PointClickCare is one of the most widely used clinical management platforms in post-acute and home health care. Its care coordination tools, outcomes tracking, and interoperability with hospital systems make it a strong operational choice for home health agencies. Like all major EHR and care management platforms, PointClickCare maintains security at the application and infrastructure level and provides a Business Associate Agreement.
But PointClickCare's responsibility, like that of every EHR vendor, ends at the application boundary. The devices your nurses use to reach PointClickCare, the networks they connect from, the email accounts tied to their PointClickCare credentials, and the physical security of devices in the field are all your agency's responsibility.
Understanding this boundary clearly is the starting point for building a complete HIPAA-compliant security program around your PointClickCare deployment.
The PointClickCare Security Boundary
What PointClickCare covers under their BAA:
- Infrastructure security for the hosted PointClickCare environment.
- Encryption of data in transit between PointClickCare's servers and your browser or application.
- Application-level access controls and role-based permissions within PointClickCare.
- Audit logging within the application.
- PointClickCare's own HIPAA breach notification obligations as a business associate.
What PointClickCare does not cover:
- The devices your staff use to access PointClickCare.
- The networks those devices connect from.
- The email accounts receiving PointClickCare notifications.
- Staff credential security, including passwords and phishing susceptibility.
- Physical security of devices containing cached PointClickCare data.
- Backup of data your agency exports from PointClickCare.
- MFA configuration at the identity provider level.
The Four Security Layers Your Agency Must Add
Layer 1: Device Security - Protecting What Accesses PointClickCare
Every device used to access PointClickCare is a potential entry point. In a home health environment that typically means:
- Office workstations and laptops used for care coordination, scheduling, and documentation.
- Tablets carried by field nurses into patient homes.
- Personal smartphones used by case managers to access PointClickCare between visits.
Required controls for each device:
Encryption: Every device must use full-disk (or, on phones and tablets, platform) encryption protected by a strong device passcode and automatic screen lock. A nurse's tablet lost between visits is a reportable breach if the cached PointClickCare data on it is readable; if the device is encrypted and locked, the data is unreadable without the passcode, and under HHS's guidance on unsecured PHI, properly encrypted data is not treated as unsecured. Two caveats: encryption protects nothing on a device left unlocked, and a short numeric PIN on hardware without rate limiting is weak protection for the key.
MDM (Mobile Device Management): MDM provides remote wipe if a device is lost or stolen and enforces encryption, screen lock, and minimum OS version centrally rather than relying on staff to configure them. For personal (BYOD) devices, a managed work profile or app container holds the PointClickCare app and its cached data and can be wiped without touching personal photos or messages.
EDR (Endpoint Detection and Response): Behavioral detection catches malware, credential-harvesting tools, and ransomware that signature antivirus misses, on any device that accesses PointClickCare. EDR only helps if someone reviews and acts on its alerts; a console nobody watches is not a control.
Patch management: Automated operating system and browser updates must run on all devices, and a device that falls behind a supported version should lose access until it is updated, which is a device-compliance condition your identity provider can enforce.
Layer 2: Authentication - Securing PointClickCare Logins
PointClickCare supports single sign-on integration via SAML 2.0, so MFA can be enforced by your identity provider (Microsoft Entra ID, Okta, or a similar platform) for every PointClickCare login. This is the configuration that stops a stolen password from being enough on its own. Two checks matter: prefer phishing-resistant MFA (FIDO2 security keys or passkeys) over SMS codes and push approval, because a real-time phishing proxy can relay one-time codes and push prompts; and confirm that staff cannot still sign in to PointClickCare with a local username and password outside SSO, because any such path is where an attacker goes once SSO is locked down.
- MFA enforced for every PointClickCare login.
- Conditional Access policies that verify device compliance before granting access.
- Account deprovisioning through the identity provider, so that disabling a departing staff member's identity account immediately blocks their PointClickCare login. Verify that no separate local PointClickCare credential survives for that person, and remove it if one does.
Layer 3: Email Security - Protecting PointClickCare Notification Channels
PointClickCare sends email notifications including care alerts, system notifications, and workflow reminders. Attackers impersonate these in phishing campaigns, knowing that staff who routinely receive PointClickCare emails are less suspicious of a convincing fake.
Advanced email security with anti-impersonation protection, DMARC enforcement, and malicious link scanning stops most PointClickCare-branded phishing before it reaches staff. Two points to check: DMARC published on your own domain protects other people from mail spoofing you, while inbound protection depends on your gateway honoring the sender's DMARC policy; and a lookalike domain the attacker registered passes SPF, DKIM, and DMARC cleanly, so it is impersonation detection (display-name and lookalike-domain analysis), not DMARC, that catches it. Link scanning should rewrite and re-check URLs at click time, since phishing pages are frequently armed only after delivery.
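As an added example (not PointClickCare's or ShieldForce's code, and not a description of any particular mail gateway), the following Python shows the decision an inbound gateway makes when it enforces a sender's DMARC policy, and why an attacker-owned lookalike domain sails through it. The domain names, DMARC records, and messages are constructed for the example; `org_domain` approximates the organizational domain by taking the last two labels, which a real implementation replaces with the Public Suffix List.

```python
"""Added example: DMARC evaluation and lookalike-domain detection.
Not PointClickCare's or ShieldForce's code; domains and records are constructed."""
from __future__ import annotations
import re

DMARC_TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)")


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into tags.
    Defaults per RFC 7489: relaxed alignment, sp= inherits p=."""
    tags = {k: v.strip() for k, v in DMARC_TAG_RE.findall(record)}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption for the example: a real gateway uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record: str, from_domain: str,
                      spf: tuple[str, str] | None,
                      dkim: tuple[str, str] | None) -> str:
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject').
    spf  = (domain the SPF check authenticated, SPF result), or None
    dkim = (d= of a signature that verified, DKIM result), or None"""
    tags = parse_dmarc(record)
    spf_ok = spf is not None and spf[1] == "pass" and aligned(from_domain, spf[0], tags["aspf"])
    dkim_ok = dkim is not None and dkim[1] == "pass" and aligned(from_domain, dkim[0], tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # p= covers the organizational domain itself, sp= covers its subdomains.
    return tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]


CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def looks_like(domain: str, brand_org_domain: str) -> bool:
    """Minimal lookalike heuristic: after folding digit-for-letter swaps and
    hyphens, does the leftmost label of a foreign domain contain the brand?
    A real product also checks edit distance, homoglyphs, and display names."""
    d = org_domain(domain)
    if d == brand_org_domain:
        return False
    brand = brand_org_domain.split(".")[0]
    label = d.split(".")[0].translate(CONFUSABLES).replace("-", "")
    return brand in label


def evaluate(record: str, from_domain: str, spf, dkim, brand_org_domain: str) -> dict:
    """What an inbound gateway concludes about one message: the DMARC result
    for the From domain, and whether that domain impersonates the brand."""
    return {"dmarc": dmarc_disposition(record, from_domain, spf, dkim),
            "lookalike": looks_like(from_domain, brand_org_domain)}


if __name__ == "__main__":
    BRAND = "pointclickcare.example"                      # constructed stand-in for the vendor domain
    BRAND_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r"   # constructed record
    # 1. Genuine notification: DKIM-signed by the brand domain -> pass, not a lookalike.
    print(evaluate(BRAND_DMARC, BRAND, None, (BRAND, "pass"), BRAND))
    # 2. Direct spoof: attacker's server passes SPF only for its own domain -> reject.
    print(evaluate(BRAND_DMARC, BRAND, ("attacker.example", "pass"), None, BRAND))
    # 3. Lookalike: attacker-owned domain with an honest DMARC record -> DMARC passes,
    #    only the impersonation check fires.
    print(evaluate("v=DMARC1; p=none", "pointclickcare-support.example", None,
                   ("pointclickcare-support.example", "pass"), BRAND))
```

The third case is the one to remember when reading a vendor's "DMARC enforced" checkbox: the attacker controls both the domain and its DNS, so every authentication check passes and the catch has to come from impersonation analysis.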
Layer 4: Backup - Protecting Data Beyond PointClickCare
PointClickCare maintains its own data redundancy. But reports, exports, and documentation your agency derives from PointClickCare and keeps outside the platform (in email, SharePoint, or local file storage) are outside that redundancy and need independent backup.
Immutable backups in isolated cloud storage, with restores tested on a schedule, protect that supplementary clinical and administrative data from ransomware; a backup that has never been restored is an assumption, not a control.
The Audit Log Review Obligation
PointClickCare maintains audit logs within the application, recording which account accessed which patient record and when. The HIPAA Security Rule requires regular information system activity review (45 CFR 164.308(a)(1)(ii)(D)) but sets no frequency, so your policy has to, and the reviews have to actually happen:
- At minimum quarterly, and more often for accounts with broad access such as billing and administration.
- Immediately following any suspected security incident, including a reported phishing email.
- With documented review records retained for six years, the retention period the Security Rule sets for compliance documentation (45 CFR 164.316(b)(2)).
The logs exist in PointClickCare. The review process, its documentation, and the response to anomalous findings are your agency's responsibility. Reviewing means looking for specific patterns rather than scrolling: an account viewing far more charts than its role needs, access at hours when that employee does not work, activity on an account that should have been disabled, and views of patients outside a worker's caseload.
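As an added example (not PointClickCare code; the record layout is an assumption, since the page does not show the platform's export format), this Python runs three of those checks over a constructed audit log: chart-view volume well above an account's own daily baseline, activity outside a working-hours window, and use of an account after the employee's last day. It is also the detection step for the compromised-account scenario described below, where stolen credentials are used quietly for weeks. Thresholds are illustrative; in home health, nurses document at odd hours, so tune the hours window per role rather than treating every night-time entry as an incident.

```python
"""Added example: first-pass audit log review for anomalous chart access.
Not PointClickCare code; the record layout and every entry are constructed."""
from __future__ import annotations
from collections import defaultdict
from datetime import date, datetime, time, timedelta
from statistics import median


def _day(account: str, d: date, n: int, start_hour: int = 9) -> list[tuple[datetime, str, str, str]]:
    """Constructed events: n distinct charts viewed by one account on one day,
    spread over eight hourly slots starting at start_hour."""
    return [(datetime.combine(d, time(start_hour + i % 8)), account, f"P{1000 + i}", "ViewChart")
            for i in range(n)]


DAYS = [date(2024, 3, 1) + timedelta(days=i) for i in range(5)]
AUDIT_LOG = (
    [e for d in DAYS for e in _day("nurse_a", d, 4)]            # steady field caseload
    + [e for d in DAYS[:4] for e in _day("billing_b", d, 6)]    # normal billing volume
    + _day("billing_b", DAYS[4], 45, start_hour=2)              # 45 charts from 02:00: the spike
    + _day("jdoe", DAYS[4], 2)                                  # activity after last day employed
)
TERMINATED = {"jdoe": date(2024, 3, 4)}   # account -> last day employed (from HR; constructed)


def review(log, terminated, floor: int = 20, multiplier: float = 3.0,
           hours: tuple[time, time] = (time(6), time(22))) -> list[dict]:
    """Three checks a reviewer runs over one review period.
    A day is a volume spike if distinct patients exceed both the absolute
    floor and multiplier x the account's median on its other days."""
    per_day: dict[tuple[str, date], set[str]] = defaultdict(set)
    off_hours: dict[tuple[str, date], int] = defaultdict(int)
    after_term: dict[tuple[str, date], int] = defaultdict(int)
    for ts, account, patient, _action in log:
        key = (account, ts.date())
        per_day[key].add(patient)
        if not (hours[0] <= ts.time() < hours[1]):
            off_hours[key] += 1
        last_day = terminated.get(account)
        if last_day is not None and ts.date() > last_day:
            after_term[key] += 1

    findings: list[dict] = []
    by_account: dict[str, dict[date, int]] = defaultdict(dict)
    for (account, day), patients in per_day.items():
        by_account[account][day] = len(patients)
    for account, days in by_account.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if count > max(floor, multiplier * baseline):
                findings.append({"rule": "volume_spike", "account": account, "day": day,
                                 "count": count, "detail": f"baseline {baseline} patients/day"})
    for (account, day), n in off_hours.items():
        findings.append({"rule": "off_hours", "account": account, "day": day, "count": n,
                         "detail": f"events outside {hours[0]}-{hours[1]}"})
    for (account, day), n in after_term.items():
        findings.append({"rule": "terminated_account", "account": account, "day": day,
                         "count": n, "detail": f"last day {terminated[account]}"})
    return findings


if __name__ == "__main__":
    for f in review(AUDIT_LOG, TERMINATED):
        print(f"{f['rule']:<19} {f['account']:<10} {f['day']}  {f['count']:>3}  {f['detail']}")
```

Each finding is a candidate, not a verdict: the review record should show who looked at it, what the explanation was (a new admission surge, a legitimate night shift, a forgotten local account), and what was done about it. That record is what survives an audit; the script only points at where to look.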
When PointClickCare Access Is Compromised
The most common attack scenario involving PointClickCare follows this pattern:
- A billing staff member receives a convincing phishing email purportedly from PointClickCare support.
- She clicks the link and enters her credentials on a spoofed PointClickCare login page.
- The attacker captures her username and password.
- Without MFA, those credentials provide immediate access to PointClickCare and all patient records the billing staff member's role can access.
- The attacker accesses records silently for days or weeks before detection.
The complete defense is layered. Advanced email security keeps the phishing email from reaching the staff member. If it does reach her, MFA (with no local login path around SSO) means her captured password alone cannot open PointClickCare. If she reports the suspicious email, her password is reset and her sessions revoked, and the incident is documented and reviewed before the attacker can use what was captured. And if all of that fails, the audit log review is what finds the silent access; the shorter the review interval, the shorter the exposure.
Complete the security picture around your PointClickCare deployment.
ShieldForce protects the devices, networks, email, and access layer that PointClickCare does not cover, with full HIPAA compliance documentation included.
Explore Home Healthcare Cybersecurity
Schedule a free assessment of your PointClickCare security posture.

