Florida proposes new rule to tighten healthcare data breach reporting

A new regulation may soon require Florida healthcare providers to report IT security incidents within 24 hours and maintain written contingency plans.


What happened

Florida’s Agency for Health Care Administration (AHCA) has proposed a rule under the Florida Administrative Code directed at strengthening healthcare providers’ response to data breaches and IT disruptions. If adopted, the rule would require providers to report any qualifying information technology (IT) incident to AHCA within 24 hours of detection and to implement a formal contingency plan.

The proposed rule is part of an effort to enhance transparency and operational resilience following cyber incidents. A public rule development workshop is scheduled for September 17, 2025.


Going deeper

The rule applies to a wide range of healthcare entities, including hospitals, nursing homes, clinics, hospices, assisted living facilities, and others regulated by AHCA. These providers would need to maintain a written contingency policy outlining procedures for sustaining operations and patient care during IT-related disruptions.


The contingency plan must include:

  • Protocols to continue main services during downtime
  • Procedures for secure, redundant, and geographically limited data backups
  • Verification that backed-up data can be restored

The regulation defines an “information technology incident” as any data loss or disruption caused by unauthorized access, including both external threats (like cyberattacks) and internal misuse (even by authorized employees acting inappropriately).

Additionally, providers must be able to produce supporting documents if requested by AHCA, such as forensics reports, police reports, and copies of their contingency policies and incident response steps.


The big picture

According to Shumaker, Loop & Kendrick, the new rule does not override existing HIPAA requirements; it adds a layer of state-specific oversight. Providers would still need to meet federal data breach reporting obligations alongside the new 24-hour state-level reporting rule, if it is adopted.


FAQs

How does this proposed rule interact with HIPAA requirements?

HIPAA already requires breach notification to the Department of Health and Human Services, but Florida’s proposed rule introduces a separate 24-hour reporting obligation to AHCA, creating a dual-reporting responsibility for covered providers.


What qualifies as a reportable “information technology incident”?

Any unauthorized data access or system disruption, including insider misuse (even by authorized personnel), is considered reportable under the proposed rule, not just large-scale cyberattacks.


Will providers need to notify patients as part of this rule?

The proposed rule focuses on notification to AHCA, not directly to patients. However, providers may still be required to notify patients under HIPAA or other applicable laws depending on the severity and nature of the breach.


What are the consequences of not complying with the rule if adopted?

Failure to comply could result in administrative penalties from AHCA, including possible license violations, sanctions, or increased scrutiny during audits or investigations.