INTRODUCTION

When the threat of litigation or government investigation arises, a health care provider faces the dual challenge of complying with state and federal discovery rules by timely issuing a litigation hold and complying with stringent regulatory requirements for patient privacy and security. When addressing these issues, the efficacy of the health care provider's data management often is placed in stark relief. For general counsel to sleep well at night, a plan should be in place to preserve data and implement a litigation hold that also recognizes data management issues and confidentiality concerns.

I. THREE NIGHTMARES (THAT DON'T HAVE TO BE): DATA MANAGEMENT, PATIENT CONFIDENTIALITY, AND DISCOVERY OBLIGATIONS

A. Data Management Is a Growing Area of Concern for Health Care Providers

The volume of data is growing. Ninety percent of the data in the world were created in the past two years.1 For most organizations, data double every 18 to 24 months.2 The majority of these newly created data are stored electronically. In 2003, 92 percent of new data were electronically stored, and only 0.01 percent of new information was stored in paper.3 Today, nearly all businesses create, manage, and store a wide variety of electronic data that includes e-mails, reports, documents, spreadsheets, databases, calendars, voicemails, faxes, and instant messages.

Health care providers have been specifically incentivized to create electronic records by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009.4 The HITECH Act sought to improve health care delivery and patient care in part by hastening the nationwide development of electronic health record (EHR) technology. An EHR is a health care record that is kept in an electronic format on a computer, and includes a patient's health information together with documents accumulated by the patient from visits to other health care providers over time.5

Some EHRs also may include audio files from dictation and free text from transcription of handwritten notes. As the volume of data grows, health care providers face the task of finding sufficient storage space for these electronic data while still being able to locate files and meet regulatory requirements. In addition, the volume of data at issue is the factor that has the greatest impact on the potential cost of e-discovery.6

B. Patient Health Data Must Be Retained Confidentially

Health care providers also must meet regulatory requirements that govern access to this growing mountain of data. Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA),7 known as the administrative simplification provisions, requires the establishment of national standards for electronic health care transactions. Under the requirements of Title II, the Department of Health and Human Services promulgated five rules regarding administrative simplification, including the Privacy Rule and the Security Rule.

The Privacy Rule establishes national standards for the protection of health information and outlines who can access personal health information.8 The Privacy Rule permits disclosure of otherwise protected health information in the course of judicial or administrative proceedings if disclosed in response to a court order, grand jury subpoena, administrative request, or civil investigative demand.9 Disclosure is permitted in response to a subpoena or discovery request of a party when (1) the individual who is the subject of the protected health information has been given notice of the request or (2) there is a qualified protective order in place.10

The Security Rule puts into operation the protections of the Privacy Rule by addressing safeguards that covered entities must put into place to secure electronic protected health information.11 The Security Rule requires administrative, physical, and technical safeguards for limiting access to electronic data.12 Relevant to this discussion, the Security Rule requires that personal health information must be readily available and retrievable.13 The Security Rule also requires disaster planning and backup of data.14 All health care providers must be able to comply with these regulations, even as the volume of data grows.

C. When They Arise, Discovery Obligations Must Be Met

A health care provider also must comply with the obligation to identify, locate, and preserve data. This duty arises when litigation or government inquiry is reasonably anticipated, threatened, or pending.15 This duty to preserve stems from the common law duty to avoid spoliation of relevant evidence for use at trial.16 Once this duty arises, a party "must suspend its routine document retention/destruction policy and put in place a 'litigation hold' to ensure the preservation of relevant documents."17

The most common events that ordinarily give rise to the duty to issue a litigation hold in the health care field are:

  • Pre-litigation discussions with an opposing party or their counsel
  • Receipt of a demand letter
  • Receipt of a subpoena
  • Receipt of a complaint
  • Inquiry from the state or federal government or regulatory agency
  • The receipt of a civil investigation demand
  • Contemplation of federal investigation or inquiry

Although procedures for implementing a legal hold are not explicitly outlined in the Federal Rules of Civil Procedure, the rules provide an outside boundary for the time by which issues concerning the implementation of the litigation hold should be discussed with opposing counsel. Rule 26(f)(2) provides that the parties must meet to confer about any issues about preserving discoverable information at least 21 days before the Rule 16(b) conference. The Rule 16(b) conference must take place within the earlier of 120 days after any defendant has been served with the complaint, or 90 days after any defendant has appeared. Thus, the litigation hold must be in place and any issues with preservation identified within approximately three months of the time the complaint was served.

