The Florida Agency for Health Care Administration (AHCA or the Agency) recently issued a new proposed rule that would require all “providers” licensed by AHCA to have a “continuity plan” for data and information technology disruptions. The proposed rule would also mandate the reporting of certain information to AHCA upon the occurrence of an “information technology incident.”
Continuity Plans
Many providers that would be subject to the proposed rule (see section on Applicability below) are currently required by AHCA to have a Comprehensive Emergency Management Plan (CEMP) in place for patient care and operations in the event of a disaster or emergency. To satisfy the proposed rule’s continuity plan requirement, a provider would need to adopt a written policy detailing procedures and information designed to maintain critical operations and essential patient care services during an interruption of normal operations. In particular, the rule contemplates three specific types of procedures that continuity plans must address:
- Procedures for the regular performance of secure, redundant on-site and off-site data backups and verification of the restorability of backed-up data;
- Procedures for the restoration of critical operations and essential patient care services; and
- Procedures for the secure restoration of backed-up data and reporting of information technology incidents.
The proposed rule would require the off-site data backups addressed in a provider’s continuity plan to be stored within the continental United States.
Importantly, the proposed rule’s broad definition of “data” is not limited to information that would constitute “protected health information” under HIPAA or even “personal information” under the Florida Information Protection Act of 2014 (FIPA). Instead, it would apply to data used for both business and clinical operations.
Incident Reporting
The proposed rule’s “information technology incident” reporting requirements would be triggered upon the occurrence of any “observable occurrence or data disruption or loss in an information technology system or network that permits or is caused by unauthorized access of data in electronic form.” However, good-faith access by authorized employees would be exempt so long as the applicable data is not used in an unauthorized manner or for an unauthorized purpose.
Providers would be required to report the occurrence of an information technology incident to AHCA no later than 24 hours after the provider reasonably believes such an incident may have occurred. Note that this 24-hour reporting deadline is much more aggressive than other breach-reporting deadlines. For example, the HIPAA breach-notification rule generally allows up to 60 days from the breach’s discovery to report the breach, and FIPA allows up to 30 days to report certain breaches involving confidential personal information.
Additionally, providers would be required to provide the following information to AHCA upon the Agency’s request:
- A police report, incident report, or computer forensics report;
- A copy of the policies in place regarding information technology incidents;
- Information disclosed in the information technology incident;
- Steps that have been taken to rectify the incident; and
- The provider’s continuity plan.
Notably, the proposed rule does not specify whether the documents a provider must produce to AHCA would remain confidential and exempt from a public records request.
Applicability
The proposed rule would apply to all “providers” licensed by AHCA, including the following:
- Laboratories authorized to perform testing under the Drug-Free Workplace Act
- Birth centers
- Abortion clinics
- Crisis stabilization units
- Short-term residential treatment facilities
- Residential treatment facilities
- Residential treatment centers for children and adolescents
- Hospitals
- Ambulatory surgical centers
- Nursing homes
- Assisted living facilities
- Home health agencies
- Nurse registries
- Companion services or homemaker services providers
- Adult day care centers
- Hospices
- Adult family-care homes
- Homes for special services
- Transitional living facilities
- Prescribed pediatric extended care centers
- Home medical equipment providers
- Intermediate care facilities for persons with developmental disabilities
- Health care services pools
- Health care clinics
- Organ, tissue, and eye procurement organizations
Next Steps
AHCA will hold a rulemaking workshop on September 17, 2025, from 3:00 – 4:00 p.m. Participation information is available in the Agency’s Notice of Development of Rulemaking. Akerman’s Healthcare Practice Group will continue to monitor this proposed rule and stands ready to answer any questions about how this proposed rule could affect your organization.