01 — Full specification and component decisions

Encore EVV — complete component and decision matrix

Master spec · April 2026
Area Component / Decision Implementation approach Notes Status
Core architecture
Architecture model Split-data biometric model Biometric data (facial embeddings, match scores, attempt logs) stays internal on Encore's system. Only the 6 federally required EVV fields transmit to the state aggregator. Each visit carries a Biometric Success ID linking the internal biometric record to the aggregator visit record for audit. Aggregators are not equipped to ingest biometric templates. Biometrics are the internal proof layer — EVV fields are the compliance submission layer. Confirmed
Build approach Offline-first · React Native hybrid Single React Native codebase for Android tablet APK and caregiver phone app. Full functionality without internet. All data stored locally in AES-256 encrypted storage and synced when connectivity is restored. Timestamp recorded at scan, never at sync. Timestamp-at-scan is a hard EVV compliance requirement — aggregators require actual visit time, not upload time. Confirmed
Backend Node.js / NestJS + PostgreSQL NestJS structured module architecture appropriate for compliance-heavy requirements. PostgreSQL with AES-256 encryption at rest. Encryption keys stored separately from visit records. All API and aggregator transmissions TLS 1.2 minimum, TLS 1.3 preferred. Confirmed
Verification logic 3-gate checkout logic At check-out, three gates run in sequence: (1) GPS matches patient's registered home address → auto-approve, (2) GPS matches an approved location from the care plan → auto-approve, (3) patient biometric confirms co-presence regardless of GPS → auto-approve. Any single gate passing clears the shift. All three failing triggers a flagged evidence package for coordinator review. Non-blocking by design. Caregiver is never prevented from proceeding — shift is logged and flagged. Confirmed
Sequence enforcement Aggregator ACK gates claim Claim generation is programmatically blocked until the state aggregator's acknowledgement is logged against the shift record. Cannot be manually bypassed. Prevents claims being submitted without verified EVV data — the root cause of most EVV-related denials. Confirmed
Biometric system
Biometric SDK FaceSDK — on-device FaceSDK processes biometric capture fully offline on the Android tablet and caregiver phone. Raw photos converted immediately to encrypted mathematical embeddings on-device. Raw images never stored — not on device, not on backend. Embeddings stored server-side, encrypted. On-device processing required for offline-first architecture. BAA to be executed with FaceSDK vendor before any live patient data is handled. Confirmed — FaceSDK
Caregiver enrollment 3-angle face enrollment One-time facial enrollment on caregiver's personal phone prior to first shift — front, left, right angles. Raw images converted to encrypted embeddings immediately, originals deleted. Account remains Inactive until a coordinator manually activates the profile. Coordinator activation gate prevents unauthorised device access. Must comply with HIPAA and applicable Ohio/PA biometric privacy laws. Confirmed
Patient biometric Provisional photo → live upgrade Family uploads baseline photo at intake — immediately converted to embedding, original deleted. On the patient's first real shift, the kiosk captures a live scan that automatically upgrades the profile to high-fidelity. No coordinator action needed for the upgrade. HIPAA data minimisation: raw images are never stored long-term. Coordinator reviews initial photo quality before first shift. Confirmed
EVV verification method code BIO code — pending confirmation Sandata's Alt-EVV V5.0 schema includes a VerificationMethod field. If Ohio supports a BIO code, Encore EVV submits with it. If BIO is not yet supported, visits submit as MVV (GPS/Mobile Visit Verification) — satisfying the GPS compliance requirement — while the biometric match is retained as an internal audit flag only. Action required: confirm with Sandata / Ohio ODM which VerificationMethod codes are supported before build. Email: [email protected] Open — confirm Sandata
Hardware and device management
Tablet hardware Android kiosk tablet · one per caregiver Dedicated Android tablet per caregiver. Wintouch A10 or equivalent. MDM-locked to single-app kiosk mode. Caregiver carries the tablet to every visit — tablet never lives at the patient's home. 10,000mAh power bank standard issue. Spare tablet pool maintained at the office. See tablet procurement section for pricing and MOQ details. Front camera required for biometric scan. Caregiver-carries model confirmed. Confirmed
MDM platform ManageEngine (recommended) or Jamf MDM enforces Android single-app kiosk lock. Blocks home button, status bar, quick settings, and notifications. OTA updates pushed overnight. Zero-touch enrollment via Android Zero-Touch portal — tablets auto-configure on first Wi-Fi connection. MDM heartbeat feeds coordinator dashboard with live device status. Remote wipe, lock, and location tracking enabled. See MDM comparison below. ManageEngine recommended for initial Ohio fleet. Revisit at scale. Decision required
EVV aggregator integration
Ohio routing All patients → Sandata Ohio Ohio's sole EVV aggregator. All Ohio patients regardless of payer (FFS, Aetna, Buckeye, CareSource, Humana, Molina, United) route to Sandata. EVV data formatted to Sandata Ohio Alt-EVV technical spec and transmitted in near real-time. Ohio is the target go-live state. Single aggregator — simpler certification path. Contact ODM immediately to enter the certification queue. Confirmed
Pennsylvania FFS FFS + waivers → Sandata PA PA fee-for-service and waiver patients (ACT150, DDD) route to Sandata under PA DHS configuration. Same vendor as Ohio, separate state configuration and separate certification. PA is the second certification phase after Ohio is live and stable. Confirmed
Pennsylvania MCO MCO patients → HHAeXchange PA MCO-managed patients (AmeriHealth, UPMC, Highmark, Health Partners, PA Health & Wellness, United) route to HHAeXchange. HHAeXchange automatically forwards to Sandata for PA DHS reporting — no double-submission needed. Contact: [email protected] to initiate alternate vendor setup. Confirmed
Routing logic Payer-driven automatic routing The payer/plan field captured at patient intake permanently determines which aggregator receives every future shift for that patient. No manual routing decision per visit. Routing table: Ohio + any plan = Sandata Ohio. PA + FFS/waiver = Sandata PA. PA + MCO = HHAeXchange. Payer/plan is a required field at intake. Must be set before patient's first visit. Confirmed