If a health care provider does not have a litigation response plan that can identify, locate, and preserve data quickly, it will need to promptly create one when litigation is threatened.

II. BEST PRACTICES FOR IMPLEMENTING A LITIGATION HOLD IN VIEW OF DATA MANAGEMENT ISSUES AND PATIENT CONFIDENTIALITY CONCERNS

Given the nature of their business, health care providers are likely to receive threats of litigation or investigation that range from collections issues, payment issues, and employment matters to medical malpractice allegations and regulatory issues. Litigation becomes a matter of not if, but when. So when the health care provider receives a threat of litigation, what should it do to preserve data and implement a litigation hold, in view of data management issues and patient confidentiality concerns?

A. Determine What Data Potentially Are Relevant

The duty to preserve is a duty to preserve all potentially relevant information related to the threatened litigation.18 This includes retaining documents that the health care provider knows, or reasonably should know, are relevant in the action, are reasonably calculated to lead to the discovery of admissible evidence, are reasonably likely to be requested during discovery, or are subject to a pending discovery request.19 Exactly what documents should be preserved will depend on the case. General counsel should meet with outside counsel to discuss the parameters of the threatened litigation or investigation to make that determination.

B. Determine Custodians of Relevant Data

A proper litigation hold is targeted to the custodians of potentially relevant data. General counsel and outside counsel should discuss who potential custodians are. First, general counsel or outside counsel will need to determine the people who have direct involvement or knowledge of the events surrounding the threatened litigation or government inquiry. Interviews may need to be completed to determine who these individuals are.

Second, general counsel or outside counsel will need to determine whether additional persons are data custodians, or have the responsibility to create, manage, or preserve specific types of records. This may include IT employees, or managers of a business area.

Finally, general counsel or outside counsel must find out if any contractors or third parties handle relevant data. This may include contractors that handle off-site data storage, computer systems, or files. The obligation to preserve data exists, even if the management and possession of data is contracted out to a third party, as long as the organization maintains authority or control over the data.20

The potential custodians then should be interviewed to determine if they are in fact custodians of potentially relevant data. Custodians of potentially relevant data should be asked about what types of potentially relevant data they have, and where it may be located. "Once a 'litigation hold' is in place, a party and [its] counsel must make certain that all sources of potentially relevant information are identified and placed 'on hold,' " which will "involve communicating with the 'key players' in the litigation in order to understand how they stored information. . . . Unless counsel interviews each [player], it is impossible to determine whether all potential sources of information have been inspected."21

C. Determine What Data Custodians Have and Where It Is Located

To properly implement a litigation hold, general counsel and outside counsel must know what data the custodians have and where it is located. To make this determination, the best practice is to create a litigation response team that includes outside counsel, general counsel/risk management, and IT. While custodians should be interviewed about what potentially relevant data they have, they may not know exactly how it is backed up and where it is located. The litigation response team's task is identification of the data custodians have, confirmation of where the data are located, and identification of what systemic changes must be made to preserve data.

First, the litigation response team should identify where the custodians' potentially relevant data, in all sources and formats, are stored in active systems, legacy data systems, archival systems, back-up media, portable systems, and third-party systems.22 Second, the litigation response team should identify where data are physically located. For example, are back-up tapes stored offsite? Are hard drives sent to storage?

Finally, the litigation response team should identify the organization's policies that are in place that affect data. For example, if the health care provider has a "retention policy" (a plan for regular data destruction) that affects relevant data, it must be suspended. If there is no retention policy, the litigation response team should ask if there are defaults in software for deletion, or informal policies for destruction. Software may have auto-delete features, IT systems may have a practice of overwriting tapes or hard drives, or a person's data may be deleted when that person leaves the organization. These defaults and practices that affect relevant data also must be suspended.

Ideally, the health care provider has an information governance system with a "data map" of the organization.23 An effective data map would provide the answers to the three questions a litigation response team must answer.

