Sovereignty Maturity Assessment for Medicare-Certified HHAs

The survey does not negotiate. The vendor stack does.

And those two facts collide on the day the surveyor walks in.

A Medicare-certified home health agency runs on a regulatory layer cake. CMS Conditions of Participation define what care must look like and how it must be documented. OASIS items collect the standardized clinical data CMS uses to risk-adjust and reimburse. PDGM (the Patient-Driven Groupings Model) converts that clinical picture into payment. The state survey agency (acting under CMS delegation) walks in unannounced every three years (or sooner if a complaint triggers it) and evaluates whether what the agency has been billing for matches what the records actually show. The deficiency citation has teeth. The repayment demand has teeth. The OIG referral has the most teeth.

The agency's clinical documentation vendor sits in the middle of every one of those audit surfaces. AlayaCare, Axxess, MatrixCare, Wellsky, and adjacent platforms hold the OASIS data, the visit records, the care plans, the physician orders, the medication reconciliation, and the discharge summaries. They hold the data the surveyor will pull on the morning of the survey. They hold the data the PDGM payment integrity audit will reconstruct. They hold the data the OIG referral will subpoena. And, since roughly 2024, they hold the AI summarization, AI scheduling, and AI predictive-care features that the vendor activated on the agency's account without a separate consent prompt.

The BAA the agency signed with the vendor in 2019 or 2021 did not contemplate AI processing of PHI. Most BAAs of that vintage are silent on AI. The vendor's position is typically that the AI is just another way of processing PHI under the existing BAA. The Office for Civil Rights has cited BAA-monitoring inadequacy in resolution agreements across 2022 to 2025, and the AI activation pattern fits squarely inside those enforcement theories. The covered entity (the agency) is the one on the hook when OCR comes asking. The vendor's BAA defense doesn't transfer the liability back.

Layer the rest of the stack on. DOL wage-and-hour exposure through the 2013 Home Care Rule and the FLSA. NY's 13-hour live-in case law shaping settlements in the millions. OIG's sustained focus on home care in the Work Plan. State Medicaid Fraud Control Units reading the same data the OIG reads. The agency's payroll vendor and scheduling vendor and EVV vendor (for Medicaid-funded co-care arrangements) all contributing slices of the audit trail.

This page exists to give you a written, sourced evaluation of where your Medicare-certified HHA's sovereignty posture stands today. Free. Long cycle by default given the regulatory depth; short cycle available if your question is narrow. Built around CMS Conditions of Participation, your actual vendor stack, and your current OIG / OCR / DOL exposure.

What the assessment actually delivers.

A written sovereignty-posture document organized the way a thoughtful CMS surveyor, an OCR investigator, or a careful acquirer's diligence team would organize a review. Six to twelve pages on the long cycle (default for Medicare-certified HHAs given the regulatory depth); three to six pages on the short cycle if your question is narrow. Named observations, sourced to your agency's actual vendor stack and active service lines, with a remediation order written for the agency's reality: the owner or COO who reads vendor terms between PDGM cycles, the compliance officer who actually tracks survey readiness, the director of nursing who knows which OASIS items are most often miscoded.

Lens 1: CMS Conditions of Participation, OASIS integrity, and PDGM payment-defense posture.

What can your agency produce on demand to show that the clinical documentation, OASIS data flow, care plans, physician orders, and visit records in the vendor system accurately reflect what care was delivered? Where would a CMS survey find a gap? Where would a PDGM payment integrity audit reconstruct a different story than the billed reimbursement reflects? Where would an OIG referral find the documentation thin? This lens reads your agency's environment the way a thoughtful surveyor with subpoena power would: starting from the obligation in the Conditions of Participation, working outward to the vendor system, naming the gaps with specificity.

Lens 2: BAA conformance and AI feature activation across the clinical documentation stack.

What does your clinical documentation vendor's current Business Associate Agreement actually cover? When was it last amended? Does it explicitly contemplate AI processing of PHI? What is the vendor's sub-processor list (including AI model providers like OpenAI, Anthropic, or Google) and is the agency notified of changes? Which AI features have been activated on the agency's account since the BAA was signed, and what consent (if any) was obtained? For agencies running multiple platforms (e.g., AlayaCare for clinical + a separate scheduling vendor + a separate payroll vendor), the assessment surfaces the BAA gap-pattern across the whole stack.

