PointClickCare has announced a significant security requirement for Marketplace partners in the physician EMR category that directly impacts the Post-Acute care ecosystem. By February 1, 2026, all Marketplace partners must support 3-legged authentication to access PointClickCare APIs.
For Post-Acute providers—including organizations operating across SNFs, LTC, and other post-acute settings—this change represents an important step toward stronger data security, clearer access controls, and improved interoperability across care teams.
What's Changing for Post-Acute Integrations?
All PointClickCare Marketplace partners in the physician EMR category will be required to use 3-legged authentication by February 1, 2026.
PointClickCare has confirmed that:
- Alternative authentication methods will not be approved
- All physician EHR and Post-Acute technology partners must complete validation using the 3-legged OAuth model
This update directly affects how Post-Acute EHR systems and third-party platforms securely access resident and patient data within PointClickCare.
Why PointClickCare Is Requiring 3-Legged Authentication
The Post-Acute care environment is uniquely complex—often involving multiple providers, vendors, and care settings collaborating around the same patient record. PointClickCare's move to 3-legged authentication is designed to give Post-Acute providers greater control and visibility into how their data is shared.
3-legged authentication enables:
- Explicit provider-controlled authorization
- Clear permissioning for third-party Post-Acute vendors
- Improved auditability and security for resident data
- Reduced risk of unauthorized or over-permissioned access
This approach aligns with modern healthcare interoperability standards, HIPAA expectations, and the growing demand for secure data exchange in Post-Acute care.
What Is 3-Legged Authentication?
In a traditional system-to-system model, data access can happen silently in the background. In contrast, 3-legged OAuth places the Post-Acute provider in control.
Here's how it works:
- A Post-Acute EHR or third-party platform requests access to PointClickCare
- The provider explicitly approves that request
- Access is granted with defined, revocable permissions
For Post-Acute organizations managing sensitive resident data across multiple facilities and partners, this model provides critical transparency and control.
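The three steps above, sketched as an added example using the standard OAuth 2.0 authorization code grant (RFC 6749); it is not PointClickCare's or DocNow's code. The endpoints, client ID, scope names and the in-memory `ToyAuthServer` are constructed placeholders, and PointClickCare's actual parameters are in its developer documentation.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: not PointClickCare's real endpoints, client IDs or scopes.
AUTHZ_ENDPOINT = "https://auth.example.invalid/authorize"
REDIRECT_URI = "https://ehr.example.invalid/callback"

def build_request(client_id, scopes):
    """Leg 1: the third-party app asks for specific scopes; state binds the reply."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes), "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state

def handle_callback(callback_url, expected_state):
    """Reject callbacks whose state does not match the request we started."""
    q = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise PermissionError("state mismatch")
    return q["code"][0]

class ToyAuthServer:
    """In-memory stand-in for the data holder's authorization server."""
    def __init__(self):
        self.codes, self.tokens = {}, {}

    def approve(self, authz_url, approved_scopes):
        """Leg 2: the provider approves all or only part of what was requested."""
        q = parse_qs(urlparse(authz_url).query)
        granted = set(q["scope"][0].split()) & set(approved_scopes)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"][0], q["redirect_uri"][0], granted)
        reply = urlencode({"code": code, "state": q["state"][0]})
        return f'{q["redirect_uri"][0]}?{reply}'

    def exchange(self, code, client_id, redirect_uri):
        """Leg 3: a single-use code becomes a token limited to the granted scopes."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[2]
        return token

    def allowed(self, token, scope):
        return scope in self.tokens.get(token, set())

    def revoke(self, token):
        self.tokens.pop(token, None)
```

A token obtained this way carries only the scopes the provider approved, and `revoke` removes access without touching the application's own credentials.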
What This Means for Post-Acute Providers
If you are a Post-Acute provider using an EHR or physician documentation platform that integrates with PointClickCare, this change raises an important operational question:
Is my Post-Acute EHR vendor already compliant with 3-legged authentication?
Vendors that are not currently built for this authentication model will need to:
- Re-architect their PointClickCare integration
- Complete PointClickCare's validation process
- Ensure full compliance by February 1, 2026
While this work happens behind the scenes, delays or incomplete implementations could impact Post-Acute clinical workflows, data access, and continuity of care.
Why This Matters Beyond Compliance in Post-Acute Care
This requirement is not just a technical update—it reflects a broader shift in Post-Acute healthcare technology.
Across the industry, expectations are rising around:
- Provider-controlled data access
- Secure Post-Acute interoperability
- Stronger identity and access management
- Clear accountability for third-party integrations
Post-Acute platforms that are already aligned with these standards are better positioned to scale, integrate, and adapt as regulatory and security expectations continue to evolve.
Where DocNow Fits in the Post-Acute Landscape
DocNow was built specifically for Post-Acute care, with security and interoperability as foundational design principles. The platform already supports 3-legged authentication, fully aligning with PointClickCare's Marketplace requirements.
For DocNow Post-Acute customers, this means:
- No disruption to PointClickCare integrations
- No transition risk as the deadline approaches
- Continued secure, compliant access to resident and patient data
DocNow's approach reflects a commitment to building technology that meets the real-world needs of Post-Acute providers—today and in the future.
Resources for Post-Acute Technology Partners
PointClickCare has published detailed documentation to support Marketplace partners implementing and validating 3-legged authentication:
PointClickCare Developer Portal - 3-Legged OAuth Documentation:
https://developer.pointclickcare.com/spa/documentation/three-legged-oauth-used-for-most-api-calls
Final Thoughts for Post-Acute Providers
By requiring 3-legged authentication by February 1, 2026, PointClickCare is reinforcing a clear standard for secure, provider-controlled data access in Post-Acute care.
Now is the right time for Post-Acute organizations to:
- Confirm EHR vendor readiness
- Review how third-party access is managed
- Ensure technology partners align with modern Post-Acute security standards
The move to 3-legged authentication ultimately strengthens the Post-Acute care ecosystem—supporting better security, transparency, and trust.