Proposed Rule Requires Florida Healthcare Providers to Have a Continuity Plan

The Florida Agency for Health Care Administration (AHCA) has recently proposed a new rule (59A-35.112) that, if passed, will introduce new reporting requirements for information technology incidents and will require all providers licensed by the AHCA to have a continuity plan for data and information technology disruptions.

Cyberattacks on healthcare providers in the state have increased considerably in recent years. These incidents, including ransomware attacks, can cause considerable disruption to healthcare operations and negatively impact patient care. Having a continuity plan will help to ensure that disruption is minimized in the event of a cyberattack or other event that disrupts IT systems or access to patient data.

The continuity plan is defined as “a written policy detailing procedures and information designed to maintain critical operations and essential patient care services during an interruption of normal operations.” The plan must include procedures for performing regular secure, redundant on-site and off-site data backups, verification of the restorability of backed-up data, and procedures for restoring backed-up data. The new rule stipulates that any off-site backups must be stored within the continental United States. The continuity plan must also include procedures for restoring critical operations and essential patient care services.

Providers should note that the definition of “data” in the new rule is not limited to information protected under HIPAA – ePHI. Data is defined as “information and representations of information, knowledge, facts, concepts, documents, instructions, images and recordings, whether humanly-perceivable or machine-readable, in any form, and whether in use, storage, physical or electronic transit, or presented on a display device.” The definition encompasses data for business and clinical operations.

The rule introduces new reporting requirements. When an information technology incident is detected, covered providers will be required to report the incident to AHCA within 24 hours. While not required in the initial breach report, AHCA must be provided with further information on request. That includes a copy of the police report, incident report, or computer forensics report; a copy of policies relating to information technology incidents; a list of the information disclosed in the incident; the steps taken to mitigate the incident; and a copy of the continuity plan.

An information technology incident is defined as “an observable occurrence or data disruption or loss in an information technology system or network that permits or is caused by unauthorized access of data in electronic form. Good faith access by an authorized employee does not constitute an information technology incident, provided that the data is not used in an unauthorized manner or for an unauthorized purpose.”

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

Under the proposed rule, the following types of providers will be required to comply with the new requirements if they are licensed by AHCA:

  • Laboratories authorized to perform testing under the Drug-Free Workplace Act
  • Birth centers
  • Abortion clinics
  • Crisis stabilization units
  • Short-term residential treatment facilities
  • Residential treatment facilities
  • Residential treatment centers for children and adolescents
  • Hospitals
  • Ambulatory surgical centers
  • Nursing homes
  • Assisted living facilities
  • Home health agencies
  • Nurse registries
  • Companion services or homemaker services providers
  • Adult day care centers
  • Hospices
  • Adult family-care homes
  • Homes for special services
  • Transitional living facilities
  • Prescribed pediatric extended care centers
  • Home medical equipment providers
  • Intermediate care facilities for persons with developmental disabilities
  • Health care services pools
  • Health care clinics
  • Organ, tissue, and eye procurement organizations

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/