835 ERA mapping Remittance mapped to shift records When the 835 ERA returns from Medicaid/MCOs, Encore EVV maps payment status (Paid / Denied / Short-paid) and denial reason codes back to the original shift record. Denied claims surfaced in the dashboard with reason code and correction path. Eliminates blind billing disputes. Billing team resolves EVV-related denials directly from the dashboard. Confirmed
Billing platform AxisCare — billing only AxisCare retained as billing backend only — not the EVV capture system. Data flow: Encore EVV → Sandata/HHAeXchange → AxisCare billing/claims submission. Confirmation required from AxisCare that their billing module can accept externally verified EVV records before build scope is finalised. Pending AxisCare API confirmation
Consent, compliance and legal
Biometric consent Explicit consent at intake — required Patient intake must include explicit, timestamped digital acknowledgement for: facial scanning at each visit, facial embedding storage in Encore's encrypted system, and biometric data used solely for shift verification. Checkbox with timestamp is minimum. Stored as immutable ePHI, 6-year minimum retention. Legal requirement in many states. HIPAA best practice regardless. Consent renewed if legal guardian changes. Confirmed
GPS consent Ohio ODM mandatory — separate consent Ohio requires signed patient consent before GPS coordinates can be captured (ODM form 10375 equivalent). Without consent, location logged as "home" or "community" only — no coordinates captured or transmitted. Patient record flagged as GPS-consent-pending. Consent renewed annually. Pennsylvania also requires GPS consent. Covers location at check-in/out and caregiver GPS breadcrumb data. Confirmed
HIPAA NPP Notice of Privacy Practices — at intake Federal requirement. Intake form includes acknowledgement of Encore Care's HIPAA Notice of Privacy Practices before any ePHI is collected. Timestamped and stored as immutable ePHI, 6-year minimum retention. All three consent types (biometric, GPS, HIPAA NPP) captured in step 2 of the patient intake flow. Confirmed
Proxy / POA handling Coordinator review gate For patients lacking capacity, a legal guardian or POA completes all consent sections. Coordinator reviews and uploads POA document or guardianship order in the patient record, then manually activates the patient profile. Patient cannot have first visit scheduled until coordinator marks proxy documentation as reviewed and on file. Coordinator review gate closes the loophole of unverified proxies completing a web form. All proxy consents stored as immutable ePHI. Confirmed
Exception handling and fraud prevention
Scan failure 3 attempts → flag and mandatory note Maximum 3 biometric scan attempts. After 3 failures: shift is logged and flagged. Caregiver must submit a mandatory, immutable free-text note before screen dismisses. Note becomes part of the coordinator evidence package. Caregiver is never blocked from proceeding — care is never interrupted. Shift continues as flagged. Surfaces in coordinator queue for review with full evidence package. Confirmed
Biometric exemption Coordinator-set patient exemption flag Coordinator can mark a patient profile as biometric-exempt (e.g. severe physical limitations). All future shifts for that patient skip the patient scan step and route to supervisor spot-check protocol. Exempt flag stored on patient profile, not the shift record. Exempt shifts reported separately from biometric-failed shifts in all compliance reports. Confirmed
Internal fraud prevention Coordinator cannot approve own shifts Hard API-level constraint prevents any coordinator from approving a flagged shift where they are also listed as the active caregiver. Enforced at API level — cannot be bypassed by frontend manipulation. Essential for internal fraud prevention and Medicaid audit integrity. Confirmed
Family anti-collusion Read-only family portal — API enforced Families can view verified shift histories and opt into arrival/departure notifications. Hard API limits prevent families from adding approved locations, editing care plans, or approving/rejecting shifts. Prevents coordination between caregivers and families to fabricate visits. Confirmed
HIPAA and security
Encryption AES-256 at rest · TLS 1.3 in transit AES-256 for tablet local storage, backend database, and biometric embeddings. Encryption keys stored separately from visit records. TLS 1.2 minimum, TLS 1.3 preferred for all transmissions. Every EVV transmission is a transfer of ePHI — encryption applies end-to-end. Confirmed
Access control MFA + RBAC + auto-logout Unique user IDs and MFA for all coordinator/admin access. RBAC enforced at API level. Auto-logout: 15 min dashboard, 30 min phone app, 60s kiosk tablet. Auto-logout timers required for devices handling ePHI in patient homes. Confirmed
Audit logging Immutable audit logs · 6-year retention Every read and write action involving ePHI generates an immutable audit log: user ID, action type, record ID, timestamp. Cannot be edited or deleted by anyone including admins. All coordinator decisions permanently appended to evidence packages as immutable entries. Confirmed
May 2026 HIPAA updates Asset register + 72hr incident response Living inventory of every asset touching ePHI — tablet serial numbers, MDM status, cloud servers, SDKs, APIs. Documented and tested 72-hour system restoration and breach notification plan. Annual pen testing infrastructure built in from day one. New mandates effective May 2026. Must be architected for compliance from the first sprint. Confirmed
HIPAA Risk Assessment Third-party external assessment Mandatory third-party HIPAA Risk Assessment must be completed before any live patient data is handled. Cannot be self-certified. Completed against the staging environment before Ohio go-live. Cost paid to external assessor firm ($5K–$15K). Budgeted separately from build cost — see costs table. Required pre go-live
SOC 2 Type II External audit — begin at staging Engage external audit firm when staging is live. 6–12 month observation window required before certification can be issued. The clock starts when controls are in place — not when the decision is made. Cost paid to external audit firm ($20K–$50K). Starting the observation period early is the only way to compress time to certification. Required — begin at staging

MDM platform — ManageEngine vs Jamf

Decision required before tablet procurement

Both platforms support Android zero-touch enrollment, kiosk lock enforcement, OTA updates, remote wipe/lock, and MDM heartbeat APIs. The decision is primarily cost vs enterprise depth.

