Month: February 2013

Ineffective eDiscovery Processes Raise the Cost of Healthcare

Bill Tolson eDiscovery, Information Management, Technology , ,

Healthcare disputes arise for many reasons.  Healthcare providers challenge payors’ claims policies, practices and actual payments.  Health insurance beneficiaries and healthcare providers dispute coverage decisions by payors.  Patients file malpractice claims when the end result of a medical procedure doesn’t meet their expectations. Healthcare disputes can lead to litigation which also leads to eDiscovery. Healthcare eDiscovery can be complex and burdensome due to the myriad formats used as well as the data security requirements imposed via federal and state regulatory requirements.

New healthcare information management requirements are changing the way healthcare organizations evolve their enterprise infrastructures as new regulatory requirements direct how information is created, stored, shared, referenced and managed. As new information governance technology is adopted and changes how patient and business records are utilized, healthcare providers as well as healthcare payors and suppliers will have to change and adapt how they respond to eDiscovery.

Healthcare eDiscovery Key Requirements and Recent Developments

The 2006 amendments to the Federal Rules of Civil Procedure (FRCP) established that all forms of ESI are potentially discoverable if not deemed privileged or heresy by the Judge, and apply to all legal actions filed in federal courts on or after December 1, 2006. Under the FRCP, any information potentially relevant to the case, whether in paper or electronic format, is subject to an eDiscovery request. Many states have adopted the federal rules of civil procedure in whole or in part with respect to defining what’s discoverable when it comes to electronic data.

The eDiscovery process for the healthcare industry is the same as for any other industry except that special care has to be taken with patient data. When attorneys do handle protected health information (PHI), they must be aware of state and federal legal ramifications of being exposed to this type of information. Failure to do so could lead to significant fines and damaged reputations stemming from the improper handling of PHI.

Effective Healthcare eDiscovery steps

eDiscovery is a complex process that requires a multidisciplinary approach to successfully implement and manage. Healthcare organizations should consider the following activities to successfully prepare for eDiscovery.

  1. Establish a litigation response team with a designee from the legal, HIM, and IT departments
  2. Review, revise, or develop an organizational information management plan
  3. Identify the data owners or stewards within the organization
  4. Review, revise, or develop an enterprise records retention policy and schedule
  5. Audit compliance with the records retention policy and schedule
  6. Penalize non-compliance with the records retention policy and schedule
  7. Conduct thorough assessment of the storage locations for all data including back-up media
  8. Review, revise, or develop organizational policies related to the eDiscovery process
  9. Establish an organizational program to educate and train/retrain all management and staff on eDiscovery and records retention compliance

The eDiscovery process is equivalent to searching warehouses, waste baskets, file cabinets, home offices, and personal notes to find that “needle in the haystack” that will help prove the other side’s claims. Healthcare organizations are finding it especially difficult to respond to and review the huge amounts of data due to additional healthcare specific data formats and regulatory requirements around patient privacy.

The huge expense of information review during litigation coupled with the high risk of enforcement action by regulatory authorities drives many legal professionals to seek a more proactive, defensible and cost efficient approach.

 

 

 

Coming to Terms with Defensible Disposal; Part 1

Bill Tolson eDiscovery, Information Management , , , , , ,

Last week at LegalTech New York 2013 I had the opportunity to moderate a panel titled: “Defensible Disposal: If it doesn’t exist, I don’t have to review it…right?” with an impressive roster of panelists. They included: Bennett Borden, Partner, Chair eDiscovery & Information Governance Section, Williams Mullen, Clifton C. Dutton, Senior Vice President, Director of Strategy and eDiscovery, American International Group and John Rosenthal, Chair, eDiscovery and Information Management Practice, Winston & Strawn and Dean Gonsowski, Associate General Counsel, Recommind Inc.

During the panel session it was agreed that organizations have been over-retaining ESI (which accounts for at least 95% of all data in organizations) even if it’s no longer needed for business or legal reasons. Other factors driving this over-retention of ESI were the fear of inadvertently deleting evidence, otherwise called spoliation. In fact an ESG survey published in December of 2012 showed that the “fear of the inability to furnish data requested as part of a legal or regulatory matter” was the highest ranked reason organizations chose not to dispose of ESI.