Ignorance of where data are located will not protect any organization that fails to fulfill its duty to preserve. In Coleman (Parent) Holdings v. Morgan Stanley, Morgan Stanley discovered additional e-mail back-up tapes from a certain time period months after the court had entered an agreed order compelling the production of electronic documents from that time period.24 In response to an adverse inference motion, Morgan Stanley argued that the tapes were not clearly labeled as to their contents and were not located where e-mail back-up tapes were customarily stored.25 The court granted the motion. It found that Morgan Stanley had to admit that it had not done a good faith search for the oldest e-mail back-up tapes.26 It issued an order that reversed the burden of proof for two claims and included a statement of evidence that Morgan Stanley's failure to produce e-mails was proof of a guilty conscience and was proof that punitive damages were appropriate.27 A data map, or thorough investigation by the litigation response team, will help avoid this result by aiding the organization in completing a good faith search for relevant data.

D. Create a Strategy for Managing Privacy and Regulatory Concerns

When interviewing custodians about the data they have, outside counsel should try to determine whether any data other than EHR contain personal health information. Even where there are company policies against it, personal health information still may be found in e-mail, instant message chat transcripts, dictation files, and other forms of data. Sources of data which may contain personal health information should be noted, so that the organization can assess compliance with the Privacy and Security Rules, and so that outside counsel can assess whether notice or a protective order will be required under the Privacy Rule when data are produced.28

In addition, outside counsel should make note of any potential violations of the Security Rule. For example, a custodian may assert that certain data are not readily accessible. While information that is not readily accessible may be protected from discovery under the Federal Rules of Civil Procedure,29 data with personal health information must be readily accessible under the HIPAA Security Rule. Another example is that questions to a custodian about the location of data or the work of the litigation response team may reveal that data are not properly physically safeguarded.30 Implementing a litigation hold may serve the dual purpose of a review of the organization's Security Rule compliance.

E. Implement a Tailored Litigation Hold and Stop Destruction

With these foundational tasks completed, outside counsel and the health care provider now can implement a litigation hold. There are five hallmarks of a properly implemented litigation hold. First, a properly implemented litigation hold should describe the matter at issue, instruct the custodian to preserve all relevant paper and electronic documents,31 and include examples of the types of information at issue and potential sources of that information.32 A litigation hold must instruct custodians on exactly what information should be preserved, rather than leaving custodians to decide on their own what to retain.33

Second, a litigation hold should plainly instruct custodians not to destroy documents. The consequences of noncompliance with the litigation hold and the duty to preserve should be outlined.34

Third, the litigation hold should outline a mechanism for collecting the preserved records. Every piece of data has "metadata," which is data about data. For electronic files, metadata may include a file's name, size, dates of creation, and dates of last access. If custodians receive a litigation hold and begin opening or printing electronic files with relevant data, they may change the metadata. If metadata are potentially relevant to the case, include instructions in the letter explaining metadata, and explain how all data will be collected so that metadata will be preserved. For instance, in some cases a self-collection software tool may be sent to the custodians. In other cases, a forensic collection may be required, and the custodians should receive instructions about scheduling that collection.

Fourth, consideration should be given to whether the litigation hold is in an e-mail, letter, or oral notice. Some courts, including the U.S. District Court for the Southern District of New York, have held that "the failure to issue a written litigation hold constitutes gross negligence."35 Other courts have held that sanctions may not be imposed where there is no written litigation hold as long as a party has implemented "the appropriate actions."36 Consider what is appropriate for your case in your jurisdiction.

Finally, the organization should consider requiring signed confirmation of compliance with hold notices from each of the custodians,37 or holding a meeting with custodians to go over the written notice and allow them to ask questions. Mere circulation of a litigation hold is not enough to meet the duty to preserve; rather, a party must take affirmative steps to make sure custodians comply with the hold and preserve relevant evidence.38 Signed confirmation of a hold or attendance at a question-and-answer meeting will confirm that custodians understood their preservation duties and obligations, in case the litigation hold is ever scrutinized by opposing counsel or the court.

F. Follow-Up to Implementation of the Litigation Hold

The litigation hold should continue to be monitored after it is implemented. Litigation is a long process, and investigations can be protracted. If the litigation hold is never mentioned again, custodians could think that the duty has been met and that data management can go back to "normal," leading to data destruction. The health care provider, with the assistance of outside counsel, should send reminders to custodians about the litigation hold. The hold also should be updated as the company learns more about the litigation or threatened inquiry. Custodians may need to be added or new sources of data identified.

