Healthcare Business Management Association - HBMA
Leading the Business of Healthcare Login

The Ever-Shifting Sands Beneath the Billing Enterprise
By Reed D. Gelzer, MD, MPH
HBMA RCM Advisor: The Journal of the Healthcare Business Management Association


The Ever-Shifting Sands Beneath the Billing Enterprise

Electronic health record (EHR) systems aren’t
as safe as you might think.

The records a billing company receives as outputs from electronic health records (EHR) systems are commonly accepted on trust. However, now that nearly everyone is using EHRs, we’re finding that they aren’t “records” at all. Insurers and law enforcement professionals are increasingly recognizing that EHRs are well-suited for records counterfeiting, with predictable (and long-anticipated) results. This presents special challenges (and opportunities) for billing companies seeking value-added services and risk reduction.

First of all, readers often ask, “What is an EHR?” (Or EMR,1 as often the terms are used interchangeably). For this article, to be brief, the main issue is more what an EHR (or EMR) isn’t. EHRs are not records keeping systems in that EHRs are not designed, and often are not configured, implemented, or used in a manner that meets federal or state requirements for business records. As a result, EHR “records” are commonly not records.

This profound oddity arises because there are no regulations for these systems, nor does any agency (federal or state) oversee them for accuracy, safety, or security. Furthermore, most EHR contracts stipulate that the user holds all the risk and, in some instances, even indemnifies the EHR vendor.2 EHR records systems, unregulated and without oversight, produce records-like outputs. These “record-like” objects, unless the user sees to it, frequently won’t qualify as valid, accurate, complete episode of care records according to payer agreements or to federal and state laws defining business records.

Furthermore, there’s no market transparency for EHR systems because errors, harms, and defects are not publicly reported anywhere and EHR contracts often stipulate that harms cannot be reported to anyone but the vendor. Since competitive markets require transparency, there is no normal market, and the purchaser/user is fully exposed to “buyer beware” risk, but blindfolded.

How This Applies to Your Company
Given the current absence of any public or private organization that requires or assures that EHRs actually capture and produce accurate records, what does this mean for your company? A foundation of the billing enterprise is the presumption that clinical care records are authentic and therefore suitable for coding and as support for service claims, regardless of payment model. What, if any, duty does a billing company have to exercise some due diligence on the clinical records that, in one way or another, fulfill your intention that you add real value based on real records of care actually and properly provided? On what basis may a billing company protect itself from problematic records whose purchase and use is entirely out of your control?

One way to think of this is the dilemma of companies building cars or airplanes. These companies don’t make the steel; they buy steel based on technical specifications that assure that the steel meets the necessary requirements for safe cars and safe airplanes. What are those companies’ exposures when they learn, as GM, Ford, and Boeing did last year, that one of the major suppliers, Kobe Steel, had been faking steel specifications for years?3 We’re also all familiar with the Volkswagen “gaming” of emissions reporting systems.4

For one thing, it certainly doesn’t reflect well on your company if it turns out you simply eyes-wide-shut believed that the steel delivered was the steel expected, especially when a car crashes or a plane fails. Furthermore, if you actually observe oddities that give you concern, inaction under such circumstances produces risks to your firm, too. Among the long, long list of unenforced or under-enforced rules, there’s this key warning: Under HIPAA, the “awareness” requirement for False Claims Act was expanded from “knew” to “knew or should have known.”

The obvious dilemma for the billing company is, do you tell your customer you have concerns about the veracity of their records, and then watch them take their business elsewhere? Since the federal government has chosen to underfund fraud investigations and since payers have similarly been ill-disposed to call out records counterfeiting, it is unlikely you’ll get caught up in litigation. Nonetheless, what is the prudent path for you?

Advertisement. Click on image to visit advertiser's website. Story continues below.

What You Should Do to Protect Your Company
In the world of EHRs, first and foremost, protect yourself from the start. The “start” is your engagement agreements with your customers. Review with your legal counsel how to add language that insulates you as much as possible from liabilities that properly reside with your customers.

Another key area will be your internal policies and procedures for what to do if you are presented with problematic records in the course of your normal business operations. One anecdote, for example, was a billing firm presented with records with “impossible” service dates, where it was known that the clinician of record was out of the country. Another common anomaly is the “nonsense” record. An example of this is the record with the presenting complaint of “headache” but the review of systems says explicitly “no headache.” This is a definitively non-accurate “nonsense” record. It is increasingly likely that payers will begin kicking out such records and some payers report doing this already.

Consider at least offering, as a service, a records quality review option that will open the door to a discussion with your client where you end up with a definitive agreement that you are accepting their records as “complete and accurate” and, by mutual agreement, keeping the burden on the client to maintain quality controls. The Association for Healthcare Documentation Integrity (AHDI), for example, offers resources for supporting clinical documentation quality assurance (not be confused with revenue-enhancement directed CDI).

Lastly, there’s at least one example where EHR companies are quietly inserting tools that will permit insurers and other investigators to easily reveal counterfeit records. They are not necessarily telling their customers those features now exist, so your customers aren’t telling you. Watch out, for example, for a new option button in the billers view that indicates something like “Hide copied.” If you see that, test it, and make sure your policies and procedures clearly define what you do with that new view.

Your business has other areas where unregulated EHRs can have substantial impact. For those of you who are looking at acquisitions, or are involved in healthcare acquisitions, similar cautions apply. Since EHRs are not regulated in any manner for fitness as business records, and since there is no market expectation that they comply with any accounting rules (e.g., GAAP), it is also prudent to add “records authenticity risk” to any due-diligence checklist. Unfortunately, in 2019 and for the foreseeable future, U.S. markets remain subject to the uncertainties of unregulated EHRs and the counterfeit records they can generate, whether intentional or not. Thus, for example, no AR valuation methodology can be safely presumed to be reliable if records counterfeiting isn’t part of the analysis.

Reed D. Gelzer, MD, MPH, has 30-plus years’ service in the healthcare field, including 11 years in rural primary care practice and in data quality and legal record attributes of medical records, then three years as an EHR vendor. At Trustworthy EHR LLC, he’s focused on clinical trustworthiness, data quality, and business record accuracy.

1 EMR = Electronic Medical Record. For our purposes here, the same problem of propensity to counterfeiting, exists in both.

2 Koppel, Ross, Kreda, David, “Health Care Information Technology Vendors’ “Hold Harmless” Clause: Implications for Patients and Clinicians” in Journal of the American Medical Association, 2009;Vol. 301 Issue 12, pp.1276-1278.

3 Stapczynski, Stephen, Suzuki, Ichiro, and Suga, Masumi, “Japan’s Kobe Steel May Have Faked Data for Over a Decade” in Bloomberg News, October 17, 2017, (accessed 10/17/18 at

4 For example, see and




 Return to Issue Index