Fla. Admin. Code R. 64ER22-7
(1) For the purposes of this rule, the terms below shall have the following meanings:
(5) An MMTC may only offer website purchasing on the MMTC’s department-approved website.
(b) An MMTC must ensure that personal identifying information obtained in the website purchasing process remains confidential. To ensure all personal identifying information remains confidential, an MMTC must comply with the following security standards:
1. The MMTC must secure the user interface of the website using Hypertext Transfer Protocol Security (HTTPS) to ensure that the data transfer between the user and server is secured with Transport Level Security Protocol (TLS) and Secure Socket Layer Cryptographic Protocol (SSL).
2. The MMTC must use an anti-virus system to prevent software intrusions on the servers and MMTC computers that access the MMTC’s servers. The anti-virus system must be updated regularly and must utilize the most current version.
3. The MMTC must utilize a firewall that employs network monitoring and intrusion detection systems at the server level and that deploys intrusion prevention systems at the server level.
4. The MMTC must employ a system that will authenticate all website users who access website purchasing information and that will assign access privileges based on each user’s specific permissions. The ability to access information on the MMTC’s website must be limited to the scope of the user’s specific permission level.
a. For MMTC employees, the ability to access information on the MMTC’s servers must be limited to the scope of the individual’s specific permission level, which must be based on the employee’s duties. Privilege levels for employees must be reevaluated by the MMTC every three months to ensure appropriate access.
b. The MMTC must maintain records of all system access. These records must be made available to the department within 48 hours of the Department’s request.
5. The MMTC’s servers must be housed in a secure location, which may include a data center. Such secured location must be Standards for Attestation Engagements (SSAE) System and Organization Controls (SOC) Type III certified.
(d) Upon becoming aware of any data breach that includes personal identifying information obtained in the website purchasing process, an MMTC shall:
1. Immediately notify patients and caregivers affected, or potentially affected, by the breach; and
2. Submit a written corrective action plan to the department within seven days of the incident. The corrective action plan must include, at a minimum, the action steps the MMTC intends to take to correct the data breach, the specific deadlines for each action step, and the additional steps the MMTC intends to take to prevent a data breach in the future.
(8) An MMTC with an existing department-approved website must submit a “Request for Website or Website Purchasing” form with the website’s current URL within 60 days of the effective date of this rule.
Rulemaking Authority Art. X, § 29, Fla. Const., 381.986(8)(k) FS. Law Implemented Art. X, § 29, Fla. Const., 381.986(8)(h), 381.986(8)(i) FS. History – New 8-9-22.