If your home healthcare agency operates in New York State, SHIN-NY compliance is not optional. It is a condition of participating in the Statewide Health Information Network for New York — and for most home health agencies, that participation is tied directly to Medicaid reimbursement, referral relationships with hospital systems, and state licensing.
The Statewide Health Information Network for New York (SHIN-NY) has evolved from a health information exchange initiative into a comprehensive cybersecurity compliance framework. The 2025–2026 enforcement cycle brought tighter requirements, specific timelines, and a clear signal from the New York State Department of Health that cybersecurity posture is now a condition of continued participation — not a future aspiration.
This guide explains every requirement, what it means in operational practice for a home health agency, and what the documentation obligations look like.
What Is SHIN-NY and Why Does It Matter for Home Healthcare?
SHIN-NY is New York State's designated health information exchange infrastructure, operated through four Regional Health Information Organizations (RHIOs): Hixny (Capital Region), Rochester RHIO, HealtheConnections (Central NY), and Healthix (NYC/Long Island/Hudson Valley).
Participation in SHIN-NY is required for:
- Home health agencies receiving Medicaid reimbursement through New York State
- Agencies participating in New York's Value-Based Payment (VBP) arrangements
- Agencies that exchange patient records with hospital systems participating in SHIN-NY
For the vast majority of New York home health agencies, SHIN-NY participation is not a choice — it is a contractual and regulatory requirement. And participation now comes with cybersecurity obligations that must be documented, implemented, and maintained.
The Core SHIN-NY Cybersecurity Requirements
Requirement 1: Cybersecurity Policies and Procedures Program (CSPP)
The CSPP is the foundational document of SHIN-NY compliance. It is a written security program that demonstrates your agency has a systematic, documented approach to protecting the electronic protected health information that flows through the SHIN-NY network.
A compliant CSPP must address:
Information Security Governance: Who is responsible for cybersecurity at the agency? This does not require a CISO or dedicated security staff — a designated security officer (which can be the compliance officer or a senior administrator) is sufficient, provided their responsibilities are documented.
Risk Assessment: A documented analysis of the risks to ePHI in your environment, covering the systems, devices, and processes through which SHIN-NY data flows. This must be completed at implementation and repeated when significant operational changes occur.
Access Controls: Documented procedures for granting, reviewing, and revoking access to SHIN-NY and ePHI systems. Access should be role-based, and the procedures must cover prompt revocation when staff depart.
Incident Response: A written plan for detecting, containing, and reporting security incidents. Specific attention to breach notification obligations under HIPAA and the New York SHIELD Act.
Workforce Training: Documented security awareness training for all workforce members with access to ePHI, including training on SHIN-NY-specific policies.
Vendor Management: Documentation of Business Associate Agreements with all vendors handling ePHI, including the SHIN-NY network participant agreement with your RHIO.
The CSPP is a living document. It must be reviewed at least annually and updated to reflect changes in your environment, staffing, and technology.
Requirement 2: Multi-Factor Authentication (MFA) for All SHIN-NY Access
Every user account with access to SHIN-NY data — clinical staff, administrative staff, billing staff — must use multi-factor authentication. This is not a recommendation; it is an enforced technical requirement.
In practice, this means:
- Every user who logs into the SHIN-NY portal, your EHR that connects to SHIN-NY, or any system that queries the health information exchange must authenticate with MFA
- MFA must be implemented on the identity system (Microsoft Entra ID / Active Directory, Google Workspace, or equivalent) that controls access
- Personal devices used to access SHIN-NY must have MFA configured
For agencies using Microsoft 365, MFA enforcement via Conditional Access policies satisfies this requirement. The technical implementation is managed by your cybersecurity provider.
Requirement 3: Encryption of ePHI in Transit and at Rest
All electronic protected health information transmitted to or from SHIN-NY must be encrypted in transit using TLS 1.2 or higher. All ePHI stored on devices that access SHIN-NY must be encrypted at rest.
This requirement extends to field devices. A nurse's tablet or smartphone used to access SHIN-NY data from a patient's home must have device-level encryption enabled. For iOS devices, encryption is enabled by default when a passcode is set. For Android devices, encryption must be explicitly verified.
Requirement 4: Audit Logging for All SHIN-NY Data Access
Your agency must maintain audit logs that record:
- Who accessed SHIN-NY data
- What data was accessed
- When access occurred
- From which system or device
These logs must be retained for a minimum of six years (aligned with HIPAA's record retention requirement). They must be reviewed periodically — SHIN-NY guidance suggests quarterly review as a minimum — and reviewed immediately following any suspected security incident.
Audit log review is an active compliance obligation, not a passive one. Having logs that are never reviewed does not satisfy the requirement.
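Requirement 4 is easiest to meet consistently when the periodic review is scripted rather than done by eye. The Python below is an added example written for this guide, not code from ShieldForce, any RHIO, or the SHIN-NY program. The newline-delimited JSON log format, the field names (`user`, `patient_id`, `timestamp`, `device`), the authorised-user roster, the managed-device inventory, and the 07:00–20:00 business-hours window are all constructed assumptions; a real EHR or portal export will use its own field names, so the mapping would need adapting. It checks that every record carries the four facts the requirement names (who, what, when, from which device), flags records that warrant follow-up during a quarterly review, pulls the records in a time window for the immediate review after a suspected incident, and tracks whether the quarterly review cadence has lapsed.

```python
"""Audit-log completeness and review checks for SHIN-NY access logs.

Added example; not code from ShieldForce, any RHIO, or SHIN-NY. The log
format, field names, roster, device inventory and business hours below are
constructed for illustration only.
"""
import json
from datetime import datetime

# The four facts Requirement 4 says each record must capture (who, what,
# when, from where), mapped onto constructed field names.
REQUIRED_FIELDS = ("user", "patient_id", "timestamp", "device")

# Constructed roster of workforce members authorised for SHIN-NY access and
# constructed inventory of managed (encrypted, MFA-enrolled) devices.
AUTHORIZED_USERS = {"rn.alvarez", "rn.chen", "billing.ortiz"}
MANAGED_DEVICES = {"TAB-0412", "TAB-0419", "WS-BILL-02"}

# Quarterly review is the minimum the guidance suggests; the exact day count
# is a policy choice (assumed here).
QUARTERLY_REVIEW_DAYS = 92

# Constructed sample export: one JSON record per line. Line 5 is missing the
# patient identifier on purpose to show an incomplete record.
SAMPLE_LOG = """\
{"timestamp": "2026-03-02T09:14:05", "user": "rn.alvarez", "patient_id": "P-1001", "action": "VIEW", "device": "TAB-0412"}
{"timestamp": "2026-03-02T23:41:52", "user": "rn.chen", "patient_id": "P-1002", "action": "VIEW", "device": "TAB-0419"}
{"timestamp": "2026-03-03T10:02:11", "user": "former.staff", "patient_id": "P-1003", "action": "VIEW", "device": "TAB-0419"}
{"timestamp": "2026-03-03T11:30:00", "user": "billing.ortiz", "patient_id": "P-1004", "action": "EXPORT", "device": "LAPTOP-HOME"}
{"timestamp": "2026-03-03T12:00:00", "user": "rn.alvarez", "action": "VIEW", "device": "TAB-0412"}
"""


def parse_log(text):
    """Parse newline-delimited JSON. Unparseable lines are reported, not silently dropped."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            errors.append((lineno, "unparseable record"))
    return records, errors


def missing_fields(record):
    """Names of the mandated fields that are absent or empty in one record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def review_records(records, authorized_users=AUTHORIZED_USERS,
                   managed_devices=MANAGED_DEVICES, business_hours=(7, 20)):
    """Return (record_index, reason) findings for the periodic review.

    A record can raise several findings: incomplete fields, a user who is not
    on the authorised roster (e.g. departed staff whose access was not
    revoked), an unmanaged device, or access outside business hours.
    """
    start_hour, end_hour = business_hours
    findings = []
    for idx, rec in enumerate(records):
        missing = missing_fields(rec)
        if missing:
            findings.append((idx, "incomplete record, missing: " + ", ".join(missing)))
        user = rec.get("user")
        if user and user not in authorized_users:
            findings.append((idx, f"access by user not on authorised roster: {user}"))
        device = rec.get("device")
        if device and device not in managed_devices:
            findings.append((idx, f"access from unmanaged device: {device}"))
        ts = rec.get("timestamp")
        if ts and not start_hour <= datetime.fromisoformat(ts).hour < end_hour:
            findings.append((idx, f"access outside business hours at {ts}"))
    return findings


def records_in_window(records, start_iso, end_iso):
    """Records timestamped within [start, end]; the pull for a post-incident review."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [r for r in records
            if r.get("timestamp") and start <= datetime.fromisoformat(r["timestamp"]) <= end]


def review_overdue(last_review_iso, today_iso, max_days=QUARTERLY_REVIEW_DAYS):
    """True when the last documented review is older than the allowed cadence."""
    last, today = datetime.fromisoformat(last_review_iso), datetime.fromisoformat(today_iso)
    return (today - last).days > max_days


if __name__ == "__main__":
    recs, parse_errors = parse_log(SAMPLE_LOG)
    for lineno, reason in parse_errors:
        print(f"line {lineno}: {reason}")
    for idx, reason in review_records(recs):
        print(f"record {idx}: {reason}")
    print("records on 2026-03-03:", len(records_in_window(recs, "2026-03-03T00:00:00", "2026-03-03T23:59:59")))
    print("quarterly review overdue:", review_overdue("2025-11-15", "2026-03-04"))
```

Each finding the script prints is a line item for the review record: who followed up, what was concluded, and when. Keeping that record alongside the logs is what turns log retention into the active review the requirement calls for.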
Requirement 5: Vulnerability Management
Participating organizations must conduct regular vulnerability assessments of the systems through which SHIN-NY data flows. The 2026 HIPAA Security Rule update aligns this to twice-yearly automated scanning and annual penetration testing — and SHIN-NY compliance officers are increasingly referencing the updated HIPAA requirements as the applicable standard.
Vulnerability scan results and remediation actions must be documented. Open vulnerabilities must have a documented remediation timeline. Critical vulnerabilities must be patched within a defined window.
Requirement 6: Incident Reporting to the RHIO
In the event of a security incident that affects SHIN-NY data — unauthorized access, data breach, ransomware affecting systems connected to SHIN-NY — your agency must notify your RHIO within the timeframe specified in your participation agreement. This is typically 24–72 hours for a confirmed breach, depending on the severity.
This is in addition to HIPAA's 72-hour internal notification requirement and the 60-day OCR notification obligation. New York's SHIELD Act may also impose independent notification obligations if New York residents' private information is exposed.
The Security Compliance Plan and Agreement (SCPA)
In addition to the CSPP, SHIN-NY participants execute a Security Compliance Plan and Agreement (SCPA) with their RHIO. The SCPA is a formal attestation that your agency has implemented the required controls and agrees to maintain them as a condition of SHIN-NY participation.
The SCPA typically requires:
- Executive signature from an authorized representative of the agency
- Attestation that an up-to-date CSPP exists and is available for review
- Agreement to notify the RHIO of security incidents affecting SHIN-NY data
- Agreement to cooperate with security assessments if requested by the RHIO
The SCPA is renewed periodically — annually in most RHIOs — and requires fresh attestation that your controls remain in place.
SHIN-NY and HIPAA: The Relationship
SHIN-NY compliance does not replace HIPAA compliance — it builds on it. Every SHIN-NY requirement is either directly drawn from HIPAA's Security Rule or goes further. An agency that is fully HIPAA-compliant per the 2026 Security Rule update will meet virtually all SHIN-NY technical requirements.
The reverse is not true: an agency that has only addressed SHIN-NY requirements may not be fully HIPAA-compliant if its broader ePHI environment — systems not connected to SHIN-NY — has gaps.
The practical guidance is to build a HIPAA compliance program that covers all ePHI in your environment. SHIN-NY compliance will follow naturally from that foundation.
What Happens If Your Agency Is Not Compliant
RHIO participation agreements include suspension and termination provisions for organizations that do not maintain the required security posture. The consequences of SHIN-NY suspension for a home health agency are significant:
- Loss of real-time access to patient health records from hospital systems
- Inability to participate in VBP arrangements that require SHIN-NY participation
- Potential impact on Medicaid contracting and reimbursement
- Reputational consequences with hospital referral partners who expect SHIN-NY participation as a baseline condition
Enforcement of SHIN-NY cybersecurity requirements intensified in 2025 and is expected to continue increasing through 2026.
How ShieldForce Delivers SHIN-NY Compliance for Home Healthcare Agencies
ShieldForce is the SHIN-NY compliance partner for home health agencies in New York. Our service delivers every technical requirement of SHIN-NY — MFA enforcement, encryption, audit logging, vulnerability management, incident response — as a managed service. We also provide the CSPP template, SCPA preparation support, and the ongoing documentation your agency needs for annual renewal.
Agencies working with ShieldForce can attest to SHIN-NY compliance with confidence, backed by documented controls and a signed Business Associate Agreement.
Is your New York home healthcare agency SHIN-NY compliant? ShieldForce provides a free SHIN-NY readiness assessment — identifying your specific gaps against every CSPP and SCPA requirement. Get Your Free SHIN-NY Assessment →