M.D. News (Republished in the Foster Swift Health Care Law Report)
April 2008
The rapid growth of information technology in health care has transformed medical practice in the past decade. Not surprisingly, the massive amounts of information contained in electronic medical records, computerized billing and practice systems, email servers, and similar repositories have also become part of the litigation landscape affecting physicians and other healthcare professionals.
As a part of basic risk management, it is advisable to take appropriate steps to ensure proper management, retention, retrieval and disclosure of "electronically stored information" ("ESI"). The process is not unduly burdensome and is well worth the effort.
Waiting until litigation is a risky and unnecessarily expensive strategy. Multimillion dollar lawsuits have been lost in federal court due to inadequate retention and production of electronic files. On a more practical basis, the costs of responding to requests for ESI can be considerably lower when proper management policies are routinely followed.
1. Conduct an inventory of the electronic information used in clinical practice and business operations.
The first step is determining what kind of information is collected and kept, how and where it is stored, and how it is backed up. Most physicians are surprised by the types and locations of ESI disclosed by a thorough inventory and by the volume of digital information about patients housed outside the legal medical record.
Physician practices may have electronic medical records, billings and claim information, patient information management systems, laboratory and diagnostic data, application-specific data, dictated transcription, practice management records, correspondence and e-mails, voicemails, etc. ESI can be stored on individual and networked computers in the office, remote networks and servers, computers at other locations, portable devices, backup and archival systems, and third-party sites.
2. Develop, document and implement retention and destruction policies for electronic information.
Both the current federal and proposed Michigan court rules provide "safe harbor" protections for organizations with established policies and practices for retention and destruction of ESI. Developing proper retention policies requires consideration of clinical, business and legal requirements. In particular, any policies must comply with federal and state provisions governing electronic protected health information. Special attention should also be given to policies governing email usage and retention. Industry studies indicate that 15% to 20% of a healthcare provider’s emails contain personal health information.
An important requirement of the e-discovery rules is the duty to preserve ESI and suspend any routine file deletion procedures when a person reasonably knows or anticipates that the information could be material to a potential legal action. A policy should be in place to determine when and how to enforce "litigation holds."
In order for these policies to be effective, it is essential to document the specific procedures, educate the involved personnel, and monitor compliance on a regular basis.
3. Adopt policies and procedures for retrieving and producing electronic information in litigation.
Once appropriate management and retention policies are in place, the next step is preparing for effective retrieval and production of ESI. A physician practice must be able to properly respond to subpoenas for patient information. It must also be prepared to search for, identify and produce ESI required in litigation. The responsibility for responding to these requests should be assigned to specific individuals. Well-defined and effective search and retrieval procedures should be documented and followed.
While preparing for the prospect of litigation is never a welcome task, a common sense approach to managing ESI combined with the establishment of proper policies and procedures can go a very long way toward protecting a physician’s practice.