The Florida Agency for Health Care Administration (AHCA) has proposed a new administrative rule that would impose significant incident-reporting and data-continuity obligations on nearly every provider it licenses. Proposed Rule 59A-35.112, titled “Data Breach Transparency,” would require covered providers to report information technology incidents to AHCA within twenty-four hours and maintain written continuity plans addressing data backup, restoration, and patient care operations. The rule remains in active development following a public workshop held on September 17, 2025. Providers subject to AHCA licensure should begin evaluating their existing incident response and business continuity frameworks now.

Scope of Covered Providers

Proposed Rule 59A-35.112 applies to all “Providers” as defined in Section 408.803(12), Florida Statutes. This encompasses virtually every entity licensed by AHCA, including hospitals, ambulatory surgical centers, nursing homes, assisted living facilities, home health agencies, hospices, nurse registries, clinical laboratories, health care clinics, intermediate care facilities for persons with developmental disabilities, home medical equipment providers, health care services pools, and organ procurement organizations, among others. In short, most entities delivering health care services in Florida or participating in Medicaid would be subject to the rule.

The Twenty-Four-Hour Reporting Obligation

Under the proposed rule, a provider must report an “information technology incident” to AHCA no later than twenty-four hours after the provider “reasonably believes” such an incident “may have occurred.” The rule defines an “information technology incident” as “an observable occurrence or data disruption or loss in an information technology system or network that permits or is caused by unauthorized access of data in electronic form.” Good-faith access by an authorized employee does not trigger the obligation, provided the data is not used in an unauthorized manner or for an unauthorized purpose. Reports must be submitted on AHCA Form 3180-XXXX (as finalized) through the Agency’s adverse incident reporting system, which can be accessed only through AHCA’s Single Sign On Portal.

Two features deserve particular attention. First, the twenty-four-hour clock begins upon a “reasonable belief” that an incident “may have” occurred, not upon confirmation of a breach. Second, the reporting timeline is dramatically compressed compared to the Florida Information Protection Act’s (FIPA) thirty-day notification window (Section 501.171(3)(a), Florida Statutes) and the Health Insurance Portability and Accountability Act’s (HIPAA) sixty-day outside limit for notifying breaches of unsecured protected health information (PHI) (45 C.F.R. § 164.404(b)). Industry stakeholders, including the Home Care Association of Florida, have recommended alignment with FIPA’s timeline, noting that the twenty-four-hour window may create compliance difficulties for smaller providers with limited IT resources.

Continuity Plan Requirements

The proposed rule requires each covered provider to maintain a written “continuity plan,” defined as “a written policy detailing procedures and information designed to maintain critical operations and essential patient care services during an interruption of normal operations.” The plan must include: (1) procedures for the regular performance of secure, redundant on-site and off-site data backups and verification of the restorability of backed-up data; (2) procedures for the restoration of critical operations and essential patient care services; and (3) procedures for the secure restoration of backed-up data and reporting of information technology incidents. The rule further mandates that off-site data backups must not be stored outside the continental United States. Providers that use offshore or international cloud infrastructure, including cross-region replication or archival tiers hosted outside the continental United States, will need to assess whether their current configurations satisfy this geographic restriction.

Post-Incident Documentation

Upon request following an incident, a provider must furnish AHCA with: (a) a police report, incident report, or computer forensics report; (b) a copy of the provider’s IT incident policies; (c) a description of the information disclosed; (d) steps taken to rectify the incident; and (e) the provider’s continuity plan.

How “Data” Differs from HIPAA and FIPA Definitions

One of the most significant aspects of the proposed rule is its expansive definition of “data”: “information and representations of information, knowledge, facts, concepts, documents, instructions, images and recordings whether humanly-perceivable or machine-readable, in any form, and whether in use, storage, physical or electronic transit, or presented on a display device.”

This is far broader than either federal or existing Florida law. Under 45 C.F.R. § 160.103, HIPAA’s “protected health information” is limited to individually identifiable health information relating to health conditions, the provision of health care, or payment for health care. Under Section 501.171(1)(g), Florida Statutes, FIPA’s “personal information” requires an individual’s first name or first initial and last name in combination with enumerated data elements such as Social Security numbers, government-issued identification numbers, financial account numbers with access credentials, medical history, health insurance identifiers, biometric data, or geolocation data.

By contrast, the proposed rule imposes no requirement that accessed data be individually identifiable, health-related, or tied to a named individual. A ransomware attack that encrypts operational (but non-clinical) data, or unauthorized access to internal business communications, could trigger the reporting obligation even if no PHI or personal information is compromised.

Rulemaking Authority and Current Status

AHCA cites Section 408.821(4), Florida Statutes, as both the rulemaking authority and the law implemented. The Agency held its initial rule development workshop on September 17, 2025, and is reviewing stakeholder comments. The rule has not yet been formally proposed through a Notice of Proposed Rule. Providers and their counsel should monitor AHCA’s rulemaking page and the Florida Administrative Register for updates.

Provider Commentary and Feedback

The Home Care Association of Florida (HCAF) submitted formal comments to AHCA regarding the proposed rule. HCAF’s primary concern is that the twenty-four-hour reporting requirement is unrealistic, because many providers, especially smaller or rural providers, do not have 24/7 information technology support. HCAF also contends that the “reasonable belief” threshold, which does not require a confirmed breach, could lead to premature reporting of non-issues, creating administrative burdens for both providers and AHCA. HCAF recommends that AHCA align the rule’s requirements with FIPA, HIPAA, and peer-state regulations: (i) HIPAA allows up to sixty days from confirmation of a breach to notify affected individuals and federal authorities; (ii) FIPA requires notification to affected parties and the Florida Department of Legal Affairs within thirty days of confirming a breach; and (iii) peer states including New York, Washington, Ohio, Georgia, and Texas offer timelines ranging from thirty to sixty days following confirmation.

Practical Compliance Considerations

Healthcare organizations and their advisors should begin preparing now:

  • Accelerate incident response timelines. Organizations accustomed to HIPAA’s sixty-day or FIPA’s thirty-day windows will need substantially faster detection and escalation protocols. Internal escalation chains, after-hours protocols, and decision-making authority for reporting should be defined in advance.
  • Evaluate continuity plan adequacy. Many AHCA-licensed facilities maintain Comprehensive Emergency Management Plans (CEMPs), but those focus on physical disaster recovery. The proposed rule’s requirements are IT-specific: data backup, restorability verification, and secure restoration. Existing CEMPs likely will not suffice without supplementation.
  • Audit backup storage geography. Providers must confirm that cloud and managed service providers keep off-site backup data, including replicas, snapshots, and disaster-recovery copies, exclusively within the continental United States. Vendor contracts should be reviewed and amended as necessary.
  • Broaden monitoring scope. Because the rule’s definition of “data” extends well beyond PHI and personal information, providers will need to monitor for unauthorized access across all electronic systems. This broadens the universe of incidents that may trigger the twenty-four-hour clock.
  • Incorporate into M&A due diligence. Acquirers of AHCA-licensed providers should evaluate the target’s continuity planning, backup infrastructure, and incident response capabilities as part of operational due diligence. Non-compliance could result in regulatory exposure post-closing.
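The restorability-verification and storage-geography points in the list above can be exercised with a small script. The following is an added example written for this page; it is not part of the proposed rule, AHCA guidance, or the author’s materials. It backs up a constructed sample directory, records a SHA-256 manifest at backup time, restores the archive to a scratch location and compares hashes, then audits a constructed backup inventory against an assumed allow-list of continental-US regions. The region identifiers, file names, inventory shape, and manifest layout are illustrative assumptions, not any vendor’s or AHCA’s.

```python
"""Added example: backup restorability check plus a storage-region audit.
Not part of the proposed rule or the article; all inputs are constructed.
Region names, file names and the manifest layout are assumptions."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Assumed allow-list standing in for "continental United States" storage.
# Illustrative identifiers, not any provider's official region list.
CONUS_REGIONS = {"us-east-1", "us-east-2", "us-west-1", "us-west-2"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, archive_path: Path) -> dict:
    """Archive source_dir and return {relative path: sha256} captured at
    backup time. In practice the manifest is stored apart from the archive."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive_path: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore the archive into restore_dir and compare every file's hash to
    the manifest. Returns a list of problems; an empty list is a pass."""
    problems = []
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            parts = Path(member.name).parts
            # Refuse members that could write outside restore_dir (tar-slip)
            # and anything that is not a regular file.
            if member.name.startswith("/") or ".." in parts or not member.isfile():
                problems.append(f"refused unsafe or non-file member: {member.name}")
                continue
            dest = restore_dir / member.name
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src:
                dest.write_bytes(src.read())
    for rel, expected in manifest.items():
        dest = restore_dir / rel
        if not dest.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(dest) != expected:
            problems.append(f"hash mismatch after restore: {rel}")
    return problems


def audit_backup_locations(inventory: list) -> list:
    """Return names of backup copies whose region is outside the allow-list.
    Inventory entries look like {"name": ..., "region": ...} (assumed shape)."""
    return [c["name"] for c in inventory if c.get("region") not in CONUS_REGIONS]


def demo() -> dict:
    """Constructed end-to-end run: a clean backup/restore passes, a stored
    copy whose contents drifted from the manifest fails, and one off-shore
    backup copy is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "records").mkdir(parents=True)
        (src / "records" / "census.csv").write_text("bed,patient_id\n12,0001\n")
        (src / "config.json").write_text(json.dumps({"site": "example-clinic"}))

        archive = tmp / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest, tmp / "restore_ok")

        # Simulate a stored copy that no longer matches what was backed up
        # (silent corruption or an overwritten file), checked against the
        # manifest captured at backup time.
        (src / "records" / "census.csv").write_text("bed,patient_id\n12,9999\n")
        drifted = tmp / "nightly-drifted.tar.gz"
        make_backup(src, drifted)
        bad = verify_restore(drifted, manifest, tmp / "restore_bad")

        inventory = [  # constructed sample inventory
            {"name": "onsite-nas", "region": "us-east-1"},
            {"name": "cloud-primary", "region": "us-west-2"},
            {"name": "cloud-archive", "region": "eu-central-1"},
        ]
        offshore = audit_backup_locations(inventory)
    return {"clean_problems": clean, "drift_problems": bad, "offshore": offshore}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter for the evidentiary side of the rule. The manifest is captured when the backup is made and kept separately, so a later restore test measures the stored copy against what was actually backed up rather than against itself; and each scheduled restore test should be logged with its result so the provider can show, on request, that restorability was verified. The restore path also refuses archive members with absolute or parent-directory paths, since a restore procedure that blindly extracts a tampered archive is itself an avenue for unauthorized writes.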

Conclusion

Proposed Rule 59A-35.112 would layer a new, state-level incident reporting and continuity planning regime on top of existing HIPAA and FIPA obligations, with a faster reporting clock and a broader definition of covered data than either framework requires. Although the rule remains in development, the breadth of its requirements warrants early preparation by all AHCA-licensed providers.

For further information regarding AHCA’s proposed data breach transparency rule, please contact the author at mclare@foxrothschild.com or 941-308-2676.

Mark Clare is an attorney and member of the Health Law Practice Group and the Health Care Transactions Practice Group at Fox Rothschild LLP. Mark is based in Sarasota, Florida and specializes in assisting clients with corporate, health law, and M&A matters.