This checklist is structured around the actual requirements of the SHIN-NY Cybersecurity Policies and Procedures Program (CSPP) and Security Compliance Plan and Agreement (SCPA). It is designed for home healthcare compliance officers and administrators conducting an internal SHIN-NY readiness review.
Every item is a real requirement — drawn from SHIN-NY participation agreements, RHIO guidance, and the HIPAA Security Rule requirements that underpin SHIN-NY compliance. Work through this list before your next RHIO renewal.
Section 1: Governance and Documentation
- [ ] Designated Security Officer identified and documented — a named individual responsible for cybersecurity oversight at your agency. Does not require a dedicated IT hire; can be the compliance officer or executive director with documented responsibility.
- [ ] CSPP document drafted, approved, and dated — a written Cybersecurity Policies and Procedures Program covering all requirements in Sections 1–5 of this checklist. Signed by an authorized agency executive. Reviewed within the past 12 months.
- [ ] SCPA executed with your RHIO — a current, signed Security Compliance Plan and Agreement with your Regional Health Information Organization (Hixny, Rochester RHIO, Health Connections, or Healthix). Not expired.
- [ ] Business Associate Agreement in place with your RHIO — separate from the SCPA; governs the ePHI handling relationship between your agency and the health information exchange.
- [ ] Risk assessment documented — covering all systems through which SHIN-NY data flows. Updated when significant operational changes occur (new EHR, new device types, new access points).
Section 2: Technical Controls — Access and Authentication
- [ ] MFA enforced for all SHIN-NY portal access — every user account that logs into SHIN-NY or connected EHR systems requires multi-factor authentication. No exceptions for any user role.
- [ ] MFA enforced for all Microsoft 365 / Google Workspace accounts — if your email platform contains ePHI or is used for SHIN-NY-related communication, MFA must be enforced via Conditional Access or equivalent policy.
- [ ] Role-based access controls implemented — staff can only access SHIN-NY data relevant to their care role. Administrative staff do not have clinical record access; billing staff are restricted to billing-relevant data.
- [ ] Access review completed within past 12 months — former employees and contractors removed from all SHIN-NY-connected systems. Current staff permissions reviewed and confirmed as appropriate.
- [ ] Session timeout configured — SHIN-NY portal sessions and connected EHR sessions lock after a defined period of inactivity (typically 15–30 minutes).
Section 3: Technical Controls — Data Protection
- [ ] Encryption at rest confirmed on all devices accessing SHIN-NY data — office workstations (BitLocker or FileVault), laptops, tablets, and smartphones used by field staff to access SHIN-NY-connected systems.
- [ ] Encryption in transit confirmed — all data transmission to and from SHIN-NY uses TLS 1.2 or higher. Verified with your EHR vendor and confirmed in system documentation.
- [ ] Audit logging enabled on all SHIN-NY-connected systems — recording who accessed data, what data was accessed, when, and from which device or location. Logs retained for six years minimum.
- [ ] Audit log review process documented and current — logs reviewed at minimum quarterly. Review documented. Most recent review within the past three months.
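A worked example of the quarterly audit log review above, cross-checked against the access-review and role-based access items in Section 2 (added here as an illustration; it is not part of the original checklist nor any RHIO or EHR vendor tooling). The log columns, the staff roster, the role-to-data mapping and the managed-device inventory are constructed placeholders standing in for your agency's own records.

```python
import csv
import io

# Constructed sample audit log (not real data). The columns are the fields
# the checklist requires a log to capture: who, what, when, from which device.
SAMPLE_LOG = """user,data_class,record,timestamp,device
rn.lopez,clinical,PT-1001,2024-05-02T09:14:00,LAPTOP-07
billing.kim,billing,PT-1001,2024-05-02T11:30:00,WS-03
j.former,clinical,PT-2044,2024-05-03T02:05:00,LAPTOP-07
billing.kim,clinical,PT-2044,2024-05-03T10:12:00,WS-03
rn.lopez,clinical,PT-2044,2024-05-03T08:50:00,HOME-PC
"""

# Hypothetical agency inventories the reviewer maintains alongside the log.
ACTIVE_STAFF = {"rn.lopez": "clinical", "billing.kim": "billing"}
ROLE_ALLOWED = {"clinical": {"clinical"}, "billing": {"billing"}}
MANAGED_DEVICES = {"LAPTOP-07", "WS-03"}


def review_log(log_text, staff=ACTIVE_STAFF, devices=MANAGED_DEVICES):
    """Return (finding_type, user, record) tuples for the quarterly review.

    Three conditions are flagged:
      terminated-account: user is not on the current active-staff roster
      role-violation:     user's role does not permit that data class
      unmanaged-device:   access came from a device not in the inventory
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, record = row["user"], row["record"]
        if user not in staff:
            findings.append(("terminated-account", user, record))
            continue  # the remaining checks need a known role
        if row["data_class"] not in ROLE_ALLOWED[staff[user]]:
            findings.append(("role-violation", user, record))
        if row["device"] not in devices:
            findings.append(("unmanaged-device", user, record))
    return findings


def summarize(findings):
    """Count findings by type, the figure the review record should document."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
    print(summarize(review_log(SAMPLE_LOG)))
```

Run against a real export, each finding becomes a line item in the documented review, with its remediation (account removal, permission change, device enrollment) tracked to closure.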
Section 4: Vulnerability and Patch Management
- [ ] Vulnerability scan completed within past six months — automated scan of systems connected to SHIN-NY. Results documented. Remediation actions tracked.
- [ ] Critical and high vulnerabilities patched within documented timeline — your CSPP defines a remediation timeline for critical vulnerabilities (typically 30 days) and high vulnerabilities (60–90 days). Open items have documented status.
- [ ] Software update and patch management policy documented — covers operating systems, EHR software, browsers, and endpoint agents on all devices accessing SHIN-NY.
Section 5: Incident Response and Workforce
- [ ] Incident response plan documented and includes RHIO notification — written plan specifies the timeline and process for notifying your RHIO following a confirmed security incident affecting SHIN-NY data. Typically 24–72 hours.
- [ ] Annual security awareness training completed by all staff with SHIN-NY access — training covers phishing awareness, secure device handling, incident reporting, and SHIN-NY-specific policies. Completion documented for every staff member.
Scoring Your Readiness
16–18 checked: Strong SHIN-NY compliance posture. Review the unchecked items and create a remediation timeline for any gaps.
11–15 checked: Moderate posture with meaningful gaps. Prioritize Sections 2 and 3 (technical controls) first — these are the items RHIO reviewers check first and that carry the highest risk if missing.
10 or fewer checked: Significant compliance risk. Your agency's SHIN-NY participation could be at risk at the next renewal. Engage a healthcare-specialized cybersecurity provider immediately to close gaps before your next RHIO interaction.
A Note on RHIO Variability
Each of New York's four RHIOs — Hixny, Rochester RHIO, Health Connections, and Healthix — implements SHIN-NY participation requirements with some variation in documentation formats, renewal timelines, and audit processes. The 18 controls in this checklist are substantively consistent across all four, but your specific SCPA and CSPP requirements should be reviewed against your RHIO's current guidance.
ShieldForce has experience working with all four New York RHIOs and can help your agency navigate RHIO-specific documentation requirements.
Use this checklist with expert guidance — get your free SHIN-NY readiness assessment. ShieldForce walks your agency through every item on this checklist and delivers the controls and documentation you need. Get Your Free SHIN-NY Assessment →
Already know your gaps? ShieldForce closes them — fast. Explore SHIN-NY Compliance Solutions → | View Pricing →