Viewpoint

E-Discovery - The New Reality

Sissy Holloman, University of North Carolina Hospitals
and
Sharon L. Klein, Pepper Hamilton, LLP

For many in the health care industry—particularly academic medical centers (AMCs)—the federal e-discovery rules highlight significant gaps in policy and procedure regarding extracting and preserving documentation pertinent to pending lawsuits. These rules create enhanced concerns regarding a new category of discoverable information—"electronically stored information" or ESI.

It's easy enough to see why discovery rules were changed to address ESI. Up to 90 percent of business records are created and stored electronically, and 30 percent of business records only exist in electronic format. An estimated 70 percent of companies use e-mail to negotiate contracts, and 63 percent of companies use e-mail to discuss human resources issues. Billions of business-related e-mails are exchanged daily.

Federal Rules Changes in Six General Categories

• Early Attention to E-Discovery Issues—Courts will address ESI discovery in the Rule 16 Scheduling Order. Initial disclosures will include a description of ESI and a discussion of any issues relating to discovery, including sources, systems, forms of production, and assertion of legal privilege after inadvertent disclosure.
• Reasonably Accessible—Parties are not required to produce documents that are not "reasonably accessible" because of undue burden or cost to produce.
• Privilege and Work Product Issues—Under the amendment, if a party inadvertently produces ESI that it later claims is privileged or attorney work-product, the producing party may request its return, sequester, or destruction.
• Interrogatories and Requests to Produce—The revised rules clarify that the option to produce business records in response to interrogatories includes the production of ESI. The producing party must identify the information, including metadata, to permit the inspecting party to locate and identify records.
• Sanctions—Sanctions may apply against those who cannot produce relevant documents. Absent special circumstances, sanctions will not be imposed if ESI is lost as a result of the routine, good-faith operation of the responding party's system.
• Litigation Hold—Policies and procedures must require the suspension of routine destruction of documents if necessary to comply with preservation obligations related to litigation (or anticipated litigation), via a "litigation hold."

So What's an Academic Medical Center to Do?

How an AMC responds to e-discovery rules will differ based on the AMC's size, governance, priorities, and other factors that make it unique. The following is a basic list of questions and issues to be resolved, but you may want to generate your own list.

Initial Compliance Steps:

• Identify an initial diverse, multidisciplinary team.
• Identify your electronic systems, the types of information each system generates, and their capabilities for storage and retention.
• Determine what information your AMC feels must be retained and for how long.
• Determine who is affected-presumably everyone who has access to information.
• Determine which systems are affected-all electronic systems that house pieces of the designated record set (DRS) or other information pertinent to a lawsuit, including all record storage devices (e.g., PACS, X-ray, PDAs), e-mail, voicemail, instant messaging, pagers, metadata.
• Involve your legal counsel to understand the legal process, how discovery works, and the specifics of the rules.

"Reasonably Accessible" Information

• Determine which portions of your electronic information would be considered "reasonably accessible" for release, and which would not. This analysis includes a determination of cost and burden to produce.
• Determine which information can be produced in the form it is ordinarily maintained, and which can be produced in a form reasonably usable.

What Must be Retained and for How Long

• Once you determine-based on the capabilities of your systems-what can be retained, you should differentiate between what must and what should be retained.
• Compare how long such information must be retained to how long your systems can retain it. If a system can't retain its information for the required period, you should determine if additional software or a new system is warranted, or if the information cannot be retained, should it be deleted.

Policy Considerations

• Define for your AMC what is part of the DRS for HIPAA purposes, who should be contacted to obtain each piece, and what will be the legal record for disclosures.
• Ensure your release of information policy addresses all systems housing the DRS. It must designate what can and cannot be released, address electronic as well as paper records, and indicate the format in which information is released.
• You should develop a comprehensive record retention/destruction policy and determine how long each type of information should be retained. Include in your analysis legal, patient, and business considerations.
• Consider the possibility that media used for record storage can deteriorate. Require data to be retrieved in an acceptable timeframe and format.
• For disaster recovery, determine what information is necessary from each system and ensure that the information can be recovered if it is inadvertently destroyed. Consider additional software or a new system purchase.
• The policy should address when litigation will be deemed "reasonably anticipated," and should provide for education regarding a "litigation hold."
• Determine the types of information that may be legally privileged and which system houses this information, who will determine what is privileged, and who will review and approve release (or retention) of privileged information.
• Decide how long e-mail should and can be retained, and how retention is audited.
• Decide what types of information and discussions are appropriate for e-mail. You should include confidentiality and litigation considerations. Answering these questions and developing a sound information policy are just the beginning of addressing the ramifications of ESI. Education about your policies (especially for physicians and others with significant time constraints) is crucial, as is auditing compliance. However, working with legal counsel and information managers, AMCs can get on track for proper management of ESI.

Answering these questions and developing a sound information policy are just the beginning of addressing the ramifications of ESI. Education about your policies (especially for physicians and others with significant time constraints) is crucial, as is auditing compliance. However, working with legal counsel and information managers, AMCs can get on track for proper management of ESI.