Are Electronic Medical Records Worth the Costs of Implementation?

Executive Summary

Electronic medical records (EMRs), as a cornerstone of a more intelligent, adaptive, and efficient health care system, have the potential to improve the overall health of our society and begin to rein in the trillions of dollars spent on health care each year. However, implementation and utilization of such record systems bring their own significant costs and challenges, which must be carefully considered and overcome in order to fully realize the potential benefits.

Implementing an EMR system could cost a single physician approximately $163,765. As of May 2015, the Centers for Medicare and Medicaid Services (CMS) had paid more than $30 billion in financial incentives to more than 468,000 Medicare and Medicaid providers for implementing EMR systems. With a majority of Americans now having at least one if not multiple EMRs generated on their behalf, data breaches and security threats are becoming more common and are estimated by the American Action Forum (AAF) to have cost the health care industry as much as $50.6 billion since 2009.


It may seem obvious that in 2015 most health care providers in the U.S. are tracking patient encounters through an EMR system. However, that was not the case a few years ago. While roughly three quarters of Americans had a computer in their home in 2009,[1] only 21.8 percent of office-based physicians and 12.2 percent of non-federal acute care hospitals were using a “basic” EMR system.[2] Seeking to speed along adoption throughout the rest of the industry in order to take advantage of the many benefits which could be made possible by system-wide utilization, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (enacted as part of the American Recovery and Reinvestment Act) provided financial incentives for Medicare and Medicaid providers who become “meaningful users” of EMRs.

Some of the initial benefits of EMR use include better patient care coordination and disease management, fewer medical errors, increased productivity, and the reduced costs which could result if all of these objectives were achieved. The long-term benefits include more targeted public health initiatives; more effective preventive health measures; personalized, predictive medicine; significant reductions in national health expenditures as we are able to determine the most effective treatment options for the lowest cost; and ultimately a healthier society. However, none of these benefits will be achieved without providers, the federal government, and patients incurring significant upfront costs for both implementation and information security.

Adoption Rates and Implementation Costs

Only a few years after passage of the HITECH Act, adoption has significantly increased and much more information is being gathered and reported electronically. An estimated 78 percent of office-based physicians were using some form of EMR system in 2013, and 48 percent were using a qualified “basic” system.[3] Among non-federal acute care hospitals, 76 percent were using a “basic” system by 2014.[4] The CMS reports that, as of May 2015, more than 468,000 Medicare and Medicaid providers (87 percent) have received payments through the HITECH Act totaling approximately $30.4 billion.[5] That amounts to roughly $65,000 per provider in federal subsidies.[6] One thing worth noting is that the subsidies were not exclusively available to new EMR adopters, nor were they available to all EMR adopters; rather, the subsidies were available to providers with EMR systems that met “meaningful use” standards determined by CMS. This has resulted in increased payments for providers who had already adopted such technology, thus providing them a reward for something they had already done. Additionally, providers who are unable to afford the upfront costs of such systems not only lose out on the subsidy, but, as of January 1, 2015, are now facing financial penalties for not meeting the new standards.[7]

Based on research by Dr. Neil Fleming, et al, the following chart shows the average cost for a physician practice transitioning to EMR use between 2009 and 2011, both for a physician practicing on their own (total cost of $163,765) and for a practice with five physicians ($233,298).[8] Because many of the costs are fixed, such as the software and much of the hardware, it is much cheaper to share the costs amongst multiple providers in a single practice.

Is It Worth It? Evidence Shows Mixed Results So Far

While the costs for many providers transitioning to an EMR system have been largely offset by the federal incentive payments, the evidence thus far seems to suggest that most providers are not yet seeing the payoff. Research by David Dranove, et al, analyzing hospitals using EMR systems from 1996-2009, found that these early adopters, on average, had increased costs, at least for the first three years after adoption.[9] There were differences, though, based on the strength of the local Information Technology (IT) labor supply. In areas without a strong IT workforce, costs increased 4 percent, but in IT-intensive areas, hospitals with basic EMR systems saw cost decreases of 3.4 percent three years after adoption. As the number of workers in IT-related jobs continues to increase and EMR technology is adapted and improved, all areas may begin to see cost decreases.[10]

Research by Michael Howley, et al, examining thirty ambulatory practices for two years after EMR implementation found that productivity declined by an average of 15 patients per physician per quarter following implementation of an EMR.[11] At the same time, reimbursements to the practices actually increased. The researchers found that this was not a result of upcoding or more generous reimbursements per charge, but rather a significant increase in the number of ancillary procedures billed following EMR implementation. While we look to increase access to care and simultaneously decrease costs, this study finds that physicians are instead receiving more money for treating fewer patients—which runs counter to the intended result.

It is not surprising that increased productivity has not yet occurred. A study by the Agency for Healthcare Research and Quality (AHRQ) found that only 14 percent of providers in 2013 were sharing data with health care providers outside their organization, hindering the ability to improve patient care coordination as desired.[12] The “meaningful use” requirements are being implemented by CMS in various stages, gradually increasing the number and type of advanced functionalities which must be included in qualifying EMR systems. For now, EMRs are still primarily viewed as an administrative tool. A survey analysis from Software Advice finds that the most commonly requested functionality for an EMR system continues to be billing (45 percent) followed by claim support (27 percent) and patient scheduling (23 percent).[13] Additionally, 60 percent of EMR purchasers in 2015 are replacing current EMR systems, which may delay full interoperability and the use of the more advanced functions as providers continue to spend time learning new systems.[14] As more providers progress through the various stages, each requiring more advanced functionality and use among a greater percentage of patients, the systems should begin to provide more comprehensive benefits. Researchers have found significant reductions in medication errors and, consequently, reductions in mortality rates for hospitalized patients, with use of computerized provider order entry (CPOE, a mandatory functionality of EMR systems in Stage 1 of the meaningful use requirements); the reductions increased as CPOE was used for larger percentages of patients.[15]

