How to Present SHIN-NY Compliance Progress to Your Board of Directors

Obi Ibeto

Home health agency boards are increasingly expected to oversee cybersecurity posture. Here's how to present SHIN-NY compliance progress to your board in terms they understand and can act on.

Home health agency boards are not cybersecurity experts. Most board members — even those with strong financial, clinical, or operational backgrounds — are not familiar with the specifics of SHIN-NY compliance, HIPAA Security Rule requirements, or what MFA means in practice.

And yet, the board bears legal responsibility for organizational governance — which increasingly includes cybersecurity governance. The CMS Conditions of Participation, New York regulatory oversight, and best practice governance frameworks all point toward board-level awareness and oversight of information security. If a breach occurs and investigators ask whether the board was engaged in cybersecurity governance, the answer needs to be yes — and documented.

This guide explains how to structure a SHIN-NY compliance report for your board: what to include, what language to use, and how to get meaningful board engagement without turning a board meeting into a technical briefing.

Why Board Engagement Matters for SHIN-NY Compliance

Regulatory expectation: The HIPAA Security Rule requires that covered entities implement a security program with appropriate administrative safeguards — which includes organizational governance. OCR investigators and SHIN-NY RHIO reviewers increasingly ask about board-level oversight of cybersecurity.

Legal liability: Board members who can demonstrate they exercised active oversight of cybersecurity risk — receiving regular reports, asking substantive questions, approving security policies — are in a significantly stronger position if a breach results in litigation than board members who never discussed cybersecurity.

Organizational accountability: Security investments require board approval. A managed security program, a cyber insurance policy, a penetration testing engagement — these are budget items that require board authorization. That authorization is meaningfully given when the board understands what it is approving and why.

The Annual SHIN-NY Compliance Report: What to Include

Present a concise SHIN-NY compliance status report at least annually — and more frequently if significant changes or incidents occur. The report should cover:

Section 1: Compliance Status — Simple Red/Yellow/Green Dashboard

Board members respond well to a simple dashboard showing where the agency stands against each major SHIN-NY requirement. A one-page table with Green (compliant), Yellow (partially compliant or in progress), and Red (gap identified, action required) for each major control:

  • CSPP document: current and reviewed?
  • SCPA: executed and not expired?
  • MFA: enforced on all SHIN-NY access?
  • Encryption: verified on all devices?
  • Audit logging: configured and reviewed quarterly?
  • Vulnerability scanning: completed in last six months?
  • Staff training: all staff trained within the past 12 months?
  • Incident response plan: current and tested?

This format allows board members to immediately see the overall posture without needing to understand the technical details of each control.

Section 2: What Has Changed Since the Last Report

What security improvements were made during the reporting period? What vulnerabilities were identified and addressed? Were there any security incidents, near-misses, or suspicious events?

Frame this in terms of risk reduction — not technical activity. "We deployed multi-factor authentication to all staff accounts, which eliminates the most common pathway for unauthorized access to patient records" is more meaningful to a board member than "We configured Azure AD Conditional Access policies with MFA enforcement."

Section 3: Current Risks and Planned Actions

What are the remaining gaps? What is the plan to address them? What is the timeline? What resources (budget, staff time, external support) does the plan require?

This is where board action may be required — approving budget for a security investment, endorsing a policy, or directing management to prioritize a specific remediation.

Section 4: Regulatory Environment Update

Has anything changed in the SHIN-NY requirements, HIPAA regulations, or New York data protection law that the board needs to know about? The 2026 HIPAA Security Rule update is a current example: the board should understand that mandatory encryption and MFA are now legally required, what the agency has done to comply, and what any remaining gaps are.

Language That Works for Board Presentations

Instead of: "We need to configure DMARC, DKIM, and SPF records to prevent domain spoofing." Say: "We are implementing email security controls that prevent attackers from sending emails that appear to come from our agency — protecting our patients and staff from phishing attacks."

Instead of: "Biannual vulnerability scans are now required by the 2026 HIPAA update." Say: "Federal regulations now require us to test our computer systems twice a year for security weaknesses and fix anything we find. We completed our first scan in [month] and addressed the [X] issues identified."

Instead of: "Our EDR deployment covers 95% of endpoints with behavioral detection capability." Say: "We have installed security software on 95% of our computers and devices that monitors for suspicious activity and stops attacks in progress — including the ransomware attacks that have disrupted other home health agencies in our region."


Build board-level cybersecurity governance into your SHIN-NY compliance program. ShieldForce provides board-ready compliance reporting and annual governance briefing materials as part of our SHIN-NY service.
