NY SHIELD Act + SHIN-NY + 2026 HIPAA Rule: Navigating Three Cybersecurity Compliance Layers at Once

Obi Ibeto

New York home health agencies face three overlapping cybersecurity frameworks simultaneously: HIPAA, SHIN-NY, and the NY SHIELD Act. Here's how they interact and how to build one program that satisfies all three.

New York home healthcare agencies operate in one of the most complex cybersecurity compliance environments of any state. Three distinct legal frameworks create overlapping, and sometimes diverging, obligations for the same underlying security activities. Navigating all three without a clear map leads to either compliance gaps or redundant effort.

This guide maps each framework's requirements, identifies where they overlap, where they diverge, and how to build a single compliance program that satisfies all three efficiently.

The Three Frameworks

Framework 1: HIPAA Security Rule (Federal)

The Health Insurance Portability and Accountability Act applies to all covered entities, which include home health agencies that transmit ePHI in standard electronic transactions, and to their business associates.

The HIPAA Security Rule requires a comprehensive set of administrative, physical, and technical safeguards for all electronic protected health information. The 2026 update made several previously "addressable" safeguards mandatory, including encryption and MFA.

OCR enforces HIPAA. Civil penalties are tiered by culpability, from $100 to $50,000 per violation in statutory terms, with an annual cap per provision of roughly $1.9 million for willful neglect. All of these figures are adjusted for inflation each year, so check the current OCR schedule rather than relying on the statutory numbers.

Jurisdiction: All ePHI in your organization — every system, device, and process.

Framework 2: NY SHIELD Act (State)

The New York Stop Hacks and Improve Electronic Data Security Act, effective March 2020, requires any person or entity that owns or licenses "private information" of New York residents to implement a reasonable data security program.

The SHIELD Act defines "private information" broadly. Under the statute it means personal information (a name or other identifier) combined with a data element such as a Social Security number, driver's license number, financial account number with its access code, biometric data, or a username or email address together with its password. For a home health agency, most patient records carry at least one such element, so the bulk of the patient database qualifies.

The NY AG enforces the SHIELD Act. The enforcement standard is "reasonable security" which is calibrated to the size and nature of the organization and the sensitivity of the data.

Jurisdiction: Private information of New York residents, which for a home health agency covers most patient records as well as employee and payroll data.

Framework 3: SHIN-NY Participation Requirements (State Program)

SHIN-NY participation requirements are not a statute — they are contractual obligations in the RHIO participation agreement. But because SHIN-NY participation is effectively a condition of Medicaid reimbursement and referral relationships for most NY home health agencies, the participation requirements have practical mandatory force.

The SHIN-NY technical requirements (CSPP, MFA, encryption, audit logging, vulnerability management, incident reporting) are enforced by the RHIOs, which can suspend or terminate access for non-compliant participants.

Jurisdiction: Systems and data flows connected to SHIN-NY participation.

Where the Three Frameworks Overlap

The good news is that the three frameworks have extensive overlap. A requirement that satisfies HIPAA typically satisfies both SHIN-NY and SHIELD Act for the same activity.

| Requirement | HIPAA | SHIN-NY | SHIELD Act |
|---|---|---|---|
| Risk analysis | Required | Required (SHIN-NY scoped) | Implied by "reasonable security" |
| Written security program | Required | Required (CSPP) | Required |
| MFA | Required (2026) | Required | Implied for sensitive systems |
| Encryption at rest and in transit | Required (2026) | Required | Required for "private information" |
| Incident response plan | Required | Required | Required |
| Breach notification to regulators | Required (HHS/OCR: within 60 days of discovery if 500+ affected, otherwise annual log) | Required (RHIO, 24–72 hours) | Required (NY AG, Department of State, State Police, whenever residents are notified) |
| Breach notification to individuals | Required (within 60 days of discovery) | N/A | Required (within 30 days of discovery; a HIPAA notice satisfies it) |
| Workforce training | Required | Required | Implied |
| Vendor management | Required (BAAs) | Required for licenses | Required (safeguards by contract with service providers) |

Where the Three Frameworks Diverge

Breach Notification Timelines

This is the most practically significant divergence across the three frameworks:

  • HIPAA: Notify affected individuals within 60 days of discovering a reportable breach. If 500 or more individuals are affected, notify HHS/OCR within the same 60-day window and, if those 500+ are residents of one state or jurisdiction, notify prominent media there. Breaches affecting fewer than 500 individuals go on an annual log submitted to HHS within 60 days after the end of the calendar year.
  • SHIN-NY: Notify your RHIO within 24–72 hours of a confirmed breach affecting SHIN-NY data.
  • SHIELD Act: Notify affected New York residents in the most expedient time possible and, under the December 2024 amendment, no later than 30 days after discovery. Whenever residents are notified, also notify the NY AG, the Department of State and the Division of State Police; if more than 5,000 residents are affected, notify the consumer reporting agencies as well. A HIPAA-covered agency that has already notified individuals under HIPAA does not have to send residents a second notice, but it must still notify the state agencies and send the AG a copy of its HHS notification within five business days.