Once a company no longer is required to preserve the information that was subject to the legal hold, the hold can be released, and all retention policies can go back to normal.

III. CONCLUSION: COST SAVINGS FOR THE FUTURE AND RESTFUL NIGHTS

Properly implemented, a litigation hold can lead to future cost savings for a health care provider. Identifying custodians and relevant data from the outset not only helps the health care provider avoid spoliation motions and their consequences, but also can assist with early case assessment and lead to a more targeted data collection if the case progresses. In addition, a health care provider can use the implementation of the legal hold as a way to spot-check Privacy Rule and Security Rule compliance.

Strong data management can lead to the efficient implementation of a litigation hold that complies with regulatory requirements. Weak data management can cause the health care provider to scramble when litigation arises. If properly prepared for, a litigation hold should not keep you awake at night.

Footnotes

1 DEIDRE PAKNAD & RANI HUBLOU, CGOC, INFORMATION LIFECYCLE GOVERNANCE LEADER REFERENCE GUIDE 5 (2012), available at https://www.cgoc.com/files/CGOC_ILG_LeaderReferenceGuide.pdf.

2 Id.

3 Milberg LLP and Hausfeld LLP, E-Discovery Today: The Fault Lies Not in Our Rules, THE FEDERAL COURTS LAW REVIEW (2011), available at http://www.fclr.org/fclr/articles/html/2010/Milberg-Hausfeld.pdf.

4 Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, 123 Stat. 226 (2009), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf.

5 Anna M. Bryan, et al., Electronic Discovery and Healthcare Litigation: Government Influence on Conversion to Electronic Health Records, and How It Has and Will Continue to Impact the Discovery Process, THE HEALTH LAWYER (October 2010), available at http://www.whiteandwilliams.com/media/site_files/42_EFB%20ELECTRONIC%20MEDICAL%20RECORD%20DISCOVERY%20ARTICLE.pdf.

6 Jeffery Fehrman and Eric Feistel, E-Discovery Research Roundtable: Buyers' Perspectives on Challenges and Solutions (EDRM White Paper, December 2010), http://www.edrm.net/resources/edrm-white-paper-series/e-discovery-research-roundtable-buyers%E2%80%99-perspectives-on-challenges-and-solutions.

7 Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996), available at http://attorneygeneral.utah.gov/cmsdocuments/HealthInsurancePortabilityandAccountabilityAct1996.pdf.

8 Summary of the HIPAA Privacy Rule, Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html (last visited Nov. 7, 2012).

9 45 C.F.R. § 164.512(e)-(f), available at http://op.bna.com/hl.nsf/r?Open=byul-927mzh.

10 Id. A qualified protective order prohibits the parties from using or disclosing protected health information for any purpose other than the litigation or proceeding for which the information was requested and requires that the protected health information be returned to the covered entity or destroyed at the end of the litigation. Id.

11 See Summary of the HIPAA Security Rule, Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html (last visited Nov. 7, 2012).

12 45 C.F.R. § 164.310 (physical safeguards), § 164.312 (technical safeguards), and § 164.314 (organizational / administrative safeguards), available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=29f78bb19361d59060658edf25c75b04&tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl.

13 45 C.F.R. § 164.308(a)(7), available at http://op.bna.com/hl.nsf/r?Open=byul-927n44.

14 Id.

15 See, e.g., Managed Care Solutions Inc. v. Essent Healthcare Inc., 736 F. Supp. 2d 1317, 1324 (S.D. Fla. 2010); John B. v. Goetz, No. 3:98-0168, 2010 WL 8754110, at *65 (M.D. Tenn. Jan. 28, 2010).