ManageEngine MDM

Recommended · Lower cost
Lower cost — ~$3–5/device/month vs Jamf's $7–10
Adequate Android kiosk enforcement for this use case
Zero-touch enrollment and OTA push supported
REST API available for heartbeat integration into coordinator dashboard
Faster onboarding for mid-size fleets (50–500 tablets)
Less robust compliance reporting depth compared to Jamf
Smaller support organisation — longer resolution times for edge cases

Jamf Pro

Alternate · Enterprise-grade
Industry-leading enterprise policy management and enforcement depth
Stronger compliance reporting — better positioned for SOC 2 audit trail
Larger support organisation, dedicated customer success
Better long-term scalability for large caregiver fleets
Higher cost — $7–10/device/month (~$4,200–$6,000/yr at 50 devices)
Longer initial configuration and onboarding time
Recommendation
Start with ManageEngine for the Ohio launch. At initial scale, ManageEngine delivers adequate control at materially lower cost. Architecture supports a migration to Jamf later without rebuilding — the MDM heartbeat API integration in the coordinator dashboard is vendor-agnostic. Revisit when fleet exceeds 300 devices or when SOC 2 audit requirements create a case for Jamf's reporting depth.
02 — Technology stack

Confirmed technical decisions

All layers confirmed
Frontend — Tablet + Phone
React Native (hybrid)
Single codebase for Android tablet APK and caregiver phone app. MDM kiosk lock runs at OS level.
Backend + API
Node.js / NestJS
Encrypted PostgreSQL database. Structured module architecture for compliance-heavy requirements and multi-role access control.
Biometric SDK
FaceSDK — confirmed
On-device facial recognition. Fully offline on Android. Raw photos never stored. HIPAA-compliant. BAA required before go-live.
MDM Platform
ManageEngine (recommended)
Android zero-touch, kiosk profile, OTA updates, heartbeat API. Final decision required before tablet procurement.
Patient portal + Family
Mobile-optimised web
No app download. SMS/email link. Pre-filled from coordinator intake. Accessibility-first.
Encryption
AES-256 · TLS 1.3
Local storage, backend database, and embeddings all AES-256. Keys separated from records. TLS 1.3 preferred in transit.
Aggregator integration
Sandata + HHAeXchange
FHIR / EDI 837P formatted payloads. 6 EVV fields only transmitted. Biometrics never leave Encore's system.
Tablet hardware
Wintouch A10 · ~$75–85/unit
Android-based. Front camera required. One per caregiver. Initial batch for Ohio launch.
Billing backend
AxisCare (billing only)
Retained for claims processing. Encore EVV replaces AxisCare's EVV capture module only. API confirmation pending.
03 — Platform modules — full spec
Module A

Tablet app — kiosk, caregiver-facing (Android)

  • App runs in Android single-app kiosk lock enforced by MDM. No home button, status bar, or settings access. Remote wipe and lock available via MDM.
  • MDM heartbeat feeds coordinator dashboard. Footer shows "Online · MDM managed" or amber warning if MDM connection or GPS drops.
  • Check In triggers simultaneous front camera biometric capture and background GPS — no secondary user action required.
  • After caregiver scan confirms, screen transitions automatically to patient scan. Patient looks at camera — no tapping. 30-second timeout triggers retry prompt. Large font (20px+), high contrast, zero small touch targets for elderly users.
  • Successful dual scan triggers 5-second confirmation flash. Shift record is sealed as immutable at this exact moment. No edits permitted after sealing.
  • Active shift screen (A4b): Persistent display of caregiver name, patient name, running timer (server-calculated — survives tablet restart). Check Out only on this screen, not on idle home screen.
  • 3 biometric scan attempts maximum. After 3 failures: shift logged and flagged, caregiver must submit mandatory immutable note before screen dismisses. Caregiver never blocked from proceeding.
  • Offline mode: AES-256 encrypted local storage, auto-syncs on connectivity restore. Timestamp at scan, not at sync.
  • GPS breadcrumb trail captured passively every 15–30 minutes via caregiver phone app throughout the shift.
Module B

Caregiver phone app — personal device

  • One-time biometric enrollment: 3 face angle captures on caregiver's own phone. Raw photos immediately converted to encrypted embeddings server-side. Raw images never retained.
  • Account remains Inactive until a coordinator manually activates the profile. Caregiver cannot use the kiosk tablet until activated.
  • Visit history from backend. Status badges (Verified / Flagged / Pending) reflect live record state. Weekly/monthly hours calculated server-side from sealed verified shifts only — flagged shifts excluded until adjudicated.
  • Passive GPS sync indicator shows whether data is queued locally or synced to backend.
  • Flagged shift detail: shows exact flag reason, timestamps, GPS trail. Caregiver submits mandatory note. Note locked on submission, becomes part of coordinator evidence package.
Module C