In practice, your incident response plan must be built around the fastest clock, the 24–72-hour RHIO notification, with the SHIELD Act's 30-day resident deadline and HIPAA's 60-day deadlines layered behind it. Treat the 60 days as an outer limit rather than a target: HIPAA requires notice without unreasonable delay, and OCR treats avoidable delay inside the window as a violation in its own right.

Scope of "Protected Information"

HIPAA protects "electronic protected health information" — a specific definition tied to health data created or transmitted by a covered entity.

The SHIELD Act protects "private information" — a broader definition that includes account credentials, financial data, and biometric data that may not qualify as HIPAA-covered PHI.

For a home health agency, this means a breach of employee HR records (Social Security numbers, bank account data for payroll) is a SHIELD Act event even though it may not involve HIPAA-covered PHI. Your security program must protect both categories.

The "Reasonable Security" Standard vs. Specific Safeguards

HIPAA specifies the safeguards required. The SHIELD Act uses a "reasonable security" standard calibrated to the size and nature of the organization, and it explicitly deems a "compliant regulated entity", one that is subject to and in compliance with HIPAA, to satisfy that standard (N.Y. Gen. Bus. Law § 899-bb(2)(b)(i)). So a HIPAA-compliant security program satisfies the SHIELD Act's safeguards requirement, but the reverse is not guaranteed. Note the practical limit of that deeming clause: HIPAA's safeguards only reach ePHI, so a program that stops at ePHI leaves employee and payroll records exposed in fact even while the entity is "compliant" on the face of the statute.

An agency that implements only SHIELD Act "reasonable security" measures and neglects specific HIPAA requirements (risk analysis, audit controls, BAAs) is not HIPAA-compliant even if it meets the SHIELD Act threshold.

Building One Program That Satisfies All Three

The efficient approach is a layered compliance program:

Layer 1 (Foundation) — HIPAA Security Rule compliance covering all ePHI.

This is the broadest requirement and the most technically specific. Building to HIPAA's 2026 standard satisfies virtually all SHIN-NY technical requirements, and because the SHIELD Act deems an entity that is subject to and in compliance with HIPAA to meet its reasonable safeguards requirement, it covers the SHIELD Act's security standard as well.

Layer 2 (SHIN-NY specific) — CSPP documentation and SCPA execution.

The CSPP specifically frames your security program for SHIN-NY participation. It covers the same substantive ground as your HIPAA compliance program but is organized around SHIN-NY participation requirements. Annual renewal with your RHIO.

Layer 3 (Incident response layering) — A single IR plan that addresses all three notification timelines.

Your incident response plan must include: RHIO notification within 24–72 hours (SHIN-NY); notification of affected New York residents within 30 days, and of the NY AG, Department of State and State Police whenever residents are notified (SHIELD Act); and individual notification within 60 days plus HHS/OCR notification, within 60 days for breaches of 500 or more and via the annual log otherwise (HIPAA). Because the SHIELD Act accepts a HIPAA individual notice, one notice to patients can serve both laws, but the AG must still receive a copy of the HHS notification within five business days.

Layer 4 (Scope expansion for SHIELD Act) — Extend security controls to employees and vendor private information.

Your HIPAA program covers patient ePHI. Your SHIELD Act obligation extends to all private information of New York residents your agency holds, including employee Social Security numbers, payroll and bank account data, and any stored account credentials or biometric identifiers.

ShieldForce and the Three-Framework Approach

ShieldForce delivers an integrated compliance program designed specifically for New York home health agencies. The managed service addresses all three frameworks simultaneously:

  • HIPAA Security Rule compliance including the 2026 update requirements
  • CSPP development and annual review for SHIN-NY participation
  • Incident response plans that address RHIO, OCR, and SHIELD Act notification obligations in a single document
  • Security controls covering both patient ePHI and employee private information

One program. One provider. Three frameworks satisfied.


Stop managing three compliance frameworks separately. ShieldForce delivers one integrated compliance program for New York home health agencies.


Start with a free assessment to map your current posture against all three frameworks.

