A home healthcare agency in Phoenix manages 240 registered nurses and certified nursing assistants providing in-home care to Medicare and Medicaid patients across Maricopa County. Each visit must be documented in detail for billing: arrival time, departure time, services provided, and confirmation that the nurse was physically present at the patient’s home. The agency adopted a popular consumer-grade GPS time tracking app eighteen months ago. Every nurse clock-in records the GPS coordinates of the patient’s home address. Every clock-out records the departure. The clinical operations team is delighted because billing reconciliation is now nearly automatic.
Eighteen months in, a HIPAA audit by the Department of Health and Human Services Office for Civil Rights flags the practice. The auditor’s reasoning is straightforward and chilling. The patient’s home address, linked to the patient’s identity through the agency’s billing records, is protected health information under HIPAA. Storing it on a third-party time tracking app that has not signed a Business Associate Agreement (BAA) with the agency is a HIPAA disclosure violation. The penalty range under the HITECH Act enforcement tiers is $100 to $50,000 per violation, with annual caps that can reach $1.5 million per identical type of violation. The agency now has 240 nurses × eighteen months × an average of fifteen visits per week each. The exposure runs into seven figures even at the lower end of the penalty tier.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, creates a uniquely delicate compliance puzzle for home healthcare, hospice, and behavioral health staffing operations. GPS time tracking is genuinely useful in these settings: it confirms that visits actually happened, it helps Medicare and Medicaid billing accuracy, it prevents “ghost visits” billed for services that were never rendered. But the GPS data itself, combined with the patient’s identity, becomes protected health information. The compliance architecture has to separate these data flows without breaking the operational use case the agency built around the time tracking system.
Run one week of home-health visits with opaque IDs on the GPS layer, and see whether HIPAA and EVV finally coexist.
No credit card, up and running in 2 minutes.
See sectorWhen GPS data becomes PHI
HIPAA defines protected health information as data that identifies an individual (or could reasonably be used to do so) and relates to their health care, payment for health care, or physical or mental health condition. GPS coordinates of an arbitrary location, by themselves, are not PHI. They become PHI the moment they’re combined with information that links them to a specific patient receiving health services.
The store of “GPS coordinates + patient ID + visit duration + nurse identifier” is regulated under both the HIPAA Privacy Rule (which governs use and disclosure of PHI) and the HIPAA Security Rule (which governs technical safeguards for electronic PHI). If the time tracking system holds this combination, the time tracking system is processing PHI, and the system has to meet HIPAA’s standards, or the data has to flow differently.
Business Associate Agreements: the contractual bridge
If a covered entity (the home healthcare agency) uses a third-party service that will process PHI, the third party becomes a “Business Associate” under HIPAA and must sign a Business Associate Agreement with the covered entity. The BAA contractually obligates the business associate to safeguard PHI under HIPAA standards, to permit audits, and to report breaches. The HHS Office for Civil Rights treats unsigned BAAs as enforcement-priority violations even when no actual breach has occurred.
Most consumer-grade time tracking apps don’t offer BAAs. They’re built for general workforce time tracking, not healthcare-specific compliance. The result is a compliance failure that’s invisible until the audit hits: every time a nurse clocks in using the app at a patient’s home, the agency has technically disclosed PHI to a business associate that hasn’t signed a BAA. The violation is per-disclosure, multiplied by the number of nurses and visits over the audit period.
The architectural solution: opaque visit tokens
The clean architectural answer to this compliance puzzle is to separate the visit-time logging system from the patient-identifying data system. The time tracking app captures only operationally-needed data: the nurse’s ID, a geofence ID (an opaque token such as “Visit #4471-A” with no patient information attached), the clock-in time, and the clock-out time. The mapping between the geofence ID and the patient’s identity exists only in the agency’s own care management system, which is the HIPAA-covered system of record, presumably already meeting HIPAA standards and already part of the agency’s compliance framework.
The time tracking app sees nurses clocking in to abstract visit IDs at abstract coordinates. It has no patient identities. It holds no PHI. The agency’s care management system holds the patient mapping and combines the time tracking data with patient identifiers when needed for billing or care coordination, all within the agency’s HIPAA-compliant infrastructure. This approach preserves all the operational benefits of GPS time tracking while keeping PHI inside systems that are already HIPAA-covered.
The Medicare EVV mandate
The 21st Century Cures Act, signed into law in 2016 and gradually implemented since, requires Electronic Visit Verification (EVV) for Medicaid personal care services and home health care. The EVV system must capture: the type of service performed, the individual receiving the service, the date of service, the location at which the service was provided, the time the service begins and ends, and the individual providing the service.






