What Is a CSPP Document and Why SHIN-NY Requires One

Obi Ibeto

The SHIN-NY Cybersecurity Policies and Procedures Program (CSPP) is the foundational compliance document for every New York home health agency participating in SHIN-NY. Here's what it contains, why it matters, and how to build one.

If you have received a SHIN-NY compliance notification from your Regional Health Information Organization and seen the term "CSPP," you may be wondering exactly what this document is, who writes it, what it needs to contain, and whether your agency already has something that satisfies the requirement.

This guide answers all of those questions. The CSPP — Cybersecurity Policies and Procedures Program — is the cornerstone of SHIN-NY compliance. Understanding what it is, and what it is not, is the starting point for every New York home health agency participating in the statewide health information exchange.

What the CSPP Is

The Cybersecurity Policies and Procedures Program is a written document — or organized set of documents — that describes your agency's security governance structure, policies, and operational procedures for protecting electronic protected health information, with specific attention to data accessed through or transmitted via SHIN-NY.

It is not a checklist, although it may include checklists. It is not a technical configuration guide, although it references technical controls. It is a governance document: it establishes who is responsible for security at your agency, what policies are in place, and how those policies are implemented and enforced.

Think of it as the organizational equivalent of a HIPAA Security Rule compliance program, because that is largely what it is: the same administrative, physical, and technical safeguard documentation the Security Rule already expects, framed specifically around SHIN-NY participation and the data flows it introduces.

What a Compliant CSPP Must Contain

Section 1: Scope and Applicability

Defines what the CSPP covers — which systems, data types, and personnel. For a home health agency, this typically covers: EHR systems connected to SHIN-NY, email systems containing ePHI, devices used to access SHIN-NY data (including field devices), and all workforce members with access to SHIN-NY-connected systems.

Section 2: Security Governance

Designated Security Officer. The CSPP must identify a named individual responsible for cybersecurity at your agency. For most home health agencies, this is the compliance officer, executive director, or a senior administrator. The role does not require technical expertise; it requires organizational authority to enforce security policies. HIPAA's Security Rule already requires you to assign a security official (45 CFR 164.308(a)(2)), and the person named in the CSPP should be that same individual so the two designations do not drift apart.

Roles and Responsibilities. Documents who is responsible for specific security functions: who approves access requests, who reviews audit logs, who handles incident response, who conducts staff training.

Section 3: Risk Assessment

A documented risk assessment covering the systems and data flows relevant to SHIN-NY participation. Must include: identified threats and vulnerabilities, likelihood and impact ratings, and the controls implemented to address each risk. Must be updated when significant changes occur.

Section 4: Access Control Policies

Documents how access to SHIN-NY data is granted, managed, and revoked. Covers: user provisioning procedures, role-based access definitions built on least privilege, MFA requirements, session management, periodic access reviews at a stated interval, and off-boarding procedures for departing staff, including how quickly SHIN-NY access is removed after separation.

Section 5: Encryption and Data Protection

Documents encryption controls: what is encrypted, how, and what the verification process is. Confirms that field devices (laptops, tablets, phones used by clinicians in the field) have full-device encryption enabled, and states what evidence demonstrates it, such as device-management inventory reports rather than a policy statement alone. Confirms that data in transit uses TLS 1.2 or higher and that older protocol versions are disabled on the systems the agency controls.

Section 6: Audit Logging

Documents what is logged, where logs are stored, how they are protected from alteration, how long they are retained, who reviews them, and how often. Includes the process for reviewing logs following a suspected security incident, so that the people named in the incident response procedure know where to look and what they will find.

Section 7: Vulnerability and Patch Management

Documents the vulnerability scanning schedule, who conducts scans, how results are reviewed, and the remediation timelines for critical, high, and medium vulnerabilities.

Section 8: Incident Response

A written incident response procedure, including how incidents are detected and reported internally, the escalation path, the timeline and process for notifying your RHIO following a confirmed breach, and the interface with HIPAA breach notification obligations.

Section 9: Workforce Training

Documents the security awareness training program: what is covered, how often it is conducted, how completion is documented, and how the training addresses SHIN-NY-specific policies.

Section 10: Vendor Management

Documents the process for managing third-party vendors with access to ePHI, including BAA requirements, vendor security assessments, and the process for reviewing vendor access.

What the CSPP Is Not

It is not a technical manual. The CSPP does not need to explain how to configure your firewall. It documents the policies and procedures that govern security — the technical implementation details live in separate technical documentation.

It does not need to be long. A well-organized CSPP for a mid-size home health agency is typically 20–40 pages. Clarity and completeness matter more than length.

It is not a one-time project. The CSPP must be reviewed at least annually and updated when significant changes occur — new systems, new staff, new access methods, incidents. An outdated CSPP that doesn't reflect your current environment is a compliance gap.

Who Should Write the CSPP

The CSPP is written by whoever understands both the security requirements and the operational reality of the agency — ideally in collaboration between agency leadership and a healthcare cybersecurity specialist.

For home health agencies without cybersecurity expertise, the most efficient approach is to engage a healthcare-specialized managed security provider (like ShieldForce) who provides CSPP templates tailored to home health agency operations and aligned to current SHIN-NY and HIPAA requirements. The agency leadership reviews, customizes specific operational details, and executes the document.

ShieldForce and CSPP Development

ShieldForce provides a CSPP development service as part of our SHIN-NY compliance offering. We provide a RHIO-aligned template, work with your agency leadership to customize it to your specific environment, and update it annually as requirements evolve and your agency changes.

Need a CSPP for your New York home health agency? ShieldForce provides CSPP development, SCPA preparation, and full SHIN-NY compliance management. Explore SHIN-NY Compliance Solutions →

Start with a free SHIN-NY readiness assessment to understand your current documentation gaps. Get Your Free Assessment →
