Home health administrators spend months evaluating EHR platforms on clinical workflow, billing integration, scheduling capability, and interoperability. Security posture receives a fraction of that attention — typically a question to the vendor sales representative ("Are you HIPAA compliant?"), a review of whether a BAA is available, and occasionally a check for SOC 2 certification. This compressed security evaluation creates a consistent pattern: agencies select EHR platforms based on clinical fit and discover their security implications after go-live.
This comparison addresses that gap. The four platforms covered — Matrixcare, WellSky, Axxess, and Homecare Homebase — represent the majority of the home health EHR market. Each provides genuine HIPAA Security Rule compliance at the application level. Each leaves a security environment outside its application boundary that is entirely the agency's responsibility. Understanding exactly where each platform's responsibility ends is the foundation of a complete security architecture regardless of which platform you use.
The Universal Principle Before Any Comparison
No EHR platform secures the environment outside its application. Matrixcare secures the Matrixcare application and the infrastructure it runs on. WellSky secures the WellSky application and infrastructure. The devices your nurses use to access these applications, the email accounts that receive notifications from them, the networks your staff connect from, and the passwords your staff choose for their logins — none of these are covered by any EHR vendor's BAA or security programme. Your HIPAA compliance programme must cover all of it.
Matrixcare: Security Posture Analysis
Matrixcare serves a significant portion of the home health and senior living market through its cloud-based platform. The Matrixcare security programme includes SOC 2 Type 2 certification, which should be requested and reviewed at initial contracting and at each subsequent contract renewal. The BAA covers the Matrixcare application and cloud infrastructure under a standard agreement that most agencies accept without negotiation — see our separate article on BAA negotiation for provisions worth improving.
Matrixcare supports SSO integration with identity providers including Microsoft Entra ID, which allows agencies to enforce MFA at the identity provider level rather than relying on Matrixcare's native authentication alone. This SSO integration is the recommended configuration: it means MFA enforcement on Matrixcare access is controlled by your organisation's identity platform — with conditional access policies, device compliance checks, and consistent enforcement — rather than by Matrixcare's internal authentication settings, which have less configurability. If your Matrixcare deployment is not integrated with an SSO provider, MFA is enforced only at the Matrixcare application layer, which is less comprehensive.
Matrixcare's audit logging captures user access events within the application. Your HIPAA obligation to review those logs periodically — looking for access anomalies, inappropriate record access, and unusual export activity — is your responsibility to fulfil using the logs Matrixcare provides. Establish a quarterly audit log review process that specifically examines Matrixcare access events.
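As an added illustration of what a quarterly review pass can look like in practice (this is example code written for this article, not Matrixcare's tooling, and the comma-separated log format below is constructed for the example; map your vendor's audit export onto it), the script flags the three patterns named above: after-hours access, a user touching an unusually broad set of patient records in one day, and bulk export activity. The thresholds are assumptions to tune for your agency's shift patterns.

```python
"""Quarterly audit-log review helper for EHR access events.
Log format is CONSTRUCTED for this example: timestamp,user,action,patient_id
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real vendor export). One user views a record
# at 02:15, one runs four exports, one views eleven distinct patients.
SAMPLE_LOG = "\n".join([
    "2024-03-04T09:12:00,rn.patel,VIEW,P1001",
    "2024-03-04T02:15:00,rn.patel,VIEW,P1003",
    *(f"2024-03-04T10:0{i}:00,biller.kim,EXPORT,P100{i}" for i in range(4)),
    *(f"2024-03-04T11:{i:02d}:00,admin.lee,VIEW,P2{i:03d}" for i in range(11)),
])


def parse_log(text):
    """Parse constructed CSV lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def review(text, export_limit=3, distinct_limit=10, work_hours=(6, 22)):
    """Return (rule, user, day, detail) findings. Limits are assumed thresholds."""
    findings = []
    exports = defaultdict(int)    # (user, day) -> number of EXPORT actions
    patients = defaultdict(set)   # (user, day) -> distinct patient ids touched
    for e in parse_log(text):
        key = (e["user"], e["ts"].date().isoformat())
        if not work_hours[0] <= e["ts"].hour < work_hours[1]:
            findings.append(("after_hours_access", e["user"], key[1], e["ts"].isoformat()))
        if e["action"] == "EXPORT":
            exports[key] += 1
        patients[key].add(e["patient"])
    for (user, day), n in exports.items():
        if n > export_limit:
            findings.append(("bulk_export", user, day, f"{n} exports"))
    for (user, day), ids in patients.items():
        if len(ids) > distinct_limit:
            findings.append(("broad_record_access", user, day, f"{len(ids)} distinct patients"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Each finding is a starting point for a human reviewer, not a verdict: an overnight visit or a legitimate month-end export will also trip these rules, which is why the review should be documented with the outcome of each investigation.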
WellSky: Security Posture Analysis
WellSky is one of the most widely adopted home health and therapy platforms in the United States. Its cloud architecture provides strong infrastructure-level security and its BAA programme is well-established. WellSky maintains SOC 2 Type 2 certification for its core platform, which should be verified annually as part of your vendor security review process.
WellSky's mobile application for field staff is a significant ePHI access point that requires explicit security management. The app accesses patient records from field nurse devices — which may be personal smartphones or agency-issued tablets — in environments outside the agency's control. MDM enrollment for every device running the WellSky mobile app, with MDM-enforced encryption and remote wipe capability, is essential. A WellSky mobile app running on an unenrolled personal device with no encryption verification is an uncontrolled ePHI access point.
WellSky sends email notifications to clinical and administrative staff. These notifications — which may reference patient names, visit status, and clinical flags — are ePHI in transit. Configure your email security platform to treat WellSky notification emails with the same DLP policies as any other outbound ePHI communication. Additionally, phishing campaigns impersonating WellSky support are a documented attack vector targeting home health agencies. Anti-impersonation protection that flags emails mimicking WellSky sender addresses should be configured in your email security platform.
Axxess: Security Posture Analysis
Axxess is widely deployed among home health and hospice agencies, particularly mid-size and smaller organisations. Its integrated clinical, operational, and billing capability makes it operationally efficient. Axxess provides a BAA and maintains cloud infrastructure security consistent with healthcare software industry standards. The platform includes built-in secure messaging capabilities that support HIPAA-compliant clinical communication within the Axxess ecosystem — a genuinely useful feature that provides a compliant alternative to personal text messaging for care coordination.
The limitation of the Axxess secure messaging feature is that it covers only communication that happens within the Axxess platform. Communication with physicians, families, referral partners, and other external contacts happens outside Axxess and requires the agency's own secure messaging solution. An agency that relies on Axxess secure messaging for all clinical communication has a gap everywhere that communication exits the Axxess environment.
Homecare Homebase: Security Posture Analysis
Homecare Homebase is particularly strong among agencies managing combined home health and hospice operations, offering deep integration between the two service lines. HCHB's BAA covers the application and cloud infrastructure. The platform has enterprise-grade access management capabilities that allow sophisticated role-based access configuration — useful for complex organisations with multiple service lines and multiple access profiles to manage.
HCHB's depth of integration between clinical and billing functions creates a specific access control consideration: clinical staff who need access to clinical documentation may be placed in roles that also provide access to billing data that they have no clinical reason to access. The minimum necessary standard requires separating these access profiles. HCHB supports this separation through role configuration — but it must be done deliberately, not assumed by default.
Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.
→ Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment
→ Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare
→ View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison