When Excel becomes your EHR
Shadow IT in healthcare rarely starts as rebellion. It starts as a workaround. A quality lead needs a snapshot of monthly outcomes for a payer. A care coordination manager needs a list of high-risk patients who missed follow-up. Finance needs a quick reconciliation between encounters, authorizations, and charges. The official systems cannot answer the question fast enough, so someone exports a report, pastes it into Excel, adds a few columns, and shares it “just this once.” Then the spreadsheet becomes the operational truth.
That is why Excel is often more trusted than official reports. It reflects what teams actually do, not what the EHR is configured to show. It includes the exceptions, the manual fixes, and the context that lives in people’s heads. Over time, that trust becomes dependence. The spreadsheet stops being a supplement and starts functioning like the organization’s real reporting layer.
The hidden cost of just one more spreadsheet is that each new file creates another version of reality, another set of assumptions, and another place where protected health information (PHI) can travel without controls. In a 2026 environment defined by $7.42 million breach costs and $262 billion in industry-wide claim denials, this trust is becoming a profound liability.
What is shadow IT and why healthcare is especially vulnerable
Shadow IT is any software, tool, workflow, or data store created or adopted outside IT governance. In healthcare, the definition is broader than unauthorized apps. Shadow IT includes unofficial reporting pipelines built from exports, copy-paste processes, and personal drive storage that effectively replace governed reporting and analytics.

Paradoxically, highly regulated environments often create more shadow IT. When formal change processes are slow and rigid, teams do not stop needing answers; they simply find them elsewhere. Staff building parallel systems isn’t a character flaw; it is a predictable response to friction.
Across ambulatory settings, behavioral health programs, and value-based care (VBC) organizations, these homegrown tools manifest in high-risk patterns:
- Excel trackers: Used to monitor referrals, prior authorizations, care gaps, and outreach attempts.
- Manual outcome dashboards: Built from EHR exports combined with payer rosters and manual adjustments.
- Offline audit sheets: Separate logs maintained to avoid missing strict program deadlines.
The problem is not that these tools exist; it’s that they are systemically relied upon for decisions, audits, and performance reporting while sitting outside the controls that healthcare compliance frameworks assume.
Why teams turn to Excel in the first place
Rigid EHR reporting structure – Many EHR report builders are designed around templates, fixed fields, and narrow use cases. A care manager’s question rarely matches the schema of a billing report. A quality lead’s question often requires combining clinical and operational context, which the reporting module was not designed to do.
One-size-fits-all dashboards that fit no one are another trigger. Dashboards look good in demos, but frontline leaders often need messy views: lists of patients with missing steps, lists of encounters with documentation gaps, or cohorts defined by operational events like missed appointments paired with clinical risk. When dashboards cannot be tailored quickly, teams build their own.
Long turnaround times for custom reports push people to self-serve. If IT takes weeks to deliver a report, the organization trains staff to work around IT. The work does not wait.
The biggest driver is the inability to combine clinical data, care coordination activity, and revenue and quality metrics in a single view. Those elements often live in different systems, or in different modules of the same system, with different identifiers and timing. Excel becomes the default integration layer because it can join tables, add notes, and deliver a “good enough” answer fast.
That is the empathy point. Teams choose Excel to solve real operational questions. The critique starts when the organization accepts the workaround as normal and forgets that the workaround is not controlled.
The hidden risks of Excel-based reporting
The convenience of using the familiar and quickly accessible Excel sheets in healthcare comes with some major risks that leaders can no longer ignore.

Operational risk: conflicting versions of truth
Operational risk shows up as inconvenience at first. Conflicting versions of truth are inevitable when the same dataset exists in multiple files with different assumptions. One spreadsheet includes patients attributed last month. Another includes patients attributed yesterday. A third has manual exclusions. When leaders make decisions using different versions of the same truth, meetings become debates about the spreadsheet, not the business.
Manual data refresh cycles create invisible time lags. A weekly refresh sounds reasonable until a payer deadline changes or a sudden staffing shortage makes the refresh slip. Then the decisions are based on outdated snapshots. That is how small process drift turns into missed targets.