The deliverable is yours. Keep it, share it with your compliance counsel ahead of a CMS survey, use it in a renewal negotiation with your clinical documentation vendor, or work the remediation in-house. There is no obligation to engage Sterling for any work beyond the assessment.

The threat surface, named for Medicare-certified HHAs.

Four exposures sized specifically for Medicare-certified home health agencies. None of these are hypothetical. All of them are showing up in current CMS survey citations, OCR resolution agreements, OIG enforcement actions, DOL wage-and-hour settlements, and the home care trade press.

Threat 1: Clinical documentation vendors have activated AI on PHI without separate consent or updated BAA coverage.

AlayaCare, Axxess, MatrixCare, Wellsky, and adjacent platforms have shipped AI summarization, AI scheduling intelligence, and AI predictive-care alerts across 2024 and 2025. The agency's BAA with the vendor was almost certainly executed before those features existed. Most BAAs of that vintage are silent on AI processing. The vendor's typical position is that the existing BAA covers AI as just another PHI-processing modality. OCR has cited BAA-monitoring inadequacy in resolution agreements 2022-2025, and the AI activation pattern fits squarely inside those enforcement theories. The covered entity (the agency) is the one on the hook. The agency that can produce a clean record of when each AI feature was activated, what consent (if any) was obtained, and what the BAA-amendment trail looks like is in a fundamentally different position than the agency that cannot.

Sources: 45 CFR 164 (HIPAA Privacy and Security Rules); HHS OCR Resolution Agreements 2022-2025 (multiple BAA-monitoring inadequacy cases including the 2022 Banner Health $1.25M settlement, the 2024 Solara Medical Supplies $3M settlement and parallel BAA-related actions); vendor product release notes 2024-2025 for AlayaCare, Axxess, MatrixCare, Wellsky (verify current state at assessment time); OpenAI and Anthropic enterprise terms 2026.

Threat 2: OASIS data integrity is a survey-readiness question AND a PDGM payment-defense question.

OASIS items drive PDGM reimbursement. The same items are what the CMS surveyor reads against the chart and what the payment integrity contractor reconstructs in a post-payment review. Vendor-side AI summarization that compresses clinical notes, AI scheduling intelligence that auto-suggests visit cadence, and AI predictive-care flags that nudge OASIS responses can all introduce drift between what the clinician observed and what the record shows. If the drift goes the agency's way on reimbursement, the payment integrity audit will find it. If it goes the patient's way on documented care, the survey will. Either direction creates exposure. The agency that can produce a clean OASIS-to-chart-to-care-plan audit trail independent of the vendor's AI judgment is in a fundamentally different position than the agency that relies on the vendor's AI to clean it up.

Sources: 42 CFR 484 (Medicare Conditions of Participation for Home Health Agencies); CMS PDGM Final Rule (CY 2020 and subsequent updates); CMS Home Health Quality Reporting Program; Targeted Probe and Educate (TPE) program guidance; Medicare Administrative Contractor (MAC) post-payment review protocols; vendor product release notes on AI-driven OASIS support 2024-2025.

Threat 3: DOL wage-and-hour enforcement, the 2013 Home Care Rule, and NY 13-hour live-in case law turn your scheduling and payroll vendors into audit-trail surfaces.

The 2013 DOL Home Care Rule (29 CFR 552) extended FLSA minimum-wage and overtime protection to most home care workers, including those previously categorized as "companions." Class-action litigation has followed, particularly in NY where Andryeyeva v. New York Health Care Inc. and Moreno v. Future Care Health Services have shaped 13-hour live-in settlement patterns into the millions. For Medicare-certified HHAs running RN and therapy services in parallel with home health aide services, the scheduling vendor, time-tracking vendor, payroll vendor, and EVV vendor (for co-located Medicaid-funded service lines) each hold a slice of the audit trail DOL or plaintiff's counsel will subpoena. The agency that can produce a clean, cross-vendor-reconciled time-and-attendance record is much harder to settle against.

