SHIN-NY Audit Log Requirements: What You Need to Track and How to Prove It
Obi Ibeto

SHIN-NY requires audit logs for all access to health information exchange data — with specific retention, review, and documentation obligations. Here's exactly what your New York home health agency needs.

Audit logging is one of the most frequently cited gaps when New York home health agencies undergo SHIN-NY compliance reviews. Not because agencies don't have logs — most EHR and Microsoft 365 environments generate audit logs automatically. But because having logs and having a compliant audit log program are two different things.

SHIN-NY requires more than passive log generation. It requires documented log retention, active periodic review, and the ability to produce specific access records when requested by the RHIO or in response to a security incident. Here is exactly what that means in practice.

What SHIN-NY Requires You to Log

At minimum, your audit log program must capture the following events for any system connected to SHIN-NY:

User Authentication Events

  • Successful logins: who logged in, when, from which device or IP address
  • Failed login attempts: who attempted login, when, and how many failed attempts
  • MFA events: successful and failed MFA challenges
  • Account lockouts

Data Access Events

  • Patient record views: which patient record was accessed, by whom, when
  • Record searches: queries run against SHIN-NY data
  • Document downloads or exports: any ePHI extracted from the system
  • Record modifications: additions, edits, or deletions to patient records

Administrative Events

  • User account creation, modification, and deletion
  • Permission changes: role assignments, access additions or removals
  • Configuration changes to SHIN-NY-connected systems
  • Privileged account activity

Security Events

  • Antivirus or EDR alerts and responses
  • Firewall events (at the network level if applicable)
  • VPN access events
  • Any alerts generated by your security monitoring platform

Retention: How Long You Must Keep Logs

SHIN-NY participation requirements align with HIPAA's documentation retention standard: audit logs must be retained for a minimum of six years from the date of creation or the date they were last in effect, whichever is later.

This is a practical challenge for many home health agencies because:

  1. Default log retention settings in most systems are far shorter — Microsoft 365 Business Basic retains audit logs for only 90 days; Microsoft 365 Business Premium extends this to 180 days
  2. EHR audit logs may be retained locally on servers that are not backed up adequately
  3. No centralized log management system exists, meaning logs are scattered across multiple systems

For SHIN-NY compliance, you need a centralized log management approach with at least six years of retention capacity. This can be achieved through:

  • Microsoft Purview Audit (Premium) for Microsoft 365 environments, which supports extended retention
  • A SIEM (Security Information and Event Management) system that ingests logs from all SHIN-NY-connected systems
  • A managed security provider that includes log aggregation and retention as part of their service

Review: What "Periodic Review" Actually Means

Audit logs that are retained but never reviewed do not satisfy SHIN-NY requirements. The CSPP must document a review process, and that process must be followed.

Minimum standard: Quarterly review of audit logs for anomalies, with documented evidence of the review.

Triggered review: Immediate review of audit logs following any suspected security incident, anomalous access report, or staff report of unusual system behavior.

What to look for in routine reviews:

  • Access to patient records by users whose role does not justify that access
  • Access occurring at unusual times (middle of the night, weekends) when no staff are scheduled
  • Bulk downloads or exports of patient data
  • Multiple failed login attempts followed by successful authentication
  • Access from IP addresses or geographic locations inconsistent with your agency's operations
  • New forwarding rules or configuration changes in email systems
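The checks in the list above are the kind of thing a reviewer can run mechanically before reading the remaining log by hand. The script below is an added example, not code from the original post or from ShieldForce: it applies each of the six checks to a constructed batch of audit events and then builds the review record that the next paragraph asks for (date, reviewer, scope, findings). The event shape, role names, business hours, export and failed-login thresholds, and the `10.0.0.0/8` agency network are all assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Assumed review thresholds; tune them to the agency's staffing and workflows.
BUSINESS_HOURS = (7, 19)                       # 07:00-19:00 local time counts as normal
FAILED_LOGIN_THRESHOLD = 3                     # failures before a success is worth a look
EXPORT_THRESHOLD = 20                          # exports per user per day that count as "bulk"
ROLES_MAY_VIEW_RECORDS = {"clinical", "billing", "intake"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed agency address space

# Constructed sample audit events (not real data), normalised to one record shape.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "nurse1",   "role": "clinical", "action": "record_view",   "patient": "P-1001", "ip": "10.0.0.21"},
    {"ts": "2024-03-04T11:05:00", "user": "admin7",   "role": "it_admin", "action": "record_view",   "patient": "P-1002", "ip": "10.0.0.5"},
    {"ts": "2024-03-05T02:40:00", "user": "nurse1",   "role": "clinical", "action": "record_view",   "patient": "P-1003", "ip": "10.0.0.21"},
    {"ts": "2024-03-05T08:00:00", "user": "billing2", "role": "billing",  "action": "login_failed",  "patient": None,     "ip": "198.51.100.7"},
    {"ts": "2024-03-05T08:01:00", "user": "billing2", "role": "billing",  "action": "login_failed",  "patient": None,     "ip": "198.51.100.7"},
    {"ts": "2024-03-05T08:02:00", "user": "billing2", "role": "billing",  "action": "login_failed",  "patient": None,     "ip": "198.51.100.7"},
    {"ts": "2024-03-05T08:03:00", "user": "billing2", "role": "billing",  "action": "login_success", "patient": None,     "ip": "198.51.100.7"},
    {"ts": "2024-03-05T08:05:00", "user": "billing2", "role": "billing",  "action": "inbox_rule_created", "patient": None, "ip": "198.51.100.7"},
    {"ts": "2024-03-09T10:00:00", "user": "nurse1",   "role": "clinical", "action": "record_view",   "patient": "P-1001", "ip": "10.0.0.21"},
] + [  # one intake user exporting 25 records in 25 minutes on a Wednesday morning
    {"ts": f"2024-03-06T10:{m:02d}:00", "user": "intake3", "role": "intake", "action": "export",
     "patient": f"P-2{m:03d}", "ip": "10.0.0.40"}
    for m in range(25)
]


def review(events):
    """Apply the routine-review checks to a batch of events.
    Returns (rule, user, detail) tuples, one per item a reviewer should look at."""
    findings = []
    consecutive_failures = defaultdict(int)     # user -> failed logins since last success
    exports_per_day = defaultdict(int)          # (user, date) -> export count
    external_seen = set()                       # (user, ip) pairs already reported
    for ev in sorted(events, key=lambda e: e["ts"]):   # fixed-width ISO strings sort correctly
        when = datetime.fromisoformat(ev["ts"])
        user, action = ev["user"], ev["action"]
        touches_phi = action in ("record_view", "export")

        # 1. Role does not justify the access
        if action == "record_view" and ev["role"] not in ROLES_MAY_VIEW_RECORDS:
            findings.append(("role_not_justified", user, f"{ev['role']} viewed {ev['patient']}"))

        # 2. Access at unusual times (night or weekend)
        off_hours = when.weekday() >= 5 or not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1])
        if touches_phi and off_hours:
            findings.append(("off_hours_access", user, ev["ts"]))

        # 3. Bulk export: reported once, the moment the daily threshold is reached
        if action == "export":
            key = (user, when.date().isoformat())
            exports_per_day[key] += 1
            if exports_per_day[key] == EXPORT_THRESHOLD:
                findings.append(("bulk_export", user, f"{EXPORT_THRESHOLD}+ exports on {key[1]}"))

        # 4. Repeated failures followed by a success
        if action == "login_failed":
            consecutive_failures[user] += 1
        elif action == "login_success":
            if consecutive_failures[user] >= FAILED_LOGIN_THRESHOLD:
                findings.append(("failures_then_success", user,
                                 f"{consecutive_failures[user]} failures before success"))
            consecutive_failures[user] = 0

        # 5. Source address outside the agency's known networks (reported once per user/IP)
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in INTERNAL_NETWORKS) and (user, ev["ip"]) not in external_seen:
            external_seen.add((user, ev["ip"]))
            findings.append(("external_ip", user, ev["ip"]))

        # 6. Mailbox forwarding / inbox rule changes
        if action == "inbox_rule_created":
            findings.append(("mailbox_rule_change", user, ev["ts"]))
    return findings


def summarize(findings):
    """Count findings per rule, for the cover sheet of the review."""
    return dict(Counter(rule for rule, _, _ in findings))


def review_record(findings, reviewer, period, review_date):
    """The documentation the review leaves behind: date, who reviewed, what, and findings."""
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "scope": f"audit events {period[0]} to {period[1]}",
        "finding_count": len(findings),
        "findings": [{"rule": r, "user": u, "detail": d} for r, u, d in findings],
    }


if __name__ == "__main__":
    found = review(SAMPLE_EVENTS)
    for rule, user, detail in found:
        print(f"{rule:24} {user:10} {detail}")
    print(summarize(found))
```

On the constructed batch the pass yields seven findings, one per rule except the two off-hours views. A real review still reads what the rules did not flag, but a record of which rules ran, over which period, with which thresholds, is exactly the evidence a reviewer needs to file with the CSPP documentation.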

Documenting reviews: Each review must be documented — date, who conducted the review, what was reviewed, and what findings (if any) were noted. This documentation is retained with your CSPP records.

Producing Logs on Request

Your RHIO may request audit logs as part of a compliance review, security incident investigation, or routine audit. You must be able to produce specific logs — for a defined time period, specific user, or specific patient record — within a reasonable timeframe.

This capability requires that your log management system is searchable and that you understand how to query it. An audit log stored as an unindexed flat file that requires manual review to search is functionally inadequate for production on request.
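The difference between a flat file and a searchable store comes down to whether the three request shapes named above (a time window, one user, one patient record) can be answered by lookup rather than by reading everything. The class below is an added example, not code from the original post or from ShieldForce: it indexes a small constructed set of normalised audit records by user and by patient, keeps a time-sorted copy for range queries, and answers the typical "who accessed this patient's record, and when" request. The record shape and the sample entries are assumptions made for the example.

```python
import bisect
from collections import defaultdict

# Constructed audit records (not real data): (timestamp, user, action, patient).
# Timestamps are fixed-width ISO 8601 strings, so string comparison is chronological.
SAMPLE_LOG = [
    ("2024-03-04T09:12:00", "nurse1",   "record_view",   "P-1001"),
    ("2024-03-04T09:20:00", "nurse1",   "record_view",   "P-1002"),
    ("2024-03-04T13:00:00", "billing2", "record_view",   "P-1001"),
    ("2024-03-05T08:03:00", "billing2", "login_success", None),
    ("2024-03-05T14:30:00", "intake3",  "export",        "P-1001"),
    ("2024-03-07T09:00:00", "nurse1",   "record_modify", "P-1001"),
]


class AuditIndex:
    """In-memory stand-in for a SIEM or audit database: three indexes over one record set."""

    def __init__(self, records):
        self._by_time = sorted(records, key=lambda r: r[0])   # chronological copy
        self._times = [r[0] for r in self._by_time]           # parallel list for bisect
        self._by_user = defaultdict(list)
        self._by_patient = defaultdict(list)
        for rec in self._by_time:
            self._by_user[rec[1]].append(rec)
            if rec[3] is not None:                            # login events carry no patient
                self._by_patient[rec[3]].append(rec)

    def query(self, *, user=None, patient=None, start=None, end=None):
        """Answer a request for a defined period, a specific user, or a specific patient
        (or any combination). Picks the narrowest index first, then filters the rest."""
        if patient is not None:
            candidates = self._by_patient.get(patient, [])
        elif user is not None:
            candidates = self._by_user.get(user, [])
        else:
            lo = bisect.bisect_left(self._times, start) if start else 0
            hi = bisect.bisect_right(self._times, end) if end else len(self._times)
            candidates = self._by_time[lo:hi]
        return [r for r in candidates
                if (user is None or r[1] == user)
                and (patient is None or r[3] == patient)
                and (start is None or r[0] >= start)
                and (end is None or r[0] <= end)]

    def access_report(self, patient):
        """Who touched one patient's record, and when: the usual shape of an RHIO request."""
        return [(r[0], r[1], r[2]) for r in self.query(patient=patient)]


if __name__ == "__main__":
    index = AuditIndex(SAMPLE_LOG)
    for when, who, what in index.access_report("P-1001"):
        print(when, who, what)
    print(len(index.query(start="2024-03-04T00:00:00", end="2024-03-04T23:59:59")), "events on 2024-03-04")
```

The same three indexes exist in any real log platform (a SIEM's indexed fields, a database's secondary indexes); what the example shows is that each request type named above maps onto a lookup, which is the property an unindexed flat file lacks. Retention is a separate concern: the store also has to hold six years of records, which this in-memory version does not address.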

How ShieldForce Manages Audit Logging for SHIN-NY Compliance

ShieldForce's managed security platform includes centralized log aggregation from all SHIN-NY-connected systems — EHR, Microsoft 365, endpoint agents, and network infrastructure. Logs are retained for six years in a searchable, compliant format. Monthly log review reports are generated and provided to your agency as documentation of the periodic review requirement. Anomalies are flagged by the 24/7 SOC in real time.

When your RHIO requests audit documentation, ShieldForce produces the requested records within 24 hours.


Make SHIN-NY audit log compliance effortless. ShieldForce manages log aggregation, six-year retention, periodic review, and on-demand production — all included in your managed service.



Assess your current audit logging posture with a free SHIN-NY readiness review.

