For Agency Owners & Operators

Defend the license you built.

One bad audit. One clawback letter. One nightly-news segment. That's the difference between a 15-year agency and a 6-month wind-down. VisitLock is the floor under your operation.

The five schemes

Visit fraud isn't one thing. It's five.

In every state agency we've sat with, the same five patterns surface — sometimes from a single bad actor, more often from drift across a 60-aide roster. The good news: each one has a signature, and each one is catchable.

01
Ghost visits

The visit that never happened.

An aide signs in for a patient she never saw — at the desk, from her car, or in a hospital waiting room two cities away. The signature flow that came with the EVV system rubber-stamps it. The claim pays. Months later, a complaint surfaces, and you're explaining yourself to the state.

  • VisitLock requires biometric face match on the device — at the verified address.
  • No GPS match, no token. No token, no claim. The fraud cannot start.
  • Average detection delta vs. signature workflow: days, not months.

02
Buddy punching

One aide doing two visits — at the same time.

Maria's phone clocks in at 2pm. So does Maria's phone, again, at 2:05pm — fifteen miles away. Same login, same password, two patients. The OIG calls this "impossible travel," and it's the single most common state-level audit finding we see in PCS.

  • Face match is bound to the device, not the username.
  • Travel-time-anomaly detector flags impossible visits in the same shift.
  • The aide can share a phone. They cannot share a face.

03
GPS spoofing

The check-in that drove itself.

Mock-location apps are free in the Play Store. A motivated aide can place themselves on the patient's porch from a parking lot four miles away — the EVV system records a clean "GPS verified" on the claim. State auditors are getting better at catching this. By then, the clawback is already in motion.

  • VisitLock's anti-spoof detects mock-location apps, dev-mode toggles, and emulator signals.
  • Spoofed visits never produce a token. They surface as exceptions on your dashboard.
  • The signal that something's off shows up before the visit posts to your billing.

04
Time inflation

The 30-minute visit that billed for 90.

The aide really did show up. The aide really did do the work. The aide really was on the porch for 28 minutes — and the claim says 90. In a 50-aide agency at 12 visits a week, even small drift on the clock-out side adds up to six figures of preventable risk.

  • Cryptographic clock-in and clock-out, both biometric-bound.
  • Actual on-site time vs. claimed billable time, side-by-side, on every claim.
  • The aides who tilt their hours stand out the way a missing tooth stands out in a smile.

05
Identity rotation

One credential, three different aides.

The aide of record quits. Her brother takes over the route — same login, same patients, different person. The patient may not even notice. The state will, eventually, in the form of an exclusion letter that names your agency.

  • Biometric template is bound to a single enrolled identity. A different face produces a 0% match.
  • Re-enrollment requires owner-level approval and is itself an audited event.
  • You find out at visit one — not at exclusion-letter year three.

"We replaced our signature workflow in nine days. The first audit-edit case our state surfaced was caught by VisitLock the same week."
— Director of Operations, 65-aide PCS provider · Florida

What an owner gets

The dashboard you'll actually open on Monday morning.

  • Visit ledger: Every visit · signed · clawback-proof
  • Anomaly queue: Flags before payroll runs
  • Aide reliability: Reliability score · trend · risk band
  • EVV submission: State-by-state status · failure surface
  • Audit packet: Cryptographic export · 1-click for any 90-day window
  • Onboarding: 10-day deployment · 30-min aide training

Sleep at night. Stand up to audits.

Book a Demo
20-minute walkthrough · ROI math built around your roster