Sources: 29 CFR 552 (DOL Home Care Rule); Andryeyeva v. New York Health Care Inc., 33 NY3d 152 (2019); Moreno v. Future Care Health Services, 173 AD3d 700 (2019); FLSA (29 USC 201 et seq.); New York Labor Law Article 19; state wage-and-hour statutes (varies by jurisdiction).

Threat 4: HHS OIG has Medicare home health on the priority list, and AI-driven fraud detection cuts both ways.

Medicare home health has appeared in the HHS OIG Work Plan every year for over a decade. Published enforcement actions 2022-2025 have repeatedly targeted billing for services not rendered as billed, OASIS misclassification driving PDGM upcoding, and inadequate documentation supporting medical necessity. AI-driven visit-verification or fraud-detection vendors create a Schrödinger's tool problem: if the vendor's AI flags a false positive in visit-pattern analysis, the agency has documentation problems to clear; if it misses a real issue, the agency has compliance problems to answer for. State Medicaid Fraud Control Units (MFCUs) read the same data. The agency that can produce its own clean audit trail independent of the vendor's AI judgment is in a fundamentally different position than the agency that has to defend whatever the vendor's AI did or didn't flag.

Sources: HHS OIG Work Plan 2024-2025 (Home Health Services references); published OIG enforcement actions on home health 2022-2025; CMS Program Integrity Manual (Pub. 100-08); State Medicaid Fraud Control Units (MFCU) annual reports; OIG Strategic Plan on Health Care Fraud.

The hybrid cycle, sized to the agency.

Medicare-certified HHAs default to the long cycle because the regulatory layer cake (CMS Conditions of Participation + OASIS integrity + PDGM payment defense + OCR HIPAA exposure + OIG enforcement surface + DOL wage-and-hour overlay) justifies the depth. Short cycle is available if your question is narrow.

  • Short cycle (about two hours of your time, roughly one week elapsed). Thirty-minute discovery call. Homework on your side: vendor list, a quick description of the AI features you have noticed activating across your stack, and the specific question you want answered ("is our AI summarization defensible under our current BAA," "what is our OIG exposure pattern looking like," "how does our PDGM payment integrity posture hold up if a probe lands"). One sixty-minute evaluation session. A three-to-six page written posture document delivered within five business days. Best fit for agencies with a focused question or a specific upcoming event (renewal, survey, audit).
  • Long cycle (about ten business days, CMS-survey-shaped deliverable). Default for Medicare-certified HHAs. Forty-five-minute discovery call. One week of homework on our side: we pull the current public terms of service and BAA templates for every named vendor, check for AI feature activation defaults across the stack, review CMS Conditions of Participation against your actual operational posture, structure the evaluation around OASIS integrity + PDGM payment defense + OCR HIPAA exposure + OIG enforcement surface. One ninety-minute evaluation session with the owner or CEO, the compliance officer, the director of nursing or clinical director, and the CFO if a payment integrity question is in scope. A six-to-twelve page written posture document within five business days of the evaluation session. Best fit for agencies preparing for a known upcoming CMS survey, agencies in active payment integrity review or TPE cycle, agencies with multiple service lines, and agencies preparing for a sale or acquisition.

The choice is made on the discovery call. Bring the question, we will help size the cycle. Either option is free.

Who this is for.

The fit is clearest for Medicare-certified home health agencies in the $5M to $50M annual revenue band with 50 to 500 caregivers across RN, therapy, and home health aide service lines. Smaller agencies should start with the home care hub assessment. Larger national chains typically have an internal compliance function large enough that the success.build/conformance assessment serves better.

  • Independent Medicare-certified HHAs (50-200 caregivers) with a single corporate parent or no corporate parent, running on one primary clinical documentation platform.
  • Multi-site Medicare-certified HHAs (200-500 caregivers across multiple locations) with consistent vendor stack across sites.
  • HHAs with multiple service lines (Medicare-certified home health + LHCSA or other Medicaid-funded home care + private-duty) running on multiple vendor platforms.
  • HHAs preparing for a known upcoming CMS survey, recertification, or complaint-triggered re-survey.
  • HHAs in active Targeted Probe and Educate (TPE) cycle or recent payment integrity contractor activity.
  • HHAs preparing for a sale, succession, or strategic acquisition where the clinical documentation integrity, the audit trail completeness, and the BAA-vendor-stack posture determine the multiple and the indemnification structure.

