Friday, May 29, 2026

Florida’s Proposed Data Breach Transparency Rule: New Reporting and Continuity Planning Requirements for AHCA-Licensed Providers


The Florida Agency for Health Care Administration (AHCA) has proposed a new administrative rule that would impose significant incident-reporting and data-continuity obligations on nearly every provider it licenses. Proposed Rule 59A-35.112, titled “Data Breach Transparency,” would require covered providers to report information technology incidents to AHCA within twenty-four hours and to maintain written continuity plans addressing data backup, recovery, and patient care operations. The rule remains in active development following a public workshop held on September 17, 2025. Providers subject to AHCA licensure should begin evaluating their current incident response and business continuity frameworks now.

Scope of Covered Providers

Proposed Rule 59A-35.112 applies to all “Providers” as defined in Section 408.803(12), Florida Statutes. This encompasses virtually every entity licensed by AHCA, including hospitals, ambulatory surgical centers, nursing homes, assisted living facilities, home health agencies, hospices, nurse registries, medical laboratories, health care clinics, intermediate care facilities for individuals with developmental disabilities, home medical equipment providers, health care services pools, and organ procurement organizations, among others. In short, most entities delivering health care services in Florida or participating in Medicaid would be subject to the rule.

The Twenty-Four-Hour Reporting Obligation

Under the proposed rule, a provider must report an “information technology incident” to AHCA no later than twenty-four hours after the provider “reasonably believes” such an incident “may have occurred.” The rule defines an “information technology incident” as “an observable occurrence or data disruption or loss in an information technology system or network that enables or is caused by unauthorized access of data in electronic form.” Good faith access by an authorized employee does not trigger the obligation, provided the data is not used in an unauthorized manner or for an unauthorized purpose. Reports must be submitted using AHCA Form 3180-XXXX (as finalized) through the Agency’s adverse incident reporting system, which can only be accessed through AHCA’s Single Sign On Portal.

Two features deserve particular attention. First, the twenty-four-hour clock begins upon a “reasonable belief” that an incident “may have” occurred, not upon confirmation of a breach. Second, the reporting timeline is dramatically compressed compared to the Florida Information Protection Act’s (FIPA) thirty-day notification window (Section 501.171(3)(a), Florida Statutes) and the Health Insurance Portability and Accountability Act’s (HIPAA) sixty-day requirement for breaches of unsecured protected health information (PHI) (45 C.F.R. § 164.404(b)). Industry stakeholders, including the Home Care Association of Florida, have recommended alignment with FIPA’s timeline, raising concerns that the twenty-four-hour window could create compliance difficulties for smaller providers with limited IT resources.

Continuity Plan Requirements

The proposed rule requires each covered provider to maintain a written “continuity plan,” defined as “a written policy detailing procedures and information designed to maintain critical operations and essential patient care services during an interruption of normal operations.” The plan must include: (1) procedures for the regular performance of secure, redundant on-site and off-site data backups and verification of the restorability of backed-up data; (2) procedures for the recovery of critical operations and essential patient care services; and (3) procedures for the secure restoration of backed-up data and reporting of information technology incidents. The rule further mandates that off-site data backups must not be stored outside the continental United States. Providers using offshore or international cloud infrastructure will need to assess whether their current configurations satisfy this geographic restriction.

Post-Incident Documentation

Upon request following an incident, a provider must furnish AHCA with: (a) a police report, incident report, or computer forensics report; (b) a copy of the provider’s IT incident policies; (c) a description of the information disclosed; (d) steps taken to rectify the incident; and (e) the provider’s continuity plan.

How “Data” Differs from HIPAA and FIPA Definitions

One of the most significant aspects of the proposed rule is its expansive definition of “data”: “information and representations of information, knowledge, facts, concepts, documents, instructions, images and recordings whether humanly-perceivable or machine-readable, in any form, and whether in use, storage, physical or electronic transit, or presented on a display device.”

