Sunday, October 5, 2025

2025-13 Electronic Health Records Systems’ Deficiencies and Valuation of Share Prices and Merger and Acquisition Offers

By Bruce H. Nearon, CPA and Reed D. Gelzer, MD, MPH

In 2023, U.S. healthcare spending reached $4.9 trillion, $14,570 per person, and 17.6 percent of GDP.[1] Publicly traded healthcare companies’ valuation of assets and liabilities is backed in part by transaction records of patient care services initiated and documented in EHRS. Knowledgeable accountants may conclude upon examination that EHRS have substantial departures from good internal control.[2],[3],[4]

Introduction to Electronic Health Records Systems (EHRS)

U.S. EHRS are currently overseen by a non-regulatory “Certification” regime. After extensive “Certification” cheating,[5] the regime was reduced to self-attestation.[6] The same Final Rule updated legal requirements for audit data and reporting functions in EHRS by updating the reference Standard ASTM E2147–18.[7] This Standard was incorporated by reference as U.S. law, originally under the HITECH Act.[8] However, E2147–18 conformance is not assured. Various weaknesses are illustrated by cases in which settlements were reached for falsifying patient records — for example, making patients appear sicker than they are. Such falsifications are central to fraud allegations by provider, payer/insurer, or benefits manager, among others.[9]

To date, non-regulatory Certification has failed to address EHRS deficiencies that result in the potential for material errors in accounting records.[10],[11] EHRS design requirements also fail to include compliance with generally accepted internal controls, laws, rules, and regulations. Therefore, the duties of compliance fall to the user. The effectiveness of compliance, in turn, must be assessed by the auditor presented with records, reports, and other outputs from EHRS. This latter responsibility is especially important in publicly traded corporations, to prevent errors in the inputs used to calculate shareholder value for publicly traded healthcare entities and third-party payers. Systematic deficiencies, ineffective internal controls, and ineffective external financial auditing could result in material misstatement of the financial statements and over- or undervaluation of share prices. They also impact other critical interests of an efficient and effective healthcare enterprise, including the true cost of business operations, the true workload of critical professionals, and the true value of services.

Basic History, from ARRA[12]/HITECH[13] Forward

HIPAA was codified in 1996 in 45 CFR (the United States Code of Federal Regulations), Parts 160 and 164. In 2009, the HITECH Act[14] modified HIPAA as “privacy, security, and enforcement rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act to strengthen the privacy and security protection for individuals’ health information.” HITECH’s compliance date for covered entities was September 23, 2013.

To implement HITECH, standards for EHRS specify that the date, time, patient identification, and user identification must be recorded when an EHRS record is created, maintained, or exchanged.[15] In plain English, HITECH requires that any record access produce an entry in an audit log. Current EHRS audit log requirements are specified in a Standard included by reference in HITECH, namely ASTM E2147–18[16] sections 7.1.1 through 7.1.9.[17]

Entities subject to HIPAA and HITECH often treat “addressable” standards and rules as a safe harbor, that is, as not required, and may not document the reason why a rule has not been implemented unless they are subject to an independent audit.[18] Such standards may therefore provide an incentive to avoid the added burden and resulting costs of compliance implementation. An auditor may consider identifying and reporting where this avoidance option has been elected.

Covered entities are also required to regularly review the audit logs of EHRS;[19] however, the meaning of “regularly review” is not defined. It is imperative that “regularly” does not mean an “as-needed” review, since such a review is neither regular nor periodic. Consider the number of audit log records in even the smallest healthcare entity with a less complex system. Such a system would generate thousands of log entries daily. The accuracy and completeness of the audit log data may be enhanced by an independent audit of the implementation of the relevant sections in ASTM E2147–18. Audit logging technology, properly implemented, would satisfy the HITECH technical safeguards standard that requires implementation of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EHRS.[20] Ways to effectively review audit logs for suspected fraud or error are by using suitably designed and appropriately implemented log analysis software, data analytics, and artificial intelligence in real time as EHRs are created, recorded, processed, stored, accessed, modified, disclosed, reported, or deleted. HITECH also requires that the status, whether enabled or disabled, of the audit log that records the events specified in ASTM E2147–18 be recorded, that the audit log be protected and tamper-resistant, and that the technology used for EHR has the enabled capability for the detection of alteration.
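As an added illustration of the logging properties the paragraph above describes (date/time, user and patient identification on each record event, a recorded enabled/disabled status, tamper resistance, and detection of alteration), the following Python module implements a hash-chained audit log. It is example code written for this article, not any EHRS vendor’s implementation or the text of ASTM E2147–18; the action names, user ids, patient ids, and timestamps are constructed, and timestamps are supplied by the caller so the sample is deterministic.

```python
"""Tamper-evident EHRS audit log: an added illustration, not any vendor's code.

Each entry records date/time, user id, patient id and the action on the record,
and is hash-chained to the previous entry, so altering, deleting or reordering
earlier entries is detectable.  Enable/disable changes to the audit log are
themselves always written as entries, so a window with logging switched off is
visible in the log rather than silent.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str       # ISO-8601 UTC, supplied by the caller in this example
    user_id: str
    patient_id: str      # empty for system events (LOG_ENABLED / LOG_DISABLED)
    action: str          # CREATE, MAINTAIN, EXCHANGE, LOG_ENABLED, LOG_DISABLED (hypothetical names)
    detail: str
    prev_hash: str
    entry_hash: str = ""


def compute_hash(entry: AuditEntry) -> str:
    """SHA-256 over every field except entry_hash, in canonical JSON form."""
    fields = asdict(entry)
    fields.pop("entry_hash")
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []
        self.enabled = True

    def _append(self, timestamp, user_id, patient_id, action, detail) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = AuditEntry(len(self.entries), timestamp, user_id, patient_id, action, detail, prev)
        entry = replace(entry, entry_hash=compute_hash(entry))
        self.entries.append(entry)
        return entry

    def record(self, timestamp, user_id, patient_id, action, detail) -> Optional[AuditEntry]:
        """Record an event on a patient record. Returns None (event lost) if logging is off."""
        if not self.enabled:
            return None
        return self._append(timestamp, user_id, patient_id, action, detail)

    def set_enabled(self, timestamp, user_id, enabled: bool) -> AuditEntry:
        """State changes bypass the enabled check so the transition is always logged."""
        self.enabled = enabled
        return self._append(timestamp, user_id, "", "LOG_ENABLED" if enabled else "LOG_DISABLED", "")


def verify_chain(entries: List[AuditEntry]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, seq of the first bad entry)."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev or compute_hash(e) != e.entry_hash:
            return False, i
        prev = e.entry_hash
    return True, None


def disabled_intervals(entries: List[AuditEntry]) -> List[Tuple[str, Optional[str]]]:
    """Windows during which patient-record events were not being logged."""
    out, start = [], None
    for e in entries:
        if e.action == "LOG_DISABLED" and start is None:
            start = e.timestamp
        elif e.action == "LOG_ENABLED" and start is not None:
            out.append((start, e.timestamp))
            start = None
    if start is not None:
        out.append((start, None))  # still disabled at the end of the log
    return out


def tampered_copy(entries: List[AuditEntry], seq: int, new_detail: str) -> List[AuditEntry]:
    """Simulate an after-the-fact edit of one entry, to show that verification catches it."""
    altered = list(entries)
    altered[seq] = replace(altered[seq], detail=new_detail)
    return altered


def build_sample_log() -> AuditLog:
    """Constructed sample events; users and patient ids are hypothetical."""
    log = AuditLog()
    log.record("2025-03-01T09:00:00+00:00", "drlee", "P100", "CREATE", "progress note")
    log.record("2025-03-01T09:20:00+00:00", "rn_kim", "P100", "MAINTAIN", "vitals added")
    log.set_enabled("2025-03-01T10:00:00+00:00", "sysadmin", False)
    log.record("2025-03-01T10:15:00+00:00", "drlee", "P200", "CREATE", "progress note")  # returns None: lost
    log.set_enabled("2025-03-01T10:30:00+00:00", "sysadmin", True)
    log.record("2025-03-01T11:00:00+00:00", "billing", "P100", "EXCHANGE", "claim export")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample.entries))
    print("logging disabled during:", disabled_intervals(sample.entries))
    print("after edit:", verify_chain(tampered_copy(sample.entries, 1, "vitals changed")))
```

The point for a reviewer is the pair of outputs: `verify_chain` answers “has anything in the log been altered since it was written,” and `disabled_intervals` answers “when was the log not recording,” which is exactly the enabled/disabled status the paragraph says must itself be recorded. In a production system the chain head would additionally be anchored outside the EHRS (for example, periodically signed or written to a separate store), since an attacker who can rewrite the whole file can also recompute the whole chain.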

Implementation of Audit Logs Review under HIPAA and HITECH

Use of EHR copy/paste functions (hereafter “Copy”) may increase fraud risk. A key problem with Copy, including “cloning,” is false attribution. False attribution misrepresents the original source of the data and records. Examples include misrepresenting care by attributing service record content from one patient to another and, for the same patient, from one date to another. Another common example is the attribution of machine-authored service records to human authors. These misrepresent the healthcare providers’ roles, about which information must be accurate for making sound decisions. Generally, most software applications enable Copy. Cloning is an EHRS utility that captures an existing record and misattributes it to a new record. Audits of internal control over financial reporting (ICFR) may use different tests for Copy and cloning. In either instance, the audit objective is that internal controls reasonably assure that EHRS records documenting financial transactions are accurate and complete, so that billing charges, and thus receivables and payables, are not misstated.

During an audit of a healthcare provider’s ICFR, the auditor should consider whether the provider has documented policies and training for the use of Copy and cloning. The risk of financial fraud and harmful clinical errors is increased if auditors fail to consider Copy and cloning, and if providers do not have policies and training regarding their use. Auditors should also be aware of other tools, like machine-authored pre-created or auto-populated records, that may create documentation for services not performed.

Policies, procedures, and controls that are properly designed become moot when users can disable or bypass them. Where program participation and contractual obligations require attestation to “complete and accurate” records, such statements are false when the record was produced with EHRS tools that misrepresent attribution. Suitably designed and implemented audit logs that capture the initial or original author and each subsequent provider’s/author’s contribution improve the reliability of EHRS records.

Lastly, an EHRS auditor may consider the risk related to log storage limits. Log entries in all systems are voluminous, and storage overload could result in improperly configured logging systems automatically shutting down, overwriting earlier records, or otherwise rendering the system inoperable. In some cases, audit logging may never have been enabled, may have been unintentionally disabled (for example, during software upgrades), or may have been intentionally disabled to hide fraud.
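As an added example covering both the Copy/cloning review discussed above and the log-storage risks in the last paragraph, the Python below runs two reviewer checks over a constructed audit log export: it groups note-creation events with identical content and flags any group attributed to more than one patient or more than one date (false attribution candidates), and it looks for breaks in the sequence counter that indicate missing, overwritten or rotated entries. This is illustrative code for this article, not any EHRS product’s export format or any published audit procedure; the pipe-delimited layout, users, patient ids, note text and sequence numbers are all constructed.

```python
"""Audit log review for false attribution and logging gaps: an added illustration.

Input is a constructed, pipe-delimited export (hypothetical format) with one line
per logged record event.  Two checks a reviewer would want:
  * identical note content attributed to different patients, or to the same
    patient on different dates (Copy / cloning false-attribution candidates);
  * breaks in the sequence counter (missing numbers, or the counter going
    backwards), which suggest overwriting, rotation, or a period with logging off.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample export; users, patient ids and note text are hypothetical.
# seq 5 -> 9 is a gap (entries lost); seq 10 -> 3 is a counter reset (ring-buffer overwrite).
SAMPLE_EXPORT = """\
seq|timestamp|user|patient|action|note
1|2025-03-01T09:00:00Z|drlee|P100|CREATE|Pt reports chest pain x2d, denies SOB. Exam unremarkable.
2|2025-03-01T09:05:00Z|drlee|P200|CREATE|Pt reports chest pain x2d, denies SOB. Exam unremarkable.
3|2025-03-01T09:40:00Z|rn_kim|P100|MAINTAIN|Vitals: BP 128/82, HR 74.
4|2025-03-01T10:10:00Z|drlee|P300|CREATE|Follow-up for hypertension; meds reviewed.
5|2025-03-01T10:30:00Z|billing|P100|EXCHANGE|Claim export.
9|2025-03-08T09:00:00Z|drlee|P100|CREATE|Pt reports chest pain x2d, denies SOB. Exam unremarkable.
10|2025-03-08T09:30:00Z|rn_kim|P300|MAINTAIN|Vitals: BP 131/85, HR 70.
3|2025-03-08T11:00:00Z|drlee|P400|CREATE|Annual physical, no complaints.
"""


def parse_export(text: str) -> List[Dict]:
    """Parse the export into row dicts, adding an integer seq and a hash of the note text."""
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    rows = []
    for line in lines[1:]:
        # split at most len(header)-1 times so a note containing '|' stays whole
        row = dict(zip(header, line.split("|", len(header) - 1)))
        row["seq"] = int(row["seq"])
        row["note_hash"] = hashlib.sha256(row["note"].encode("utf-8")).hexdigest()
        rows.append(row)
    return rows


def find_cloned_content(rows: List[Dict]) -> List[Dict]:
    """Groups of CREATE entries whose note text is identical across patients or dates."""
    groups: Dict[str, List[Dict]] = defaultdict(list)
    for r in rows:
        if r["action"] == "CREATE":
            groups[r["note_hash"]].append(r)
    findings = []
    for note_hash, rs in groups.items():
        patients = sorted({r["patient"] for r in rs})
        dates = sorted({r["timestamp"][:10] for r in rs})
        if len(patients) > 1 or len(dates) > 1:
            findings.append({
                "note_hash": note_hash,
                "patients": patients,
                "dates": dates,
                "seqs": [r["seq"] for r in rs],
                "cross_patient": len(patients) > 1,  # same text attributed to two patients
                "cross_date": len(dates) > 1,        # same text reused on a later visit
            })
    return findings


def find_sequence_breaks(rows: List[Dict]) -> Dict[str, List[Tuple[int, int]]]:
    """Gaps (skipped seq numbers) and resets (seq going backwards), in export order."""
    gaps, resets = [], []
    for prev, cur in zip(rows, rows[1:]):
        a, b = prev["seq"], cur["seq"]
        if b < a:
            resets.append((a, b))
        elif b > a + 1:
            gaps.append((a, b))
    return {"gaps": gaps, "resets": resets}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for f in find_cloned_content(rows):
        print("cloned note in seqs", f["seqs"], "patients", f["patients"], "dates", f["dates"])
    print("sequence breaks:", find_sequence_breaks(rows))
```

On the constructed export the clone check returns one group (the same chest-pain note created for P100 and P200 on the same day and again for P100 a week later), and the sequence check reports a gap between 5 and 9 and a reset from 10 back to 3. Neither finding proves fraud; each is a record the auditor should trace back to the underlying encounter and to the logging configuration in force at the time.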

Implications of the Deficiencies in EHR Systems

When EHRS include inaccurate or fraudulent records, a healthcare entity’s revenue and earnings per share (EPS) are likely to be misstated. The overstatements at one entity may approximate the percentage of possible errors and fraud across the healthcare industry. In accounting, every debit has a credit, so errors at healthcare providers may cascade to third-party payers of claims, for whom an equivalent misstatement may exist in claims-related liabilities and expenses, resulting in misstated financial statements. A key question: are these possible misstatements material?

Revenue and earnings per share (EPS) are key numbers that have a direct relationship to the valuation of share prices and of assets and liabilities in merger and acquisition offers. If these accounts for public companies are over- or understated, then their share prices or merger and acquisition offer prices may also be over- or understated. This means that buyers of shares in healthcare entities, or of the entities themselves, may have paid too much, and sellers of shares in third-party payers or these entities may have sold them for less than they are worth.

©2025


[1] Centers for Medicare and Medicaid Services, “Historical,” CMS.gov, accessed April 6, 2025, https://www.cms.gov/data-research/statistics-trends-and-reports/national-health-expenditure-data/historical.

[2] Hollis Ashbaugh-Skaife et al., “The Effect of SOX Internal Control Deficiencies on Firm Risk and Cost of Equity,” Journal of Accounting Research 47, no. 1 (2009): 1–43, https://www.jstor.org/stable/25548010.

[3] Khairul Ayuni Mohd Kharuddin et al., “Internal Control Weakness, Remediation Failure, and Audit Opinions: Evidence from the US Listed Firms,” Review of Economics and Finance 21 (2023): 1628–1637, https://refpress.org/wp-content/uploads/2023/11/Paper-12_REF.pdf.

[4] Yibin Lin and Chonlavit Sutunyarak, “Internal control effectiveness and stock price crash,” Journal of Infrastructure, Policy and Development 8, no. 5 (2024), https://systems.enpress-publisher.com/index.php/jipd/article/view/3458.

[5] Examples of aggregate False Claims Act settlements for Certification cheating as of 2021 are documented in Nate C. Apathy et al., “Electronic Health Record Legal Settlements in the US Since the 2009 Health Information Technology for Economic and Clinical Health Act,” JAMA Health Forum 3, no. 11 (2022), accessed May 14, 2025, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9652746/. For criminal and civil settlements for EHR systems promoting opioid prescriptions, see Department of Justice, “Electronic Health Records Vendor to Pay $145 Million to Resolve Criminal and Civil Investigations,” Department of Justice Archives, January 27, 2020, accessed May 14, 2025, https://www.justice.gov/opa/pr/electronic-health-records-vendor-pay-145-million-resolve-criminal-and-civil-investigations-0.

[6] See Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 170 and 171, RIN 0955–AA01, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, Federal Register, vol. 85, no. 85, Friday, May 1, 2020 / Rules and Regulations, pp. 24562–25961.

[7] ASTM E2147 was incorporated by reference as law under ARRA/HITECH at 45 CFR 170.299(c)(1), https://www.law.cornell.edu/cfr/text/45/170.299.

[8] See HHS, 21st Century Cures Act, p. 25708.

[9] See, for example, descriptions of clinicians altering previous clinical records to make patients appear sicker, in Reed Abelson and Margot Sanger-Katz, “The Cash Monster Was Insatiable: How Insurers Exploited Medicare for Billions,” New York Times, October 9, 2022, A1. Digital version accessed at “How Insurers Exploited Medicare Advantage for Billions,” New York Times, nytimes.com.

[10] F. Schulte and E. Fry, “No Safety Switch: How Lax Oversight of Electronic Health Records Puts Patients at Risk,” Fortune, November 21, 2019, accessed May 14, 2025, https://fortune.com/longform/medical-records-government-regulation-patient-risk/.

[11] See U.S. Department of Health and Human Services Office of Inspector General report 2022 OIG’s Top Unimplemented Recommendations: Solutions To Reduce Fraud, Waste, and Abuse in HHS Programs, which details non-conformance with OIG recommendations consented to by the investigation target. This appears to be the most recent version of this report. On the 2022 list, page 81, is the HHS OIG report titled Not All Recommended Fraud Safeguards Have Been Implemented in Hospital Technology, OEI-01-11-00570. The hyperlink there is active for accessing the 2013 report itself. On pages 7–8 of the latter are audit function requirements summarized in unimplemented recommendations agreed to by the HHS Office of the National Coordinator for Health IT (aka ONC) in 2013, as of 2022. The report includes specific descriptions of audit vulnerabilities reported present by interviewed hospital personnel. All of the above sources were last viewed May 14, 2025.

[12] The American Recovery and Reinvestment Act (ARRA) of 2009 was a stimulus package aimed at boosting the U.S. economy during the Great Recession. One of its key components was the Health Information Technology for Economic and Clinical Health (HITECH) Act, which focused on advancing healthcare technology.

[13] The HITECH Act was designed to promote the adoption and meaningful use of electronic health records (EHRs) in healthcare. It strengthened HIPAA privacy and security rules, extended compliance requirements to business associates, and introduced tougher penalties for violations. The act also incentivized healthcare providers to implement EHR systems to improve efficiency, patient care, and data security.

[14] Federal Register, vol. 78, no. 17.

[15] 45 CFR 170.210.

[16] ASTM E2147–18 is the current applicable version, updated by the Secretary of HHS in May 2020. All references will be to that current version.

[17] 45 CFR 170.210(h).

[18] Author’s actual experience on SOC 2 attestations conducted according to SSAE 18.

[19] 45 CFR 164.308(a)(1)(ii)(D).

[20] 45 CFR 164.312(b).