Adjacent Medicare-and-home-health structures we also work with.

  • Medicare-certified hospice agencies with the CMS hospice Conditions of Participation layer and family bereavement data sensitivity (possible future type-page).
  • Home health agencies with a hospital-system parent where the enterprise IT and BAA framework is set at the system level but the operational reality is agency-specific.
  • Home health agencies undergoing a recent acquisition or sale where vendor-stack inheritance from the prior owner creates BAA and AI activation timing complications.
  • National HHA chains for whom the success.build/conformance assessment is sized correctly.
  • Single-site small HHAs under $5M revenue for whom the home care hub assessment may be sized correctly.

Why us.

Sterling Solutions is a Westchester-based small firm. We do not run on venture capital. We do not have a sales team pretending to be your friend. We do not have an exit horizon. We have published values (success.build/ethos) and a written anti-lock-in doctrine, and the architecture of our own platform proves it: every layer is swappable, every export is clean, your data is yours from day one and on the day you leave.

We are not a clinical documentation vendor and we are not pitching one. We are not an OASIS-coding service. We are not a CMS survey-prep consultant. The assessment is not a stalking horse for a migration engagement. If the conclusion is "your stack is defensible with three documentation gaps closed," that is the conclusion. We have no commission structure with any of the vendors we evaluate.

The caregiver-family-patient triad is built on trust at the most intimate distance the healthcare system reaches. The nurse is in the bedroom. The aide is in the bathroom. The therapist is at the kitchen table. The vendor stack a Medicare-certified HHA operates should reflect that intimacy, not extract from it. The same anti-lock-in doctrine that protects member sovereignty for the mutual carriers we work with and protects client confidentiality for the attorneys we work with protects patient-family-caregiver trust here, in the most regulated home care setting Medicare reaches.

What this page is not.

This is not a pitch for a six-figure modernization engagement disguised as a free assessment. The assessment is the deliverable.

This is not a CMS survey-prep audit. Those exist, they cost five figures, and we are not certified to do them. We identify gaps and route to surveyors or compliance counsel if you need that level of work.

This is not a Medicaid program integrity audit and not a payment integrity reconstruction. Same distinction: we name the gaps and recommend counsel for anything with audit, repayment, or False Claims Act consequence.

This is not legal advice. Sterling Solutions is a technology firm, not a law firm. Medicare-certified home health operators typically need BOTH a healthcare attorney (HIPAA, CMS, OCR, OIG matters) AND employment counsel (FLSA, wage-and-hour, contractor classification matters) for legal-consequence decisions. The written deliverable identifies sovereignty and vendor-posture gaps and names the regulatory categories they sit under. Decisions about specific actions (vendor contract renegotiation, audit response, payment integrity defense, employment matters, sale or succession structuring) should run through your own counsel of the appropriate type. We are happy to coordinate.

Tire-kickers, briefly.

The evaluation is honest work. We do the homework on our end. We come to the evaluation session prepared. We ask the same of you: bring the owner or compliance officer who actually makes the vendor decisions, and bring a real intent to read what we deliver. Curiosity is fine. Performative curiosity is not what this offer is for.

One discovery call.

Forty-five minutes for the long cycle (default for Medicare-certified HHAs), thirty for the short cycle. The clinical documentation vendor, the AI features that activated since you signed the BAA, the OASIS integrity posture, the PDGM payment defense, and the OIG exposure your agency carries today are going to be the subject of the next survey, the next TPE probe, the next OIG referral, or the next OCR investigation whether or not you have a written posture document on the shelf. The asymmetry between "having a written assessment ready before the question comes" and "scrambling once it does" is large, and it is not in your favor by default. Sterling is happy to help close it.

Heads-up on the booking page: the booking widget currently shows 30-minute slots. For the short cycle, thirty minutes is the right length. For the long cycle (default for Medicare-certified HHAs), once you pick a time we will extend it to forty-five minutes on our end, provided the fifteen minutes before or after your selected slot are open on our calendar. If the adjustment does not work for you, email [email protected] and we will find a slot that fits.
