A new regulation may soon require Florida healthcare providers to report IT security incidents within 24 hours and maintain written contingency plans.
Florida’s Agency for Health Care Administration (AHCA) has proposed a rule under the Florida Administrative Code directed at strengthening healthcare providers’ response to data breaches and IT disruptions. If adopted, the rule would require providers to report any qualifying information technology (IT) incident to AHCA within 24 hours of detection and to implement a formal contingency plan.
The proposed rule is part of an effort to enhance transparency and operational resilience following cyber incidents. A public rule development workshop is scheduled for September 17, 2025.
The rule applies to a wide range of healthcare entities, including hospitals, nursing homes, clinics, hospices, assisted living facilities, and others regulated by AHCA. These providers would need to maintain a written contingency policy outlining procedures for sustaining operations and patient care during IT-related disruptions.
The contingency plan must include:
The regulation defines an “information technology incident” as any data loss or disruption caused by unauthorized access, including both external threats (like cyberattacks) and internal misuse (even by authorized employees acting inappropriately).
Additionally, providers must be able to produce supporting documents if requested by AHCA, such as forensics reports, police reports, and copies of their contingency policies and incident response steps.
According to Shumaker, Loop & Kendrick, the new rule does not override existing HIPAA requirements; it adds a layer of state-specific oversight. Providers will still need to meet federal data breach reporting obligations alongside the new 24-hour state-level reporting rule, if adopted.
HIPAA already requires breach notification to the Department of Health and Human Services, but Florida’s proposed rule introduces a separate 24-hour reporting obligation to AHCA, creating a dual-reporting responsibility for covered providers.
Any unauthorized data access or system disruption, including insider misuse, even by authorized personnel, is considered reportable under the proposed rule, not just large-scale cyberattacks.
The proposed rule focuses on notification to AHCA, not directly to patients. However, providers may still be required to notify patients under HIPAA or other applicable laws depending on the severity and nature of the breach.
Failure to comply could result in administrative penalties from AHCA, including possible license violations, sanctions, or increased scrutiny during audits or investigations.