Under the federal Electronic Visit Verification mandate, care providers for people with disabilities or the elderly confined to their homes will need to check in and out with a device equipped with GPS. It isn’t a security risk mandate per se, but the use of connected devices for this could add some risk.
What is Electronic Visit Verification?
As a result of the 21st Century Cures Act, the federal Electronic Visit Verification (EVV) mandate requires electronic proof of every Medicaid-funded visit for personal care services (PCS) as of Jan. 1, 2021, and will require electronic proof for home health care services by Jan. 1, 2023. The Cures Act requires independent, electronic visit verification for certain types of Medicaid visits.
The use of smartphones for this check-in, whether through programs where employees can bring their own device (BYOD) or through end-of-life devices, leads to the problem. As states prepare to comply with this mandate, several state requests for proposals have shown that a GPS-enabled smartphone is the preferred method of EVV deployment.
Why? Smartphones enable providers to deliver care in any approved location, while also capturing the required GPS location.
Key Ways to Prepare
While there are countless smartphones on the market, many consumer phones do not meet the technical or security needs for a compliant EVV program. Those that do are often too costly for EVV purposes.
There are three basic options for health care providers to deploy a successful EVV program:
- Leverage a BYOD setup.
- Purchase new devices from your cellular provider.
- Use low-cost specialty devices.
Adoption of EVV has stalled because all three of these approaches fail to meet providers’ needs for a cost-effective, secure and easy-to-use solution.
How Does Electronic Visit Verification Work?
A BYOD environment relies on each employee owning a device that meets baseline standards for this project: the right make and model, a supported operating system (OS) version, and a device that is not jailbroken or rooted. It must also keep employee privacy and protected health information (PHI) secure. A BYOD program must be built to comply with all privacy laws, both those protecting employees and those protecting patients. The costs of ongoing management and employee payback, along with the complexity of rolling out a BYOD model and rolling it out well, have made this approach expensive.
Purchasing new devices and carrier services guarantees the devices are uniform and allows a provider to develop a detailed EVV program. However, the capital costs that often come with buying new hardware and the recurring data plan payments have made this method too costly at scale.
Devices that have been sourced as EVV-use-only devices in the past have been the lowest-cost option. As a result, these devices are often past end-of-life before they have even been purchased and deployed. In this state, these devices no longer receive any OS updates, patches or app updates. These devices must be configured by hand, and there is no way to provide updates to apps or the OS without removing every device from the field one by one. These end-of-life devices do not support wireless updates.
The security and compliance risks here are obvious. Without being able to update these devices, there can be no security fixes, new functions, or app improvements made to these devices without manual work. This increases the potential for PHI and compliance violations.
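As an added illustration (not part of the original article or of any vendor's product), the Python example below checks a device inventory against the BYOD baseline described above (make and model, OS version, not jailbroken or rooted) and flags devices that no longer report a recent security patch, as end-of-life devices would not. The baseline values, field names and sample records are all constructed assumptions.

```python
from datetime import date

# Hypothetical baseline: every value here is an assumption for illustration.
BASELINE = {
    "approved_models": {("ExampleCo", "Model A"), ("ExampleCo", "Model B")},
    "min_os_version": (11,),       # major version 11 or later
    "max_patch_age_days": 90,      # oldest acceptable security patch level
}

# Constructed sample inventory, as an MDM export might report it.
INVENTORY = [
    {"id": "nurse-01", "make": "ExampleCo", "model": "Model A",
     "os_version": "12", "rooted": False, "security_patch": "2021-01-05"},
    {"id": "aide-02", "make": "ExampleCo", "model": "Model A",
     "os_version": "9.0", "rooted": True, "security_patch": "2019-08-01"},
    {"id": "evv-03", "make": "OtherCo", "model": "Legacy X",
     "os_version": "8.1", "rooted": False, "security_patch": None},
]

def parse_version(text):
    """Turn '10.0.1' into (10, 0, 1) so that 10 sorts above 9; None if unreadable."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def evaluate(device, today, baseline=BASELINE):
    """Return the list of baseline failures for one inventory record."""
    failures = []
    if (device["make"], device["model"]) not in baseline["approved_models"]:
        failures.append("unapproved make/model")
    version = parse_version(device["os_version"])
    if version is None or version < baseline["min_os_version"]:
        failures.append("OS version below minimum")
    if device["rooted"]:
        failures.append("jailbroken or rooted")
    patch = device.get("security_patch")
    if patch is None:
        # A device that reports no patch level cannot be shown to be current.
        failures.append("no security patch level reported")
    elif (today - date.fromisoformat(patch)).days > baseline["max_patch_age_days"]:
        failures.append("security patch too old")
    return failures

def report(inventory, today):
    """Map each device id to its failures; an empty list means compliant."""
    return {d["id"]: evaluate(d, today) for d in inventory}

if __name__ == "__main__":
    for dev_id, problems in report(INVENTORY, date(2021, 3, 1)).items():
        print(dev_id, "OK" if not problems else "; ".join(problems))
```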
What Can Providers Do?
Providers are now tasked with building their own mobile practice that does a lot of things at once. First, it needs to comply with the EVV federal mandate and state programs. Next, it also needs to make fiscal sense and allow for an effective long-term strategy. Three main pillars that should be the foundation for every provider’s mobile strategy are protection, compliance and cost.
1. State EVV Programs Require Excellent Device Security and Control
Protection for any health care app must be a primary focus. In this case, secure and accurate client and location data must be processed through the EVV app. That data must remain separate from any other personal accounts or apps on the device. The most effective way of doing this is to leverage an OS enterprise management solution like Android Enterprise. With it, both OS and app updates can be performed without the end user having to do anything. Use of the device is limited — users cannot use the device as a hotspot, access the internet or factory reset the device.
2. Software Must Be Compliant With the Electronic Visit Verification Federal Mandate
As state programs decide how to comply with federal rules, providers need a way to electronically check in on visits starting this year. They need to be able to make changes quickly and for a sensible cost. Providers need to build a mobile practice that can deploy right away but is flexible enough to adjust over time without needing major costs and changes.
3. Consider All Costs That Come With Using an EVV Solution
Providers should make sure to account for potential hidden costs. When choosing a BYOD program, they should ensure data reimbursement for end-users and deployment and maintenance costs are included. Providers should look for options that allow them to build a solution for low recurring costs, which includes data, device upkeep and hardware costs, while avoiding larger up-front costs. This will allow long-term cost planning and pivoting as needs change over time.
Solutions for Today
In order to continue to serve patients at the highest level and remain compliant with federal guidelines, providers will need to continue to invest in this area. Groups that develop cost-effective, flexible and long-term EVV plans will be the most successful now and into the future.
One cost-effective and compliant solution is a device built just for Electronic Visit Verification, like the LINK smartphone. These devices address the three main needs for providers — security, compliance and cost — by including cellular data plans and mobile protection along with hardware leases.
Account Executive, IBM MaaS360 & Cloud Identity