Sovereignty Maturity Assessment for Home Care Agencies

Care happens inside someone's home.
So does the data trail.

And the vendor stack decides who else gets to read it.

Home care is the most intimate distance the healthcare system reaches. The aide is in the bathroom. The nurse is in the bedroom. The CDPAP personal assistant is at the kitchen table reading the medication list out loud to a family member who doesn't speak English at the same level the prescription is written in. Every visit produces a record. The record contains the address, the door code, the medication regimen, the body state, the family dynamic, the moment somebody cried, the moment somebody refused care, the moment the aide made the right call. The trust the patient and the family extended to the caregiver to be in that room is the asset the agency is actually selling. The data trail is its evidence.

And then, somewhere between 2020 and now, the vendor stack inserted itself between the caregiver and the record. The EVV vendor mandated by the 21st Century Cures Act. The clinical documentation vendor with the AI summarization feature that activated last spring. The scheduling vendor whose visit-verification flags are now part of OIG's fraud-and-abuse tool surface. The payroll vendor holding the time entries that DOL or plaintiff's counsel will subpoena. Each one was signed onto the same way (terms of service that ran past on the install), each one writing the same kind of clause about derived data, performance data, training data. The patient's record is still in the agency's chart. The metadata trail that makes it valuable now sits in vendors' databases under licenses the agency granted by clicking through.

Then 2024 happened. AlayaCare, Axxess, MatrixCare, Wellsky, and HHAeXchange all shipped AI features across 2024 and 2025. AI documentation summarization. AI scheduling optimization. AI predictive-care alerts. AI visit-pattern fraud detection. Most of these were activated by default for existing customers, with the existing BAA treated as already sufficient because the data was already in the platform. The owner who signed the BAA in 2021 did not consent in 2021 to AI processing of clinical notes in 2024. The patient who signed the consent form does not know either. The amendment was sent to the agency's compliance officer in an email that read like every other vendor update from every other vendor that month.

Layer the rest of the regulatory stack on. HIPAA always. CMS Conditions of Participation for Medicare-certified HHAs. State DOH licensing and inspection for LHCSAs. NY's CDPAP transition to PPL (effective April 2025) which left the surviving fiscal intermediaries operating under a fundamentally changed landscape. DOL's 2013 Home Care Rule extending FLSA to most home care workers. NY's 13-hour live-in case law shaping settlements in the millions. OIG's sustained focus on home care in its annual Work Plan. Every layer has its own audit, its own penalty surface, its own counsel that ought to be involved before something gets put in writing.

This page exists to give you a written, sourced evaluation of where your agency's sovereignty posture stands today. Free. Built around the four priority types this surface serves: Medicare-certified HHAs, LHCSAs, CDPAP fiscal intermediaries, and private-duty agencies. The regulatory overlay and the vendor stack differ enough between them that the deeper read happens on a type-specific page; pick yours from the routing below or read through the broad threat surface here.

Pick the assessment shaped for your agency.

The regulatory layer and the vendor stack diverge enough between the four priority types that we built four type-specific pages. The framing, threat surface, and lens questions on each one are tuned to the actual regulators, payers, and vendors of that agency type. Pick the one that fits.

Medicare-certified home health agencies (HHAs).

CMS Conditions of Participation, OASIS reporting, PDGM payment integrity, CMS survey readiness. Vendor stack: AlayaCare, Axxess, MatrixCare, Wellsky. The deepest regulatory exposure of the four types; assessment runs the long cycle by default.

Assessment for Medicare-certified HHAs →

NY LHCSAs (and state-DOH-licensed equivalents elsewhere).

NY DOH oversight, Medicaid MLTC payer relationships, EVV vendor lock-in (HHAeXchange in NY), DOL home care worker exposure. The largest NY audience by agency count; the sharpest single vendor-lock-in story (HHAeXchange) in the four types.

Assessment for LHCSAs →

NY CDPAP fiscal intermediaries (post-2025 PPL transition).

The narrowest, most time-sensitive type. CDPAP transition to PPL was effective April 2025; surviving fiscal intermediaries are operating in a fundamentally changed landscape. The sovereignty posture can be a competitive advantage in the post-transition motion. Lighter, campaign-shaped page.

Assessment for CDPAP fiscal intermediaries →

Private-duty home care (non-Medicare, non-Medicaid).

Private-pay home care agencies operating outside the Medicare/Medicaid regulatory air cover. Vendor lock-in is the same shape. Family-side marketing data, caregiver data, and payment data are the exposure. Cycle: short by default; long on request for larger agencies.