The operational kicker is that Excel scales poorly with complexity. The more the organization grows, the more it relies on fragile individual knowledge. When one person who owns the spreadsheet goes on leave, the system has no resilience and it turns into a continuity problem.
Clinical and care coordination risks: falling through cracks
Care coordination is fundamentally longitudinal and spreadsheets are not designed for that. It is about what happened last month, what is scheduled for next week, what barriers exist, and what the care plan is trying to achieve. When those threads are broken into exports and spreadsheets, teams lose the ability to see the patient’s journey as a whole.
Disconnected views of care plans, outcomes, and follow-ups are common. Care managers might track outreach in a spreadsheet while clinicians update plans in the EHR. The result is mismatched reality. The spreadsheet says the patient was reached. The EHR shows no documented plan update. Or the plan was updated, but the spreadsheet lists the case as open. This is how patients fall through cracks that are created by tooling, not by intent.
Intervention effectiveness becomes almost impossible to measure when tracking is manual. Spreadsheets can show counts, but they struggle to answer causal questions like “did the outreach reduce ED visits” or “did follow-up after discharge reduce readmissions.” Those questions require consistent identifiers, timestamped activities, and repeatable cohort logic. Excel tends to replace those with manual notes and unstable filters.
Revenue and financial risk: the billion dollar leak
Revenue leakage often hides behind spreadsheets that seem to work. Missed charges often come from simple mismatches: a service is delivered, documented in one place, but the billing workflow relies on a separate tracker. If the tracker is incomplete, the service never becomes a claim.
Delayed or inaccurate reporting for payers is another risk. Value-based arrangements, quality programs, and managed care contracts depend on timely reporting. When reporting is built manually, the organization becomes vulnerable to delays, rework, and disputes. That is not only an operational issue. It is a financial one because payment is increasingly tied to performance proof.
The deeper financial problem is that spreadsheets mask error rates. In a healthcare context, research on spreadsheet errors has found high prevalence of material errors in real-world healthcare spreadsheets, with error rates that would be unacceptable in governed systems. The point is not that Excel is bad. The point is that unaudited spreadsheets in complex environments are statistically likely to contain errors, and those errors can become financial decisions.
Compliance and audit risk: auditability
Compliance risk is the one that can turn a “workaround” into a crisis. The issue is not that spreadsheets cannot be used in regulated environments. The issue is that spreadsheets are not built for auditability.
Lack of audit trails is the first weakness. When a regulator or payer asks, “Who changed this data, when, and why,” a spreadsheet rarely provides a reliable answer. Version control becomes a nightmare when files are emailed, copied, and edited by multiple people. Even cloud collaboration does not automatically create the kind of immutable audit evidence that audits expect.
This matters in behavioral health and program-heavy environments because reporting requirements can be frequent and strict. CCBHC quality measure reporting, for example, is built around defined templates and data submission expectations, and guidance has been updated to reflect measure changes. When reporting becomes a manual spreadsheet exercise, every submission cycle becomes a scramble, and every scramble increases the risk of errors or missing evidence. Payer audits and program audits ask “can you prove it” and that is a challenge with spreadsheets.
IT and security risk: the 2026 reality
Leaders often underestimate security risk until a breach occurs. In 2026, the average healthcare breach costs $7.42 million. A spreadsheet containing PHI that sits outside governed systems violates the HIPAA Security Rule regarding technical safeguards and access controls.
Spreadsheet sprawl across inboxes and desktops creates a distributed PHI repository with no central monitoring. As of 2026, the rise of shadow AI, where staff use unauthorized AI tools to summarize or analyze these very spreadsheets, has added an average of $670,000 to breach-related costs. Unmanaged PHI significantly increases your attack surface.
Why behavioral health and care coordination are hit hardest
Behavioral health and care coordination environments are structurally primed for Shadow IT because the work is multi-dimensional. Outcomes are not just clinical. They are functional, social, engagement-based, and program-specific. Program structures are complex. One client might be in therapy, medication management, case management, and community support. Reporting needs to reflect that reality.
