Navigate the E-Discovery Maze
By Elizabeth S. Roop
For The Record
Vol. 21 No. 4 P. 14
Paper? That’s relatively easy to keep tabs on. Electronically generated information? That’s a different animal, one that needs its own task force.
Complying with e-discovery requirements under the Federal Rules of Civil Procedure is a question of when, not if, for most healthcare organizations. Yet many continue to struggle with establishing the protocols and policies that will allow them to efficiently respond to discovery requests in a rapidly expanding electronic healthcare environment.
“Most healthcare facilities are dealing with huge volumes of information, and when you add to that the fact that there is a lot more remote access available, it is difficult to know what you have to be able to do to gather it,” says Joan W. Feldman, JD, a partner with Shipman & Goodwin LLP in Connecticut. “Traditionally, when you had a paper request, you knew where to find that paper. Now, it’s not all within your control physically. The biggest challenge is that you don’t know what’s out there. It’s like trying to prove a negative.”
Striving for Clarity
In an attempt to clarify the discovery process for electronically stored information, the Federal Rules of Civil Procedure were amended in 2006 to require its inclusion in any discovery disclosures and responses. The new regulations go beyond information stored in electronic medical records and other health information systems to include any electronic data, including e-mail and instant messages.
E-discovery is also no longer a primarily federal issue. Fourteen states have adopted e-discovery rules that are similar or identical to those at the federal level.
“You’ll also find e-discovery in other government language, like tax regulations, so it’s already out there,” says Sandra Nunn, RHIA, CHP, MA, enterprise content and information manager at Presbyterian Healthcare Services in Albuquerque, N.M. “There isn’t an organization that is not affected by tax regulations. It’s unrealistic to think you can dodge the e-discovery bullet.”
That is why healthcare organizations are—or should be—taking a close look at their information management practices related to data access, use, disclosure, retention, and litigation hold to ensure they are positioned to comply with inevitable e-discovery requests.
One of the first things they’ll find in their review is that e-discovery entails a greater volume of information than its paper counterpart—information that comes in multiple forms and from multiple sources.
“From a practical standpoint, the volume with e-discovery is much greater. E-documents can be more easily duplicated, including e-mail communications, which have been at the forefront of e-discovery as the [form of] communication that has replaced phone calls and written correspondence,” says Mary-Jo Rebelo, Esq, director and shareholder in the litigation department of Pittsburgh-based Houston Harbaugh, PC and a member of the firm’s executive committee. “A document encompasses many more things now than [before] e-discovery—e-mail communications, voice mail, instant messaging. You have so many different sources of information now. You can’t just ask where to look for documents. … Now it’s with individuals, as well as on devices.”
In other words, while it was once possible to find whatever documentation was required in filing cabinets and desk drawers, today’s information is also likely to be found on laptops, cell phones, BlackBerrys, and PDAs. Exacerbating the problem is the popularity of telecommuting and providing remote access to company networks and systems. As a result, “Even a home computer may have business-related information on it,” says Rebelo.
The electronic environment and amended e-discovery regulations have also given new importance to the role of metadata—information trails embedded in every electronic document that map out everything from creation and edit dates to recipient, view, send, and access histories.
“That metadata gives us information that we never had before and wouldn’t have had in the paper world,” says Jonathan Sablone, a partner with the U.S. and international law firm Nixon Peabody LLP who cochairs its Alternative Investment Litigation Team and leads the firm’s E-Discovery Committee. “More importantly, I can sift through it electronically. If you have a file that someone e-mails to 20 people, then gets forwarded to another 20 and replied to, in the old paper world, you’d have to review that e-mail a thousand times. With metadata, you can collapse it into one e-mail with a history chain. It saves a lot of time.”
At the same time, metadata can cause headaches and legal complications when proper protocols for responding to an e-discovery request have not been implemented. For example, if in response to an e-discovery request, an employee forwards all relevant e-mails to his or her supervisor, metadata could be considered spoliated (the legal term for intentional destruction, alteration, or concealment of evidence) because by opening and/or forwarding the e-mail, the metadata have been altered.
“It’s important that the protocols are in place to retain and manage [data] but also so that collection can be done in a forensically sound way,” says Sablone. “It all starts with data management and retention. That’s where an organization needs to begin. Once you get a discovery request in litigation, you’re at the mercy of what systems were in place. At that point, it’s too late” to make changes.
Establishing the Team
To effectively and efficiently manage compliance with e-discovery regulations, healthcare organizations must establish clear-cut policies that address the following key areas:
• discovery and disclosure;
• retention and destruction;
• litigation hold or preservation order;
• spoliation; and
• disaster recovery.
Doing so will require a team effort that combines the expertise of, at minimum, clinical, executive management, finance, HIM, IT, legal, risk management, and compliance departments. Depending on the request and facility, other appropriate departments such as radiology, laboratory, and emergency services may also be involved.
By building an interdisciplinary task force that represents all the departments within which data that may be subject to discovery requests are captured and/or reside, an organization can break e-discovery compliance down into more manageable processes.
“I don’t think any one person or department can be responsible on its own,” says Feldman. “What a lot of institutions are doing, and what we support, is the concept of developing an e-discovery team that takes the iceberg and chips away at it to figure out who will respond when a request is presented.”
In “Litigation Response Planning and Policies for E-Discovery,” the AHIMA e-Discovery Task Force recommends establishing a multidisciplinary task force to serve as an organization’s litigation response team. This team should do the following:
• conduct an assessment of current practices;
• implement new policies and procedures to manage the e-discovery process;
• oversee the identification, preservation, search, retrieval, and production of electronic and other relevant information related to litigation;
• provide input to legal counsel about the forms, formats, methods, status, costs, location, and burden of production of information; and
• oversee the ongoing review, monitoring, and evaluation of the organization’s e-discovery processes.