Other reasons cited included not having defined policies for managing and disposing of electronic information and adversely, organizations having defined retention policies to actually keep all data indefinitely (usually because of the fear of spoliation).

One of the principal information governance gaps most organizations haven’t yet addressed is the difference between “records” and “information”. Many organizations have “records” retention/disposition policies to manage those official company records required to be retained under regulatory or legal requirements. But those documents and files that fall under legal hold and regulatory requirements amount to approximately 6% of an organization’s retained electronic data (1% legal hold and 5% regulatory).

Another interesting survey published by Kahn Consulting in 2012 showed levels of employee understanding of their information governance-related responsibilities. In this survey only 21% of respondents had a good idea of what information needed to be retained/deleted and only 19% knew how  information should be retained or disposed of. In that same survey, only 15% of respondents had a general idea of their legal hold and eDiscovery responsibilities.

The above surveys highlight the fact that organizations aren’t disposing of information in a systematic process mainly because they aren’t managing their information, especially their electronic information and therefore don’t know what information to keep and what to dispose of.

An effective defensible disposal process is dependent on an effective information governance process. To know what can be deleted and when, an organization has to know what information needs to be kept and for how long based on regulatory, legal and business value reasons.

Over the coming weeks, I will address those defensible disposal questions and responses the LegalTech panel discussed. Stay tuned…

The Dangers of Infobesity at LegalTech

Bill Tolson eDiscovery, Information Management, Technology , , , , ,

LegalTech just concluded in New York and one of the popular hot buttons many vendors were talking about was the idea that too much corporate, especially valueless, ungoverned, unstructured information is both risky as well as costly to organizations… I agree. The answer to this “infobesity” (the unrestricted saving of ESI because storage is supposedly cheap and saving everything is easier than checking with others to see if its ok to delete) is a defensible process to systematically dispose of information that’s not subject to regulatory requirements, litigation hold requirements or because it still has business value. In a 2012 CGOC (Compliance, Governance and Oversight Counsel) Summit survey, it was found that on the average 1% of an organization’s data is subject to legal hold, 5% falls under regulatory retention requirements and 25% has business value. This means that 69% of an organization’s ESI can be disposed of.

Several vendors at LegalTech were highlighting Defensible Disposal solutions, also known as defensible disposition and defensible deletion, as the answer to the problem of infobesity. Defensible Disposal is defined by many as a process (manual, automated or both) of identifying and permanently disposing of unneeded or valueless data in a way that will standup in court as reasonable and consistent. The key to this process is to be able to identify valueless information (not subject to regulatory retention or legal hold) with enough certainty to be able to actually follow through and delete the data. This may sound easy… its not. Many organizations are sitting on huge amounts of data because their legal department doesn’t want to be accused of spoliation, so has standing orders to “keep everything forever”. Corporate legal has to be convinced that the defensible disposal processes and solutions billed as being the answer to infogluttony can actually tell the difference, accurately and consistently, between information that should be kept and that information that’s truly valueless.

To automate this defensible disposal process, the solution needs to be able to be able to understand and differentiate content conceptually; that an apple is a fruit as well as a huge high tech company. The automated classification/categorization of content cannot accurately or consistently differentiate the meaning in unstructured content by just relying on keywords or simple rules.

An even less consistent approach to categorization is to base it on simple rules such as “delete everything from/to Bill immediately” or “keep everything to/from any accounting employee for 3 years”. This kind of rules based retention/disposition process will quickly have your GC explaining to a Judge why data that should have been retained was “inadvertently” deleted.

To truly automate disposal of valueless information in a consistently defensible manner, categorization applications must have the ability to first, conceptually understand the meaning in unstructured content so that only content meeting your intended intentions, regardless of language, is classified as “of value” to the organization not because it shares a keyword with other records but because it truly meets your definition of content that needs to be kept. Second, because unstructured data by definition is “free-flowing” (not structured into specific rows and columns) extremely high categorization accuracy rates and defensibly can only be achieved with defensible disposal solutions which incorporate an iterative training processes including “train by example” in a human supervised workflow.