SHIN-NY cybersecurity requirements do not scale based on agency size. A home health agency with 12 nurses and no IT department has the same CSPP, MFA, encryption, audit logging, and incident response obligations as a large multi-site agency with 200 staff and a full compliance department.
This creates a meaningful compliance burden for small agencies — organizations that are serving patients, managing payroll, and coordinating care with limited administrative bandwidth. Building a SHIN-NY compliance program from scratch without IT expertise or dedicated compliance staff feels overwhelming.
This guide provides a right-sized SHIN-NY compliance approach for small home health agencies — what to do first, what can be simplified, what cannot be reduced, and how to use available resources to close the gap efficiently.
What Cannot Be Reduced: The Non-Negotiable Requirements
Before discussing simplification, it is important to be clear about what SHIN-NY requires regardless of agency size:
CSPP document: Must exist, must be current, must cover all required content areas. There is no small-agency exemption to the CSPP requirement.
SCPA executed with the RHIO: Must be signed by an authorized executive. Must be renewed annually. No size-based waiver.
MFA on all SHIN-NY access: Every user accessing SHIN-NY-connected systems must use MFA. A 10-person agency has the same MFA requirement as a 200-person agency.
Encryption on all devices accessing SHIN-NY data: Every device, regardless of how small the agency. A three-device office still needs encrypted devices.
Audit logging with periodic review: Must exist, must be reviewed. The review can be done by the executive director or compliance-designated staff member — it does not require a dedicated IT analyst — but it must happen and be documented.
Annual staff training: Every staff member with SHIN-NY access must complete annual security awareness training, and completion must be documented.
These six requirements are irreducible. The complexity of implementing them, however, scales with the agency.
What Can Be Simplified for a Small Agency
Simplified CSPP
A CSPP for a 12-person home health agency with a single office location and a cloud-hosted EHR does not need to be as long or complex as a CSPP for a 150-person agency with multiple sites and a locally hosted server infrastructure. The sections of the CSPP can be shorter because:
- The scope of the risk assessment is narrower (fewer systems, fewer devices, fewer sites)
- The access control procedures are simpler (fewer roles, fewer permission levels)
- The vendor management section is more compact (typically one EHR vendor, one billing vendor)
- The network architecture section is straightforward (a single office network, a cloud EHR)
ShieldForce provides a small-agency CSPP template that is structured appropriately for agencies under 25 staff — covering all required content without unnecessary enterprise-level complexity.
Simplified Incident Response Plan
A small agency's incident response plan can use the tiered format described in our incident response planning guide with an even simpler Tier 1 runbook. For a 12-person agency, the incident response team may be the executive director alone, plus the managed security provider. The plan documents exactly that: who to call (the SOC number), what to do immediately (follow SOC guidance, call legal counsel), and what to document.
Simplified Access Review
For a small agency, the quarterly access review — checking that staff have appropriate access and former employees have been removed — may take 15 minutes. The executive director reviews the user list in the EHR and the Microsoft 365 admin center, then documents the review date and any changes made. Done.
The documentation overhead is proportional to the number of users, not a fixed administrative burden.
The Three Things Small Agencies Should Do First
If your small agency is starting from scratch on SHIN-NY compliance, sequence these actions:
Action 1 (Week 1): Enable MFA on Microsoft 365 or Google Workspace.
This is the highest-impact single action, the most universally required control, and the one your RHIO is most likely to ask about first. It requires no external help — just an administrator with access to your M365 or Google Workspace admin console, or your managed IT provider.
Action 2 (Week 2): Verify device encryption.
On every device used to access SHIN-NY-connected systems, verify encryption is enabled. For iPhones and iPads: go to Settings and confirm a passcode is set (encryption is automatic). For Windows laptops: check that BitLocker is enabled. For Android: verify in Settings > Security. Document the verification for each device.
Action 3 (Week 3–4): Build the CSPP using a template.
Start with a RHIO-provided template or a ShieldForce small-agency template. Fill in the specific details of your agency's systems, staff, and procedures. The executive director can write most of this without technical expertise — it is an organizational document, not a technical configuration guide.
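As an added example that is not part of the original guide, the following PowerShell script performs the Windows part of the Action 2 check on one laptop and produces the per-device verification record the step asks for. It assumes Windows PowerShell run as administrator with the built-in BitLocker module available; the log path is a placeholder to replace with your agency's shared folder.

```powershell
# Added example (not from the original guide): check BitLocker on every volume of
# this Windows device and append one dated record per drive to a verification log.
# Assumes: run as administrator; BitLocker module present; log path is a placeholder.
$deviceName = $env:COMPUTERNAME
$checkedOn  = Get-Date -Format 'yyyy-MM-dd'

# One record per BitLocker-capable volume (OS drive, fixed data drives, attached removable media)
$records = foreach ($vol in Get-BitLockerVolume) {
    [pscustomobject]@{
        Device           = $deviceName
        Drive            = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # 'On' means the drive is actively protected
        VolumeStatus     = $vol.VolumeStatus          # e.g. FullyEncrypted, EncryptionInProgress
        EncryptionPct    = $vol.EncryptionPercentage
        CheckedOn        = $checkedOn
    }
}

$records | Format-Table -AutoSize

# A drive counts as compliant only when protection is on AND encryption has finished;
# anything else is a gap that needs remediation before the device is used for SHIN-NY access.
$gaps = $records | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
}
if ($gaps) {
    Write-Warning "Encryption gap on ${deviceName}: $($gaps.Drive -join ', ')"
}

# Append to the agency-wide verification log (placeholder path; adjust for your environment)
$logPath = '\\FILESERVER\Compliance\device-encryption-log.csv'
$records | Export-Csv -Path $logPath -Append -NoTypeInformation
```

Run it once on each Windows laptop; the accumulated CSV is the "document the verification for each device" record, and the warning line tells you which devices still need work.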
Using Your RHIO's Technical Assistance
Every RHIO offers technical assistance for participants working through CSPP development and SHIN-NY compliance. Small agencies should actively use these resources:
- HealtheConnections offers one-on-one technical assistance sessions
- Hixny provides scheduled compliance consultations
- Rochester RHIO offers educational webinars and participant resources
- Healthix maintains a compliance resource library and direct consultation access
These are free resources funded by the health information exchange infrastructure. Using them is not a sign of weakness — it is how small agencies access expertise that would otherwise require hiring a compliance consultant.
Why a Managed Security Provider Is Often the Right Answer for Small Agencies
For a small home health agency without IT staff, the most efficient path to SHIN-NY compliance is often a managed security provider who:
- Implements MFA enforcement (no IT expertise required on your side)
- Deploys EDR and MDM across your small device fleet (5–15 devices)
- Provides the CSPP template and walks through completion
- Conducts audit log review as part of ongoing service
- Provides annual staff training
- Is available to your RHIO as the technical point of contact
ShieldForce's per-user pricing at $35/user/month means a 12-person agency pays $420/month — approximately $5,040 annually — for a complete managed SHIN-NY compliance program. That is less than the cost of a part-time compliance consultant and delivers a fully operational compliance infrastructure.
SHIN-NY compliance for small New York home health agencies — without the enterprise complexity. ShieldForce delivers right-sized SHIN-NY compliance for agencies under 25 staff — CSPP, MFA, encryption, audit logs, training, and 24/7 monitoring.
Start with a free SHIN-NY readiness assessment.