November 7, 2011
Discovery Processes in the Electronic Age
By Elizabeth S. Roop
For The Record
Vol. 23 No. 20 P. 20
EHRs add a layer of complexity that smart organizations will address well before requests arrive.
EHRs may be driving improvements in clinical workflows and care quality, but the same cannot be said of their impact on hospital processes for responding to subpoenas and other legal discovery demands. If anything, the growing prevalence of EHRs has created entirely new headaches when it comes to compliant electronic discovery.
“It definitely is more complicated,” says Debra S. Nelson, RHIT, corporate privacy officer for Trinity Health in North Dakota. “The simple questions suddenly become more muddied and you have to think about them a little differently.”
For example, the question of whether a record is complete is complicated by the fact that bits and pieces of data are scattered across multiple IT systems, mobile devices, etc and exist in multiple formats. Because images and reports may be coming into the EHR from partner facilities and telemedicine consultations that impact data ownership, it is often difficult to determine a record’s custodian.
Then there is the question of what exactly makes up the legal medical record. Depending on where a hospital is in its transition to EHRs, the legal record could actually be a hybrid of paper and electronic files. It may also include items such as electrocardiograms, scans, and fetal monitor strips.
“You have to take a look at all of these components and make sure how you are defining them from a legal and risk perspective is really how you want the record defined,” says Nelson. “For example, you may have quality forms in an electronic format that should not be part of the legal record, but because they are part of the electronic record, they could be subject to discovery unless you specifically have a law or policy that excludes them.”
These issues barely scratch the surface when it comes to identifying and resolving discovery challenges in the age of EHRs. The sheer complexity of the process is one reason many hospitals are ill-prepared to deal with it.
“Hospitals, like many other organizations, have been basically ignoring this whole issue. They wait until they get that subpoena or notice of deposition and then start scrambling. That’s the wrong thing to do,” says Steven J. Fox, a principal with Post & Schell, PC, who chairs the firm’s IT group and cochairs its data protection group.
Policies to Control Chaos
The right thing to do, according to Fox, is to have iron-clad policies in place that define the legal medical record and establish how and when data are saved or deleted. It is also crucial that the entire staff is aware of and adheres to these policies to avoid any unexpected surprises during e-discovery that could impact the outcome of any litigation.
“It’s OK to delete certain records based on federal and state law. What’s not OK is waiting until that notice of deposition comes in and having someone say, ‘We should be deleting a lot of these e-mails because they look bad,’” says Fox. “On the other hand, if they have a policy … that certain e-mails are automatically deleted after 90 days … don’t wait until there’s a problem with litigation and say, ‘We’ve never done that, so let’s do it now.’”
When it comes to defining the legal medical record and developing policies that dictate how it is maintained—in particular with regard to data retention—the best approach is a committee that includes representation from all departments involved in the creation, maintenance, storage, and deletion of any or all parts of the record.
At Trinity, which defines its legal medical record as any data that print from a patient’s EHR, the policy committee includes legal, HIM, privacy and security, EHR, and IT. Each of these departments brings a specific knowledge regarding the medical record and the IT system that is crucial for ensuring the creation of a comprehensive retention policy.
For example, EHR, IT, and HIM contribute expertise specific to the definition and management of metadata, which are typically requested as part of e-discovery. Major metadata are the date-and-time stamp reflecting a record’s creation, the author’s name, the date and time of any amendments or corrections, and the various versions resulting from those changes. Minor metadata include physician tables and the date/time a document entered the system interface.
“You especially need to know when metadata are purged out,” says Nelson. “You need to make sure major pieces of metadata are kept intact or, if not, that you can still go out and retrieve them in a format that will work.”
Other significant challenges a committee must address are determining the information’s origination, what formats it appeared in, and where it is going within the EHR. It’s a challenge exacerbated by the rise of mobile computing and the growing use of e-mail and instant messaging as primary forms of communication between physicians, patients, and clinical departments.
As a result of this trend, pieces of the legal medical record aren’t necessarily limited to the actual EHR system. They may be stored on smartphones, tablets, or thumb drives. They may also be backed up and stored off site. All these concerns need to be addressed in the e-discovery policy.
“You’ve got so many places where information originates that it’s really a significant problem just figuring out where this information is, what to do with it, and how to keep track of it. That’s the biggest issue,” says Fox. “This needs to be controlled by a policy.”
Backtracking to Create Order
In a perfect world, policies defining the legal EHR and data retention for e-discovery purposes would be developed before or in conjunction with system planning and implementation.
“That would make sense because that’s where you’re converting paper records to electronic. Or if you’re setting up a completely separate record, it’s a good opportunity to say, ‘This is what we had pre-EHR,’” says Fox. “It really should be part of the whole implementation. That way, as you’re implementing the system, you’ll be able to know where to look for all these things.”
