The sale and merger of medical practices into larger medical groups or hospital networks is an ongoing trend that began almost a decade ago. A key component of these transactions has been the valuation of the target medical practice; the purchase price is often calculated through a combination of the quality of earnings, operational efficiency, and a regulatory compliance risk assessment. All these components are strongly tied to the quality of the electronic medical records (EMR) system, which makes assessing EMR’s reliability critical to proper valuation of the practice and a strong indicator of the degree of risk to the acquirer. Such risk is elevated when the EMR does not comport with acceptable documentation requirements for Medicare, Medicaid, and private payors, as well as for applicable privacy, cybersecurity, and business records requirements. This article provides a framework for analysis of one of the most significant aspects of medical practice value: the practice’s treatment data.

Valuation of Medical Practices

A medical practice is only as valuable as its records say it is. The acquirer’s challenge is how to assess that value during a due diligence process pursuant to a purchase. The common answer is somewhat related to the asking price; more importantly, however, the overall value depends on the EMR. Acquirers should look to their valuation and transaction teams—CPAs, attorneys, medical consultants, and systems analysts—to do a deep dive and provide answers that will yield a transaction in which all these viewpoints are satisfied.

To those unfamiliar with the technical and functional aspects of EMRs as elements of value, valuation can seem like an exercise fraught with peril. Overvaluation is possible because of underrating of risk; such risk is present when EMR quality is excluded from due diligence, and this is increasingly material for the parties to such a transaction. Across the healthcare industry, aggregate impact grows because, for example, the American Medical Association estimates that between 2012 and 2016 the number of doctor-owners has reduced from 53% to 47%, while hospital ownership of medical practices has risen (Carol K. Kane, “Policy Research Perspectives Updated Data on Physician Practice Arrangements: Physician Ownership Drops below 50 Percent,” AMA, 2017, Although the rate of change from 2012 to 2016 is not fast, the drop of ownership below 50% is notable; in other words, fewer than half of the medical doctor population now owns their own practices. Some statistics put the healthcare market concentration at 90% in 2016, signifying a high acquisition rate of primary care physician and other medical practices (Brent D. Fulton, “Health Care Market Concentration Trends in The United States: Evidence and Policy Responses,” Health Affairs, September 2017,

Mergers and acquisitions are expected to increase even more due to a retiring work force (Robin Brooks, What Will Happen to Financial Markets When the Baby Boomers Retire, IMF working paper, 2000,, increasing regulations, and the stagnation of doctors’ salaries and operating expenses. These factors incentivize the integration of medical practices into larger networks in order to increase profitability. While exact statistics on the volume of the most recent sales of medical practices are elusive, anecdotal indicators appear repeatedly as a bellwether of rising sales.

How does EMR Figure into a Practice’s Value?

As an information system, EMRs are in the class of enterprise resource planning (ERP) software. As such, they basically do everything that a medical practice requires to achieve its business objectives. CPAs should have ready resources and tools to evaluate apparent anomalies and not accept what the user or vendor offers as an explanation of a “material” anomaly. Business objectives reflected in EMRs include:

  • Operational effectiveness: This entails lining up resources with needs for those resources, such as having accurate patient records for the right specialist assigned to the right treating room on the right days of the week. Another example is providing records for a timely and accurate payroll to the practice’s administrative staff.
  • Financial effectiveness: This goal is to maximize cash inflow and enable the best use of assets; for example, production of accurate claims, following up on claims queried or rejected by the insurer, and keeping track of the types of issues raised when such claims are adjudicated, sometimes referred to as “rejection errors.”
  • Compliance: This enables compliance with laws and regulations. One example is assuring audit function sufficiency, which is required by HIPAA and regulations pertaining to reimbursement, and then maintaining an audit trail of changes to EMR records. Compliance also requires enabling only authorized personnel to create, change, or delete entries while accurately attributing author, date, and time to recorded entries.

The quality of EMRs has often been missed or ignored when creating an appropriate value for medical practices.

An EMR is often divided into modules that roughly fall into these categories. Sometimes these modules overlap or interact with each other; for example, when the treating physician records a medical diagnosis, it could affect compliance requirements if certain illnesses (such as HIV) are noted.

Questions to Ask

When planning a practice acquisition, some strategic questions arise. Is the acquirer buying a practice that will continue to hold value (and hopefully increase it), or is the practice a lawsuit or investigation waiting to happen? What is the value of the target practice? There is a persistent risk that EMRs do not tell the whole story; worse, they may fabricate treatment narratives to unlawfully inflate reimbursements. Such risk has not traditionally been objectively factored by accountants and lawyers, due in large part to misunderstandings about how EMRs work and how they are deemed qualified for use in patient care.