Assessment for private-duty agencies →

If you run a hospice or palliative home care agency, or an assisted living facility, or a nursing home, the work shape is different enough that we have not yet built a type-specific page. The general success.build/risk assessment fits, and we will flag during the discovery call if a future type-specific surface would serve you better.

The broad threat surface, named.

Four exposures that show up across all four agency types in different shapes. Each type page sharpens these to its specific regulator and vendor stack. None of these are hypothetical. All of them are showing up in current HHS OCR resolution agreements, CMS survey citations, state DOH inspection findings, DOL wage-and-hour settlements, OIG enforcement actions, and the home care trade press.

Threat 1: AI documentation vendors are processing PHI without consistent BAA coverage for the new features.

AlayaCare, Axxess, MatrixCare, Wellsky, and HHAeXchange have shipped AI summarization, scheduling intelligence, and predictive-care features across 2024 and 2025. The agency's BAA with the vendor was almost certainly executed before those features existed. Whether the BAA covers AI processing of PHI, what the vendor's sub-processor list now includes, and what the data-handling posture is for caregiver call-center transcripts processed by AI are all open questions most agencies haven't asked. OCR's published resolution agreements 2022-2025 have cited BAA-monitoring inadequacy repeatedly; the new AI features sit squarely inside that enforcement theory. The agency, not the vendor, is the covered entity on the hook.

Sources: 45 CFR 164 (HIPAA Privacy and Security Rules); HHS OCR Resolution Agreements 2022-2025 (multiple BAA-monitoring inadequacy cases); vendor product release notes 2024-2025 for AlayaCare, Axxess, MatrixCare, Wellsky, HHAeXchange (verify current state at assessment time); OpenAI and Anthropic enterprise terms 2026.

Threat 2: EVV vendor lock-in is regulator-mandated and contractually punishing.

The 21st Century Cures Act mandated Electronic Visit Verification for Medicaid-funded personal care and home health services. States largely centralized on single-vendor or open-vendor-model solutions, but the practical reality for most NY LHCSAs is HHAeXchange. Agencies have no real choice; the regulator made the decision and the vendor priced accordingly. Vendor contract terms reflect that. Data portability is essentially non-existent. The agency is paying per-visit fees to a vendor that holds the data the agency needs to operate, prove compliance, and defend itself in audit. This is the credit-union-equivalent threat for home care: one dominant vendor everyone feels but has no alternative to.

Sources: 21st Century Cures Act EVV provisions (42 USC 1396b); CMS EVV implementation guidance; NY DOH EVV implementation and HHAeXchange selection record; HHAeXchange published terms of service (verify current language at assessment time); Sterling's anti-lock-in doctrine (REFERENCE_anti-lock-in-doctrine.md).

Threat 3: DOL wage-and-hour enforcement is heavy in home care, and your vendor stack determines whether you can prove compliance.

The 2013 DOL Home Care Rule (29 CFR 552) extended FLSA minimum-wage and overtime protection to most home care workers. NY's 13-hour live-in case law (Andryeyeva v. New York Health Care Inc.; Moreno v. Future Care Health Services) has shaped class-action settlements in the millions across the state. The agency's scheduling vendor, time-tracking vendor, payroll vendor, and EVV vendor each hold a slice of the data trail DOL or plaintiff's counsel will subpoena. If the data tells a clean story you can produce on demand, the case is manageable. If the story is fragmented across five vendors with inconsistent timestamps, the case is much harder to defend. The vendor stack is the audit-readiness posture.

Sources: 29 CFR 552 (DOL Home Care Rule); Andryeyeva v. New York Health Care Inc., 33 NY3d 152 (2019); Moreno v. Future Care Health Services, 173 AD3d 700 (2019); FLSA general (29 USC 201 et seq.); state wage-and-hour statutes (varies by jurisdiction).

Threat 4: OIG fraud-and-abuse enforcement on home care is sustained, and AI visit-verification is now part of the enforcement surface.

Home care has been an HHS OIG priority area for years; the OIG Work Plan repeatedly names it. AI-driven visit verification and fraud-detection vendors create a Schrödinger's tool problem: if the vendor's AI flags a false positive, the agency has documentation problems to clear; if it misses a real issue, the agency has compliance problems to answer for. State Medicaid Fraud Control Units (MFCUs) read the same data. The agency that can produce its own clean audit trail independent of the vendor's AI judgment is in a fundamentally different position than the agency that has to defend whatever the vendor's AI did or didn't flag.

Sources: HHS OIG Work Plan 2024-2025; published OIG enforcement actions on home care 2022-2025; CMS Program Integrity guidance; State Medicaid Fraud Control Units (MFCU) annual reports; OIG Strategic Plan on Health Care Fraud.

The two lenses, sized to the agency.

