How Biometric EVV Prevents Medicaid Fraud — And Why GPS Systems Can't
The $100 Billion Problem Nobody Is Solving Correctly
Medicaid fraud costs US taxpayers an estimated $100 billion per year. A significant and growing share of that comes from home health billing fraud — ghost visits, buddy punching, and GPS spoofing that defeats the Electronic Visit Verification (EVV) systems mandated by the 21st Century Cures Act.
The law was well-intentioned. Require every home health visit to be electronically verified. Capture the caregiver's identity, the patient's location, and the time of the visit. Create an audit trail. Stop the fraud.
The problem is how states and agencies implemented it.
Why GPS-Based EVV Fails
The dominant EVV implementation today is GPS-based: the caregiver opens an app on their phone, the app records their GPS coordinates, and those coordinates are submitted as proof that they were at the patient's home.
This is trivially defeated.
GPS spoofing apps are freely available on both iOS and Android. A caregiver can set their "GPS location" to any address in the world while sitting at home. The EVV system receives a coordinate that matches the patient's address. The visit is approved. The claim is paid. The patient never received care.
Buddy punching is equally simple. One caregiver logs in on behalf of another. PIN-based and phone-tap systems have no way to verify that the person holding the phone is the person whose credentials are being used.
Ghost visits — billing for visits that never happened — are the most egregious form. Without physical proof of presence, agencies have no way to dispute fraudulent claims in a Recovery Audit Contractor (RAC) audit.
What Hardware Biometrics Change
VerifiedKnock replaces the GPS coordinate with something that cannot be faked: a biometric-activated NFC tap at the patient's physical door.
Here's how it works:
- The caregiver presses their thumb on the ATKey.Card — a FIDO2/PKOC biometric smart card. The fingerprint match happens entirely on the card's secure element. The biometric never leaves the hardware. No cloud, no database, no breach risk.
- The activated card is tapped to the NFC sticker or VerifiedAmbient™ reader mounted at the patient's door frame. This creates a cryptographically signed, timestamped visit record. The record is bound to the specific NFC hardware at that physical address.
- The visit record is unforgeable. It contains the caregiver's biometric credential ID, the NFC tag's hardware address (physically at the patient's door), and a cryptographic timestamp. There is no GPS coordinate to spoof. There is no PIN to share. There is no phone to hand to a colleague.
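
The checks an agency backend can run on a record like the one described above, before a claim is billed, are sketched here as an added example; this is not VerifiedKnock's code. The record layout, the use of Ed25519, and the names `VisitTap`, `Registry` and `demoRegistry` are assumptions, and the card and tag IDs are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// VisitTap is a hypothetical record layout, not VerifiedKnock's wire format.
type VisitTap struct {
	CredentialID, TagID string // caregiver card credential; door NFC tag
	UnixTime            int64  // tap time as signed by the card
	Sig                 []byte // Ed25519 is an assumption; the card may differ
}

func (v VisitTap) message() []byte { // %q quoting keeps field boundaries fixed
	return []byte(fmt.Sprintf("%q|%q|%d", v.CredentialID, v.TagID, v.UnixTime))
}

// Registry is the agency's enrollment data plus the taps already accepted.
type Registry struct {
	Keys       map[string]ed25519.PublicKey // credential ID -> card public key
	TagPatient map[string]string            // tag ID -> patient ID
	Seen       map[string]bool              // signed messages already accepted
}

// Verify rejects forged, misattributed and replayed taps before billing.
func (r *Registry) Verify(v VisitTap, billedPatient string) error {
	key, known := r.Keys[v.CredentialID]
	switch patient, installed := r.TagPatient[v.TagID]; {
	case !known || !ed25519.Verify(key, v.message(), v.Sig):
		return fmt.Errorf("unknown credential or bad signature")
	case !installed || patient != billedPatient:
		return fmt.Errorf("tag %q is not installed for %q", v.TagID, billedPatient)
	case r.Seen[string(v.message())]:
		return fmt.Errorf("duplicate record (already synced once)")
	}
	r.Seen[string(v.message())] = true
	return nil
}

func demoRegistry() (*Registry, func(VisitTap) VisitTap) { // constructed card and tag; sign stands in for the card
	pub, priv, _ := ed25519.GenerateKey(nil)
	sign := func(v VisitTap) VisitTap { v.Sig = ed25519.Sign(priv, v.message()); return v }
	return &Registry{map[string]ed25519.PublicKey{"card-1": pub}, map[string]string{"door-7": "patient-42"}, map[string]bool{}}, sign
}

func main() {
	r, sign := demoRegistry()
	fmt.Println(r.Verify(sign(VisitTap{"card-1", "door-7", 1700000000, nil}), "patient-42"))
}
```

The duplicate check matters for the offline case: records that sync late can arrive more than once, and each signed tap should back at most one claim.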
The 21st Century Cures Act Compliance Mapping
The Act requires EVV systems to capture six data elements:
| Requirement | VerifiedKnock Method |
|---|---|
| Type of service | Logged at NFC tap event |
| Individual receiving service | Linked to patient's door NFC tag |
| Date of service | Cryptographic timestamp on card tap |
| Location of service | NFC tag is physically at patient's address |
| Individual providing service | Biometric-bound caregiver identity on ATKey.Card |
| Time in / time out | Tap-in and tap-out NFC events |
All six requirements are satisfied. No GPS. No phone. No PIN.
The Rural Compliance Gap
There's a second failure mode of GPS-based EVV that rarely gets discussed: rural connectivity.
Home health agencies serving patients in rural areas — West Texas, Southern Illinois, Appalachia, rural California — frequently operate in areas with limited or no cellular coverage. A GPS-based EVV app that requires a data connection to submit a visit record creates a compliance gap every time a caregiver is in a dead zone.
VerifiedKnock is offline-first by design. The biometric match and NFC tap happen entirely on-hardware, with no internet connection required. Visit records are stored on-card and sync to the agency's system when connectivity is available.
This is not a workaround. It is the architecture.
What This Means for Home Health Agencies
If your agency is currently using GPS-based EVV, you have fraud exposure you may not be aware of. The question is not whether your caregivers are committing fraud — it's whether your EVV system could detect it if they were.
VerifiedKnock provides the only EVV solution where the answer is definitively yes.
We are currently accepting applications for our pilot program. Selected agencies receive full hardware and software implementation at no cost during the pilot phase.