Security Costs

Besides the costs to the federal government and the providers themselves to implement these new electronic systems, increased security threats and privacy concerns are adding even greater costs. According to the Ponemon Institute, the average cost of a data breach per compromised record has generally held relatively steady over the last several years, while the average cost of data breaches in the health care industry has been more volatile and has increased sharply in the last two years, as shown below. The average cost of a data breach in the U.S. in 2014 was $217 per compromised record, compared to $398 in the health care industry.[16]

In 2013, 90 percent of hospitals claimed to have a computerized system capable of conducting or reviewing a security risk analysis.[17] Despite this, the number of data breaches, and the number of records compromised, continues to climb, as shown in the charts below. This is costing the industry more and more money and costing patients their peace of mind.

Given the nearly 135 million health care records that have been compromised in more than 1,200 separate data breaches since October 2009,[18] AAF estimates the total cost of these breaches to be $50.6 billion in less than 6 years.[19] It is important to recognize that the majority of this cost comes from the exceptionally high number of records compromised so far this year, despite there being less than half the number of data breach incidents to date in 2015 compared with 2014. This amounts to an increase in the average number of records compromised in a single breach of 160 percent from 2014 to 2015 (even when the outlier in which nearly 79 million records were compromised in a single breach in 2015 is removed). As the year continues, the number of records compromised and the resulting cost will increase even further. Already, more has been spent on responding to security breaches of health care records in the first six months of 2015 than the total amount of federal incentives paid through the HITECH Act to make this transition happen.

The dramatic increase in the average number of records compromised in a single breach is alarming and may be a consequence of the more connected health care system for which we are striving. With the growing number of electronic records and increased sharing among providers, the number of records potentially accessed in a single incident is growing exponentially. Recognizing this, Blue Cross Blue Shield has just announced they will offer customers identity protection beginning in 2016.[20]

Conflicting Interests

While the low rate of data sharing mentioned previously may largely be due to the reportedly high costs charged by EMR vendors for such capabilities—which the Obama Administration is trying to curb—it is important to understand that some of this “data blocking” may be intentional. Despite the myriad benefits which could accrue to the health care system as a whole through access to the trove of information being collected, the conflicting interests of the various stakeholders—namely providers and payers—mean that it is not in stakeholders’ self-interest to share their information. Essentially, under the current payment models, one person’s revenue gain is another person’s revenue loss. Thus, it will likely require a complicated policy solution in order to bring all of the players together for the benefit of society as a whole. Even federal agencies are conflicted on how to best tackle these issues. The Health and Human Services’ Office of the National Coordinator for Health Information Technology is working on a plan to improve electronic information exchange by creating industry standards, but the Federal Trade Commission warns that there could be unintended consequences which stifle competition.[21]


Widespread use of electronic medical records could bring beneficial change to the health care system in a variety of ways, largely because they are the foundational piece to many technologies and analyses that could change health care delivery. Having every patient’s data stored electronically in a standardized form, which allows easy transfer and comparison of data among providers, insurers, and researchers, will allow the recognition of patterns that could provide smarter, more targeted personal, population, and public health measures. Examples include the development of not just personalized medicine, but predictive medicine; reductions in medical errors; better disease management and treatment adherence; predicting and potentially preventing disease outbreaks; elimination of insurance fraud; identification of the most effective treatments for the fewest dollars; and identification of the best treatments that are worth the extra money.

All of these potential advances could greatly improve health outcomes and help bend the health care cost curve. Unfortunately, these advances come with significant costs, both financially and in terms of personal privacy. Going forward, policymakers should work to ensure limited resources are used in a more cost-effective manner. Changes to EMR policy have been part of recent legislative and executive action. Efforts to align various conflicting interests were included in the recently passed H.R. 2, Medicare Access and CHIP Reauthorization Act of 2015, for example. CMS recently announced that entrepreneurs and innovators will be given access to Medicare data for research purposes. The House-passed H.R. 6, the 21st Century Cures Act, encourages greater access to and use of health care data for research purposes.[22] As EMR adoption continues to increase along with the type of information gathered, policymakers should work with experts and the public to ensure that the appropriate balance is struck between sharing information to allow advancements and providing necessary privacy protections.

[2] To qualify as a “basic” EHR system, the program must be able to: record patient history and demographics, track patient problem lists, store physician clinical notes, record a comprehensive list of patients’ medications and allergies, provide for computerized ordering of prescriptions, and allow for electronic viewing of lab and imaging results.

[6] Calculating average amount per provider is difficult given that a “provider” may be a hospital, which is eligible to receive up to $6.1 million over the course of the program. Medicare physicians may receive up to $44,000 and Medicaid physicians are eligible to receive up to $63,750.

[7] Providers are allowed to apply for a hardship exemption if unable to meet the criteria; if approved, these providers would not be penalized.

[18] (Data available through June 26, 2015, for breaches in which 500 or more records were compromised; thus, the actual total is even higher.)

[19] This estimate assumes the cost per record breached in 2015 is the same as the cost in 2014: $398. A conservative estimate for the average cost per record compromised in 2015 of $350, to account for the possibility that costs may decline as has happened in previous years, would result in a cost of more than $46 billion.