Patient intake and family portal — mobile web

  • SMS or email link — no app download required. Fields pre-filled from coordinator intake, family completes the gaps.
  • Payer/insurance plan field is required and drives all future aggregator routing for this patient.
  • Three mandatory consents — timestamped, immutable ePHI, 6-year retention: biometric data consent, GPS/geolocation consent (Ohio ODM mandatory), HIPAA NPP acknowledgement.
  • Proxy/POA flow: Coordinator reviews and uploads POA documentation, then manually activates patient profile. First visit cannot be scheduled until proxy documents are marked as reviewed and on file.
  • Photo upload: converted to facial embedding on upload, original deleted. Coordinator reviews photo quality before first shift is activated.
  • Family portal: strictly read-only. API-enforced — families cannot add approved locations, edit care plans, or approve/reject shifts.
Module D

Coordinator and admin dashboard — web

  • Four real-time KPI tiles: Active shifts, Verified today (auto-approved only), Flagged (action required), Offline devices (from MDM heartbeat).
  • Flagged queue sorted by urgency: Review needed → Pending note → Warning.
  • Evidence package auto-generated per flagged shift: timestamps, GPS trail, biometric match scores or failure codes, caregiver note. Downloadable as PDF for disputed Medicaid claim defence.
  • Coordinator decision generates immutable audit log: coordinator ID, timestamp, optional written reason. Permanently appended to evidence package.
  • API-level constraint: coordinator cannot approve a shift where they are also the active caregiver.
  • Biometric-exempt flag, manual shift close, MDM device monitoring, compliance reports with date-range filters, CSV export, bulk evidence package download.
  • 835 ERA remittance: payment status mapped to individual shift records. Denied claims surfaced with reason code and correction path.
Screen wireframes — component layout reference

Module A — Tablet kiosk app

Caregiver-facing · Android kiosk lock
A1 · Idle / home screen
MDM MANAGED ● ONLINE ENCORE EVV CHECK IN Online · MDM managed · GPS ●
A2 · Caregiver face scan
Caregiver verification Scanning face… Look at the camera Attempt 1 of 3 Online · MDM managed · GPS ●
A3 · Patient face scan
Patient verification Look at the camera No tapping needed · 30s timeout Attempt 1 of 3 Online · MDM managed · GPS ●
A4 · Dual scan confirmed
Check-in verified CAREGIVER PATIENT 10:32:14 AM · Record sealed Returning to active shift in 5s… Online · MDM managed · GPS ●
A5 · Active shift screen
● SHIFT ACTIVE CAREGIVER PATIENT ELAPSED TIME 02:14:33 Checked in 10:32 AM · Server time CHECK OUT Online · MDM managed · GPS ●
A6 · Scan failure — mandatory note
! Scan could not verify 3 attempts used · shift will be flagged Mandatory note — explain what happened Type your explanation here… Note is immutable once submitted Submit and continue Online · MDM managed · GPS ●

Module B — Caregiver phone app

Personal device · Android
B1 · Biometric enrollment
Face enrollment One-time setup · 3 angles required FRONT ✓ LEFT RIGHT Turn head left 1 of 3 captured Pending coordinator activation
B2 · Visit history
My visits THIS WEEK 22.5 hrs THIS MONTH 84.0 hrs Apr 1 · 10:32 AM – 2:46 PM · 4.2h VERIFIED Mar 31 · 8:00 AM – 12:15 PM · 4.3h VERIFIED Mar 30 · 9:10 AM – 1:22 PM · 4.2h FLAGGED Mar 29 · 7:45 AM – 11:58 AM · 4.2h VERIFIED ● GPS synced · All data current Visits Profile Settings
B3 · Flagged shift detail
← Back Flagged visit FLAGGED FLAG REASON 3 biometric attempts failed PATIENT CHECK IN 9:10 AM CHECK OUT 1:22 PM DURATION 4h 12m GPS TRAIL YOUR NOTE (IMMUTABLE) Pending coordinator review

Module C — Patient intake and family portal

Mobile web · No app download
C1 · Patient intake — consent step
intake.encorecare.com STEP 2 OF 4 Consent and privacy All three consents are required to proceed Biometric data consent GPS / geolocation consent HIPAA Notice of Privacy Practices Completing on behalf of patient? POA/guardian flow → Continue to step 3 Consents timestamped · 6-year retention
C2 · Patient photo upload
intake.encorecare.com STEP 3 OF 4 Patient photo Upload a clear front-facing photo Tap to upload or take photo Photo converted to embedding · original deleted PHOTO REQUIREMENTS ✓ Clear front-facing view ✓ Good lighting, no sunglasses Submit intake
C3 · Family portal — read-only
portal.encorecare.com Family portal READ ONLY PATIENT Verified shift history Apr 1 · 10:32 AM – 2:46 PM Mar 31 · 8:00 AM – 12:15 PM Mar 30 · 9:10 AM – 1:22 PM Arrival / departure notifications SMS alerts when caregiver checks in or out API-ENFORCED RESTRICTIONS Cannot edit locations, care plans, or approve shifts

