Cybersecurity for Home Health Agencies During a State Survey: What Surveyors Look For
Obi Ibeto

State health department surveyors are increasingly reviewing cybersecurity documentation during home health agency surveys. Here's exactly what they look for and how to be prepared.

State health department surveys of home health agencies have traditionally focused on clinical quality, care delivery, and regulatory compliance with Conditions of Participation. Cybersecurity has been a background concern at best — the domain of HIPAA compliance officers and IT vendors, not surveyors reviewing clinical records and care plans.

That is changing. State surveyors — particularly in New York, Massachusetts, and California — are increasingly reviewing health information security documentation as part of routine and complaint-driven surveys. The combination of high-profile breaches, SHIN-NY implementation in New York, and CMS's expanded interest in health information security is bringing cybersecurity into the survey process.

What Triggers Cybersecurity Review During a Survey

Complaint-driven surveys following a breach. If your agency has reported a HIPAA breach, state health departments in many states conduct a follow-up assessment to determine whether the breach affected care delivery, whether patients were appropriately notified, and what remediation has been implemented.

State HIE compliance reviews. In New York, RHIO compliance reviews of SHIN-NY participation may be coordinated with or followed by state Department of Health review. Agencies with SHIN-NY compliance gaps that also have clinical quality findings may face coordinated regulatory attention.

Routine survey expansion. Several states have expanded their routine survey protocols to include a brief review of health information security practices — specifically, whether the agency has a written security program and evidence of staff training.

National survey protocol updates. CMS updates survey protocols periodically. Expect cybersecurity-related questions to appear in CMS's home health survey protocols within the next 2–3 years as HHS aligns its regulatory frameworks.

What Surveyors Actually Review

Based on the emerging survey practice in states with active cybersecurity oversight:

Written security program or HIPAA security policies. Surveyors request evidence that a written security program exists — not for a detailed technical review, but to confirm that the agency has addressed the HIPAA Security Rule requirement for documented policies. The existence of the document, its date, and who approved it are the primary review points.

Staff training documentation. Surveyors review evidence of HIPAA security awareness training — specifically, completion records showing that all staff have been trained within the past 12 months. Surveyors have found agencies where office staff were trained but field nurses and aides were not — a gap that is straightforward to cite.

Incident response procedures. Does the agency have a written incident response plan? Was it followed during any prior incidents? For agencies that have experienced a breach, surveyors may review whether the incident response procedures were implemented as documented.

Access controls for clinical records. At a practical level, surveyors review whether clinical records are appropriately protected — whether EHR accounts are individual (not shared), whether departing staff access is revoked, and whether physical documents containing ePHI are secured appropriately.
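As an added example (not code from the article or from ShieldForce), a small Python audit that checks two of the review points above before a surveyor does: whether every current staff member has a training completion within the past 12 months, grouped by role so an office-versus-field gap is visible, and whether any departed staff still hold active EHR accounts. The roster, training dates and account states are constructed sample data, and the field names are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article). Field names are assumptions.
AS_OF = date(2025, 1, 15)          # the day the survey arrives
ROSTER = [
    {"id": "s1", "role": "office",      "terminated": None},
    {"id": "s2", "role": "field_nurse", "terminated": None},
    {"id": "s3", "role": "aide",        "terminated": None},
    {"id": "s4", "role": "field_nurse", "terminated": date(2024, 3, 1)},
]
# Most recent security awareness training completion per staff id; s3 has none.
TRAINING = {"s1": date(2024, 9, 10), "s2": date(2023, 1, 15)}
# EHR account status per staff id; s4 left in March but was never deprovisioned.
EHR_ACCOUNTS = {"s1": "active", "s2": "active", "s3": "active", "s4": "active"}


def overdue_training(roster, training, as_of, window_days=365):
    """Ids of current staff with no completion inside the training window."""
    cutoff = as_of - timedelta(days=window_days)
    overdue = []
    for person in roster:
        if person["terminated"] is not None:
            continue                      # departed staff are an access issue, not a training one
        last = training.get(person["id"])
        if last is None or last < cutoff:
            overdue.append(person["id"])
    return overdue


def gaps_by_role(roster, overdue_ids):
    """Group overdue staff by role so an office-vs-field gap stands out."""
    gaps = {}
    for person in roster:
        if person["id"] in overdue_ids:
            gaps.setdefault(person["role"], []).append(person["id"])
    return gaps


def unrevoked_accounts(roster, accounts, as_of):
    """Ids of staff terminated on or before as_of whose EHR account is still active."""
    return [p["id"] for p in roster
            if p["terminated"] is not None and p["terminated"] <= as_of
            and accounts.get(p["id"]) == "active"]


def run_checks():
    """Produce the findings a surveyor would cite, as one report dict."""
    overdue = overdue_training(ROSTER, TRAINING, AS_OF)
    return {"overdue_by_role": gaps_by_role(ROSTER, overdue),
            "unrevoked_accounts": unrevoked_accounts(ROSTER, EHR_ACCOUNTS, AS_OF)}
```

Run against a real roster export and EHR user list, an empty report is what you want in the survey file; anything else is a finding to close before surveyors arrive.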

Patient notification after a breach. For agencies that have experienced and reported a breach, surveyors confirm that required patient notifications were sent, in the required timeframe, with the required content.

Survey Preparation: The Cybersecurity File

Maintain a "survey ready" cybersecurity documentation file that can be produced immediately when surveyors arrive. This file contains:

  • [ ] Current HIPAA Security Rule risk analysis (dated, signed)
  • [ ] Written information security program / security policies (dated, signed by executive)
  • [ ] Designation of HIPAA Security Officer (written, named)
  • [ ] Staff security awareness training completion records (past 12 months, all staff)
  • [ ] Business Associate Agreement list and confirmation of current BAAs
  • [ ] Incident response plan (dated, includes breach notification procedures)
  • [ ] Any prior breach documentation and remediation evidence (if applicable)
  • [ ] Evidence of MFA enforcement (screenshot or configuration report)
  • [ ] Most recent vulnerability scan results

This file mirrors what OCR requests in a desk audit — and if it is ready for OCR, it is ready for a state surveyor.

What to Say When a Surveyor Asks About Cybersecurity

Surveyors are not IT professionals. They are assessing whether the organization is taking cybersecurity seriously, whether leadership is aware of their obligations, and whether documentation exists. Your responses should:

Name your HIPAA Security Officer. "Our HIPAA Security Officer is [name]. She is responsible for our security program and maintains our compliance documentation."

Reference your security provider. "We work with ShieldForce, a managed cybersecurity provider that specializes in home healthcare. They manage our security program and provide our compliance documentation."

Point to the file. "Our security documentation is maintained in [location]. I can pull it up immediately."

Demonstrate awareness, not anxiety. Surveyors form impressions based on how leadership engages with questions. A confident, informed response — "yes, we take that seriously, here is our documentation" — communicates competence. An anxious, uncertain response — "I'm not sure, let me call our IT person" — communicates the opposite.


Stay survey-ready year-round with ShieldForce's managed security program. Our service includes all compliance documentation — maintained, current, and ready to produce when surveyors arrive.
