The Agency for Health Care Administration (AHCA) has proposed several significant rules that may directly affect your facility’s operations and compliance obligations.
AHCA is proposing a requirement for nursing home licensees to appoint a medical director who is certified in medical direction. Beginning on January 1, 2026, a medical director must be certified or actively seeking such certification. AHCA identifies the American Medical Directors Association, now known as the Post-Acute and Long-Term Care Medical Association (PALTC Med), as a recognized certifying organization. Under the proposed rule, "actively seeking certification" means the medical director is enrolled and participating in the PALTC Med Core Curriculum on Medical Direction in Post-Acute and Long-Term Care or another approved certification program covering clinical or management topics for post-acute and long-term care. Previously appointed medical directors must complete certification by December 31, 2028. Newly appointed medical directors will have three years from the date of appointment to do so. Each licensed nursing home facility will also be required to report medical director information to AHCA at the time of licensure application or upon any change in medical director.
In addition, AHCA has proposed a new "Data Breach Transparency" regulation that would apply to all AHCA-licensed entities. Under this proposed rule, all AHCA licensees must "report an information technology incident to the Agency no later than 24 hours after the provider reasonably believes an information technology incident may have occurred." The proposed regulation defines key terms as follows:
"Information technology incident" means an observable occurrence or data disruption or loss in an information technology system or network that permits or is caused by unauthorized access of data in electronic form. Good faith access by an authorized employee does not constitute an information technology incident, provided that the data is not used in an unauthorized manner or for an unauthorized purpose.
The proposed regulation also broadly defines "information technology" to mean "equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media and related material used to automatically, electronically, or wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate data of any kind or form." Following an information technology incident, AHCA may request the following from the licensee: (a) a police report, incident report, or computer forensics report; (b) a copy of the licensee's policies regarding information technology incidents; (c) a description of the information disclosed; (d) the steps taken to rectify the incident; and (e) a continuity plan.
The proposed regulation further requires all licensees to maintain a "continuity plan" that addresses: (a) procedures for the restoration of critical operations and essential patient care services and (b) procedures for the secure restoration of backed-up data and reporting of information technology incidents.
Notably, the proposed regulation's 24-hour clock starts when the licensee reasonably believes an information technology incident may have occurred, not when an investigation confirms one. In practice, the initial report will often be due before the cause, scope, or affected data are known, and the investigation will still be underway. Meeting that deadline will require even small and mid-sized facilities to strengthen their information technology security practices, including the ability to detect a suspected incident and escalate it internally quickly enough to report within the window. Health care providers subject to AHCA licensure should also consider designating a Privacy Officer (whether employed directly or engaged as an outside resource) who has sufficient expertise to manage incident response, regulatory reporting, and ongoing compliance.
For more information on the AHCA's proposed changes to licensing rules, please contact Grant Dearborn or another member of Shumaker's Health Law Service Line.