HCAF Submits Comments on AHCA’s Proposed Data Breach Transparency Rule

Today, the Home Care Association of Florida (HCAF) submitted formal comments to the Florida Agency for Health Care Administration (AHCA) regarding the proposed creation of Rule 59A-35.112, Data Breach Transparency. These comments, informed by direct feedback from HCAF members, follow last week’s public rule development workshop and reflect the voice of Florida’s home health care provider community.

As the leading advocate for Florida’s 2,300+ licensed home health agencies, HCAF supports appropriate safeguards for patient data but cautions that the rule, as drafted, poses significant compliance challenges — particularly for small- and mid-sized agencies.

What the Rule Proposes

According to the draft text, Rule 59A-35.112 would require licensed providers to:

  • Report an “information technology (IT) incident” to AHCA within 24 hours of reasonably believing one may have occurred.
  • Submit the report using a new form through the adverse incident reporting system.
  • Maintain a written continuity plan that includes both secure on-site and off-site data backups, along with documentation available for AHCA review upon request.

Key Concerns from HCAF

In our comments, HCAF notes that while timely breach reporting is important, the 24-hour reporting requirement is unrealistic for many home health agencies.

“The proposed 24-hour clock triggered by mere suspicion is an extreme outlier,” wrote Executive Director Denise Bellville, RN. “It would impose a uniquely burdensome compliance regime on Florida health care providers without delivering added value for patients or regulators.”

Among the key concerns:

  • Lack of IT Capacity: Many agencies, particularly smaller or rural providers, do not have 24/7 information technology support. Confirming whether a disruption constitutes unauthorized access often requires third-party forensic analysis, which cannot be secured and completed within 24 hours.
  • Risk of Over-Reporting: The threshold of “reasonable belief” without confirmed breach status could lead to premature reporting of non-issues, creating administrative burdens for both providers and AHCA.
  • Patient Care Impact: Redirecting limited resources toward rapid reporting could detract from clinical operations and patient care.

Out of Step With Federal and State Law

HCAF strongly urges AHCA to align the rule’s requirements with the Florida Information Protection Act (FIPA) and the Health Insurance Portability and Accountability Act (HIPAA):

  • HIPAA allows up to 60 days from confirmation of a breach to notify affected individuals and federal authorities.
  • FIPA requires notification to affected parties and the Florida Department of Legal Affairs within 30 days of confirming a breach.
  • Peer states including New York, Washington, Ohio, Georgia, and Texas offer timelines ranging from 30 to 60 days following confirmation — not suspicion.

Recommendations from HCAF

To balance transparency with operational feasibility, HCAF recommends:

  • Aligning reporting deadlines with FIPA — 30 days from discovery of a confirmed breach.
  • Clarifying the definition of “information technology incident” to avoid including routine outages or suspected issues that are not confirmed breaches.
  • Providing flexibility and implementation support for small and mid-sized agencies in developing continuity plans and secure backup systems.
  • Pilot-testing the reporting system with a representative group of providers before full implementation.

As always, HCAF remains committed to advocating for policies that promote high-quality, sustainable in-home care while ensuring compliance standards are both meaningful and manageable. We appreciate AHCA’s willingness to engage stakeholders throughout this process.