Before EMRs, the valuation of records and data on paper was quite simple; a common question was: “Did the (static, immutable) paper records evidence the treatment, and thereby the financial value of the practice?” The answer was relatively easy to quantify. It is much more nuanced and complicated in 2019 because of the changeable aspects of EMRs. In other words, the key inquiry for CPAs and lawyers is now, “Can the EMRs be trusted?” In one case of due diligence gone bad, two major EMR software vendors are paying tens of millions in fraud settlements involving reliability issues, and the U.S. Department of Justice warns that more are on the way (Tom Sullivan, “DOJ Lawyer in Greenway Case: EHR Vendors Are Now on Notice,”, Feb. 7, 2019,

Thus, the quality of EMRs has often been missed or ignored when creating an appropriate value for medical practices. Although valuation techniques such as the income approach, market approach, and asset approach are well understood by accountants and appraisers, an understanding of EMR quality is pivotal to the value drivers that underlie all these approaches.

Reliability and Integrity—Legal vs. Accounting Definitions

When discussing a quality of an information system, it is helpful to divide the measurements into two integrated areas: integrity and reliability. The accounting and legal concepts of reliability in the context of an EMR do not differ very much. Reliability of an EMR for an accountant is gauged by the effectiveness of its use by a clinician or payer. An effective information system should provide the right information to the right user at the right time. For example, a reliable EMR would provide all the required medical records to the treating physician while shielding her from administrative information overload. Conversely, a good EMR system provides the patient with all the relevant information for him, without overcomplicating matters with billing codes, diagnostic codes, and coded rejection messages from a third-party payor.

In the digital age, however, “the right information” becomes harder to define since “all the required medical records” could comprise hundreds or even thousands of pages. Increasingly, the concepts of “relevant” and of “authentic” may also apply; for example, an EMR that, in response to a request for a patient’s records, delivers information that is old, obsolete, or previously identified as wrong is not helpful.

Legally speaking, reliability is related to but somewhat different from integrity. Reliability answers the question, “Can the record be trusted?” That is, can one trace the record’s provenance and show, through audit trails and other metadata, that it can be used by stakeholders, such as other care-givers and government and private payors? For example, EMR entries can be misattributed or falsely attributed as a result of “cloning.” Another effect on a record’s reliability is copy/paste misuse, resulting in “plagiarized” entries actually authored in prior visits, possibly even by different providers. Similarly, record entries may be illicitly amended or otherwise altered with material intended to maximize reimbursement for treatment that never occurred or cost less than purported.

Thus, from a legal perspective, the quality of an EMR can be understood as founded on reliability and integrity, which are themselves based on trustworthiness and usability (Exhibit 1).

Exhibit 1

Components of EMR Quality (Legal Perspective)

The legal definition and the accounting understanding of integrity are, however, not the same. In a legal context, integrity is whether the record reflects what actually happened. From an accounting perspective, integrity means that the underlying database and the values it stores are without anomalies, such as missing records, multiple records for the same events, or records that contain incorrect or superfluous information. For example, if a patient record that shows the treatment provided also included notes on the patient’s ability to pay for services, this would be superfluous data, because ethically the creditworthiness of a patient should not be shared with the treating physician, lest it inform medical decisions in a biased way. As another example, having differing duplicate entries for the same event can cause confusion for medical providers, which may lead to inconsistency in or rejection for billing and collection and may be also a basis for regulatory sanction.

Thus, from an accounting perspective, a quality EMR can be understood as founded on reliability and integrity, which are themselves based on internal and external usage needs (Exhibit 2).

Exhibit 2

Components of EMR Quality (Accounting Perspective)

In summary, it is incumbent upon the acquirer of a medical practice to assemble a team that can ascertain the integrity of the EMR, and for the target to do its own due diligence so as to be equipped to negotiate pricing on par with the acquirer.

Assessing the EMR as a Primary Value Indicator

Based on the above, the quality of EMRs is a core indicator of the profitability of a practice, and acquirers should pay close attention to it because it reflects and underlies the gross income and operating expenses, as well as net income available to the owners as profit.

The challenge that acquiring entities face during preacquisition due diligence thus comprises a detailed evaluation of how the EMR records are originated, created, and maintained within the framework of applicable laws, regulations (state as well as federal), and best industry practices. EMR in 2019 is akin to the Tower of Babel—no two systems are alike, and very few can communicate with each other. CPAs and their EMR due diligence teams should seek clarity on the level of value that is at risk or lost due to EMR records that lack reliability or integrity. This evaluation should combine the value driver of EMR quality with the current profitability per encounter (or per patient) and the degree of compliance exposure due to ineffective EMR implementation or use.

