AHCA Proposes New Data Breach Transparency Rule With 24-Hour Reporting Requirement

The Agency for Health Care Administration (AHCA) has released draft language for Rule 59A-35.112, Data Breach Transparency, which would establish new obligations for licensed health care providers in Florida when responding to data breaches or information technology (IT) incidents. A public workshop is scheduled for September 17, 2025, at 3:00 PM ET at AHCA headquarters in Tallahassee, with remote participation available.
Key Provisions of the Draft Rule
- Mandatory Reporting: Providers must report an IT incident to AHCA within 24 hours of reasonably believing an incident may have occurred. Reports must be submitted using a new AHCA form (Form 3180-XXXX) through the Agency’s online adverse incident reporting system.
- Continuity Plans: Providers must maintain a written continuity plan detailing how critical operations and patient care services will continue during IT disruptions. Plans must include secure, redundant on-site and off-site backups, with off-site data storage restricted to within the continental United States.
- Incident Documentation: Upon request, providers must furnish AHCA with documentation such as police reports, forensics reports, IT policies, information disclosed, remediation steps, and a copy of their continuity plan.
Impact on Providers
The 24-hour reporting mandate is raising concerns among providers, particularly smaller home health agencies with limited compliance and IT resources. Providers often need time to investigate a cyber event, consult with vendors, insurers, and legal counsel, and confirm details. Under the proposed rule, providers could be compelled to submit incomplete or preliminary reports to avoid penalties.
Additionally, the continuity plan requirements may call for significant new investments in data storage, cybersecurity, and staff training, adding further administrative and financial burdens.
Next Steps
Providers are encouraged to review the draft language carefully and provide feedback to AHCA during the September 17 workshop or by submitting written comments to HQARuleComments@ahca.myflorida.com.
You may participate in this workshop in person at AHCA headquarters, 2727 Mahan Drive, Tallahassee, FL 32308, Building 3, Conference Room B, or by dialing the Open Voice conference line at (888) 585-9008 and entering conference room number 998-518-088# when prompted.
HCAF will continue to engage with members and AHCA to ensure the final rule balances data security and transparency with practical compliance standards for providers.