The first task of the litigation response team is to analyze the issues, risks, and challenges confronting the organization in terms of complying with e-discovery requests. A significant part of that process is identifying the organization’s data, where they’re located, and who should be the official custodian.
“We like to designate data owners who are responsible for reporting to the electronic information team,” says Feldman. “Those individuals are responsible for implementing and maintaining those records and policies for their own area, so when there is a request, they can identify and control those records and get them to whomever needs to have them. The core group is different in every institution.”
That core group also differs from what it was in the paper world. In paper discovery, the official custodian was typically the HIM department. In the electronic environment, HIM may be designated as the official custodian of the patient record, responsible for its content and compliance management. However, the IT department may be the official custodian of the information system, including computers; servers; and backup, legacy, and voice systems.
“You have to examine what your core systems are that generate records, what [information] gets requested most frequently, and who the data owners are in those areas. That’s your team,” says Nunn.
Policies and Protocols
Understanding who the data custodians are and their responsibilities in the e-discovery process is critical to ensure that responses are handled in a timely and forensically sound manner. To that end, healthcare organizations need to establish specific policies and procedures governing their e-discovery response process, beginning with data management and retention.
Data management and retention policies should address two issues: what organizations are required by law to retain and what they want to retain based on business protocols.
The policy should establish the conditions and time periods for which all records, both electronic and paper, are stored, retained, and ultimately destroyed once they are no longer needed based on the legal and business requirements. It should also deal with protocols for data loss and disaster recovery.
“A record retention policy that is followed and updated regularly is paramount,” says Rebelo. “When and if you do find yourself in a litigation situation, if you don’t have the historic documents that are being requested but you can demonstrate to the courts that you have a policy in place that has been adhered to, you’re not going to get criticized by a court for failure to produce.”
That is why retention policies must also take into consideration any system upgrades or replacements that may affect the organization’s ability to access data collected and stored in earlier versions. In some cases, it may be necessary to maintain a license for earlier versions or obsolete applications to ensure that requests for older data can be addressed.
“You have to work with IT,” says Nunn. “Those records still have to be accessible. Where are they stored? Will you continue to pay for a license for your old system? You have to keep track not just of core systems but also of the other systems you’ll need to access.”
At Presbyterian Healthcare Services, a process is in place that allows them to efficiently respond to any e-discovery request regardless of its origins. Among its established policies are the following:
• decommissioning policy that dictates when records are destroyed and IT support for older versions is turned off; and
• data loss policy that details its good faith practices in case information is lost.
The organization is also developing policies governing electronic signatures and legal hold. Additionally, it is planning to deploy an archive and e-mail/document management solution that will allow enterprise-level searches of all information in Presbyterian’s core and noncore systems.
“One of the things you have to do, and HIM needs to be involved, is have an inventory of your systems. That is why HIM is joined at the hip with IT. [Together] they’ll know who the data owners are and what the IT support for the systems is,” says Nunn. “Healthcare organizations have been very focused on electronic health records, but there is a huge volume of information on paper and in smaller systems” that must also be accounted for.
To cover all the bases, the AHIMA e-Discovery Task Force also recommends organizations develop procedures governing the following:
• preservation and legal hold, which outlines the process for preserving paper and electronic information when there is a reasonable anticipation of litigation to guard against spoliation;
• production and disclosure, which outlines the steps for disclosure of records related to a legal proceeding; and
• preparation for a pretrial conference, which outlines the steps to complete prior to legal counsel attending a pretrial conference, the goal of which is to ensure that the organization is adequately prepared, has researched key issues that will be addressed, and understands what it is agreeing to in the discovery plan and the impact on pretrial activities.
The Technology Question
As is often the case in today’s electronic healthcare environment, the right technology can make all the difference. With so much of the required information already residing in databases on systems that are often linked to each other, many healthcare organizations already have what they need to collect and preserve data at the front end.
The challenge comes with retrieving that information in a forensically sound way that doesn’t disrupt the regular workflow.
“They can grab backup tapes, which can be costly and time consuming,” says Sablone. “We usually recommend a digital archive system or some type of electronic method for collecting data remotely from hard drives and to make sure on the server side that they have an archive [process], so they can collect data with no downtime.”
For individual hard drives, Sablone recommends a system that allows remote imaging, so the process can be completed overnight or at a time when it will not be disruptive. Remote imaging also protects data that might be needed in a lawsuit from being deleted.
The key is to apply a combination of protocols and technology in a way that allows e-discovery response to take place faster, easier, and less expensively.
“You can almost take the human being completely out of the process because you can do it remotely,” says Sablone. “What we’ve been finding, though, is that it can be a hard sell because most companies love the idea, but when you start talking about upgrades, you end up in a war over whose budget it comes out of.”
He notes that the process will typically involve the business unit, IT, and legal. The IT group will often have other budget priorities, while the business unit does not recognize e-discovery as a process in which they are involved. Legal, on the other hand, will often push back with the argument that they can complete the process without the benefit of new technology.
If a middle ground is not found, the end result will often be a system that is ineffective. That, in turn, increases the organization’s liability and costs.
“At this point, if you’re a healthcare organization and you’re flying blind, you’re way behind the curve. Most federal judges have been relatively lenient with companies that have been working through this, but as we get further along, they will be less lenient,” says Sablone.
— Elizabeth S. Roop is a Tampa, Fla.-based freelance writer specializing in healthcare and HIT.