What Should Be Keeping You Awake At Night: Litigation Holds In Health Care

INTRODUCTION

When the threat of litigation or government investigation arises, a health care provider faces the dual challenge of complying with state and federal discovery rules by timely issuing a litigation hold and complying with stringent regulatory requirements for patient privacy and security. When addressing these issues, the efficacy of the health care provider's data management often is placed in stark relief. For general counsel to sleep well at night, a plan should be in place to preserve data and implement a litigation hold that also recognizes data management issues and confidentiality concerns.

1. THREE NIGHTMARES (THAT DON'T HAVE TO BE): DATA MANAGEMENT, PATIENT CONFIDENTIALITY, AND DISCOVERY OBLIGATIONS

   1. Data Management Is a Growing Area of Concern for Health Care Providers

      The volume of data is growing. Ninety percent of the data in the world were created in the past two years.1 For most organizations, data double every 18 to 24 months.2 The majority of this newly created data is stored electronically. In 2003, 92 percent of new data were electronically stored, and only 0.01 percent of new information was stored in paper.3 Today, nearly all businesses create, manage, and store a wide variety of electronic data that includes e-mails, reports, documents, spreadsheets, databases, calendars, voicemails, faxes, and instant messages.

      Health care providers have been specifically incentivized to create electronic records by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009.4 The HITECH Act sought to improve health care delivery and patient care in part by hastening the nationwide development of electronic health record (EHR) technology. An EHR is a health care record that is kept in an electronic format on a computer, and includes a patient's health information together with documents accumulated by the patient from visits to other health care providers over time.5

      Some EHRs also may include audio files from dictation and free text from transcription of handwritten notes. As the volume of data grows, health care providers face the task of finding sufficient storage space for these electronic data while still being able to locate files and meet regulatory requirements. In addition, the volume of data at issue is the factor that has the greatest impact on the potential cost of e-discovery.6

   2. Patient Health Data Must Be Retained Confidentially

      Health care providers also must meet regulatory requirements that govern access to this growing mountain of data. Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA),7 known as the administrative simplification provisions, requires the establishment of national standards for electronic health care transactions. Under the requirements of Title II, the Department of Health and Human Services promulgated five rules regarding administrative simplification, including the Privacy Rule and the Security Rule.

      The Privacy Rule establishes national standards for the protection of health information and outlines who can access personal health information.8 The Privacy Rule permits disclosure of otherwise protected health information in the course of judicial or administrative proceedings if disclosed in response to a court order, grand jury subpoena, administrative request, or civil investigative demand.9 Disclosure is permitted in response to a subpoena or discovery request of a party when (1) the individual who is the subject of the protected health information has been given notice of the request or (2) there is a qualified protective order in place.10

      The Security Rule puts into operation the protections of the Privacy Rule by addressing safeguards that covered entities must put into place to secure electronic protected health information.11 The Security Rule requires administrative, physical, and technical safeguards for limiting access to electronic data.12 Relevant to this discussion, the Security Rule requires that personal health information must be readily available and retrievable.13 The Security Rule also requires disaster planning and backup of data.14 All health care providers must be able to comply with these regulations, even as the volume of data grows.

   3. When They Arise, Discovery Obligations Must Be Met

      A health care provider also must comply with the obligation to identify, locate, and preserve data. This duty arises when litigation or government inquiry is reasonably anticipated, threatened, or pending.15 This duty to preserve stems from the common law duty to avoid spoliation of relevant evidence for use at trial.16 Once this duty arises, a party "must suspend its routine document retention/destruction policy and put in place a 'litigation hold' to ensure the preservation of relevant documents."17

      The most common events that ordinarily give rise to the duty to issue a litigation hold in the health care field are:

      Pre-litigation discussions with an opposing party or their counsel Receipt of a demand letter Receipt of a subpoena Receipt of a complaint Inquiry from the state or federal government or regulatory agency The receipt of a civil investigation demand Contemplation of federal investigation or inquiry Although procedures for implementing a legal hold are not explicitly outlined in the Federal Rules of Civil Procedure, the rules provide an outside boundary for the time by which issues concerning the implementation of the litigation hold should be discussed with opposing counsel. Rule 26(f)(2) provides that the parties must meet to confer about any issues about preserving discoverable information at least 21 days before the Rule 16(b) conference. The Rule 16(b) conference must take place within the earlier of 120 days...