Module D — Coordinator dashboard

Web · Admin access
D1 · Dashboard — KPI tiles and flagged queue
ENCORE EVV Dashboard Flagged queue Caregivers Patients Devices Reports Billing / ERA Coordinator: J. Smith Auto-logout: 15 min ACTIVE SHIFTS 24 VERIFIED TODAY 18 FLAGGED 3 OFFLINE DEVICES 1 Flagged shifts — action required CAREGIVER PATIENT FLAG REASON URGENCY ACTION 3 scan failures REVIEW Review → GPS mismatch PENDING Review → All 3 gates failed WARNING Review → Device fleet status ONLINE 47 devices OFFLINE 1 device LAST OTA UPDATE 2 days ago 835 ERA — recent remittances SHIFT ID PATIENT STATUS AMOUNT CODE
D2 · Evidence package — flagged shift review
ENCORE EVV Dashboard Flagged queue Caregivers Patients ← Back to flagged queue Evidence package — shift #EVV-4821 Download PDF VISIT DETAILS CAREGIVER PATIENT CHECK IN 9:10:22 AM CHECK OUT 1:22:08 PM FLAG REASON 3 biometric failures MATCH SCORES 0.42 / 0.39 / 0.41 GATE RESULTS GPS ✗ · Loc ✗ · Bio ✗ TIMESTAMPS Sealed at scan · not sync GPS BREADCRUMB TRAIL 9:10 AM 1:22 PM CAREGIVER NOTE (IMMUTABLE) Coordinator decision Decision is immutable and generates a permanent audit log entry Approve shift Reject shift WRITTEN REASON (OPTIONAL)
04 — Back-office architecture and EVV data pipeline

End-to-end — from scan to paid Medicaid claim

4 phases · each gates the next
Phase 1 — Capture

On-device data collection

Tablet captures face biometric and GPS simultaneously on Check In. GPS breadcrumb trail captured every 15–30 min via phone app. If offline: AES-256 encrypted local queue, auto-syncs on reconnect. Timestamp at scan, not at sync.

Phase 2 — Verification engine

3-gate logic + immutable decision

FaceSDK match service processes captured face data against stored profiles. Rule engine runs 3-gate checkout logic. Any single gate passing → auto-approve. All three failing → flag with auto-generated evidence package. Decision sealed as immutable.

Phase 3 — EVV aggregator export

6 fields transmitted · near real-time

Verified shift records formatted to FHIR / EDI 837P payloads containing exactly the 6 mandated EVV fields. Transmitted to Sandata or HHAeXchange per payer routing. Encore EVV awaits acknowledgement, logs it against shift record. "Not Accepted" visits surfaced with error codes.

Phase 4 — Billing and payment

Aggregator ACK unlocks claim

Aggregator acknowledgement unlocks claim generation. Data passed to AxisCare for submission to Ohio Medicaid / PA DHS / MCO. When 835 ERA returns, payment status mapped back to the original shift record. Full loop: biometric scan to cash received.

Open — VerificationMethod code
Confirm with Sandata / Ohio ODM whether the BIO VerificationMethod code is supported in the Ohio Alt-EVV schema before build begins. If BIO is not available: submit as MVV (GPS), retain biometric match as internal audit flag only. Contact: [email protected]
AxisCare integration
Confirmation required from AxisCare that their billing module can accept externally verified EVV records from Encore EVV. AxisCare is the billing backend only. Without API confirmation, Phase 4 scope cannot be fully defined. Pre-build blocker.
05 — Aggregator routing and certification path

Routing logic — set at intake, automatic per shift

No manual routing decisions per visit
StatePayer typeAggregatorNotes
Ohio All — FFS and MCO (Aetna, Buckeye, CareSource, Humana, Molina, United) Sandata (Ohio) Ohio's sole EVV aggregator. All payers unified under one integration. Target go-live state.
Pennsylvania Fee-for-service + waivers (ACT150, DDD) Sandata (PA DHS) Same vendor as Ohio, separate state config and separate certification process.
Pennsylvania MCO (AmeriHealth, UPMC, Highmark, Health Partners, PA Health & Wellness, United) HHAeXchange HHAeXchange forwards to Sandata for DHS reporting automatically. No double-submission needed.

Certification path — Ohio first, then Pennsylvania

Required before live data transmission
Ohio — step 1

Contact ODM immediately

Reach out to Ohio ODM EVV team while build is still in progress. Email: [email protected] · Phone: 855-805-3505. Wait times exist — getting in the queue early is critical.

Ohio — step 2

Build to Sandata Ohio spec

Follow Ohio Alternate EVV technical specifications on the ODM EVV webpage. Register at sandatalearn.com using provider ID 9999999 as placeholder during testing.

Ohio — step 3

API sandbox testing

Submit test visit records across all scenarios: standard visit, missed visit, manual edit, offline sync, exception handling. API conformance test — not a legal audit.

Ohio — step 4

ODM confirms → Ohio go-live

ODM certification confirms Encore EVV can transmit live Ohio EVV data. Budget 2–4 months from first ODM contact to confirmed certification.

Pennsylvania — Sandata PA

PA DHS — separate state config

Build to PA Sandata spec (separate from Ohio). PA DHS Provider Assistance Center: 800-248-2152.

Pennsylvania — HHAeXchange

Alternate vendor integration

Contact [email protected]. They assign an integrations team member. Run test records through the HHAeXchange sandbox in parallel with Sandata PA.

