Workforce training is required by both HIPAA and SHIN-NY — but the training most home health agencies provide falls short of what either framework demands. A 15-minute annual video about password hygiene, completed on a shared office computer, does not meet the standard. Neither does a HIPAA privacy training module that was designed for hospital staff working at fixed desks.
The workforce training requirement for SHIN-NY compliance is specific: it must be documented, it must cover SHIN-NY-relevant security topics, and it must be tailored to the actual work environment of the people being trained. For home health agencies, that means field nurses, home health aides, care coordinators, and billing staff who work in patient homes, on personal devices, and in distributed environments that bear no resemblance to a hospital or clinic setting.
What SHIN-NY Requires for Workforce Training
Your CSPP must document a workforce security awareness training program that includes:
Coverage: All workforce members with access to SHIN-NY data or SHIN-NY-connected systems. This includes clinical staff (nurses, aides, therapists), administrative staff (scheduling, coordination), billing staff, and any contractors with system access.
Content: Training covering the policies and procedures relevant to your CSPP — which means the specific security obligations that SHIN-NY participation creates, not just general HIPAA awareness.
Documentation: Completion records for every trained staff member. Name, date of training, training content covered, and assessment results if applicable. These records must be retained and available for RHIO review.
Frequency: At minimum annually. The CSPP should specify the training schedule, and the documentation should confirm that every staff member has completed training within the required period.
Relevance: Training that addresses the actual risks staff face in their specific role. Field staff need training built around field scenarios (a phishing message read on a phone between visits, a device left in a car). Billing staff need training on billing-specific threats such as business email compromise (BEC) and phishing that imitates Medicare or payer portals.
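The completion records above are only useful if someone actually checks them against the roster. The following is an added example, not code from the original page or from any vendor: it audits constructed training records against a constructed staff roster and reports who has no record, whose last training is older than the required interval, and who was granted system access before their first training. The 365-day interval, the record fields and the names are all assumptions for the example.

```python
"""Audit workforce training completion records against the staff roster.

Added example; the roster, records and 365-day interval are constructed
assumptions, not data or requirements taken from the page.
"""
from dataclasses import dataclass
from datetime import date

TRAINING_INTERVAL_DAYS = 365  # assumed to match the CSPP's "at minimum annually"
AS_OF = date(2025, 6, 1)      # date the audit is run (constructed)


@dataclass(frozen=True)
class Worker:
    name: str
    role: str
    access_granted: date   # date access to SHIN-NY-connected systems was granted


@dataclass(frozen=True)
class TrainingRecord:
    name: str
    completed: date
    content: str           # what the session covered, as the CSPP documentation requires


# Constructed sample data: four workforce members, three with records on file.
ROSTER = [
    Worker("A. Rivera", "field nurse", date(2024, 3, 4)),
    Worker("B. Chen", "billing", date(2023, 1, 9)),
    Worker("C. Okafor", "home health aide", date(2025, 2, 3)),
    Worker("D. Patel", "contractor", date(2024, 6, 1)),
]
RECORDS = [
    TrainingRecord("A. Rivera", date(2024, 3, 1), "SHIN-NY awareness, mobile phishing"),
    TrainingRecord("A. Rivera", date(2025, 2, 20), "SHIN-NY awareness, mobile phishing"),
    TrainingRecord("B. Chen", date(2024, 1, 15), "SHIN-NY awareness, BEC"),
    TrainingRecord("C. Okafor", date(2025, 2, 10), "SHIN-NY awareness, device security"),
]


def audit(roster, records, as_of, interval_days=TRAINING_INTERVAL_DAYS):
    """Return {worker name: [finding, ...]}; an empty list means compliant."""
    by_name = {}
    for rec in records:
        by_name.setdefault(rec.name, []).append(rec)

    findings = {}
    for worker in roster:
        issues = []
        recs = sorted(by_name.get(worker.name, []), key=lambda r: r.completed)
        if not recs:
            # Coverage: everyone with access must have a documented session.
            issues.append("no training record on file")
        else:
            latest = recs[-1].completed
            # Frequency: the most recent session must fall inside the interval.
            if (as_of - latest).days > interval_days:
                issues.append(f"last training {latest.isoformat()} "
                              f"older than {interval_days} days")
            first = recs[0].completed
            # Gating: access should not predate the first completed training.
            if first > worker.access_granted:
                issues.append(f"access granted {worker.access_granted.isoformat()} "
                              f"before first training {first.isoformat()}")
        findings[worker.name] = issues
    return findings


def run_audit():
    """Run the audit over the constructed data as of AS_OF."""
    return audit(ROSTER, RECORDS, AS_OF)


def noncompliant():
    """Sorted names of everyone with at least one finding."""
    return sorted(name for name, issues in run_audit().items() if issues)


if __name__ == "__main__":
    for name, issues in run_audit().items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run against a real roster, the same three checks map directly onto the Coverage, Frequency and Documentation items above, and the output is the list a RHIO reviewer would ask for.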
What the Training Must Actually Cover
Module 1: SHIN-NY and Why It Matters
Staff who understand what SHIN-NY is — that it connects your agency to a statewide network of patient health records — understand why their individual security behavior matters to the entire network. Training should explain:
- What SHIN-NY is and what data flows through it
- Why SHIN-NY data is sensitive and what happens if it is breached
- What your agency's obligations are as a SHIN-NY participant
- The individual staff member's role in protecting SHIN-NY data
Module 2: Phishing Recognition — Mobile-First
Most HIPAA and security awareness training presents phishing examples on desktop email clients. Your field staff primarily read email on smartphones, and mobile phishing looks different: the mail client usually shows only the sender's display name and hides the actual address, there is no hover to preview where a link really goes, and the pace of mobile communication works in the attacker's favor.
Training must include:
- How to identify a phishing email on a mobile device
- How to report a suspicious email to your security team
- What NOT to do if you suspect a phishing attempt (do not click, do not reply, do not call the number in the message)
- Specific examples relevant to home health: Medicare portal phishing, scheduling system alerts, payroll notifications
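To make the hidden signals concrete for the people building the training, here is an added example (not code from the original page or from any vendor) that parses a constructed phishing message of the Medicare-portal type and surfaces what a phone would hide: a Reply-To that sends replies to a different domain, a link whose visible label names one host while the tap goes to another, a destination outside the agency's trusted domains, and urgency language in the subject. The message body, the `.example` domains and the `TRUSTED_DOMAINS` allow-list are all constructed assumptions.

```python
"""Surface the phishing signals a mobile mail client hides.

Added example; the message is constructed (domains use the reserved .example
TLD) and TRUSTED_DOMAINS is an assumed allow-list of agency and payer domains.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"agency.example", "cms.example"}          # assumption
URGENCY_TERMS = ("action required", "suspended", "24 hours", "verify")

# Constructed sample: looks like a payer-portal alert, replies and links go elsewhere.
RAW_MESSAGE = b"""\
From: "Medicare Provider Portal" <alerts@agency.example>
Reply-To: support@medicare-portal-verify.example
To: nurse@agency.example
Subject: Action required: verify your provider account today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your provider account will be suspended in 24 hours.</p>
<p><a href="https://medicare-portal-verify.example/login">https://portal.cms.example/login</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs; on a phone only the text is visible."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Hostname of a URL, or of bare 'host/path' text used as a link label."""
    if "://" not in url_or_host:
        url_or_host = "https://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze(raw):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    # A phone shows the display name, not the address, and never the Reply-To.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))

    subject = str(msg.get("Subject") or "").lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        findings.append(("urgent-subject", ", ".join(hits)))

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            # Label looks like a URL or domain but the tap resolves elsewhere.
            if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I) \
                    and host_of(text) != target:
                findings.append(("link-text-mismatch",
                                 f"label shows {host_of(text)}, tap goes to {target}"))
            if target and not is_trusted(target):
                findings.append(("untrusted-link", target))
    return findings


def finding_codes(raw):
    """Distinct finding codes, sorted, for quick comparison."""
    return sorted({code for code, _ in analyze(raw)})


if __name__ == "__main__":
    for code, detail in analyze(RAW_MESSAGE):
        print(f"{code}: {detail}")
```

The same four checks translate directly into the questions the training should teach staff to ask on a phone: tap the sender name to reveal the address, long-press a link to see its real destination before following it, and treat a demand for action within hours as a reason to slow down and report rather than act.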
Module 3: Device Security in the Field
- What to do if a work device is lost or stolen (call who, within what timeframe)
- Why personal devices used for work must follow agency security policies
- How the MDM container on their phone works and what the agency can and cannot see
- Why public Wi-Fi is a risk and when the VPN must be on (any access to agency or SHIN-NY-connected systems from a network the agency does not control)
- The importance of keeping devices updated (OS and app updates)
Module 4: Password and Account Security
- What MFA is and why it is required
- How to respond to an MFA prompt they did not initiate (deny it, never approve it just to make repeated prompts stop, and report it; an unexpected prompt means someone else already has the password)
- Why password reuse is dangerous
- How to use a password manager
Module 5: Incident Reporting
- What constitutes a security incident (device lost, suspicious email clicked, unusual system behavior)
- How to report an incident at your agency (specific contact, specific process)
- Why reporting quickly matters — and that reporting will not result in punishment for honest mistakes
Making Training Work for a Distributed Field Team
The logistical challenge for home health agencies is delivering training to staff who are rarely in the office. Effective approaches:
On-demand mobile-optimized training modules: Short (5–10 minute) training modules accessible on a smartphone, completable between patient visits, with completion tracked in a system that generates documentation.
Annual in-person training at team meetings: If your agency holds quarterly or annual staff meetings, build a 30-minute security training session into the agenda. Use real examples — actual phishing emails that targeted home health organizations, actual incidents at similar agencies.
Role-specific phishing simulations: Quarterly simulated phishing emails tailored to each role's threat profile. Field staff get phishing simulations mimicking scheduling alerts. Billing staff get BEC simulations mimicking payer communications. Results are used to focus remedial training.
New hire onboarding: Every new staff member completes security training within their first week, before being granted access to SHIN-NY-connected systems. This is both a compliance requirement and the most effective moment to establish secure habits.
Deliver SHIN-NY-compliant security training across your entire distributed care team. ShieldForce provides role-specific security awareness training, phishing simulations, and documented completion records — all mobile-optimized for field staff.
Start with a free readiness assessment to identify your current training gaps.