Securing Axxess for Hospice Agencies: Beyond the Platform's Built-In Security

Obi Ibeto

Axxess is a widely used hospice software platform — but its security doesn't extend to your devices, networks, or staff behavior. Here's the security layer your hospice agency must build around Axxess.

Axxess is one of the most widely adopted home health and hospice software platforms in the United States. Its cloud-based architecture, mobile documentation capabilities, and integrated care management tools make it a strong operational choice for hospice agencies of all sizes. Axxess maintains a Business Associate Agreement and provides security at the application and infrastructure level.

What it does not provide is security for the environment in which your staff access it. The device a chaplain uses to document a spiritual care visit, the home WiFi network a social worker connects from, the email account used to receive Axxess notifications, and the behavior of staff members who are phished — all of that falls outside Axxess's security responsibility and inside yours.

Understanding the Axxess Security Boundary

What Axxess covers:

  • Infrastructure and application security for the hosted Axxess platform
  • Encryption of data in transit between Axxess servers and your browsers/apps
  • Application-level user management and role-based access within Axxess
  • Audit logging of access events within the Axxess application
  • Axxess's obligations as a business associate under HIPAA

What falls to your agency:

  • Security of every device used to access Axxess (smartphones, tablets, laptops)
  • Security of networks from which Axxess is accessed (home WiFi, patient home networks, office network)
  • Email security for accounts receiving Axxess notifications and care coordination emails
  • MFA configuration at the identity provider level
  • Physical security of devices used in the field
  • Backup of documentation and data created outside or exported from Axxess
  • Staff training and behavior

The Hospice-Specific Security Challenges Around Axxess

Challenge 1: The Interdisciplinary Group Documentation Workflow

Hospice care is delivered by an interdisciplinary group — physicians, nurses, social workers, chaplains, aides, and volunteers. Each member documents their activities in Axxess. The variety of roles, the geographic distribution of team members, and the sensitivity of the information documented (end-of-life care plans, advance directives, spiritual assessments) create a unique security challenge.

A chaplain who uses a personal tablet to document spiritual care visits in Axxess from a patient's home, connected to the patient's WiFi network, is accessing extremely sensitive ePHI from an uncontrolled environment on an unmanaged device.

The security requirement: deploy MDM on the chaplain's personal tablet to create a managed container for Axxess access, and verify that the device is encrypted. The patient's home WiFi presents no risk because the Axxess connection is encrypted in transit, and the MDM container's data is encrypted at rest.

Challenge 2: Volunteer Access to Axxess

Many hospice agencies give volunteers limited access to Axxess for scheduling coordination, visit documentation, or administrative support. Volunteer accounts are frequently overlooked in security reviews:

  • Volunteers may not complete the same security training as paid staff
  • Volunteer devices are typically entirely personal and unmanaged
  • Volunteer accounts may not have MFA enforced
  • When volunteers leave, account deprovisioning is often delayed or missed

The 2026 HIPAA Security Rule's MFA requirement applies to volunteer accounts that access ePHI. The access control review process must include volunteer accounts. Deprovisioning must occur when a volunteer's engagement ends.

Challenge 3: Family Communication Via Axxess

Axxess includes patient family communication capabilities — messaging, care updates, and documentation sharing with families. This patient-facing communication involves ePHI and must meet HIPAA requirements. Ensure that:

  • Family communication features are configured to use encrypted channels
  • Access to family communication records is restricted to appropriate clinical staff
  • The BAA with Axxess covers this component of the platform

The Security Controls Your Agency Must Layer Around Axxess

Device security: Encryption verified on every device used to access Axxess. MDM providing remote wipe capability and a managed container for BYOD personal devices. EDR on all endpoints. Patch management ensuring current OS and app versions.

Authentication: Axxess supports SSO integration. Configure MFA enforcement through your identity provider so every Axxess login requires a second factor. Quarterly access review to confirm active accounts match current staff roster.
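One way to run the quarterly access review described here, and the volunteer deprovisioning and MFA checks from Challenge 2, is to reconcile an account export against the staff and volunteer roster. This is an added example, not Axxess or ShieldForce code; the CSV column names, the addresses and the dates are constructed assumptions, not a real export format.

```python
import csv
import io
from datetime import date

# Constructed sample data. The column names are assumptions for this example,
# not the format of any real Axxess or identity-provider export.
ACCOUNTS_CSV = """username,role,status,mfa_enrolled
rn.lee@agency.example,nurse,active,yes
chaplain.ortiz@agency.example,chaplain,active,no
vol.kim@agency.example,volunteer,active,no
vol.shah@agency.example,volunteer,active,yes
sw.brown@agency.example,social_worker,disabled,yes
temp.aide@agency.example,aide,active,yes
"""

ROSTER_CSV = """email,engagement,end_date
rn.lee@agency.example,staff,
chaplain.ortiz@agency.example,staff,
vol.kim@agency.example,volunteer,
vol.shah@agency.example,volunteer,2025-11-30
sw.brown@agency.example,staff,2025-09-15
"""


def review_access(accounts_csv, roster_csv, as_of):
    """Return sorted (username, finding) pairs for every active account."""
    roster = {r["email"].strip().lower(): r
              for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["status"].strip().lower() != "active":
            continue  # already deprovisioned, nothing to review
        user = acct["username"].strip().lower()
        person = roster.get(user)
        if person is None:
            findings.append((user, "not on roster"))
        elif person["end_date"] and date.fromisoformat(person["end_date"]) < as_of:
            findings.append((user, "engagement ended " + person["end_date"]))
        if acct["mfa_enrolled"].strip().lower() != "yes":
            findings.append((user, "MFA not enrolled"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS_CSV, ROSTER_CSV, date(2026, 1, 15)):
        print(f"{user}: {finding}")
```

Keeping the printed findings with the review date gives the documented evidence that the review took place.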

Email security: Axxess sends email notifications. Deploy advanced email security with anti-impersonation protection to prevent Axxess-branded phishing. DMARC configured to prevent domain spoofing.

Audit log review: Review Axxess audit logs quarterly and immediately following any suspected security incident. Document reviews.

Staff training: Include Axxess-specific security scenarios in annual training: what to do if an Axxess notification seems suspicious, how to handle device loss while conducting a patient visit, why sharing Axxess login credentials is prohibited.


Complete your Axxess security program with the controls the platform doesn't include. ShieldForce protects the devices, networks, email, and staff layer around your Axxess deployment — with full HIPAA compliance documentation.