Certification timeline
Budget 2–4 months per state from first contact to confirmed go-live. This process runs in parallel from Week 3 of the build — not sequential to it. ODM and PA DHS queues have wait times. Ohio certification contact must be initiated at Week 3, not after the build is complete. Do not communicate go-live dates to patients, staff, or stakeholders without factoring this timeline in.
06 — HIPAA compliance — 2026 requirements

EVV data boundaries — what stays internal vs what transmits

Biometric transmission requirements — to be verified with states
Data typeSystemTransmitted to aggregator?
Facial embeddings (caregiver + patient) Encore EVV — internal To be verified with Ohio and PA aggregators
Biometric match scores Encore EVV — internal To be verified with Ohio and PA aggregators
Biometric attempt logs Encore EVV — internal audit trail To be verified with Ohio and PA aggregators
Type of service Encore EVV → Aggregator Transmitted — EVV field 1
Recipient Medicaid ID Encore EVV → Aggregator Transmitted — EVV field 2 · PHI
Date of service Encore EVV → Aggregator Transmitted — EVV field 3 · PHI
GPS location coordinates Encore EVV → Aggregator Transmitted — EVV field 4 · PHI · requires written consent
Caregiver staff ID Encore EVV → Aggregator Transmitted — EVV field 5 · PHI
Time in / time out Encore EVV → Aggregator Transmitted — EVV field 6 · PHI
Biometric transmission — open question
The current architecture assumes biometric data stays internal and only the 6 EVV fields transmit to aggregators. However, individual state requirements for biometric data handling and optional transmission need to be confirmed with Ohio ODM (Sandata) and Pennsylvania DHS (Sandata PA / HHAeXchange) before the Phase 3 data pipeline is finalised. The VerificationMethod field in the Sandata schema may or may not support a BIO code in each state's configuration. Confirm this before Sprint 3 begins.

Technical safeguards — required at launch

Encryption

AES-256 at rest · TLS 1.3 in transit

AES-256 for tablet local storage, backend database, and biometric embeddings. Keys stored separately from visit records. TLS 1.2 min, TLS 1.3 preferred for all transmissions.

Access control

MFA + RBAC + auto-logout

Unique user IDs and MFA for all coordinator/admin access. RBAC at API level. Auto-logout: 15 min dashboard, 30 min phone app, 60s kiosk tablet.

Audit logging

Immutable logs · 6-year retention

Every ePHI read/write generates an immutable audit log. Cannot be edited or deleted by anyone including admins.

May 2026 HIPAA updates

Asset register + 72hr incident response

Living inventory of every asset touching ePHI. Documented 72-hour restoration plan. Annual pen testing built in from day one.

Pre go-live requirements
Two external compliance requirements before live patient data is handled: (1) BAAs executed with all vendors — FaceSDK, cloud host, MDM vendor, Sandata, HHAeXchange, and billing platform. (2) Third-party HIPAA Risk Assessment completed against staging environment. Both are scoped and costed separately from the development build — see the additional costs table in Section 8.
07 — Project timeline — build through go-live

28-week build timeline + aggregator certification to Ohio go-live

4 weeks UI/UX · 20 weeks build · 4 weeks buffer · Certification parallel from Week 5
1
Weeks 1–4 · UI/UX phase
User journeys and design system
Full UI/UX user journeys completed before development begins. Deliverables: all screen user journeys for tablet app (A1–A6, all states), caregiver phone app (B1–B3), patient intake web portal (C1–C3), and coordinator dashboard (D1–D2). Component library, interaction states, design tokens file for developer handoff — all in Figma, production-ready. Development does not start until all UI/UX is signed off. These are hard gates, not soft targets — building against incomplete designs creates rework and scope drift.
UI/UX user journeys Figma handoff Component library
2
Weeks 5–6 · Architecture phase
Technical architecture and pre-build sign-off
Architecture deliverables: ER diagram, API schema, database structure, FaceSDK integration plan, MDM configuration spec, aggregator API integration plan (Sandata Ohio + HHAeXchange), 835 ERA mapping plan. All finalised and signed off by Encore Care before code is written. Simultaneously: contact Ohio ODM EVV team ([email protected]) and HHAeXchange ([email protected]) to enter the certification queues. These contacts must happen at Week 5 — not after the build is complete.
Architecture sign-off Contact ODM + HHAeXchange
3
Weeks 7–12 · Sprint 1
Core infrastructure and tablet app
Backend setup (NestJS + PostgreSQL + AES-256 encryption + RBAC), MDM configuration (kiosk profile, zero-touch enrollment, heartbeat API), tablet APK build (kiosk lock, FaceSDK biometric integration, offline encrypted storage, GPS capture, 3-gate checkout logic). End of sprint: tablet check-in/check-out flow works end-to-end in development environment including offline mode and scan failure states.
Tablet appBackend foundationMDM integration
4
Weeks 13–18 · Sprint 2
Caregiver phone app, patient portal, coordinator dashboard
Caregiver phone app (enrollment flow, visit history, flagged shift detail, immutable note submission, GPS breadcrumb tracking), patient intake web form (three consents engine, proxy/POA flow with coordinator review gate, photo upload, payer/plan routing field), coordinator dashboard (real-time KPIs, flagged queue with urgency sorting, evidence package generation, immutable decision audit trail, MDM device monitoring, reports and CSV export). End of sprint: full user journey functional from caregiver enrollment through coordinator review.
Phone appPatient portalCoordinator dashboard
5
Weeks 19–22 · Sprint 3
Aggregator integration, billing pipeline, compliance layer
Sandata Ohio API integration, HHAeXchange API integration, aggregator routing logic, EVV field formatting (FHIR/EDI 837P), sequence enforcement (claim blocked until aggregator ACK), 835 ERA mapping, HIPAA audit logging, auto-logout timers, technology asset register, biometric exemption flag, manual shift close. Begin Sandata Ohio sandbox testing in parallel. Highest-risk sprint — aggregator API integration is where most EVV projects encounter unexpected delays. Buffer weeks 25–28 are reserved specifically to absorb any overrun here.
Aggregator integrationHighest-risk sprintSandata sandbox begins
6
Weeks 23–24 · QA and staging
Testing, security, and staging deployment
Full functional, regression, security, and end-to-end testing across all modules. Deploy to staging environment. Encore Care UAT with real coordinators and caregivers using test patient records. Execute all vendor BAAs. Complete third-party HIPAA Risk Assessment against staging. Fix all critical bugs. SOC 2 Type II observation period begins at staging deployment.
QA + UATHIPAA Risk AssessmentSOC 2 clock starts
7
Weeks 25–28 · Buffer
Buffer — aggregator integration, UAT fixes, and stabilisation
4 weeks of explicit buffer reserved for the highest-risk elements of the build. Primary use: resolving Sandata sandbox conformance exceptions (typically requires multiple iterations), UAT bug fixes from Encore Care team, any scope items that drifted during Sprint 3. Secondary use: additional security hardening, performance optimisation, documentation. If no major issues arise, this window is used to begin PA aggregator integration ahead of schedule.
Buffer weeksSandata exception resolution
8
Months 7–9 · Post-build · Parallel from Week 5
Sandata Ohio conformance testing and ODM certification
Complete Sandata Ohio API conformance testing. Prove all 6 EVV fields transmit correctly across all scenarios. Resolve all exceptions. Submit certification request to ODM. Ohio go-live only after ODM certification is confirmed. Estimated: 2–4 months from first Sandata contact. This process runs in parallel from Week 5 — it is not sequential to the build.
Sandata conformanceODM certification
9
Month 9–11 · Ohio go-live
Ohio production launch — live Medicaid patients
ODM certification confirmed. Deploy to production. Begin onboarding Ohio caregivers, patients, and coordinators. First live EVV records transmitted to Sandata. First 835 ERA remittances returned and mapped to shift records. Pennsylvania certification work continues in parallel.
Ohio live
10
Months 11–16 · After Ohio is stable
Pennsylvania certification and go-live
Sandata PA sandbox and HHAeXchange sandbox run simultaneously. PA DHS and HHAeXchange each have their own acceptance criteria. PA DHS + HHAeXchange approvals both required before PA go-live. SOC 2 Type II observation period continues throughout.
Sandata PAHHAeXchange
08 — Investment breakdown

