How to Write a SHIN-NY Incident Response Plan Your RHIO Will Accept
Obi Ibeto

Your SHIN-NY CSPP must include an incident response plan — and your RHIO reviews it. Here's what to include to write a plan that satisfies RHIO requirements and actually works when you need it.

The incident response plan is a required component of your SHIN-NY Cybersecurity Policies and Procedures Program. Every RHIO that reviews CSPP documentation looks for it. But a plan that exists on paper and a plan that actually functions during a 2am security incident are very different things — and your RHIO's reviewers have seen enough ineffective plans to know the difference.

This guide explains what a SHIN-NY-compliant incident response plan must contain, how to structure it so it is actually usable under pressure, and the specific RHIO notification requirements it must address.

What Makes an Incident Response Plan SHIN-NY-Compliant

A SHIN-NY-compliant incident response plan addresses four distinct phases of incident management and three distinct notification obligations. Getting all seven components right is what distinguishes an acceptable plan from a deficient one.

Phase 1: Detection and Initial Assessment (0–4 Hours)

The plan must specify:

How incidents are detected. What monitoring tools are in place? Who receives alerts? What constitutes an incident versus a routine event? For a home health agency using a managed security provider like ShieldForce, the 24/7 SOC is the detection mechanism. The plan should name the detection capability and specify how it alerts the agency.

Who is notified first. The designated incident response coordinator — named, not just titled. For most home health agencies this is the compliance officer or executive director. The plan should include a backup if the primary contact is unavailable.

Initial assessment criteria. How does the first responder determine whether this is a real incident or a false alarm? What questions does the assessment answer: What systems are affected? Is access to SHIN-NY data possible? Is the incident contained or ongoing?

Phase 2: Containment and Documentation (4–24 Hours)

Containment procedures. What actions are taken to stop the incident from spreading? For a ransomware attack: which systems are isolated? For a credential compromise: which accounts are suspended? For a lost device: when and how is remote wipe initiated? These should be specific, actionable steps — not general principles.

Evidence preservation. Security forensics require preserved evidence. The plan should specify what not to do (don't reimage systems before forensic analysis, don't delete email logs) to ensure the organization can conduct a proper investigation.

Documentation requirements. What is recorded? The incident timeline, systems affected, actions taken, and personnel involved must be documented contemporaneously — this is both a HIPAA requirement and essential for the post-incident report.

Phase 3: Notification (0–72 Hours — Concurrent With Phases 1 and 2)

This is the section your RHIO reviews most carefully. The notification phase must address three separate obligations simultaneously:

RHIO notification (within 24–72 hours): The plan must specify:

  • The RHIO contact information (name, email, phone for your specific RHIO)
  • What information is included in the initial notification: nature of the incident, systems affected, estimated scope of SHIN-NY data involved, containment status, actions taken
  • Who in your organization makes the notification
  • The format of notification (most RHIOs have a specific form or email template)

HIPAA OCR notification (within 60 days of discovery): The plan must specify:

  • The process for determining whether the incident is a reportable breach under HIPAA
  • Who conducts the four-factor risk assessment required to make that determination
  • The process for OCR notification if the incident qualifies as a reportable breach
  • The individual notification process for affected patients

NY SHIELD Act notification (without unreasonable delay): The plan must specify:

  • The process for determining whether SHIELD Act notification obligations are triggered (affects private information of New York residents)
  • Who is notified (affected individuals, NY AG if 500+ New Yorkers affected)

Phase 4: Recovery and Post-Incident Review (Days 3–30)

Recovery procedures. How are affected systems restored? What verification is required before systems are brought back online? What is the recovery priority sequence?

Post-incident review. Within 30 days of resolution, the plan should require a documented review of: what happened, what the root cause was, whether the incident was identified by existing controls or discovered by chance, and what changes to security controls or procedures are warranted.

CSPP update requirement. If the post-incident review identifies that the existing CSPP did not adequately address the risk exploited in the incident, the plan must be updated and the RHIO notified of material changes.

The Practical Format: What Works at 2am

An incident response plan that is a 30-page policy document is not useful at 2am when the executive director has just received a call from the SOC. The most effective format is a tiered structure:

Tier 1 (1–2 pages): The immediate response runbook. Who to call, in what order, what to say. Decision tree: is this a suspected breach? Go to Step 3. Is SHIN-NY data potentially affected? Initiate RHIO notification process. Laminate this and post it in the server room or administrator's office.

Tier 2 (5–10 pages): The detailed procedures. Each phase is fully documented with specific steps, decision criteria, and responsible parties. This is the document the incident response coordinator works from after the initial emergency is stabilized.

Tier 3 (attachments): Contact lists, notification templates, regulatory guidance references. Pre-populated RHIO notification email templates, individual patient notification letter templates, and OCR notification form locations save critical time during incident response.


Get a SHIN-NY-compliant incident response plan your RHIO will accept. ShieldForce provides incident response plan development as part of every SHIN-NY compliance engagement — and the 24/7 SOC to execute it when needed.