EVV Compliance Guide

A long-form, plain-English walkthrough of the 21st Century Cures Act EVV mandate — what's required, where states diverge, audit prep, and what "good" EVV software actually looks like.

What the federal mandate requires

Under §12006 of the 21st Century Cures Act, every state must operate an electronic visit verification (EVV) system for personal care services (PCS) and home health care services (HHCS) funded by Medicaid. EVV systems must electronically capture, on every visit, six data points:

  1. The type of service performed
  2. The individual receiving the service
  3. The date of service
  4. The location of service delivery
  5. The individual providing the service
  6. The start and end times of the visit

"Electronically" means the data is captured by the system at the point of service — not reconstructed later from paper, memory, or call-in logs that the back office types up. This is the line that separates compliant from non-compliant systems.

Open vs. closed state models

Closed states mandate a single state-designated EVV vendor that every agency must use. There are a small number of closed states, and the choice is made for you.

Open states let agencies pick their own EVV system, provided it transmits data to the state's EVV aggregator in the required format. Most states operate open or hybrid models.

If you're in an open state, the aggregator integration is the part that requires care. Each aggregator publishes a transmission spec — file format, cadence, error handling, and reconciliation rules. The integration is non-trivial, but it's a one-time engineering investment that good EVV vendors handle for you.

What auditors actually look at

In our experience supporting EVV-using agencies through audits, the focus tends to be on four things:

  1. Completeness — every visit, every required field, captured electronically. Missing fields trigger follow-up.
  2. Geographic plausibility — check-in locations should make sense for the service. Community-based services are legitimately variable; the system should let you document the variation, not break against it.
  3. Time integrity — start/end times that can't be silently rewritten. Every edit leaves a trail.
  4. Reconciliation against billing — every billed visit has a corresponding EVV record; every EVV record either has a corresponding bill or a documented reason it doesn't.

The caregiver-experience dimension

EVV compliance is the floor. Caregiver experience is the part that determines whether the system actually works.

Caregivers don't have time to fight a clunky app. If check-in takes too many taps, the network is unreliable in the homes where your caregivers work, or biometric login fails too often, you'll see two outcomes: caregivers will start carrying the inefficiency in their day, and your turnover will go up.

What good looks like:

  • Native iOS & Android — not a slow web wrapper
  • 3-tap check-in
  • Biometric login (Face ID, Touch ID, fingerprint)
  • Works offline; syncs automatically
  • Captures location precisely (with a path, not just a point)
  • Tamper-evident audit trail

ctEVV™ is designed around these properties.

The back-office layer

EVV isn't just a caregiver app — it's a back-office workflow too. Larger agencies need:

  • Visit scheduling, with expectations that flow to the caregiver app
  • Real-time monitoring of which visits are happening, which are running late, which are missed
  • Reconciliation against billed claims
  • Audit reports on demand
  • Aggregator integration in open-model states

For agencies that need this layer, we pair ctEVV™ with ctAgency Suite™ — which adds the operational layer plus HHAeXchange aggregator integration.

Audit-prep checklist

If you're approaching an EVV audit and want to be calm rather than panicked:

  1. Run a 30-day completeness report. Every visit, every field, with any gaps surfaced.
  2. Spot-check geographic plausibility. Pull a sample of 50 visits and verify the check-in locations make sense.
  3. Review the audit trail. Confirm that edits to visit data are logged with user and timestamp.
  4. Reconcile EVV against billing for the audit period. Identify any mismatches and document the reasons.
  5. Verify aggregator transmission for the audit period if you're in an open state.

If these five reports come back clean, the audit will too.
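Steps 1, 3 and 4 of the checklist can be scripted against an export of visit records. The sketch below is an added example, not ctEVV™ code or part of the original guide; the record layout, field names, and sample data are assumptions constructed for illustration.

```python
# Hypothetical field names for the six data points (start/end times are two fields).
REQUIRED_FIELDS = ("service_type", "recipient_id", "service_date",
                   "location", "caregiver_id", "start_time", "end_time")

def completeness_gaps(visits):
    """Checklist step 1: map visit id -> required fields missing or empty."""
    gaps = {}
    for v in visits:
        missing = [f for f in REQUIRED_FIELDS if not v.get(f)]
        if missing:
            gaps[v["visit_id"]] = missing
    return gaps

def incomplete_edit_entries(visits):
    """Checklist step 3: edit-log entries lacking a user or a timestamp."""
    return [(v["visit_id"], i)
            for v in visits
            for i, e in enumerate(v.get("edits", []))
            if not e.get("user") or not e.get("timestamp")]

def reconcile(visits, billed_ids, unbilled_reasons):
    """Checklist step 4: compare EVV records and billed visits in both directions."""
    evv_ids = {v["visit_id"] for v in visits}
    billed_without_evv = sorted(set(billed_ids) - evv_ids)
    evv_unexplained = sorted(i for i in evv_ids - set(billed_ids)
                             if not unbilled_reasons.get(i))
    return billed_without_evv, evv_unexplained

# Constructed sample data for one audit period (not real records).
VISITS = [
    {"visit_id": "V1", "service_type": "PCS", "recipient_id": "R10",
     "service_date": "2024-03-01", "location": (40.01, -75.10),
     "caregiver_id": "C7", "start_time": "09:00", "end_time": "11:00",
     "edits": [{"field": "end_time", "user": "supervisor1",
                "timestamp": "2024-03-01T12:05:00"}]},
    {"visit_id": "V2", "service_type": "HHCS", "recipient_id": "R11",
     "service_date": "2024-03-01", "location": None, "caregiver_id": "C8",
     "start_time": "13:00", "end_time": "",
     "edits": [{"field": "start_time", "user": "", "timestamp": "2024-03-01T15:00:00"}]},
    {"visit_id": "V3", "service_type": "PCS", "recipient_id": "R10",
     "service_date": "2024-03-02", "location": (40.01, -75.10),
     "caregiver_id": "C7", "start_time": "09:00", "end_time": "10:30"},
]
BILLED = ["V1", "V2", "V9"]  # V9 was billed but has no EVV record
REASONS = {}                 # no documented reason yet for unbilled V3

if __name__ == "__main__":
    for result in (completeness_gaps(VISITS), incomplete_edit_entries(VISITS),
                   reconcile(VISITS, BILLED, REASONS)):
        print(result)
```

The step 3 check only validates entries that exist in the log; it cannot detect an edit that bypassed logging, which is why the audit trail itself needs to be tamper-evident.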

The bottom line

Federal EVV compliance is six data points, every visit, electronically — with a tamper-evident audit trail. Your state will add specifics on top, usually around aggregator integration and exemptions. The compliance bar isn't high; the caregiver-experience bar should be.

If you're picking an EVV system, prioritize the caregiver UX. The compliance will follow from a well-built system. The reverse — compliant software that caregivers hate — doesn't work as well as it sounds.