Development investment — 28-week build

Total build cost · $175,000
Role Scope of work Hours Rate/hr Total
Design
UI/UX — User journeys All screen user journeys, interaction states, and component systems for tablet app (A1–A6), caregiver phone app (B1–B3), patient intake portal (C1–C3), and coordinator dashboard (D1–D2). Figma files with design tokens for developer handoff. 120 $42 $5,040
Architecture
Project Architects Application technical structure, ER diagrams, API schema, database design, MDM configuration spec, FaceSDK integration plan. Scalability and performance oversight throughout build. 240 $42 $10,080
API Architects Aggregator integration architecture — Sandata Ohio, Sandata PA, and HHAeXchange API specifications. FHIR/EDI 837P payload design. 835 ERA mapping architecture. Aggregator routing logic. Sequence enforcement design. AxisCare integration spec. 160 $95 $15,200
Development
Developers Team React Native (tablet APK + phone app), Node.js/NestJS backend, PostgreSQL, mobile web portal, FaceSDK biometric integration, MDM integration, Sandata + HHAeXchange API integrations, 835 ERA mapping, HIPAA audit logging, coordinator dashboard, all platform modules. 1,522 $75 $114,150
Quality assurance
Quality Assurers Functional, regression, end-to-end, security testing across all modules and user roles. UAT coordination, bug tracking, acceptance testing. 270 $30 $8,100
Project management
Project Manager Sprint coordination, stakeholder communication, timeline management, delivery oversight. 7 months duration (28 weeks). 7 months $3,200/mo flat $22,400
Subtotal $174,970
Total development investment $175,000
What is included
All development, QA, architecture, API integration architecture, UI/UX user journeys, and project management for the 28-week build. React Native codebase, NestJS backend, FaceSDK integration, MDM integration, Sandata Ohio + Sandata PA + HHAeXchange API integrations, 835 ERA mapping, all four platform modules, HIPAA audit logging, and staging deployment.

Additional costs — not included in the $175,000 build

Scoped and budgeted separately
Item Description Estimated cost Timing
Cloud hosting AWS or Azure with HIPAA-compliant configuration. Includes backend servers, PostgreSQL database hosting, and encrypted storage for biometric embeddings and ePHI. ~$500–$2,000/month From staging deployment
MDM platform ManageEngine MDM (recommended) or Jamf Pro. Per-device monthly fee for kiosk management, OTA updates, remote wipe, and heartbeat monitoring. ~$3–5/device/month (ManageEngine) From tablet procurement
FaceSDK licensing HIPAA-compliant on-device facial recognition SDK. Pricing varies by vendor and volume — per-scan or annual licensing. Vendor BAA required before go-live. Get quotes before SDK is finalised. $500–$3,000/year (volume-dependent) From staging deployment
HIPAA Risk Assessment Mandatory third-party external assessment — cannot be self-certified. Completed against staging environment before Ohio go-live. Cost paid to external assessor firm, not to the development team. $5,000–$15,000 (external assessor) Before Ohio go-live
SOC 2 Type II audit External audit firm engaged at staging launch. 6–12 month observation period. Cost paid to external audit firm (A-LIGN, Schellman, or Drata), not to the development team. $20,000–$50,000 (audit firm) Begin at staging
BAAs — all vendors Business Associate Agreements with: FaceSDK vendor, cloud host, MDM vendor, Sandata, HHAeXchange, and billing platform. Legal counsel time for review. Legal counsel time Before any ePHI is handled
Tablet hardware See tablet procurement section below for full spec and pricing. See Section 9 Before Ohio go-live
Aggregator certification No vendor fee for certification itself. Developer time is included in the build scope. The state certification process (ODM / PA DHS) has no direct cost but has a wait-time dependency outside anyone's control. No direct cost Parallel from Week 5

