EHR Compliance: The Two Biggest Risks You Need To Know About

Posted on September 24, 2020 by Miles Bodzin, DC

By Dr. Miles Bodzin & Dr. Brian Capra

When it comes to EHR compliance, there are two compliance risks that could put you out of business overnight. Yes, it’s a scary thought, but in this article you’ll learn what the two biggest risks are and what you can do about them.

The term “compliance” is a bit of an enigma. What does it refer to?

  • HIPAA?
  • PCI?
  • Medical Necessity?
  • Coding/Billing?
  • Discounting?
  • OSHA?
  • State board marketing compliance?

The term “EHR” can also be a little misleading, since most EHR companies today provide much more than electronic health records.

So where do you begin?  

For the purposes of this article, let’s focus on what could put you out of business the fastest.

  1. HIPAA Violations
  2. Improper Discounting

HIPAA Violations

Each HIPAA violation can cost you as much as $50,000 per violation, and penalties are tiered by how culpable the practice was. A single incident that exposes one patient’s records could therefore put a practice out of business, because violations rarely happen in isolation: if there is one, there are probably many others.

The biggest exposure we see these days is with client-server EHR systems, meaning software that runs on a server inside the practice rather than in the cloud. Even cloud-based systems are not all created equal in terms of HIPAA compliance.

Patient data is some of the most valuable data on the black market. If you were an attacker, where would you go to get it? Would you attack a professionally run, HIPAA-compliant data center, or a small practice whose records sit on a server in the back office?

You would likely choose the latter. Why?

Small practices are busy. They tend not to keep their firewall and router firmware up to date, and a weakly secured Wi-Fi network puts an attacker on the same local network as the EHR server, where they can have a field day.

Client-server systems also have other inherent weak spots: every point where patient data has to cross the internet. Online patient intake forms that feed the office database and nightly backups pushed to the cloud both carry protected health information out of the building, and each path is only as safe as the encryption and authentication protecting it.

In the event of a data breach, who gets fined? Not the “tech guy” who set up the server and also happens to be a patient. The practice is the HIPAA covered entity, and the responsibility lands on the practice owner.

Moving your EHR to the cloud is a big way to mitigate this risk. You are shifting the day-to-day work of securing the servers to a vendor whose business depends on doing it well. It does not, however, let you outsource the responsibility: the practice remains the covered entity, and the vendor must sign a Business Associate Agreement (BAA) before it handles your patient data. Check that the system encrypts data in transit with current TLS and encrypts it at rest, and ask for the evidence behind the phrase “HIPAA compliant data center.” There is no official HHS certification for that claim, so a signed BAA and independent audit reports are what you should expect to see.

In the case of a breach on the vendor’s side, the EHR company is on the hook as a business associate, and most carry insurance for exactly that; your practice is still the one that must notify affected patients. Remember, too, that these data centers are staffed and monitored around the clock, which a back-office server never is. You decrease the risk while keeping ownership of your patient data, which is something to confirm in the contract.

Improper Discounting

When using your EHR, it’s common to apply discounts to your services. When posting those services, make sure the discounts are compliant and posted correctly. In summary, there are four primary ways to provide discounts compliantly:

1 – Required by Mandate

This applies if the patient is covered by a State or Federal program with a mandated fee schedule (Medicare, Medicaid, etc.). By treating a patient under a mandated fee schedule, you are agreeing to accept what the program reimburses.

For example, if your fee is $55 for a service and Medicare’s allowed amount is $35, you have not agreed to charge $35; you have agreed to discount your $55 service by $20. Post the $55 fee and the $20 discount, not a $35 fee.

2 – Documented Hardship

Patients who meet state or federal poverty guidelines, or other special circumstances set out in your written hardship policy, may be offered a discount for a period of time determined by the clinic. Verification of hardship status is required, and no more than 5% of your patient base should be on hardship.

Note that you cannot classify someone as “hardship” simply because they pay cash. This matters because we have seen doctors say they apply hardship discounts to all cash patients. That is not a compliant practice.

3 – Contractual Agreement

This applies if you’re a participating provider in the patient’s health insurance plan.

If you are a member of a Discount Medical Plan Organization (DMPO), the patient will be entitled to network discounts similar to your insured patients.

Like mandated discounts, you are agreeing to accept what the insurance company or DMPO allows by treating the patient. For example, if your fee is $55 for a service and the insurance company or DMPO allowed amount is $35, you have not agreed to charge $35; you have agreed to discount your $55 service by $20.

4 – Prompt Pay

You can offer patients a discount on non-covered services (i.e. cash services) when they pay promptly. The clinic defines what “promptly” means, and should write that definition down. For example, “payment on the same day as or prior to the service,” or “within the same week or month the service is provided,” or “within a set number of days of the service.”

The size of a prompt pay discount is bounded by guidance from the Office of Inspector General (OIG) of the Department of Health and Human Services. In 2009 the OIG issued an advisory opinion indicating that a prompt pay discount can be offered and should fall between 5% and 15%.

For that reason we recommend limiting your prompt pay discount to 15% or less. In practice, this means that for NON-COVERED services you can apply a discount of up to 15% when the payment meets your written definition of prompt pay.

In summary, for all patients, the non-covered services (i.e. cash paid services) are the ONLY services that can be discounted with a prompt pay discount.
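As an added illustration of how an EHR could enforce the four rules above at posting time: this is example code written for this article, not Cash Practice or Genesis software. The data model, field names and the sample ledger are made up, and the 15% prompt-pay cap and 5% hardship share are the thresholds this article cites, not figures taken from any statute.

```python
"""Posting-time checks for the four compliant discount types (illustration only)."""
from dataclasses import dataclass
from enum import Enum
from math import isclose
from typing import Dict, List, Optional

# Thresholds as cited in the article above; adjust to your own written policy.
PROMPT_PAY_MAX_PCT = 0.15   # prompt-pay discount of 15% or less
HARDSHIP_MAX_SHARE = 0.05   # no more than 5% of the patient base on hardship


class DiscountType(Enum):
    MANDATE = "mandate"        # Medicare/Medicaid mandated fee schedule
    HARDSHIP = "hardship"      # documented financial hardship
    CONTRACT = "contract"      # in-network insurer or DMPO
    PROMPT_PAY = "prompt_pay"  # time-of-service discount on non-covered services


@dataclass(frozen=True)
class Posting:
    """One service line as posted in the ledger (hypothetical data model)."""
    patient_id: str
    standard_fee: float                      # the practice's usual fee
    posted_fee: float                        # fee as actually entered
    discount_amount: float                   # write-off posted against the fee
    discount_type: Optional[DiscountType]
    covered: bool = False                    # covered by Medicare/Medicaid/insurer/DMPO
    allowed_amount: Optional[float] = None   # payer's allowed amount (MANDATE/CONTRACT)
    hardship_verified: bool = False          # hardship documentation on file
    paid_promptly: bool = False              # met the clinic's written prompt-pay rule


def check_posting(p: Posting) -> List[str]:
    """Return findings for one posting; an empty list means it passed."""
    findings: List[str] = []
    if not isclose(p.posted_fee, p.standard_fee):
        # Post the full fee and then the discount; never silently lower the fee.
        findings.append(f"posted fee {p.posted_fee:.2f} differs from standard fee {p.standard_fee:.2f}")
    if p.discount_type is None:
        if p.discount_amount > 0:
            findings.append("discount posted without a discount type")
        return findings
    if p.discount_type in (DiscountType.MANDATE, DiscountType.CONTRACT):
        if p.allowed_amount is None:
            findings.append(f"{p.discount_type.value}: no allowed amount on file")
        else:
            expected = p.standard_fee - p.allowed_amount   # $55 - $35 = $20 in the article
            if not isclose(p.discount_amount, expected, abs_tol=0.005):
                findings.append(f"{p.discount_type.value}: discount {p.discount_amount:.2f} "
                                f"should equal fee minus allowed ({expected:.2f})")
    elif p.discount_type is DiscountType.HARDSHIP:
        if not p.hardship_verified:
            findings.append("hardship: no verification on file (paying cash is not hardship)")
    elif p.discount_type is DiscountType.PROMPT_PAY:
        if p.covered:
            findings.append("prompt_pay: only non-covered services may carry a prompt-pay discount")
        if not p.paid_promptly:
            findings.append("prompt_pay: payment did not meet the clinic's prompt-pay definition")
        if p.standard_fee > 0 and p.discount_amount / p.standard_fee > PROMPT_PAY_MAX_PCT + 1e-9:
            findings.append(f"prompt_pay: {p.discount_amount / p.standard_fee:.0%} exceeds "
                            f"the {PROMPT_PAY_MAX_PCT:.0%} cap")
    return findings


def audit_ledger(postings: List[Posting]) -> Dict[str, List[str]]:
    """Per-posting checks plus the practice-wide hardship population check."""
    report: Dict[str, List[str]] = {}
    for i, p in enumerate(postings):
        f = check_posting(p)
        if f:
            report[f"posting[{i}] {p.patient_id}"] = f
    patients = {p.patient_id for p in postings}
    hardship = {p.patient_id for p in postings if p.discount_type is DiscountType.HARDSHIP}
    if patients and len(hardship) / len(patients) > HARDSHIP_MAX_SHARE:
        share = len(hardship) / len(patients)
        report["practice"] = [f"{len(hardship)} of {len(patients)} patients on hardship "
                              f"({share:.0%}) exceeds the {HARDSHIP_MAX_SHARE:.0%} guideline"]
    return report


def sample_ledger() -> List[Posting]:
    """Constructed sample data (no real patients). Mixes good and bad postings."""
    ledger = [Posting(f"p{n:02d}", 55.0, 55.0, 5.5, DiscountType.PROMPT_PAY, paid_promptly=True)
              for n in range(1, 21)]                                      # 10% prompt pay: fine
    ledger += [
        Posting("m01", 55.0, 55.0, 20.0, DiscountType.MANDATE, covered=True, allowed_amount=35.0),
        Posting("m02", 55.0, 35.0, 0.0, DiscountType.MANDATE, covered=True, allowed_amount=35.0),
        Posting("c01", 55.0, 55.0, 20.0, DiscountType.CONTRACT, covered=True, allowed_amount=35.0),
        Posting("pp_bad", 55.0, 55.0, 11.0, DiscountType.PROMPT_PAY, paid_promptly=True),
        Posting("pp_cov", 55.0, 55.0, 5.5, DiscountType.PROMPT_PAY, covered=True, paid_promptly=True),
        Posting("h01", 55.0, 55.0, 25.0, DiscountType.HARDSHIP, hardship_verified=True),
        Posting("h02", 55.0, 55.0, 25.0, DiscountType.HARDSHIP),
    ]
    return ledger


if __name__ == "__main__":
    for key, problems in audit_ledger(sample_ledger()).items():
        print(key, "->", "; ".join(problems))
```

The posting for “m02” shows the mistake the mandate and contract sections warn about: the $55 fee was entered as $35 with no discount, so the ledger no longer shows the $20 write-off. The “practice” finding only appears once hardship patients exceed the article’s 5% share, which is why the check runs over the whole ledger rather than one line at a time.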

Check out our other article talking about compliant discounting!


When it comes to compliance, it’s not too uncommon to hear doctors say, “Who’s gonna enforce it?”

Well, for some perspective, the OIG seems to think it’s worth pursuing violations.

The OIG says as much in its fiscal year 2019 budget request. Within the first several pages, while asking for more funds to do its work, Inspector General Daniel Levinson states plainly: “…the OIG returned $5 to the Federal Government for every $1 invested.”

If you knew for every $1 you invested, you always got $5 in return, how many $1 would you invest?  And would you keep doing it as long as you kept getting a 5 to 1 return?

Here are some example cases:

U.S. Department of Justice vs. Dr. Brown

Dr. Brown from Iowa has agreed to pay $79,919 to resolve allegations Brown violated the False Claims Act by improperly billing Medicare and Medicaid for chiropractic adjustments after providing free electrical stimulation to beneficiaries to influence those beneficiaries to receive chiropractic adjustments from Brown. The government alleged that this conduct violated the Anti-Kickback Statute and, in turn, the False Claims Act. The claims at issue were submitted between January 1, 2012 and September 30, 2016. 


U.S. Department of Justice vs. Forest Park Healthcare

Instead of billing patients for out-of-network co-payments, which insurers impose to discourage the high costs associated with out-of-network treatment, Forest Park allegedly assured patients they would pay in-network prices. Because they knew insurers would not tolerate such a practice, they concealed the patient discounts and wrote off the difference as uncollected “bad debt.”

In conclusion, make sure that you’re vetting the companies that you’re going to be working with in your practice. It’s ultimately your responsibility as a business owner to ensure compliance in all areas of the business, not just your EHR.

About the authors:

Dr. Miles Bodzin is the Founder & CEO of Cash Practice Systems, Chiropractic’s #1 Technology Platform for Creating Loyal Patients.   Providing Care Plans, Payment Processing, Wellness Scores, and Email Marketing under one cloud-based platform.  Dr. Bodzin may be contacted at   To schedule a complimentary consultation with Cash Practice call (877) 343-8950.

Dr. Brian Capra founded Genesis Chiropractic Software and Billing Network in 2004. Genesis pioneered the use of cloud-based software and patented artificial intelligence workflow to help doctors increase their revenue, patient retention, compliance, and overall staff efficiency.  Dr. Brian can be contacted by email at  To schedule a complimentary consultation with Genesis call (877) 601-5986.

Original article was featured in Issue 15: September 22, 2020 of Chiropractic Economics.


About the Author

Dr. Miles Bodzin, Founder & CEO of Cash Practice® Systems. In his senior year of Electrical Engineering college, he made a life-changing career move to pursue becoming a doctor of chiropractic. Although he struggled during his first few years in practice due to the heavy managed care environment, he applied his engineering background to develop numerous successful business systems and a software platform for running a very successful cash-based practice.
