New York State's Medicaid managed care landscape is one of the most complex in the country. Home health agencies serving Medicaid beneficiaries through Managed Long Term Care plans, Health Home partnerships, and Value-Based Payment arrangements operate under multiple layers of contractual and regulatory requirements — federal HIPAA, state SHIN-NY, the NY SHIELD Act, and increasingly, managed care organization (MCO) cybersecurity requirements embedded in provider contracts.
This last layer — MCO contract requirements — is the most recent addition and the one most home health agency administrators are least prepared for.
What New York MCOs Are Adding to Provider Contracts
New York's major Medicaid managed care organizations — including MetroPlusHealth, Fidelis Care (a Centene subsidiary), CDPHP, and Molina Healthcare of New York — have updated their provider agreements in 2024 and 2025 to include security-specific language.
While requirements vary by plan, the common elements appearing across NY MCO provider contracts include:
Minimum security standards: Specific technical controls required of providers, including MFA on all systems accessing member data, encryption of ePHI at rest and in transit, and a written security program. These largely mirror HIPAA Security Rule requirements, but they are enforceable independently through the provider contract, so a gap can be a breach of contract even where it is not a HIPAA violation.
Breach notification timelines: Shorter notification windows than HIPAA's outer limit of 60 calendar days after discovery. Several MCO contracts require notification to the plan within 5–10 business days of discovering a breach affecting member data — significantly faster than the federal standard, and with the clock starting at discovery, not at confirmation.
Security questionnaire completion: Annual security self-assessment questionnaires completed by providers, covering controls, training, incident history, and vendor management. Some MCOs are adding third-party verification requirements for high-volume providers.
Right to audit: MCOs reserving the right to audit provider security programs, either directly or through a contracted third party. For high-volume home health providers, an MCO security audit is a realistic possibility, not a theoretical one.
Certification requirements: Some MCOs are moving toward requiring providers to complete specific compliance frameworks — most commonly HITRUST or SOC 2 — as a condition of maintaining preferred provider status.
The Practical Implications for NY Home Health Agencies
Your MCO contracts may have different breach notification timelines than HIPAA. If your provider agreement with MetroPlusHealth or Fidelis requires you to notify the plan within 7 business days and you discover a breach on a Friday, your incident response plan must be able to investigate, scope, and notify across a weekend and still meet that deadline.
Review your current MCO provider agreements. Identify the breach notification timeline in each agreement, and whether it is counted in business days or calendar days. Ensure your incident response plan is built around the fastest timeline you are bound by — typically the MCO contract requirement, not the HIPAA 60-day window. When several contracts apply to the same breach, the earliest deadline is the one that governs your response.
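One way to make "the fastest timeline governs" concrete in an incident response runbook is to compute every contractual deadline from the discovery date and take the earliest. The following is an added example, not code from the original page or from ShieldForce; the contract names, the window lengths, and the holiday list are constructed assumptions, and it assumes notification windows are measured in whole days from the discovery date (check each agreement, since some count hours or calendar days).

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class NotificationWindow:
    """One contractual notification obligation.

    business_days=True counts Monday-Friday only and skips listed holidays;
    business_days=False counts calendar days (the HIPAA outer limit).
    """
    party: str
    days: int
    business_days: bool


def add_business_days(start: date, n: int, holidays: frozenset = frozenset()) -> date:
    """Date n business days after start; start itself is not counted."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        # weekday(): Monday == 0 ... Sunday == 6
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def deadline_for(window: NotificationWindow, discovered: date,
                 holidays: frozenset = frozenset()) -> date:
    """Notification deadline for a single contract, counted from discovery."""
    if window.business_days:
        return add_business_days(discovered, window.days, holidays)
    return discovered + timedelta(days=window.days)


def binding_deadline(discovered: date, windows, holidays: frozenset = frozenset()):
    """(party, deadline) for the earliest obligation across all contracts."""
    deadlines = [(w.party, deadline_for(w, discovered, holidays)) for w in windows]
    return min(deadlines, key=lambda item: item[1])


# Constructed sample obligations (hypothetical contract terms, not any real MCO's).
SAMPLE_WINDOWS = (
    NotificationWindow("HIPAA (60 calendar days, outer limit)", 60, business_days=False),
    NotificationWindow("MCO A (hypothetical)", 5, business_days=True),
    NotificationWindow("MCO B (hypothetical)", 7, business_days=True),
    NotificationWindow("MCO C (hypothetical)", 10, business_days=True),
)

# Constructed holiday list: Juneteenth 2025 falls on a Thursday.
SAMPLE_HOLIDAYS = frozenset({date(2025, 6, 19)})


if __name__ == "__main__":
    discovered = date(2025, 6, 6)  # a Friday
    for window in SAMPLE_WINDOWS:
        print(f"{window.party:40} {deadline_for(window, discovered, SAMPLE_HOLIDAYS)}")
    party, when = binding_deadline(discovered, SAMPLE_WINDOWS, SAMPLE_HOLIDAYS)
    print(f"Governing deadline: {party} on {when}")
```

Running it for a Friday, June 6, 2025 discovery shows the spread: the 5-business-day contract is due Friday, June 13, the 10-business-day contract slips to June 23 because the holiday is skipped, and HIPAA's 60 calendar days does not expire until August 5. The runbook should be driven by the first of those dates, and the discovery date should be recorded the moment the incident is declared, because every one of these clocks starts there.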
Security questionnaire responses must be accurate. MCO provider security questionnaires create a documented record of your security representations. If you certify that MFA is enforced on all systems accessing member data and a subsequent audit or breach reveals it was not, you face potential contract termination, clawback of payments, and fraud exposure in addition to HIPAA penalties.
Complete security questionnaires honestly. If your controls do not meet the stated standard, disclose that and provide a remediation timeline — this is more defensible than misrepresentation.
SHIN-NY compliance strengthens your MCO security position. For NY home health agencies, SHIN-NY compliance documentation — the CSPP, SCPA, and evidence of implemented controls — is directly relevant to MCO security requirements. An agency that has completed its SHIN-NY CSPP has most of the documentation MCO security questionnaires ask for.
Preferred provider status increasingly requires security investment. MCOs are not just checking a compliance box — they are making economic decisions about which providers to route their highest-acuity (and highest-reimbursement) members to. Agencies that can demonstrate a strong security posture will increasingly be preferred for high-value referrals.
How ShieldForce Supports NY MCO Contract Compliance
ShieldForce's managed security program for New York home health agencies delivers the technical controls, documentation, and incident response capabilities that satisfy both SHIN-NY and MCO provider contract requirements simultaneously:
- MFA enforcement on all systems accessing Medicaid member data
- Encryption at rest and in transit on all devices
- Written security program and CSPP documentation
- Incident response plan with configurable notification timelines for multiple contracts
- Annual security questionnaire documentation support
- 24/7 SOC monitoring for rapid breach detection, so incidents are discovered promptly and the MCO notification clock starts from a known, documented discovery time
Stay compliant with New York MCO provider security requirements. ShieldForce delivers the cybersecurity controls and documentation that NY Medicaid managed care contracts require — alongside SHIN-NY compliance support.
Get a free assessment covering your MCO contract security requirements.