Payment schedule

4 tranches · milestone-gated
Tranche%Trigger / milestoneAmount
1 — Project kickoff 35% Contract signed. UI/UX and architecture phases begin. $61,250
2 — Post architecture sign-off 35% Architecture complete: ER diagram, API schema, MDM config spec, aggregator integration plan — reviewed and approved in writing by Encore Care. UI/UX Figma files also delivered and signed off. $61,250
3 — Post 70% development 15% Majority of development complete. Tablet app, phone app, patient portal, and coordinator dashboard all demo-able in staging. $26,250
4 — Post QA and deployment 15% QA complete. All critical bugs resolved. System deployed to staging and accepted by Encore Care UAT. $26,250
Total $175,000
09 — Tablet hardware procurement

Kiosk tablet specifications and procurement terms

Pricing to be confirmed based on final quantity
Unit pricing

$75–$85 per unit

Wintouch A10 or equivalent Android tablet. Price range based on order quantity — larger orders toward the lower end. Import fees and duties are not included in this pricing and must be budgeted separately based on origin and shipping configuration.

Minimum order quantity

500 units at MOQ price

The $75–$85/unit price point applies at a minimum order quantity of 500 units. Smaller quantities will carry a higher unit price. Initial procurement recommendation: size the first batch for the Ohio launch only, then scale with Pennsylvania certification.

Warranty

1-year manufacturer warranty

Standard 1-year warranty included with hardware. Coverage terms to be confirmed at order — verify what is included (screen damage, battery, hardware failure) and the RMA process for replacements during the warranty period.

Replacement units

Buffer stock recommended

A small number of replacement units will be provisioned and held at the office as a same-day swap pool. Recommended: 5–10% of fleet size. Replacement units are pre-enrolled in MDM and pre-loaded with the Encore EVV APK so a swap takes minutes, not days.

Hardware requirements

Android · front camera · GPS

Android operating system required for MDM kiosk enforcement and FaceSDK on-device biometric processing. Front-facing camera required for biometric face scan. GPS chip required for location capture. Minimum 32GB internal storage for offline encrypted queue.

Accessories per unit

Power bank + case

Each caregiver issued a 10,000mAh power bank for all-day operation between charges. Protective case recommended for field use in patient homes. Tablets charge nightly as documented policy. Accessories costed separately from unit price.

Procurement decision — quantity
Final tablet quantity must be determined before procurement is initiated. The recommended approach is to procure for the Ohio launch only (size based on the Ohio caregiver fleet), then place a second order timed with Pennsylvania go-live. This avoids committing to MOQ capital before Ohio operations are proven. At 500 units: total hardware cost is approximately $37,500–$42,500 before import fees. At 250 units (below MOQ): unit price will be higher — confirm with supplier. Import fees, duties, and shipping must be confirmed based on country of origin and shipping configuration before finalising the procurement budget.
10 — Monthly maintenance and support

Post-launch maintenance — ongoing monthly engagement

Commences after staging deployment

Monthly maintenance covers the ongoing health, security compliance, and operational continuity of the Encore EVV platform after go-live. Scope is broken into four areas below. Monthly investment is based on a retainer model — scope and hours are agreed in advance each quarter and adjusted as the platform matures.

Infrastructure and security

Platform health and compliance upkeep

  • Cloud infrastructure monitoring and incident response
  • Security patch management — backend, SDK, and dependencies
  • AES-256 and TLS configuration maintenance
  • Technology asset register updates (May 2026 HIPAA mandate)
  • Annual penetration testing coordination and remediation
  • Quarterly HIPAA Security Rule compliance review
  • MDM fleet monitoring — offline device alerts, OTA update pushes
  • Backup verification and 72-hour incident response testing
Aggregator and billing operations

EVV pipeline stability

  • Sandata and HHAeXchange API monitoring and error handling
  • Aggregator schema updates — both aggregators update their specs periodically and the integration must be updated to match
  • 835 ERA mapping maintenance as payer remittance codes change
  • Denied claim investigation support for EVV-related rejections
  • AxisCare billing integration monitoring
  • Near real-time EVV transmission verification and alerting
Application updates

Feature maintenance and bug fixes

  • Bug fixes for issues surfaced in production
  • Android OS compatibility updates for tablet and phone apps
  • FaceSDK version updates as new versions are released
  • Minor feature enhancements agreed in the quarterly scope review
  • Coordinator dashboard data model updates as reporting requirements evolve
  • Patient portal consent form updates as regulatory language changes
Compliance and regulatory

Ongoing regulatory alignment

  • State EVV regulation monitoring — Ohio ODM and PA DHS policy updates
  • HIPAA Security Rule update monitoring and implementation
  • Biometric privacy law compliance monitoring (Ohio and PA)
  • Aggregator certification renewal coordination as required
  • SOC 2 Type II evidence collection support during observation period
  • Audit log retention and access control verification
Monthly retainer
Monthly maintenance investment is scoped and agreed separately from the build contract. Typical engagement for a platform of this complexity and compliance requirement: $4,000–$8,000/month depending on scope and included hours. A formal maintenance scope agreement is recommended before Ohio go-live, covering all four areas above with defined SLAs and response times.