When verification is also surveillance - EVV devices could intrusively track Medicaid recipients

Executive Summary

We came across a great article written by Jacob Metcalf that we are sharing below on the topic of maintaining privacy and security.

Securing personal data is a topic of rising conversation in this day and age. It is extremely easy for third-party individuals to gain access to personal data. Read more about this topic below.

Contact Person: Jacob Metcalf
Points, February 27, 2018

We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.

What would it feel like if you needed to verify your identity and physical location with your state government via a GPS-enabled biometric device every time you exercised a civil right? And if you didn’t properly check in, you ran the risk of losing that right — or of losing your health, or even a family member’s life?

What would it feel like if the government then outsourced the responsibility for managing that check-in process to a third-party contractor that required you to use a clunky, custom-made device with a slow UI — and a backend database prone to leaking protected personal health data to other people? What if the recipient of the contract to build those devices and maintain those databases was a major lobbyist behind the law establishing this obligation?

EVV in Ohio

A client in Ohio attempts to use the preferred EVV device, demonstrating confusion about whether the front-facing camera on the device is actually operable.


My guess is that you would be infuriated. I certainly wouldn’t stand for it. Yet this is the scenario being enacted for Medicaid recipients who utilize personal care attendants (PCAs) and in-home health care aides (HCAs).

Buried in the 21st Century CURES Act, signed by President Obama in 2016, is a directive for states to adopt Electronic Visit Verification (EVV) technologies and services that will track and verify the labor provided by caregivers to Medicaid recipients and their families. By electronically logging when and where a caregiver begins and ends a shift, EVV is intended to ensure that the services billed were actually provided, which ostensibly offers some fraud-protection to both care recipients and taxpayers.

At first glance, EVV seems like a simple distributed time clock, but it also represents a deceptively intrusive tracking of the lives of Medicaid recipients. Caregivers for the disabled are required to work flexible hours and in a variety of locations. Recipients of these services are people who may need help getting to a doctor's appointment one day, or getting around the mall another day, or none at all the next day. Parents of disabled children might need relief one day in order to attend their other child’s recital and need none the next day because Grandma is in town. Furthermore, many caregivers have more than one client and many clients have more than one caregiver. That trip to the mall might involve a shift change at the food court, or attending a recital might involve a shift change back home. And in states that allow family members to be paid as caregivers, the majority of PCAs and HCAs may also be family members.

Due to this wide variety of working conditions, caregivers checking into work is not as simple as punching a time clock. Thus, EVV technologies are intended to verify when and where care assistants provide billable labor. According to the law, states must adopt EVV systems that can verify:

  • Type of service performed;
  • Individual receiving the service;
  • Date of the service;
  • Location of service delivery;
  • Individual providing the services; and
  • Time the service begins and ends.


There’s some ambiguity about whether states must adopt a single service provider or can create open standards to which care-giving agencies subscribe. Some states have already started rolling out the devices and the situation is not promising. In Ohio, clients are sent devices produced by the home medical care data services company Sandata (a chief lobbyist for the EVV rule in the 2016 CURES Act), which are CAT-manufactured military-grade cell phones running a custom Android OS. These devices are smartphones with a camera and microphone, although the state of Ohio claims that the cameras have been disabled (without offering further specifics) and that the microphone is only turned on when the recording function is triggered.

Yet the discussions of these devices among clients are full of confusion and distrust about what types of data the devices are technically capable of recording. Conversations in anti-EVV Facebook groups include Medicaid clients who have relied on family members to decompile similar software offered by Sandata to try to get a sense of the technical specifications of the devices. Other users note they store the devices in the garage, in the doghouse, or in a drawer to soundproof the microphone, representing a number of folk theories about how to foil potential surveillance. The most innocent explanation of how these devices work may be true, but the widespread confusion indicates that the relevant government agencies and device manufacturers are not taking seriously the legitimate privacy concerns of the clients. It further indicates that we should doubt these were designed using participatory design practices and appropriately field tested.

There is the further issue of how biometric data is used in automated verification systems. The devices in Ohio use voice recordings or electronic signatures for a client to confirm the logged work, although there is no public communication that explains whether voice verification is done using biometric analysis, nor any explanation of when and where that biometric data is stored. In the public prospectus for the EVV system in California, Sandata proposes using biometric facial data to confirm provider and client identities, and yet offers no explanation of how, when and why that data will be used. As we will see, those details matter.

The core purpose of in-home care assistants is to ensure that differently-abled persons and their families are able to live the fullest life possible in their own community, and not in an institution. Altogether, access to Medicaid, the protections under the Americans with Disabilities Act, and the 1999 Olmstead v. L.C. ruling establish that Americans with disabilities are entitled to receive — as a statutory civil right — independence-sustaining support from caregivers of their choosing in their own homes and communities. This is supported by a somewhat kludgy public policy of treating Medicaid recipients as employers whose employees are paid by the state’s Medicaid office or via a third-party agency.