This is far broader than either federal or existing Florida law. Under 45 C.F.R. § 160.103, HIPAA’s “protected health information” is limited to individually identifiable health information relating to health conditions, the provision of health care, or payment for health care. Under Section 501.171(1)(g), Florida Statutes, FIPA’s “personal information” requires an individual’s first name or first initial and last name in combination with enumerated data elements such as Social Security numbers, government-issued identification numbers, financial account numbers with access credentials, medical history, health insurance identifiers, biometric data, or geolocation data.

By contrast, the proposed rule imposes no requirement that accessed data be individually identifiable, health-related, or tied to a named individual. A ransomware attack that encrypts operational (but non-clinical) data, or unauthorized access to internal business communications, could trigger the reporting obligation even if no PHI or personal information is compromised.

Rulemaking Authority and Current Status

AHCA cites Section 408.821(4), Florida Statutes, as both the rulemaking authority and the law implemented. The Agency held its initial rule development workshop on September 17, 2025, and is reviewing stakeholder comments. The rule has not yet been formally proposed through a Notice of Proposed Rule. Providers and their counsel should monitor AHCA’s rulemaking page and the Florida Administrative Register for updates.

Provider Commentary and Recommendations

The Home Care Association of Florida (HCAF) submitted formal comments to AHCA regarding the proposed rule. Their primary concern is that the twenty-four-hour reporting requirement is unrealistic, as many providers, particularly smaller or rural providers, do not have 24/7 information technology support. Additionally, HCAF suspects that the “reasonable belief” threshold, absent confirmed breach status, could lead to premature reporting of non-issues, creating administrative burdens for both providers and AHCA. HCAF is recommending that AHCA align the rule’s requirements with FIPA, HIPAA, and peer regulations: (i) HIPAA allows up to sixty days from confirmation of a breach to notify affected individuals and federal authorities; (ii) FIPA requires notification to affected parties and the Florida Department of Legal Affairs within thirty days of confirming a breach; and (iii) peer states including New York, Washington, Ohio, Georgia, and Texas provide timelines ranging from thirty to sixty days following confirmation. See here for full comments from HCAF.

Practical Compliance Considerations

Healthcare organizations and their advisors should begin preparing now:

  • Accelerate incident response timelines. Organizations accustomed to HIPAA’s sixty-day or FIPA’s thirty-day windows will need significantly faster detection and escalation protocols. Internal escalation chains, after-hours protocols, and decision-making authority for reporting should be defined in advance.
  • Evaluate continuity plan adequacy. Many AHCA-licensed facilities maintain Comprehensive Emergency Management Plans (CEMPs), but these focus on physical disaster recovery. The proposed rule’s requirements are IT-specific: data backup, restorability verification, and secure restoration. Existing CEMPs likely will not suffice without supplementation.
  • Audit backup storage geography. Providers must confirm that cloud and managed service providers store backup data exclusively within the continental United States. Vendor contracts should be reviewed and amended as necessary.
  • Expand monitoring scope. Because the rule’s definition of “data” extends well beyond PHI and personal information, providers will need to monitor for unauthorized access across all electronic systems. This broadens the universe of incidents that may trigger the twenty-four-hour clock.
  • Incorporate into M&A due diligence. Acquirers of AHCA-licensed providers should evaluate the target’s continuity planning, backup infrastructure, and incident response capabilities as part of operational due diligence. Non-compliance could result in regulatory exposure post-closing.

Conclusion

Proposed Rule 59A-35.112 would layer a new, state-level incident reporting and continuity planning regime on top of existing HIPAA and FIPA obligations, with a faster reporting clock and a broader definition of covered data than either framework requires. Although the rule remains in development, the breadth of its requirements warrants early preparation by all AHCA-licensed providers.

For further information regarding AHCA’s proposed data breach transparency rule, please contact the author at mclare@foxrothschild.com or 941-308-2676.

Mark Clare is an attorney and member of the Health Law Practice Group and the Health Care Transactions Practice Group at Fox Rothschild LLP. Mark is based in Sarasota, Florida and specializes in assisting clients with corporate, health law, and M&A matters.
