A security breach affecting a New York home health agency participating in SHIN-NY is not a single notification event — it is a coordinated response across multiple regulatory bodies with different timelines, different reporting formats, and different consequences for delay.
Understanding the notification landscape before an incident occurs is the difference between an organized, legally defensible response and a chaotic scramble that compounds the original breach with procedural violations.
The Three Notification Obligations
When a breach affects SHIN-NY data at a New York home health agency, three separate notification obligations are triggered simultaneously:
Obligation 1: RHIO Notification (24–72 Hours)
Your SHIN-NY participation agreement with your RHIO requires prompt notification of security incidents affecting SHIN-NY data. The specific timeline varies by RHIO but is typically within 24 hours for a confirmed active breach (ongoing incident) and within 72 hours for a confirmed completed breach where the immediate threat is contained.
Who to notify: Your designated RHIO contact, typically the RHIO's Security or Privacy Officer. Contact information should be in your incident response plan before an incident occurs.
What to report: A preliminary incident report including the nature of the incident, the systems affected, the data potentially involved, the estimated timeline, the containment status, and the initial response actions taken.
What happens next: The RHIO may initiate its own review of the incident, may temporarily restrict SHIN-NY access to the affected systems pending investigation, and will require updates as the investigation progresses.
Obligation 2: OCR Breach Notification (No Later Than 60 Days from Discovery)
If the breach involves unsecured protected health information — which any breach involving SHIN-NY patient data will, unless the data was encrypted in a manner consistent with HHS guidance and the keys were not exposed — HIPAA's Breach Notification Rule (45 CFR 164.400–414) requires:
- Notification to all affected individuals without unreasonable delay, and no later than 60 calendar days after discovery of the breach
- If 500 or more individuals are affected: notification to the HHS Office for Civil Rights on the same schedule, without unreasonable delay and no later than 60 days after discovery
- If fewer than 500 individuals are affected: the breach is logged and reported to OCR no later than 60 days after the end of the calendar year in which it was discovered
- If more than 500 residents of a single state or jurisdiction are affected: notification to prominent media outlets serving that state or jurisdiction, again no later than 60 days after discovery
The "discovery" clock starts on the first day the breach is known to any workforce member or agent of your organization (other than the person who committed it), or would have been known had reasonable diligence been exercised. A help-desk ticket that describes the symptoms of the intrusion can start the clock weeks before the security team reads it.
Important: 60 days is an outer limit, not a target. The rule's operative standard is "without unreasonable delay," and OCR has treated entities that waited out the full window despite having the facts earlier as having delayed unreasonably. Promptly assess whether an incident qualifies as a breach and document that assessment; postponing the determination is itself a compliance risk.
Obligation 3: NY SHIELD Act Notification (Without Unreasonable Delay)
The SHIELD Act (NY General Business Law § 899-aa) defines "private information" around specific identifiers: Social Security numbers, driver's license numbers, account or card numbers, biometric data, and usernames or email addresses combined with passwords or security questions. Patient records routinely carry these identifiers alongside clinical data, so a breach of SHIN-NY data will usually qualify. Affected New York residents must be notified in the most expedient time possible and without unreasonable delay.
Whenever New York residents are notified, the NY Attorney General, the Department of State and the Division of State Police must also be told the timing, content and distribution of the notices and the number of residents affected; there is no 500-person threshold for this. A HIPAA covered entity that notifies individuals under HIPAA is deemed to satisfy the SHIELD Act's individual notice requirement, but it must still send the Attorney General a copy of its HHS notification within five business days of filing it. If more than 5,000 residents are notified at once, consumer reporting agencies must also be notified. The statute sets no fixed day count; "without unreasonable delay" is interpreted in context, but significant delays without documented justification create enforcement risk.
The Notification Decision: Is This a Reportable Breach?
Not every security incident is a reportable breach. Under HIPAA, a breach is presumed to have occurred unless the covered entity demonstrates that there is a low probability that PHI was compromised, based on a four-factor risk assessment:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The identity of the unauthorized person who accessed the information
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
This risk assessment must be documented and retained, because the burden of proof sits with the covered entity: OCR does not have to show that PHI was compromised, you have to show that it probably was not. If the documentation supports a low probability of compromise, the incident does not need to be reported. If the assessment cannot establish low probability, the incident must be treated as a reportable breach. Note also that "mitigation" in the fourth factor means evidence such as a signed attestation that the data was destroyed unread, not the fact that you have since patched the server.
For a ransomware attack — where attackers have encrypted your systems and may have exfiltrated data — HHS's ransomware guidance is that encryption of ePHI by ransomware is presumed to be a breach, because unauthorized persons have taken possession or control of (acquired) the data, whether or not exfiltration has been confirmed. The presumption can only be rebutted with a documented four-factor assessment showing a low probability of compromise, and "we found no evidence of exfiltration" is not the same as evidence that none occurred. The one case where notification may not be required is data you had already encrypted consistent with HHS guidance, where the attacker could not have obtained the keys; in practice that rarely holds for data on a running system that the ransomware could read.
Your Incident Response Plan Must Address All Three Timelines
An incident response plan written only to the 60-day HIPAA outer limit will fail the 24–72 hour requirement in your RHIO participation agreement. Your plan must include:
Hour 0–24: Contain the incident. Engage forensic incident response and preserve evidence (logs, images, ransom notes) before rebuilding anything. Begin the four-factor risk assessment. Record the discovery date and who first knew, since that date anchors every later deadline. Assess whether SHIN-NY data is involved. Initiate internal escalation.
Hour 24–72: Provide preliminary notification to your RHIO if SHIN-NY data is involved or potentially involved. Do not wait for the forensic investigation to conclude before notifying the RHIO if there is a reasonable basis to believe SHIN-NY data was affected; a preliminary report that is later narrowed is far better than a late one.
Day 1–14: Forensic investigation proceeds. Scope of the breach determined, including the count of affected individuals and of New York residents, since those numbers decide which regulators and media must be notified. Begin preparation of individual notification letters.
Day 14–45: Individual notification letters sent to all affected patients and individuals. At the same time, notify the NY Attorney General, the Department of State and the Division of State Police of the timing, content and distribution of those letters and the number of residents affected (SHIELD Act); notify consumer reporting agencies if more than 5,000 New York residents are notified.
Day 45–60: OCR breach notification submitted (no later than day 60 if 500 or more individuals are affected; breaches under 500 are logged and reported to OCR within 60 days after the end of the calendar year). Send the Attorney General a copy of the OCR submission within five business days of filing it. Media notification if more than 500 residents of a single state or jurisdiction are affected. Treat these dates as the latest acceptable, not the plan: if scope is known by day 14, notify by day 14.
Build breach notification into your incident response plan before you need it. ShieldForce provides SHIN-NY-compliant incident response plans that address all three notification timelines — and the 24/7 SOC monitoring to detect breaches early enough to respond effectively. Explore SHIN-NY Compliance Solutions
Start with a free SHIN-NY readiness assessment. Get Your Free Assessment