Currently, EMRs’ compliance with U.S. law is not enforced; for example, EMR audit trail functions under HIPAA. Consequently, the parties to a medical practice sale cannot rest on the assumption that an EMR in use has already met stringent governmental standards for quality and integrity. Therefore, interrogation of the EMR should be high on the due diligence list, lest fines be assessed for lack of audit control, such as the $5.5 million fine assessed against Memorial Healthcare System in 2017 (“$5.5 Million HIPAA Settlement Shines Light on the Importance of Audit Controls,” Department of Health and Human Services press release, Feb. 16, 2017,

The following is a framework for a reasonable due diligence process that dives deep into the EMR, both preacquisition and postacquisition.

Database integrity.

How much of the integrity of the EMR’s database is coded into the logic of the system, and how much of it is database driven? For example, will the underlying database prevent two patients with the same Medical Record Number being created contemporaneously, or is this a function of the program logic of the EMR software?

What level of input controls is present? How do users relate to this level? For example, while users may not be able to enter rejection errors of a third-party payor, often “Memo” or “Notes” fields are available for them to “note the account.” The problem with this is twofold; first, it puts the wrong information in the wrong place, and second, it prevents analysis of which rejection errors are experienced the most. Understanding how users interact with the system’s integrity controls is just as important as understanding the controls themselves.

Who receives which reports, and do the reports provide too much, not enough, or the right amount of details and information? Like the input challenge above, the integrity of the database should be analyzed in terms of viewing rights (i.e., who can see what data?).

EMR reliability.

Which managers look at summary and management reports, how often do they look at them, and what decisions do they make based on them?

What are the audit trail levels of controls, and what other metadata functions can reveal the presence or absence of cloned notes, copy/paste misuse, or machine-authored additions to an entry that have been improperly designed to fit within private or government reimbursement schemes?

Will the EMR reflect only treatment that was actually provided?

What auditing, reconciliations, and regular follow-ups are possible within the EMR software? For example, if a record is attested to by a doctor, then coded by a machine or a human, does the EMR software provide a place to indicate that the billing manager reviewed it for accuracy before it is submitted to a third-party payor? In contrast, if it appears that the users augment their audit trail on who approved what in a manual or paper form, the EMR’s quality may not be up to par, and external audits may readily impeach both records and claims, with profitability suffering. A common example of problematic copy (human-or machine-created) is populating a care service event record problem list with all past problems, resolved or unresolved, even if only one (or even no) prior problem was actually assessed in that service event.

Can the EMR provide information in the case of a complaint or an inquiry? For example, if an external medical provider sends over test results, will the date of the test be clearly marked in the index of results within the EMR? In a recent incident, a doctor viewed externally sourced test results and believed them to be recent because the “Date” field of the test was read incorrectly as the date the results were received instead of the date the test was performed. This illustrates how much users rely on EMR output; is such reliance in line with the specifications of the system? In the incident described above, the system worked as intended, but the doctor (the user) was untrained in how to properly use the system.

An Ounce of Prevention

Such inquires and analysis are not trivial; as can be seen from the line of questioning above, both operational and compliance effectiveness can be driven or hindered by the quality of the EMR records and how they are being used. Compliance is another point of exposure to acquiring and target entities; if a breach in compliance occurs, the target medical practice’s liability may not shift to the acquirer upon purchase. Thus, all parties would do well to understand the underlying EMR quality and negotiate with clear knowledge of the present risks.

The CPAs, attorneys, and medical consultants performing due diligence in the acquisition of a medical practice are best served if they understand and apply knowledge of information systems, valuation drivers, profitability drivers, and their interaction as it pertains to EMR records. Absent such knowledge, problems that exist preacquisition may come to haunt the acquirer and may be compounded by non-compliance with pertinent regulations. An ounce of prevention in these transactions could lead to higher profitability for current medical practices, a better valuation for both acquirers and target, and a better night’s sleep for all involved.

Yigal M. Rechtman, CPA, CFE, CITP, CISM is a partner at RSZ Forensic Associates and an adjunct professor at Pace University’s Lubin School of Business—New York Campus. He is also a member of The CPA Journal Editorial Advisory Board.
Kenneth N. Rashbaum, JD is a partner in the law firm of Barton LLP and an adjunct professor of law at Fordham University Law School, New York, N.Y.
Reed D. Gelzer, MD, MPH is a principal and cofacilitator for HL7 EHR Standards at Trustworthy EHR LLC, Newbury, N.H.