The reporting burden is heavier too. Quality and regulatory reporting in behavioral health often involves templates and structured data-capture expectations. When EHR reporting cannot represent program structure cleanly, Excel becomes the default integration layer. Teams join data manually to create a view that reflects the patient’s real pathway.
Care coordination has a similar pattern. It requires combining disparate signals: appointments, outreach attempts, care plans, barriers, transitions, and utilization. If the reporting system cannot create a longitudinal, cross-functional view, care managers will build one. That is why Shadow IT tends to cluster around care coordination and behavioral health. The problem is hardest where the work is least reducible to a single data model.
How to eliminate shadow IT and improve auditability?
Questions to ask your team about Shadow IT are often more revealing than any formal audit.
- Ask where “the real numbers” live.
- Ask what reports people do not trust.
- Ask how many manual steps exist between the EHR and the report used in leadership meetings.
- Ask how PHI travels when staff need quick answers.
Early warning signs you are over-reliant on Excel are usually visible in daily operations.
- Multiple versions of the same report circulate.
- One person becomes a reporting bottleneck.
- Meeting time is spent reconciling numbers rather than making decisions.
- Staff talk about “the tracker” more than the system.
Evaluating platforms that reduce Shadow IT risk should focus on outcomes, not feature lists.
- Can the platform provide role-based, permissioned views?
- Can it support longitudinal views for care coordination?
- Can it produce audit-friendly evidence trails?
- Can it reduce the manual joins between clinical, operational, and revenue data?
- Can it be configured quickly enough that teams stop building parallel tooling?
What a shadow-IT-free reporting environment looks like
A Shadow-IT-free environment is an environment where spreadsheets are not the source of truth for regulated reporting, patient tracking, or financial decisions.
- Role-specific, permissioned views are a baseline. Operations should see operational data without exposing more PHI than necessary. Finance should see revenue integrity signals without needing raw clinical detail. Clinical leads should see longitudinal context without juggling exports. That is a permissions and design problem as much as a reporting problem.
- No-code report builders for operations and quality teams matter because they reduce the need for unofficial tooling. When leaders can answer questions quickly inside governed systems, teams stop building parallel pipelines.
- Longitudinal patient and program-level insights are the core value. If care coordination leaders can see care plans, outreach, and outcomes in one place, the spreadsheet becomes unnecessary. If behavioral health programs can see program-specific quality measures and cohort performance without manual joins, Excel stops being the integration layer.
- Built-in governance without slowing teams down is the hard part. The goal is not to create a new bottleneck. The goal is to let teams move quickly while still meeting the expectations of HIPAA safeguards and auditability.
Why reporting must live inside the EHR stack
Reporting is how an organization operationalizes its care and revenue. When it is external, it becomes detached and harder to govern.
Orchestration is the concept that connects systems without forcing a rip-and-replace. In practice, orchestration means creating a controlled layer that unifies clinical, operational, and financial data and makes it usable across roles. It also means managing the workflow logic that turns data into action, such as care gap alerts, referral follow-ups, and audit-ready documentation.
Integrated platforms replace spreadsheets without disrupting workflows when they meet two conditions. They respect the reality that organizations have multiple systems, and they provide configurable adapters/configuration without long custom development cycles. When those conditions are met, Shadow IT loses its purpose.
The blueBriX perspective: EHR for real-world reporting
A practical way to reduce Shadow IT is to give teams what they are trying to build in Excel, but inside a governed environment.
- Configurable, no-code reporting reduces reliance on custom development because operations and quality teams can shape views as needs change.
- Unified data across clinical, care coordination, and revenue workflows reduces the manual joins that often push teams into spreadsheets.
- Program-level performance tracking and quality reporting that aligns with real operational workflows.
In value-based care, the emphasis is on metrics that connect interventions to outcomes. These are the places where spreadsheet-based reporting tends to break first, which is why an orchestration approach has higher leverage.

The key design point is governance without friction: teams should not have to choose between speed and control. They should be able to answer operational questions quickly while maintaining clear ownership and auditability.
Ready to leave the spreadsheet spiral behind?
Stop letting fragmented data and manual workarounds dictate your operations. Discover how blueBriX can provide a governed orchestration layer that unifies your clinical, operational, and financial data without slowing your team down.