Every type-specific page narrows these to the agency's actual regulatory layer and vendor stack. At the hub level, the lenses are the broad shapes of inquiry the assessment uses.

Lens 1: CMS / state DOH / HIPAA / OIG exam-readiness posture.

What can your agency produce on demand to show that the AI tools, cloud vendors, EVV system, scheduling system, and payroll system in active use are consistent with HIPAA, with CMS Conditions of Participation (for Medicare-certified HHAs), with state DOH licensing requirements (for LHCSAs and equivalents), and with OIG fraud-and-abuse expectations? Where are the gaps an OCR investigation, a CMS survey, a state DOH inspection, or an OIG audit would find? This lens reads your agency's environment the way a thoughtful compliance officer with subpoena power would: starting from the obligation, working outward to the vendor relationships, naming the gaps with specificity and the remediation paths with proportion.

Lens 2: Vendor sovereignty across the home-care stack.

What do your EVV vendor, your clinical documentation vendor, your scheduling vendor, your payroll vendor, your CRM / marketing vendor, and any AI overlay vendors actually claim in their current Terms of Service, Business Associate Agreements, data processing addenda, and AI feature activation defaults? Where does your data live, who has subpoena authority over it, and can you produce a clean export of every visit record, every time entry, every caregiver assignment, and every patient record without the vendor's active cooperation? Which AI features have been activated since you signed the BAA, and were those changes accepted by silence?

Who this is for.

The fit is clearest for home care agencies in the $2M to $30M annual revenue band with 50 to 500 caregivers, multi-payer, where the agency owner, COO, director of operations, or compliance officer is the person reading vendor contracts and making the tooling decisions. Smaller agencies should start with the general success.build/risk assessment. Larger national chains typically have an internal compliance function large enough that this surface is the wrong shape; the success.build/conformance assessment serves that buyer better.

  • Medicare-certified home health agencies with OASIS reporting, CMS Conditions of Participation conformance, and PDGM payment integrity exposure. Assessment shaped for Medicare-certified HHAs.
  • NY LHCSAs (and state-DOH-licensed equivalents) on HHAeXchange or other EVV vendors, with Medicaid MLTC payer relationships and DOL home care worker exposure. Assessment shaped for LHCSAs.
  • NY CDPAP fiscal intermediaries operating in the post-2025 PPL transition landscape. Assessment shaped for CDPAP fiscal intermediaries.
  • Private-duty home care agencies operating outside Medicare/Medicaid with the same vendor exposures and the family-side marketing-data overlay. Assessment shaped for private-duty agencies.
  • Multi-line agencies running combinations of the above (a single agency may be Medicare-certified for one service line, a LHCSA for another, and a CDPAP FI for a third). The hub assessment surfaces the cross-line questions before routing into type-specific work.
  • Agencies in or approaching merger, acquisition, or consolidation where the customer list, the caregiver roster, the active care plans, and the audit trail are the assets that determine the multiple.

Adjacent home-care and care-adjacent structures we also work with

  • Hospice and palliative home care agencies with the distinct CMS hospice Conditions of Participation layer and family bereavement data sensitivity. Possible future type-page if engagement volume warrants it.
  • Adult day services and PACE programs (Program of All-Inclusive Care for the Elderly) with overlapping regulatory exposure and distinct vendor stacks.
  • Assisted living facilities and nursing homes with a different regulator (state DOH facility licensing) but adjacent vendor exposure on the documentation and AI sides.
  • Community mental health centers and behavioral health programs where the clinical confidentiality and HIPAA framing carries the heaviest weight; the patient-trust shape repeats across both surfaces. Assessment shaped for behavioral health practices and clinics covers the clinical-confidentiality-first framing.
  • 501c3-structured home health agencies and LHCSAs operated as nonprofit clusters where the agency sits inside a larger nonprofit cluster (a 501c3 operating charity, a 501c2 holding the facility, sometimes a 501c4 advocacy arm). The agency-specific vendor and clinical questions are treated here; the cluster-stewardship questions across the related 501c entities route to the 501c3 public charities and private foundations assessment.
  • Faith-based home care agencies and parish-based aging-in-place programs where the agency operates as a ministry of a religious institution and the moral framing is tradition-specific. The clinical and EVV-vendor questions are identical; the tradition-specific stewardship framing routes to the religious institutions and diaspora community organizations assessment.
  • Caregiver marketplace platforms (Care.com, A Place for Mom, and adjacent) with a different business model but the same caregiver-family-patient data sensitivity.
  • Home care franchises with an additional layer of franchise terms that interact with the vendor stack in ways most franchisees have not reviewed.
  • Single-aide or single-nurse owner-operator agencies under $2M revenue for whom the general success.build/risk assessment is sized correctly.

