
SHIN-NY MFA Requirements: What Multi-Factor Authentication Means for Your Care Team's Daily Workflow

Obi Ibeto

SHIN-NY requires MFA for all users accessing health information exchange data. Here's what that means in practice for nurses, billing staff, and administrators — and how to implement it without disrupting care.

Multi-factor authentication is required for all access to SHIN-NY data under the current participation framework — and the 2026 HIPAA Security Rule update has made MFA mandatory across all ePHI-connected systems. For New York home health agencies, MFA is no longer optional on any account touching patient data.

For administrators who have been briefed on MFA and understand the security rationale, the practical question is: how does this actually work for a field nurse who is not technical, who is at a patient's home, and who needs to access a patient record quickly?

This guide answers that question — explaining what MFA is, how it works in the context of a home health workflow, and how to implement it in a way that secures your systems without making your care team's day harder.

What Multi-Factor Authentication Is (and Is Not)

MFA requires that a user prove their identity using two or more of these factors before gaining access to a system:

  1. Something they know: A password or PIN
  2. Something they have: A smartphone with an authenticator app, a hardware token, or a text message code
  3. Something they are: A fingerprint or face scan (biometrics)

The most common implementation for home health agencies using Microsoft 365 or Google Workspace is: password + Microsoft Authenticator / Google Authenticator app prompt.

A nurse logs into the EHR or email on her phone. She enters her username and password. A push notification appears on her Microsoft Authenticator app (typically already on the same phone). She taps "Approve." Access is granted.

Total added time: approximately 5–10 seconds after the user is enrolled.

This is what MFA looks like in practice for a field worker. It is not a complex technical process. The barrier is enrollment and habit formation — not ongoing friction.

The SHIN-NY MFA Requirement in Detail

SHIN-NY requires MFA for all accounts with access to the health information exchange — which in practice means any account used to access:

  • The SHIN-NY portal provided by your RHIO (Hixny, Rochester RHIO, HealtheConnections, Healthix)
  • Your EHR system, if it connects to SHIN-NY or contains data exchanged via SHIN-NY
  • Email accounts that receive or transmit SHIN-NY data
  • Any VPN or remote access system used to access SHIN-NY-connected infrastructure

The practical scope for a home health agency is: every employee who can access any SHIN-NY-connected system must have MFA on their account. This includes clinical staff, billing staff, administrative staff, and any contractors with access.

Implementing MFA Without Disrupting Care

Step 1: Choose the Right MFA Method

For field staff on smartphones, push notification via Microsoft Authenticator or Google Authenticator is the lowest-friction option. Text message (SMS) codes are an alternative but are considered less secure (SMS can be intercepted via SIM-swapping) and should not be the primary method for high-value accounts.

Hardware tokens (physical devices that generate time-based codes) are appropriate for users without smartphones or in situations where phone use is restricted, but they add cost and logistics complexity.

Step 2: Configure MFA Through Your Identity Platform

For agencies that use Microsoft 365, MFA is configured through Microsoft Entra ID (formerly Azure Active Directory). A Conditional Access policy can enforce MFA for every sign-in, regardless of device or location. This is a one-time configuration that applies to all current and future accounts.

Step 3: Enroll Users Before Go-Live

The most disruptive MFA implementations are those that surprise users. Successful rollouts communicate in advance, provide clear enrollment instructions, and include a brief support window when MFA goes live. For a 75-person agency, enrollment typically takes one to two weeks when managed proactively.

Step 4: Plan for Edge Cases

  • Nurse without a smartphone: Provide a hardware token or configure phone call authentication
  • Staff with a new phone: Have a documented re-enrollment process
  • Lost authenticator device: Have an account recovery process that does not create a security bypass

What "Phishing-Resistant MFA" Means and When It Matters

Standard push notification MFA (the "tap Approve" model) is highly effective against password theft. However, it can be defeated by a sophisticated attack called MFA fatigue or push bombing — where an attacker with a stolen password sends repeated MFA push notifications until a tired user taps Approve.
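Because push bombing leaves a distinctive trail (a burst of MFA prompts the user did not approve, sometimes followed by one they did), it is detectable from sign-in data. The PowerShell below is an added example, not code from the original post or from ShieldForce: it scans a constructed set of MFA push outcomes and flags users who received more than a threshold of unapproved prompts inside a short window, rating a finding higher when an approval follows the burst. The record layout (User, Time, Result), the threshold, the window length and the sample data are all assumptions for the illustration; map them onto the fields your identity provider's sign-in log actually exports.

```powershell
# Added example, not part of the original post: flags the push-bombing pattern in a
# constructed set of MFA push outcomes. Record layout (User, Time, Result) and sample
# data are assumptions; adapt them to your provider's sign-in log export.

function Find-PushBombingCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # one record per MFA push sent
        [int] $Threshold     = 5,                   # unapproved pushes that trigger a finding
        [int] $WindowMinutes = 10                   # length of the sliding window
    )

    $findings = @()
    foreach ($group in ($Events | Group-Object -Property User)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow   = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            # Anything other than 'approved' (denied, timed out) counts as an unapproved prompt
            $unapproved = @($inWindow | Where-Object { $_.Result -ne 'approved' })
            if ($unapproved.Count -lt $Threshold) { continue }

            # Worst case: the user eventually tapped Approve after the burst of prompts
            $burstEnd = $unapproved[$Threshold - 1].Time
            $gaveIn   = @($inWindow | Where-Object { $_.Result -eq 'approved' -and $_.Time -gt $burstEnd }).Count -gt 0
            $severity = 'Medium'
            if ($gaveIn) { $severity = 'High' }

            $findings += [pscustomobject]@{
                User            = $group.Name
                WindowStart     = $start
                UnapprovedCount = $unapproved.Count
                ApprovedAfter   = $gaveIn
                Severity        = $severity
            }
            break   # one finding per user is enough to open a ticket
        }
    }
    return $findings
}

# Constructed sample: nurse.a receives six denied prompts from 06:58 and approves at 07:05;
# nurse.b shows a normal day (one approved prompt per sign-in).
$t = [datetime]'2026-03-02T06:58:00'
$sample = @(
    0, 1, 2, 3, 4, 6 | ForEach-Object { [pscustomobject]@{ User = 'nurse.a@agency.example'; Time = $t.AddMinutes($_); Result = 'denied' } }
    [pscustomobject]@{ User = 'nurse.a@agency.example'; Time = $t.AddMinutes(7); Result = 'approved' }
    [pscustomobject]@{ User = 'nurse.b@agency.example'; Time = $t.AddMinutes(30); Result = 'approved' }
    [pscustomobject]@{ User = 'nurse.b@agency.example'; Time = $t.AddHours(4);    Result = 'approved' }
)

# Expected: one High finding for nurse.a (6 unapproved, approved afterwards); nothing for nurse.b
Find-PushBombingCandidates -Events $sample | Format-Table -AutoSize
```

A High finding is the one to act on first: reset the password that let the attacker request prompts in the first place, revoke sessions, and ask the user what they saw. Turning on number matching in Microsoft Authenticator also blunts the attack, because a user cannot approve a prompt by tapping alone; they have to enter the number shown on the sign-in screen.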

For highest-value accounts — IT administrators, executive directors, billing supervisors — consider phishing-resistant MFA methods: FIDO2 hardware security keys (like a YubiKey) or certificate-based authentication. These cannot be defeated by MFA fatigue attacks.

For standard clinical and administrative staff, standard push MFA is appropriate and significantly more secure than no MFA. The 2026 HIPAA Security Rule and SHIN-NY requirements are satisfied by standard push MFA for general users.
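The following PowerShell is an added example that is not ShieldForce's or Microsoft's own script. It puts Step 2 and the phishing-resistant recommendation above into two Microsoft Entra Conditional Access policies created through the Microsoft Graph PowerShell SDK: a baseline policy requiring MFA for all users on all apps, and a second policy that requires the built-in "Phishing-resistant MFA" authentication strength (FIDO2 security key or certificate-based authentication) for a privileged group. The module, cmdlets and Graph scopes are real; the two group object IDs are placeholders you must replace, and the policy names are assumptions.

```powershell
# Added example, not the project's own code: creates the two Conditional Access policies
# discussed in the article via Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns).
# Group object IDs below are placeholders (assumptions); replace them with your tenant's values.

Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # once, if not already installed
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholders: an emergency-access ("break-glass") group excluded from every policy,
# and the group holding IT admins, the executive director and billing supervisors.
$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'
$privilegedGroupId = '<PRIVILEGED-USERS-GROUP-OBJECT-ID>'

# Policy 1: baseline MFA for every user, every application, every device and location.
# Created in report-only mode so you can review the impact before go-live (Step 3),
# then switch state to 'enabled'.
$baseline = @{
    displayName = 'CA001 - Require MFA for all users (SHIN-NY baseline)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: phishing-resistant MFA for the highest-value accounts, using the built-in
# authentication strength rather than a hard-coded ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -Filter "displayName eq 'Phishing-resistant MFA'"
$privileged = @{
    displayName = 'CA002 - Require phishing-resistant MFA for privileged users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($privilegedGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }
}

foreach ($policy in @($baseline, $privileged)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created '{0}' (id {1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Check: list what the tenant now enforces
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Two caveats before running this against a production tenant. Conditional Access requires a Microsoft Entra ID P1 license (included in Microsoft 365 Business Premium); tenants without it can turn on Security Defaults instead, which enforce MFA for everyone but offer no per-group control. And the break-glass exclusion is not optional: a policy that requires MFA for "All" users with no excluded emergency account can lock every administrator out of the tenant if the authenticator service or the admin's device is unavailable.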


Implement SHIN-NY-compliant MFA across your entire care team — without disruption. ShieldForce manages the full MFA deployment: configuration, enrollment, edge case planning, and ongoing support. Explore SHIN-NY Compliance Solutions →


Schedule a free assessment to review your current MFA posture. Get Your Free SHIN-NY Assessment →
