Home health agencies (HHAs) face unique challenges because they have a large number of employees who do not necessarily remain in an office environment on a daily basis. Agency managers and aides are constantly on the move: taking care of patients, coming back to the office, and then returning to patients’ homes.
Many HHAs use mileage tracking software or other geolocation software to keep track of where personnel are at any given time and for mileage reimbursement purposes. The 21st Century Cures Act set new requirements for states to establish electronic visit verification (EVV) of home health care reimbursable by Medicaid, and this software may be used for that as well. Typically, EVV determines the time a home health aide began and ended a visit and the date and location of the service provided. But are you sure that your software is not disclosing protected health information?
What is Geolocation Telemetry?
Geolocation is how software, in tandem with GPS, identifies current location in real time. It lets consumers determine where their favorite ice cream store or nearest gas station is located. Geolocation is used as a data point by large companies such as Amazon, Google and Facebook to provide a better consumer experience. However, geolocation was not designed with HIPAA or private health information in mind.
An interesting aspect of geolocation-generated telemetry is that while it can very easily reveal who is using the software, what they’re doing, and when and where they are doing it, determining the “why” is incredibly challenging. Context is important when looking at telemetry. For example, telemetry can tell you that Mary Smith, a home health aide, is visiting 1313 Disneyland Drive at 9:45 a.m. on a Wednesday, but it can’t tell you why she is there. The “why” is largely inferred from things like frequency of visits, length of stay and proximity to places of interest or other individuals.
Telemetry is largely unfiltered and collected at a rapid and prodigious rate. Telemetry is difficult and sometimes impossible to “opt out” of on mobile devices.
Protected Health Information
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronically, on paper or orally. The rule calls this information protected health information (PHI). Protected health information is information, including demographic information, that relates to:
- an individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present or future payment for the provision of health care to the individual,
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security number) when they can be associated with the health information listed above.
De-identification of PHI
The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals. The HIPAA Privacy Rule allows a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in §164.514(a)-(b).
In other words, these provisions allow a business to use and disclose information that neither identifies nor provides a reasonable basis to identify an individual. The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (also called the Safe Harbor Method).
Among the specified individual identifiers that must be removed for de-identification under the Safe Harbor Method are all geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
HIPAA is very clear about the definition of a patient identifier—it even considers a ZIP code to be a patient identifier.
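The geographic part of the Safe Harbor rule above can be applied to a visit record before it leaves the agency's systems. The following is an added example, not code from any EVV product: the field names, the sample record and the population figures are constructed, and a real deployment would load the three-digit ZIP populations from current Census data. It covers only the geographic identifier; the other Safe Harbor identifiers are out of scope here.

```python
"""Safe Harbor handling of location fields in a visit record (added example)."""

# Constructed figures, NOT Census data: population of each 3-digit ZIP area.
ZIP3_POPULATION = {"123": 412_000, "456": 18_500, "789": 20_000}

# The prefix may be kept only when the area holds MORE than this many people.
THRESHOLD = 20_000

# Hypothetical field names. Each is a geographic subdivision smaller than a
# state, or an equivalent geocode, so it is removed outright.
SUB_STATE_FIELDS = ("street", "city", "county", "precinct",
                    "latitude", "longitude")


def safe_harbor_zip(zip_code, populations=ZIP3_POPULATION):
    """Return the 3-digit prefix, or "000" for small, unknown or bad ZIPs."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"  # malformed ZIP: fail closed
    prefix = digits[:3]
    # A prefix missing from the table counts as population 0 and is masked.
    return prefix if populations.get(prefix, 0) > THRESHOLD else "000"


def scrub_location(record, populations=ZIP3_POPULATION):
    """Return a copy of the record with sub-state geography generalised."""
    out = {k: v for k, v in record.items() if k not in SUB_STATE_FIELDS}
    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"], populations)
    return out


# Constructed sample record; every value is made up for illustration.
SAMPLE_VISIT = {
    "service_code": "S-EXAMPLE",
    "state": "CA",
    "street": "1 Example Street",
    "city": "Exampleville",
    "zip": "12345-6789",
    "latitude": 0.0,
    "longitude": 0.0,
}

if __name__ == "__main__":
    print(scrub_location(SAMPLE_VISIT))
    # An area of exactly 20,000 people is not "more than 20,000".
    print(safe_harbor_zip("78901"))
```

GPS coordinates are dropped rather than rounded because they are geocodes for a location smaller than a state, which the rule treats the same way as a street address.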
A Case Study
Geolocation telemetry can very easily be used to determine, for example, which individuals from which ZIP codes are frequenting which hospitals and how long they’re staying there. Consider the following hypothetical scenario:
A family has recently gone through an intake process with a home health agency (HHA), and the HHA employs staff using mobile devices with software that tracks geolocation. The assigned staff member regularly uses mobile apps like Facebook or Instagram. Neighbors of the family begin receiving social network/friend notifications on their devices indicating that the agency staff member is part of the family’s social network. Because this links the family to an HHA on the social platform, it may be an unauthorized disclosure that the family is now receiving home health services.
If your agency is using mileage tracking software or other geolocation software, particularly for keeping track of where personnel are at any given time and for mileage reimbursement purposes, we recommend doing the following:
- Use truly “offline” maps.
- Do not permit employees to use their own devices for EVV purposes; instead, supply locked-down and managed mobile devices that restrict the type of apps that can be installed.
- Make your employees aware of the issue; education is key.
- Use software providers that do not use mapping systems like Google Maps or MapQuest.