Discovery requests for electronic data can be especially burdensome in healthcare because of the vast amount of data involved. Some patient information must be redacted.
• Avoid keeping data longer than legally required.
• Have a plan for preserving and accessing data.
• Compliance systems can bring business value.
Electronic discovery (e-discovery) is employed more and more by plaintiffs’ attorneys seeking large volumes of data, particularly for class-action lawsuits and similar large-scale proceedings.
E-discovery issues can be particularly challenging in healthcare, says Christopher J. Adams, JD, chief strategic counsel with the law firm of McDermott Will & Emery in Washington, DC. Preserving electronic data for discovery can be far more difficult than in the past, when records retention meant not throwing out an old file box of records.
“The scope of what a healthcare provider has to deal with is significantly larger than most corporate entities,” Adams says. “The first challenge is getting your hands around just how much data you’re dealing with.”
From there, the organization must have policies, consistent with state and federal law, on the retention of data not affected by a legal hold, he says. Other questions include who is custodian of the data, where it is being held, who is responsible for implementing a legal hold, and how data is controlled and accessed on nonemployee devices.
“Healthcare is a particularly risk-heavy area for e-discovery, compared to almost any other industry we deal with,” Adams says. “There are some healthcare organizations that handle this issue very well, but it’s a cost-benefit analysis that determines how well or how poorly most do with this. A program to save all this electronic data can cost a tremendous amount of money in software and people they have to hire.”
Create a Plan
Even without a robust records retention policy and staff for monitoring e-discovery, healthcare organizations should employ one or two people responsible for recognizing when a situation requires preservation of records and knowing how to conduct that process, Adams says.
“Having that game plan goes a long way toward compliance and mitigating the chance of getting a spoliation claim,” Adams says. “This should be a repeatable, well-defined process that specifies who is responsible for each step of the process. Having a plan on paper is one thing, but it’s not worth much if no one knows who is responsible and no one carries out the steps in the plan.”
Personally identifiable information (PII) can be problematic in e-discovery because, in some cases, it is difficult to remove and protect from view. The personal information must be redacted before providing data in e-discovery. Adams says that process can be difficult and time-consuming because of a lack of consistency in how it is recorded on forms, for instance.
Software can redact the PII, but a human eye is still required to go back and verify that all the data were removed properly, Adams says.
Data loss is another potential problem with e-discovery, Adams says. This becomes a bigger risk as healthcare organizations move more data management and storage to electronic systems, and particularly to cloud-based systems, he says.
“The need to maintain and save data in usable formats is becoming more challenging to healthcare providers,” Adams says. “If you have traditionally printed out ECG recordings and filed those paper records, maybe now it’s an electronic file that you can save as part of the patient file. But you can’t store data on these machines forever. Where that data goes and how it is accessed can become an issue in a legal hold.”
Don’t Keep Too Much
E-discovery in healthcare is subject to the same expectations and obligations as any other industry, notes Kelli Brooks, JD, global leader of forensic technology services and the partner-in-charge of forensic technology services practice in the Los Angeles office of professional services company KPMG.
The presence of PII does not change how the law requires discovery of data, Brooks says. Furthermore, many healthcare e-discovery requests will involve records containing a large amount of PII, she says.
“Typically we don’t see as much in the e-discovery space around how an individual was treated because those malpractice cases are handled individually rather than in a class-action suit,” Brooks says. “The broad class-action activity in healthcare has involved more medical devices or drug interactions, so those are going to look more at issues like vendor concerns, fraud, payment information, and financial audits.”
Complying with e-discovery can be expensive and tedious, but that is sometimes because healthcare organizations have too much data available, says Steven Stein, JD, a principal in KPMG’s cybersecurity practice, principal in the U.S. advisory services practice, member of the cyberservices team, and co-chair of KPMG’s privacy and information governance services practice in Chicago.
“Companies are amazing at retaining information, and they are terrible at deleting that information at the end of the retention period. As a result, the data is there when the discovery request comes in, and if it’s there, it may have to be produced,” Stein says. “Companies have to figure out a coherent strategy for not just maintaining the information but for deleting it at the appropriate time so that it has a proper and well-defined life cycle.”
There sometimes is a business need for retaining data past the legal requirement, but if you still hang on to it, “you’ve just broadened the pool of places you need to go to collect, process, and review data for production in discovery,” Brooks says. “The more data you have, especially when you didn’t need to keep it in the first place, the more complex and exponentially expensive your e-discovery gets.”
Supporting e-discovery does not have to be a system separate from other operations in the healthcare organization, notes Michael J. Boland, JD, firm-wide e-discovery manager with the Clark Hill law firm in Chicago. There is a business value beyond e-discovery compliance to the ability to access data rapidly and efficiently, he says.
“We are living now in the world of data analytics, which is all about improving our product and making ourselves better. Having access to that kind of data allows you to do that, so a process that ensures you can comply with electronic discovery requests doesn’t have to be just a straight cost resource,” Boland says. “You can look at it in terms of it being a data resource and look for the business value there rather than it just being something you have to put in place to protect yourself.”
• Christopher J. Adams, JD, Chief Strategic Counsel, McDermott Will & Emery, Washington, DC. Phone: (202) 756-8604. Email: firstname.lastname@example.org.
• Michael J. Boland, JD, E-discovery Manager, Clark Hill, Chicago. Phone: (312) 985-5519. Email: email@example.com.
• Kelli Brooks, JD, Global Leader of Forensic Technology Services and Partner-in-charge of Forensic Technology Services, KPMG, Los Angeles. Phone: (213) 533-3389. Email: firstname.lastname@example.org.
• Steven Stein, JD, Principal in U.S. Advisory Services Practice, Member of the Cyberservices Team, Co-chair of Privacy and Information Governance Services Practice, KPMG, Chicago. Phone: (312) 665-3181. Email: email@example.com.