Why us.

Sterling Solutions is a Westchester-based small firm. We do not run on venture capital. We do not have a sales team pretending to be your friend. We do not have an exit horizon. We have published values (success.build/ethos) and a written anti-lock-in doctrine, and the architecture of our own platform proves it: every layer is swappable, every export is clean, your data is yours from day one and on the day you leave.

We are not a clinical documentation vendor and we are not pitching one. We are not an EVV vendor. We are not a payroll vendor. The assessment is not a stalking horse for a ServiceVendor-to-X migration engagement. If the conclusion is "your stack is defensible with three documentation gaps closed," that is the conclusion. If the conclusion is "your EVV vendor's contract is much worse than you realized and the remediation path is renegotiation at the next renewal," that is the conclusion. We have no commission structure with any of the vendors we evaluate.

Care happens at the most intimate distance the healthcare system reaches. The aide is in the bathroom. The nurse is in the bedroom. The CDPAP personal assistant is at the kitchen table. The caregiver-family-patient triad is built on trust at a distance no other healthcare setting matches. The vendor stack a home care agency operates should reflect that intimacy, not extract from it. Sterling takes this seriously because we operate locally in the same Westchester / Hudson Valley communities our prospective home care agency clients serve. The same care that gets given inside someone's home is the care we extend to the people we work with. The same anti-lock-in doctrine that protects member sovereignty for the mutual carriers we work with and protects client confidentiality for the attorneys we work with protects patient-family-caregiver trust here, in a different industry with different regulators but the same structural question: who owns the operational asset, and who claims rights to the derivative data underneath it. The same therapeutic-trust shape repeats one office over at behavioral health practices and clinics, where clinical confidentiality is the asset and the AI scribe and EHR vendor stack carry an exposure shape this audience will recognize. When the agency is structured as a nonprofit cluster (a 501c3 operating charity around the agency, a 501c2 holding the facility, a 501c4 advocacy arm), the cluster-stewardship questions across the entities route to the nonprofits and tax-exempt organizations assessment. When the agency operates as a ministry of a religious institution, the tradition-specific stewardship framing is held at the religious institutions and diaspora community organizations assessment.

What this page is not.

This is not a pitch for a six-figure modernization engagement disguised as a free assessment. The assessment is the deliverable. If you read it, file it, do the work in-house, and never speak to us again, that is a good outcome and we are not chasing you for a sales call.

This is not a CMS survey-prep audit. Those exist, they cost five figures, and we are not certified to do them. We identify gaps and route to surveyors or compliance counsel if you need that level of work.

This is not a Medicaid program integrity audit. Same distinction: we name the gaps and recommend counsel for anything with audit, repayment, or False Claims Act consequence.

This is not legal advice. Sterling Solutions is a technology firm, not a law firm. Home care is unusual in that operators typically need BOTH a healthcare attorney (HIPAA, CMS, OCR, OIG, state DOH matters) AND employment counsel (FLSA, wage-and-hour, contractor classification matters) for legal-consequence decisions. The written deliverable identifies sovereignty and vendor-posture gaps and names the regulatory categories they sit under. Decisions about specific actions (vendor contract renegotiation, audit response, employment classification matters, payor disputes, sale or succession structuring) should run through your own counsel of the appropriate type. We are happy to coordinate.

Tire-kickers, briefly.

The evaluation is honest work. We do the homework on our end. We pull the current public terms of service and BAA templates for the vendors you name. We check the most recent product release notes and amendments. We come to the evaluation session prepared. We ask the same of you: bring the owner or compliance officer who actually makes the vendor decisions, and bring a real intent to read what we deliver. Curiosity is fine. Performative curiosity is not what this offer is for.

One discovery call.

Thirty minutes for the hub discovery. Pick the agency-specific page first if you can (Medicare-certified HHAs, LHCSAs, CDPAP fiscal intermediaries, private-duty) and book from there; the cycle is sized to the agency on the call. The EVV vendor, the clinical documentation vendor, the payroll vendor, the AI overlays your agency relies on today are going to be the subject of the next CMS survey, the next state DOH inspection, the next DOL or plaintiff's case, the next OIG audit, or the next OCR investigation whether or not you have a written posture document on the shelf. The asymmetry between "having a written assessment ready before the question comes" and "scrambling once it does" is large, and it is not in your favor by default. Sterling is happy to help close it.

Book the discovery call →

Heads-up on the booking page: the booking widget currently shows 30-minute slots. That is the right length for the hub-level discovery call. The agency-type pages explain the per-type cycle. If the standard slot does not work for you, email [email protected] and we will find a slot that fits.

success.build/risk/home-care · [email protected] · agency-type pages route from here