Homecare Homebase is among the most comprehensive integrated platforms in the home health and hospice market — clinical documentation, scheduling, billing, EVV, and operational management in a single system. For agencies managing combined home health and hospice lines, HCHB's depth of integration is genuinely valuable. Its security reputation among the agencies I work with is generally positive: HCHB takes its infrastructure security seriously and its BAA programme is well-established. The compliance challenge is not with what HCHB does — it is with what HCHB does not do, and with the consistent pattern of agencies assuming that HCHB's application security extends further than it does.
The HCHB Security Boundary in Precise Terms
Homecare Homebase's BAA covers the HCHB application and the infrastructure it runs on. What does "application and infrastructure" mean in practical terms? It means: the HCHB servers and databases; the network connections between HCHB's own infrastructure components; the data stored within the HCHB system; the HCHB application's authentication systems; and the HCHB audit logs of activity within the platform. It explicitly does not cover: the computers and smartphones your staff use to access HCHB; the email systems through which HCHB notifications travel; the internet connections through which your staff reach HCHB; or the credentials your staff select for their HCHB logins. The boundary is precisely where the HCHB application ends and your agency's environment begins.
Device Security for HCHB Access: The Priority Layer
Field nurses who document visits using HCHB are accessing a clinical system from uncontrolled environments on devices that may or may not have the security controls the 2026 HIPAA mandatory requirements demand. Before any device accesses HCHB — agency-owned or personal — the following controls must be confirmed:
- Behavioral EDR installed and actively reporting: not conventional antivirus, but behavioral EDR that monitors process execution and network behaviour for malicious activity patterns, and whose agent is checking in to the console rather than merely installed. The 2026 HIPAA update mandates behavioral detection specifically.
- Full disk encryption verified and documented: BitLocker confirmation report for Windows devices, FileVault confirmation for Mac, MDM compliance report for mobile devices. Not assumed — verified and documented.
- MDM enrollment with compliance policy active: the device is enrolled in your MDM platform, the compliance policy is applied, and the device passes compliance checks before HCHB access is permitted. Non-compliant devices are denied access, not warned.
- Screen lock configured: automatic lock after 15 minutes maximum for clinical devices. HCHB sessions should time out at the application level as well — confirm the HCHB session timeout setting with your HCHB administrator and ensure it is set appropriately.
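The four controls above only work as a gate if a device that cannot prove them is denied rather than warned. The script below is an added example (not HCHB's or any MDM vendor's code) of that fail-closed evaluation run over a constructed MDM compliance export; the column names, the 24-hour EDR heartbeat window and the fixed "now" are assumptions, and a real Intune or Jamf export would need its own field mapping. Note that it treats an EDR agent that is installed but has not checked in as not "actively reporting", and treats any blank or unparsable value as a denial reason.

```python
"""Fail-closed device gate for HCHB access (added example, constructed data)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample MDM export. "edr_last_seen" is the EDR agent's last
# console check-in; an agent that is installed but silent is NOT "actively reporting".
SAMPLE_EXPORT = """\
device_id,user,os,edr_installed,edr_last_seen,disk_encrypted,mdm_compliant,screen_lock_minutes
LT-0101,rn.alvarez,windows,true,2026-03-09T14:05:00Z,true,true,10
LT-0102,rn.chen,windows,true,2026-02-20T08:00:00Z,true,true,15
MB-0201,lpn.okafor,macos,true,2026-03-09T12:30:00Z,false,true,15
PH-0301,rn.alvarez,ios,true,2026-03-09T13:00:00Z,true,false,5
LT-0103,rn.patel,windows,false,,true,true,30
LT-0104,rn.garcia,windows,true,2026-03-09T09:00:00Z,,true,
"""

NOW = datetime(2026, 3, 9, 15, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
EDR_MAX_SILENCE = timedelta(hours=24)                   # assumption: older heartbeat = not reporting
SCREEN_LOCK_MAX_MINUTES = 15                            # from the control list above


def _flag(value):
    """Parse a boolean column; anything other than an explicit 'true' is False (fail closed)."""
    return str(value).strip().lower() == "true"


def evaluate_device(row, now=NOW):
    """Return (allowed, reasons). Every missing or unparsable value becomes a denial reason."""
    reasons = []
    # Control 1: EDR installed AND recently reporting
    if not _flag(row.get("edr_installed")):
        reasons.append("EDR not installed")
    else:
        try:
            last_seen = datetime.fromisoformat(row["edr_last_seen"].replace("Z", "+00:00"))
            if now - last_seen > EDR_MAX_SILENCE:
                reasons.append(f"EDR silent for {(now - last_seen).days}d")
        except (KeyError, ValueError, AttributeError):
            reasons.append("EDR check-in time missing")
    # Control 2: disk encryption verified, not assumed
    if not _flag(row.get("disk_encrypted")):
        reasons.append("disk encryption not verified")
    # Control 3: MDM compliance policy passing
    if not _flag(row.get("mdm_compliant")):
        reasons.append("MDM compliance failing")
    # Control 4: screen lock within the 15-minute maximum
    try:
        if int(row["screen_lock_minutes"]) > SCREEN_LOCK_MAX_MINUTES:
            reasons.append("screen lock exceeds 15 min")
    except (KeyError, ValueError, TypeError):
        reasons.append("screen lock not configured")
    return (len(reasons) == 0, reasons)


def gate_export(csv_text, now=NOW):
    """Evaluate every device in an export; returns {device_id: (allowed, reasons)}."""
    return {r["device_id"]: evaluate_device(r, now)
            for r in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for dev, (ok, why) in gate_export(SAMPLE_EXPORT).items():
        print(f"{dev}: {'ALLOW' if ok else 'DENY'} {', '.join(why)}")
```

Only LT-0101 passes on the sample data; LT-0102 is denied because its EDR agent has been silent for 17 days even though it is installed, which is exactly the case a simple "is EDR installed?" check misses.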
Authentication: MFA Enforcement for HCHB Logins
HCHB supports SAML-based SSO integration with external identity providers. Integrating HCHB with Microsoft Entra ID or Google Identity — and enforcing MFA at the identity provider level — is the recommended configuration for two reasons: it enforces MFA consistently across HCHB and every other integrated application the staff member uses, and it enables centralised account management so that deactivating a staff member in the identity provider simultaneously terminates their HCHB access.
If SSO integration is not feasible for your HCHB deployment, at minimum enforce HCHB's native MFA settings and implement a strict account deactivation protocol that ensures HCHB accounts are deactivated on the same day a staff member's employment ends. HCHB account deactivation that is separate from Microsoft 365 or HR system deactivation creates a gap where former employees retain HCHB access after other access has been terminated.
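Where HCHB accounts are deactivated separately from Microsoft 365 or HR, the gap described above can be measured rather than guessed at by reconciling the HR leaver list against HCHB's active-user export. The following is an added example, not HCHB's or Microsoft's code; both inputs are constructed, and the field names (`upn`, `term_date`, `login`, `status`, `last_login`) are assumptions that would be mapped onto your real HR feed and HCHB user report. It ranks each orphaned account by days of exposure and flags the worst case: an account that was actually used after the termination date.

```python
"""Orphaned HCHB account reconciliation (added example, constructed data)."""
from datetime import date

# Constructed: terminations from the HR system / identity provider.
HR_TERMINATIONS = [
    {"upn": "j.smith@agency.example",  "term_date": "2026-03-01"},
    {"upn": "m.lee@agency.example",    "term_date": "2026-03-06"},
    {"upn": "k.nguyen@agency.example", "term_date": "2026-03-09"},  # leaves today
]

# Constructed: HCHB active-user export. "last_login" as reported by the application.
HCHB_USERS = [
    {"login": "j.smith@agency.example",  "status": "active",   "last_login": "2026-03-05"},
    {"login": "m.lee@agency.example",    "status": "disabled", "last_login": "2026-03-04"},
    {"login": "k.nguyen@agency.example", "status": "active",   "last_login": "2026-03-09"},
    {"login": "r.diaz@agency.example",   "status": "active",   "last_login": "2026-03-09"},
]


def find_orphaned_hchb_accounts(hr_terminations, hchb_users, today):
    """Return HCHB logins still active on or after their HR termination date.

    Each finding carries days of exposure and whether the account was used
    after termination (the case that turns a policy gap into an incident).
    """
    hchb_by_login = {u["login"].lower(): u for u in hchb_users}
    findings = []
    for t in hr_terminations:
        term = date.fromisoformat(t["term_date"])
        acct = hchb_by_login.get(t["upn"].lower())
        if acct is None or acct["status"] != "active":
            continue                      # no HCHB account, or already disabled
        if today < term:
            continue                      # future-dated leaver, not yet a gap
        last = date.fromisoformat(acct["last_login"])
        used_after = last > term
        findings.append({
            "login": acct["login"],
            "days_exposed": (today - term).days,
            "used_after_termination": used_after,
            "severity": "critical" if used_after else "high",
        })
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)


if __name__ == "__main__":
    for f in find_orphaned_hchb_accounts(HR_TERMINATIONS, HCHB_USERS, date(2026, 3, 9)):
        print(f)
```

Run daily (it is cheap), this turns the same-day deactivation protocol into something you can evidence: an empty result is the compliant state, and a same-day leaver still active at end of day is already a finding.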
Audit Log Review: Your HIPAA Obligation for HCHB Activity
HCHB generates detailed audit logs of user activity within the platform. Your HIPAA obligation to conduct periodic audit log review — examining access patterns for anomalies, inappropriate access, and unusual export activity — is an obligation your agency fulfils using the logs HCHB provides. Most HCHB-using agencies have enabled logging but have never established a review process. Establish one: quarterly review of HCHB access logs, examining access by user role against their assigned caseload, large data exports, access during unusual hours, and any access from locations inconsistent with the user's normal pattern.
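The four review questions above (caseload, large exports, unusual hours, unusual locations) are straightforward to turn into a repeatable check that is run over the quarter's log export rather than eyeballed. The script below is an added example, not HCHB's own reporting: the audit-log columns, the caseload table, the 06:00 to 20:59 working window, the 1,000-record export threshold and the 20% location baseline are all constructed assumptions, and HCHB's real audit export would need its columns mapped onto these before use.

```python
"""Quarterly HCHB audit-log review checks (added example, constructed data)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit export: one event per line.
AUDIT_LOG = """\
timestamp,user,role,action,patient_id,record_count,location
2026-01-12T09:14:00,rn.alvarez,field_rn,view_chart,P1001,1,Dallas TX
2026-01-12T10:02:00,rn.alvarez,field_rn,view_chart,P1002,1,Dallas TX
2026-01-13T08:45:00,rn.alvarez,field_rn,view_chart,P1001,1,Dallas TX
2026-01-14T02:17:00,rn.alvarez,field_rn,view_chart,P2208,1,Dallas TX
2026-01-15T11:30:00,rn.alvarez,field_rn,view_chart,P1003,1,Dallas TX
2026-01-20T13:05:00,rn.alvarez,field_rn,view_chart,P1002,1,Miami FL
2026-01-18T16:40:00,billing.kim,billing,export_report,,4200,Dallas TX
2026-01-19T09:00:00,billing.kim,billing,export_report,,35,Dallas TX
2026-01-19T09:30:00,billing.kim,billing,export_report,,40,Dallas TX
"""

# Constructed caseload assignments: patients each field clinician is assigned to.
CASELOAD = {"rn.alvarez": {"P1001", "P1002", "P1003"}}
BUSINESS_HOURS = range(6, 21)  # assumption: 06:00-20:59 is normal for field staff
EXPORT_THRESHOLD = 1000        # assumption: records in one export that warrants review
MIN_LOCATION_SHARE = 0.2       # assumption: <20% of a user's own events = unusual location


def review_audit_log(csv_text):
    """Return a list of (check, user, detail) findings for the reviewer."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []

    # 1. Chart access outside the clinician's assigned caseload (field roles only).
    for r in rows:
        if r["role"] == "field_rn" and r["patient_id"]:
            if r["patient_id"] not in CASELOAD.get(r["user"], set()):
                findings.append(("caseload", r["user"], r["patient_id"]))

    # 2. Large data exports.
    for r in rows:
        if r["action"] == "export_report" and int(r["record_count"] or 0) >= EXPORT_THRESHOLD:
            findings.append(("large_export", r["user"], r["record_count"]))

    # 3. Access during unusual hours.
    for r in rows:
        if datetime.fromisoformat(r["timestamp"]).hour not in BUSINESS_HOURS:
            findings.append(("off_hours", r["user"], r["timestamp"]))

    # 4. Location inconsistent with the user's own normal pattern. The baseline is
    #    per user, so a billing clerk and a field nurse are each compared to themselves.
    locations = defaultdict(Counter)
    for r in rows:
        locations[r["user"]][r["location"]] += 1
    for user, counter in locations.items():
        total = sum(counter.values())
        for loc, n in counter.items():
            if n / total < MIN_LOCATION_SHARE:
                findings.append(("unusual_location", user, loc))

    return findings


def findings_by_user(csv_text):
    """Group findings per user so the quarterly review can be worked one person at a time."""
    grouped = defaultdict(list)
    for check, user, detail in review_audit_log(csv_text):
        grouped[user].append((check, detail))
    return dict(grouped)


if __name__ == "__main__":
    for user, items in findings_by_user(AUDIT_LOG).items():
        print(user)
        for check, detail in items:
            print(f"  {check}: {detail}")
```

On the sample data the review raises one item of each kind: a chart opened outside the caseload at 02:17, a 4,200-record export, and a single Miami login against a Dallas baseline. Each is a question for a human reviewer, not a verdict; the value of the script is that the questions are asked every quarter instead of never.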
Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.
→ Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment
→ Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare
→ View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison

