Under the federal Electronic Visit Verification mandate, care providers for people with disabilities or the elderly confined to their homes will need to check in and out with a device equipped with GPS. It isn’t a security risk mandate per se, but the use of connected devices for this could add some risk.

What is Electronic Visit Verification?

As a result of the 21st Century Cures Act, the federal Electronic Visit Verification (EVV) mandate requires electronic proof of every Medicaid-funded visit for personal care services (PCS) as of Jan. 1, 2021, and will require electronic proof for home health care services by Jan. 1, 2023. The Cures Act requires independent, electronic visit verification for certain types of Medicaid visits.



The risk comes from the smartphones used for this check-in, whether they are employees' own devices under a bring-your-own-device (BYOD) program or end-of-life devices. As states prepare to comply with this mandate, several state requests for proposals have proven that a GPS-enabled smartphone is the preferred method of EVV deployment.

Why? Smartphones enable providers to deliver care in any approved location, while also capturing the required GPS location.

Key Ways to Prepare

While there are countless smartphones on the market, many consumer phones do not meet the technical or security needs of a compliant EVV program. Those that do are often too costly for EVV purposes.

There are three basic options for health care providers to deploy a successful EVV program:

  • Leverage a BYOD setup.
  • Purchase new devices from your cellular provider.
  • Use low-cost specialty devices.

Adoption of EVV has stalled because all three of these approaches fail to meet providers’ needs for a cost-effective, secure and easy-to-use solution.

How Does Electronic Visit Verification Work?

A BYOD environment relies on each employee owning a device that meets baseline standards for this project: the right make and model, the right operating system (OS) version, and not jailbroken or rooted. It must also keep employee privacy and protected health information (PHI) secure. A BYOD program must be built to comply with all privacy laws, covering both employees and patients. The costs of ongoing management and employee payback, along with the complexity of rolling out a BYOD model well, have made this approach expensive.

Purchasing new devices and carrier services guarantees the devices are uniform and allows a provider to develop a detailed EVV program. However, the capital costs that often come with buying new hardware and the recurring data plan payments have made this method too costly at scale.

Devices that have been sourced as EVV-use-only devices in the past have been the lowest-cost option. As a result, these devices are often past end-of-life before they have even been purchased and deployed. In this state, these devices no longer receive any OS updates, patches or app updates. These devices must be configured by hand, and there is no way to provide updates to apps or the OS without removing every device from the field one by one. These end-of-life devices do not support wireless updates.

The security and compliance risks here are obvious. Without being able to update these devices, there can be no security fixes, new functions, or app improvements made to these devices without manual work. This increases the potential for PHI and compliance violations.
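The BYOD baseline described above (make and model, OS version, not rooted) and the end-of-life problem of devices with no update path can both be checked against a device inventory. The following is an added example, not code from this article or from any EVV vendor; the approved models, minimum OS version, patch-age limit and inventory fields are all assumed values.

```python
from dataclasses import dataclass
from datetime import date

# Assumed baseline (hypothetical values; take yours from the state EVV program).
APPROVED_MODELS = {("ExampleCo", "E100"), ("ExampleCo", "E200")}
MIN_OS_VERSION = (11, 0)
MAX_PATCH_AGE_DAYS = 90

@dataclass
class Device:
    device_id: str
    make: str
    model: str
    os_version: str      # e.g. "11.0"
    rooted: bool         # as reported by the management agent
    patch_level: date    # date of the last OS security patch applied
    ota_capable: bool    # can receive wireless (over-the-air) updates

def parse_version(text):
    """Turn '9.1' into (9, 1) and '11' into (11, 0) for numeric comparison."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (2 - len(parts)))

def baseline_failures(dev, today):
    """Return the baseline checks this device fails (empty list = compliant)."""
    failures = []
    if (dev.make, dev.model) not in APPROVED_MODELS:
        failures.append("unapproved make/model")
    if parse_version(dev.os_version) < MIN_OS_VERSION:
        failures.append("OS version below minimum")
    if dev.rooted:
        failures.append("jailbroken or rooted")
    if (today - dev.patch_level).days > MAX_PATCH_AGE_DAYS:
        failures.append("security patches stale")
    if not dev.ota_capable:
        failures.append("no wireless update path")
    return failures

# Constructed sample inventory, not real devices.
TODAY = date(2021, 6, 1)
FLEET = [
    Device("byod-01", "ExampleCo", "E200", "11", False, date(2021, 5, 1), True),
    Device("byod-02", "ExampleCo", "E200", "11.0", True, date(2021, 5, 1), True),
    Device("eol-07", "OtherCo", "Z1", "9.1", False, date(2019, 2, 1), False),
]

def audit(fleet, today=TODAY):
    """Map each device id to its list of failed baseline checks."""
    return {d.device_id: baseline_failures(d, today) for d in fleet}
```

Calling `audit(FLEET)` passes the first device, flags the second as rooted, and flags the end-of-life device on four counts, including the missing wireless update path.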

What Can Providers Do?

Providers are now tasked with building their own mobile practice that does a lot of things at once. First, it needs to comply with the EVV federal mandate and state programs. Next, it also needs to make fiscal sense and allow for an effective long-term strategy. Three main pillars that should be the foundation for every provider’s mobile strategy are protection, compliance and cost.

1. State EVV Programs Require Excellent Device Security and Control

Protection for any health care app must be a primary focus. In this case, secure and accurate client and location data must be processed through the EVV app. That data must remain separate from any other personal accounts or apps on the device. The most effective way of doing this is to leverage an OS enterprise management solution like Android Enterprise. With it, both OS and app updates can be performed without the end user having to do anything. Use of the device is limited — users cannot use the device as a hotspot, access the internet or factory reset the device.

2. Software Must Be Compliant With the Electronic Visit Verification Federal Mandate

As state programs decide how to comply with federal rules, providers need a way to electronically check in on visits starting this year. They need to be able to make changes quickly and for a sensible cost. Providers need to build a mobile practice that can deploy right away but is flexible enough to adjust over time without needing major costs and changes.

3. Consider All Costs That Come With Using an EVV Solution

Providers should make sure to account for potential hidden costs. When choosing a BYOD program, they should ensure data reimbursement for end-users and deployment and maintenance costs are included. Providers should look for options that allow them to build a solution for low recurring costs, which includes data, device upkeep and hardware costs, while avoiding larger up-front costs. This will allow long-term cost planning and pivoting as needs change over time.

Solutions for Today

In order to continue to serve patients at the highest level and remain compliant with federal guidelines, providers will need to continue to invest in this area. Groups that develop cost-effective, flexible and long-term EVV plans will be the most successful now and into the future.

One cost-effective and compliant solution is a device built just for Electronic Visit Verification, like the LINK smartphone. These devices address the three main needs for providers — security, compliance and cost — by including cellular data plans and mobile protection along with hardware leases.

Learn more about addressing the federal Electronic Visit Verification mandate using mobile security technology.