16 See, e.g., Silvestri v. General Motors, 271 F.3d 583 (4th Cir. 2001); Chambers v. NASCO Inc., 501 U.S. 32 (1991).

17 Zubulake v. UBS Warburg LLC (Zubulake V), 229 F.R.D. 422, 431 (S.D.N.Y. 2004).

18 Zubulake v. UBS Warburg, LLC (Zubulake IV), 220 F.R.D. 212, 217 (S.D.N.Y. 2003).

19 Id.

20 See Chura v. Delmar Gardens of Lenexa Inc., No. 11-2090-CM-DJW, 2012 WL 940270, at *7 (D. Kan. March 20, 2012) (holding that defendant nursing and rehabilitation center was required to obtain any responsive documents in the possession of its third-party IT service provider where defendant has authority or control over the documents); In re Flash Memory Antitrust Litigation, No. C-07-00086-SBA, 2008 WL 1831668, at *1 (N.D. Cal. April 22, 2008).

21 Zubulake V, 229 F.R.D. 422, 432 (S.D.N.Y. 2004).

22 This e-health records management checklist from the North Dakota Health Information Technology Advisory Committee is a helpful resource for locating possible forms and sources of health care provider data, http://www.healthit.nd.gov/files/2010/07/hit_e-health_records_management_checklist.pdf.

23 Information governance is a collaborative, multidisciplinary approach to implementing effective information management programs. Information governance teams typically include individuals from legal, IT, records management, compliance officers, and business department managers. Information governance teams often create and update "data maps." A data map catalogs the organization's records, including a description of data that are maintained, the location of the original data, the location of any replicated storage of data (such as backup systems), and the applicable data retention policies. A proactive company can find cost savings by creating a data map before a lawsuit is ever filed or threatened, keeping it current, and providing it to all outside counsel at the beginning of a case. When provided, outside counsel can use a data map to quickly triage the information to determine what data will be relevant, what data are irrelevant, and what potential preservation issues may be.

24 No. 03-5045, 2005 WL 674885, at *3 (Fla. Cir. Ct. March 23, 2005).

25 Id. at *4.

26 Id.

27 Id. at *5.

28 If litigation begins and a party sends a subpoena or document request for data that would include personal health information, have a procedure in place to make sure that the person whose health information is at issue has submitted a HIPAA release under the Privacy Rule. If not, outside counsel should discuss with the organization whether to seek a protective order to treat the information as confidential. Courts have been willing to craft protective orders that protect the privacy rights of nonparties even where disclosure is required. See United States v. Sutherland, 143 F. Supp. 2d 609 (W.D. Va. 2001).

29 Fed. R. Civ. P. 26(b)(2)(B).

30 For example, Blue Cross Blue Shield of Tennessee recently settled a case with HIPAA related to violations of the Privacy and Security Rules. BCBST had stored 57 unencrypted computer hard drives with personal health information in a leased facility in Tennessee, and the hard drives were stolen. Press release, Department of Health and Human Services, HHS Settles HIPAA Case with BCBST for $1.5 Million (March 13, 2012), available at http://www.hhs.gov/news/press/2012pres/03/20120313a.html.

31 Zubulake IV, 220 F.R.D. 212, 218 (S.D.N.Y. 2003).

32 The Sedona Conference Commentary on Legal Holds: The Trigger & the Process, 11 The Sedona Conference Journal 265, 283 (Fall 2010), available at https://thesedonaconference.org/download-pub/470.

33 John B. v. Goetz, No. 3:98-0168, 2010 WL 8754110, at *70 (M.D. Tenn. Jan. 28, 2010).

34 The Sedona Conference Commentary on Legal Holds, supra note 32, at 283.

35 University of Montreal Pension Plan v. Banc of America Securities, 685 F. Supp. 2d 456, 465 (S.D.N.Y. 2010), abrogated by Chin v. Port Auth. of New York & New Jersey, 685 F.3d 135, 162 (2d Cir. 2012) (rejecting the notion that a failure to institute a litigation hold is gross negligence per se, and instead finding that failure to adopt good preservation practices is one fact in the determination of whether discovery sanctions should issue).

36 Kinnally v. Rogers Corp., No. CV-06-2704-PHX-JAT, 2008 WL 4850116, at *7 (D. Ariz., Nov. 7, 2008).

37 The Sedona Conference Commentary on Legal Holds, supra note 32, at 283.

38 See 915 Broadway Associates LLC v. Paul, Hastings, Janofsky & Walker LLP, No. 403124/08, 2012 WL 503075, at *9 (N.Y. Sup., Feb. 16, 2012).
