Under the federal Electronic Visit Verification mandate, care providers for people with disabilities or the elderly confined to their homes will need to check in and out with a device equipped with GPS. The mandate is not a security mandate per se, but using connected devices to meet it could add some risk.

What is Electronic Visit Verification?

As a result of the 21st Century Cures Act, the federal Electronic Visit Verification (EVV) mandate requires electronic proof of every Medicaid-funded visit for personal care services (PCS) as of Jan. 1, 2021, and will require electronic proof for home health care services by Jan. 1, 2023. The Cures Act requires independent, electronic visit verification for certain types of Medicaid visits.



The risk comes from using smartphones for this check-in, whether through bring-your-own-device (BYOD) programs that let employees use their own phones or through end-of-life devices. As states prepare to comply with this mandate, several state requests for proposals have shown that a GPS-enabled smartphone is the preferred method of EVV deployment.

Why? Smartphones enable providers to deliver care in any approved location, while also capturing the required GPS location.

Key Ways to Prepare

While there are countless smartphones on the market, many consumer phones often do not meet the technical or security needs of a compliant EVV program. Those that do are often too costly for EVV purposes.

There are three basic options for health care providers to deploy a successful EVV program:

  • Leverage a BYOD setup.
  • Purchase new devices from your cellular provider.
  • Use low-cost specialty devices.

Adoption of EVV has stalled because all three of these approaches fail to meet providers’ needs for a cost-effective, secure and easy-to-use solution.

How Does Electronic Visit Verification Work?

A BYOD environment relies on each employee owning a device that meets baseline standards for this project: the right make and model, the right operating system (OS) version, and not jailbroken or rooted. It must also keep employee privacy and protected health information (PHI) secure. A BYOD program must be built to comply with all privacy laws, covering both employees and patients. The added costs of ongoing management and employee payback, along with how complex it can be to roll out a BYOD model and roll it out well, have made this approach expensive.

Purchasing new devices and carrier services guarantees the devices are uniform and allows a provider to develop a detailed EVV program. However, the capital costs that often come with buying new hardware and the recurring data plan payments have made this method too costly at scale.

Devices that have been sourced as EVV-use-only devices in the past have been the lowest-cost option. As a result, these devices are often past end-of-life before they have even been purchased and deployed. In this state, these devices no longer receive any OS updates, patches or app updates. These devices must be configured by hand, and there is no way to provide updates to apps or the OS without removing every device from the field one by one. These end-of-life devices do not support wireless updates.

The security and compliance risks here are obvious. Without being able to update these devices, there can be no security fixes, new functions, or app improvements made to these devices without manual work. This increases the potential for PHI and compliance violations.

What Can Providers Do?

Providers are now tasked with building their own mobile practice that does a lot of things at once. First, it needs to comply with the EVV federal mandate and state programs. Next, it also needs to make fiscal sense and allow for an effective long-term strategy. Three main pillars that should be the foundation for every provider’s mobile strategy are protection, compliance and cost.

1. State EVV Programs Require Excellent Device Security and Control

Protection for any health care app must be a primary focus. In this case, secure and accurate client and location data must be processed through the EVV app. That data must remain separate from any other personal accounts or apps on the device. The most effective way of doing this is to leverage an OS enterprise management solution like Android Enterprise. With it, both OS and app updates can be performed without the end user having to do anything. Use of the device is limited — users cannot use the device as a hotspot, access the internet or factory reset the device.
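The controls named above can be checked against a device policy before it is pushed to the fleet. The following is an added example, not code from the article or from any vendor: the field names follow the Android Management API `policies` resource, while the package name, the two sample policies and the choice of kiosk mode as the way to block general browsing are assumptions.

```python
EVV_APP = "com.example.evv"  # hypothetical EVV app package name


def _app(policy):
    """Return the policy's entry for the EVV app, or {} if it is not listed."""
    for app in policy.get("applications", []):
        if app.get("packageName") == EVV_APP:
            return app
    return {}


# One (description, check) pair per control described in the paragraph above.
CONTROLS = [
    ("OS updates install without user action",
     lambda p: p.get("systemUpdate", {}).get("type") in ("AUTOMATIC", "WINDOWED")),
    # Assumption: pinning the EVV app in kiosk mode is how browsing is blocked.
    ("device locked to the EVV app (no browser)",
     lambda p: _app(p).get("installType") == "KIOSK"),
    ("EVV app updates are not postponed",
     lambda p: bool(_app(p)) and _app(p).get("autoUpdateMode") != "AUTO_UPDATE_POSTPONED"),
    ("hotspot/tethering disabled",
     lambda p: p.get("tetheringConfigDisabled") is True),
    ("factory reset disabled",
     lambda p: p.get("factoryResetDisabled") is True),
]


def audit_policy(policy):
    """Return the descriptions of controls the policy does not enforce."""
    return [name for name, ok in CONTROLS if not ok(policy)]


# Constructed sample: app merely offered to the user, nothing locked down.
WEAK = {"applications": [{"packageName": EVV_APP, "installType": "AVAILABLE",
                          "autoUpdateMode": "AUTO_UPDATE_POSTPONED"}]}

# Constructed sample: the same device with every control enforced.
HARDENED = {
    "systemUpdate": {"type": "AUTOMATIC"},
    "applications": [{"packageName": EVV_APP, "installType": "KIOSK",
                      "autoUpdateMode": "AUTO_UPDATE_HIGH_PRIORITY"}],
    "tetheringConfigDisabled": True,
    "factoryResetDisabled": True,
}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_policy(pol))
```

Running the audit in a deployment pipeline catches a policy that silently drops one of these restrictions before it reaches devices in the field.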

2. Software Must Be Compliant With the Electronic Visit Verification Federal Mandate

As state programs decide how to comply with federal rules, providers need a way to electronically check in on visits starting this year. They need to be able to make changes quickly and for a sensible cost. Providers need to build a mobile practice that can deploy right away but is flexible enough to adjust over time without needing major costs and changes.

3. Consider All Costs That Come With Using an EVV Solution

Providers should make sure to account for potential hidden costs. When choosing a BYOD program, they should ensure that data reimbursement for end users, as well as deployment and maintenance costs, are included. Providers should look for options that allow them to build a solution with low recurring costs, covering data, device upkeep and hardware, while avoiding larger up-front costs. This will allow long-term cost planning and pivoting as needs change over time.

Solutions for Today

In order to continue to serve patients at the highest level and remain compliant with federal guidelines, providers will need to continue to invest in this area. Groups that develop cost-effective, flexible and long-term EVV plans will be the most successful now and into the future.

One cost-effective and compliant solution is a device built just for Electronic Visit Verification, like the LINK smartphone. These devices address the three main needs for providers — security, compliance and cost — by including cellular data plans and mobile protection along with hardware leases.

Learn more about addressing the federal Electronic Visit Verification mandate using mobile security technology.
