on January 1, 2026.  As data privacy laws travel east and become effective across the Midwest, many businesses that target consumers in Indiana and Kentucky will have increased risk despite previous efforts to comply with more onerous regulations.  In addition to Indiana, nine other state AGs have joined a Bipartisan Consortium of regulators intending to coordinate and share resources to enforce their respective state privacy laws. These laws will have an impact on businesses, including those based in Ohio, that collect or process personal data from residents of these neighboring states. The laws establish new consumer rights, impose obligations on businesses, and set forth substantial penalties for non-compliance. Below is an overview of the key provisions in each law and what businesses should do to prepare for the new year.