Unfortunately, given the magnitude of EHR planning and implementation and the resources required to ensure it goes smoothly, e-discovery issues are pretty low on the priority list—if on the list at all. Plus, even with a “big bang” implementation, it’s highly unlikely that every department will be online at the same time.
That was the case at Trinity, which underwent a systemwide EHR rollout in 2006. According to Nelson, prior to implementation, it was difficult to define all the components of the electronic record or understand department-specific practices that could impact the final legal record. Attempting to set e-discovery policies into stone at that point would have been impossible.
“That would be ideal, but it really is tough to do,” says Nelson. “When one is going down that path … there are so many things just procedurally and politically to get the EHR up and running in all departments that when it comes to defining the legal EHR, you just don’t have enough information to make those decisions.”
Thus, many hospitals are forced to find a way to create order from chaos after deployment. And given the rapid rate at which new data are created and exchanged, it’s a situation that can quickly spiral out of control.
That is when some facilities find it beneficial to bring in an outside vendor to help them ferret out all the data that exist within the system that they will likely be required to produce in e-discovery. In some cases, this can’t be done until old data are converted into a readable format.
“When data first gets created, it’s at their fingertips. But as time goes by, it fades into the infrastructure. IT is managing it to make sure the data is safe by making copies for disaster recovery and archiving it, so you have to go deeper and deeper into the system,” says Jim McGann, vice president of information discovery for Index Engines, which provides enterprise discovery solutions and cloud-based software to index, search, access, and manage data. “It’s not hard to execute policies. It’s hard to understand where the data are to apply those policies.”
According to McGann, a common problem for hospitals is retaining too much data for too long. In some cases, technology has advanced to the point where it is no longer possible to “see” what information backups and archives contain to determine whether they may be subject to e-discovery.
In other cases, the problem stems from IT and legal not communicating with each other about what needs to be retained, in what format, and for how long. Often, the data protection policies that IT follows conflict with proper legal procedures or they have not been updated to reflect changing compliance requirements.
“[Hospitals] have been burned many times in the past for getting rid of information that they shouldn’t have. They’re under the microscope, and they panic and save everything. This creates a liability. Plus, the volume of data itself is just too much. It’s not a good thing,” says McGann. “It’s not the policy; it’s how to apply the policy—especially if you think about a 10-year-old backup tape with no label. … They have no clue what is on it, but the data was held onto and secured in the repository. Data retention wasn’t well thought out because many regulations and requirements didn’t exist [at the time]. The game has changed and they have to restructure.”
Using an indexing service to extract and tag data is a cost-effective way for hospitals to see what they have and determine what needs to be retained and what needs to be purged. It also helps organizations better understand the kinds of electronic data they have so policies can be refined to streamline e-discovery.
The reality, says McGann, is that “more than 95% of data is stuff that doesn’t need to be kept. It’s all about separating the useful from the irrelevant. … There are people who can help [hospitals] do this. There is a path to solving the challenge and doing it so it’s in line with all the policies.”
An Orchestrated Response
In addition to knowing where data subject to e-discovery reside and having clear retention policies, healthcare organizations must create procedures dictating how e-discovery is processed. In particular, hospitals should have an organizational structure that clearly defines who is in charge of receiving the request and who is responsible for handling information collection.
As with policy development, these procedures are best designed and carried out by committee—a sort of formal response team for litigation—that at minimum includes representation from legal, IT, and medical records. This committee should meet on a regular basis to review existing policies and refine them as necessary.
This way, “When notice comes in, they are not scrambling. Everyone knows who gets it because it is in the policy. They can immediately act on it,” says Fox.
Also imperative is that the policies and procedures be disseminated to all employees who may need to know what to do when a record is placed in litigation hold, meaning it cannot be changed in any way.
“The time to teach people is not after the fact but well before anything happens,” says Fox. “Every hospital should have something in place right now to deal with these issues. … It’s much better to spend a little bit of money and time up front so it will be relatively easy to comply and everyone will know their job and what to do.”
Nelson concurs, noting that ignoring the issue until notice is received will serve only to expose the facility to significant legal risk. As the volume of data increases and the systems and devices used to access that data multiply, hospitals without airtight e-discovery policies and procedures in place will find out the hard way that the cost of noncompliance is far higher than the price of prevention.
“Because of the cause of e-discovery, we want it to go away. We want to believe our whole mission is to treat people in wellness or sickness, that HIM holds the legal record, and everything is puppies and rainbows,” Nelson says. “But in the real world we have e-discovery. It’s not going away. … It is very complex with lots of moving parts.”
— Elizabeth S. Roop is a Tampa, Fla.-based freelance writer specializing in healthcare and HIT.