1 Volume 15, Number 1 Winter 2009 A risk management tool for the healthcare industry Perspectives E-Discovery and electronically stored information: friend or foe?
2 A risk management tool for the healthcare industry Perspectives E-Discovery and electronically stored information: friend or foe? Volume 15, Number 1 Table of contents E-Discovery and electronically stored information: friend or foe page 1 Case study page 5 Risk tips page 6 With the widespread use of computers at hospitals and their use in internal communications and clinical documentation, electronically stored information (ESI) has created many practical efficiencies while also compounding discovery headaches and distribution liability at an equally rapid rate. This article will define ESI, provide an analysis of the recent amendments to the Federal Rules of Civil Procedure that relate to ESI, and discuss the future of ESI for healthcare providers. I. What is ESI? ESI encompasses all information that can be read or stored in a digital format, including patient records, s, word processing files, web pages, financial reports/spreadsheets, scanned documents, audio files, video files, x-rays, MRIs, photographs and other digital images and information. Although ESI is usually accessible, searchable and provides an efficient means for updating records, it also poses numerous challenges during the discovery phase of litigation. Healthcare retention policies have traditionally focused on hardcopy materials, such as paper and microfilm. Today, the same information is often stored, distributed, and analyzed electronically. The ability to create and store electronic data and information has resulted in increased demands by litigants to preserve, retrieve and produce ESI, including metadata. Metadata includes information behind the scenes of the document. Examples of metadata include the time and manner of creation, when it was viewed, and when any modifications were made. Efforts to uncover ESI within the context of litigation are generally referred to as e-discovery, which encompasses the access, use, disclosure, preservation and handling in litigation of data and computer-generated documents that are transmitted, stored, and backed up electronically. Not surprisingly, the costs associated with e-discovery have tracked its proliferation in recent years. For example, the cost of e-discovery in commercial litigation in the U.S. was estimated at $700 million in 2004 with future costs increasing to of over two billion by i E-discovery requests may include requests for administrative data, personnel/employment data, insurance/health savings account data, financial data, commercial data, health information exchanges, health and medical records/films, claim data (employment, malpractice, commercial), clinical data, and quality data. i Leigh Jones, The Surging Evolution of E-Discovery, National Law Journal (Aug. 12, 2004). 1
3 Some of the e-challenges facing healthcare providers include: managing the storage, backup, and destruction practices for enormous amounts, types, and categories of data; determining the relevancy of requested information (particularly when programs are used that write over old information such that old information may still exist); determining all the places where the requested information may be stored; the improper disclosure of financial data and/or information protected by HIPAA; and the preservation of privilege. II. E-Discovery in the FRCP Recent amendments to the Federal Rules of Civil Procedure (FRCP) and the procedural rules of many states have specifically addressed the issue of ESI management and use in litigation. The FRCP govern the process and procedures for all civil lawsuits in the U.S. district courts. Although the FRCP apply to federal court cases, state rules tend to mirror the federal rules. On April 13, 2006, the U.S. Supreme Court approved amendments to the FRCP aimed at e-discovery. These amendments took effect December 1, 2006 and emphasized that ESI is discoverable and is required to be produced. Specifically, the amended rules provide that ESI may be the subject of a scheduling order and, if used in support of a party s claims or defenses, should be disclosed during the initial disclosure phase unless used solely for impeachment purposes. ii However, a party need not provide discovery of ESI from sources the party identifies as not reasonably accessible because of undue burden or cost. However, on motion to compel discovery, a court may order discovery from such sources if the requesting party shows good cause. iii Therefore, the burden is initially on the party objecting to the disclosure/production to demonstrate they complained of costs or burden, and then shifts to the requesting party to demonstrate good cause. The good cause analysis is a factored analysis that includes arguments relating to: the specificity of the request; the availability of the information from more easily accessible sources; the failure of the responding party to produce relevant information that is no longer easily accessible; the likelihood of finding relevant and responsive information that cannot be obtained from more easily accessible sources; predictions of importance and usefulness of the information; and the resources of the parties. ESI was also added to the FRCP business record production rules. It provides that if an answer to an interrogatory may be determined by examining, auditing, compiling, abstracting, or summarizing a party s business records (including ESI), the responding party may (1) specify the records that must be reviewed and (2) give the other party a reasonable opportunity to examine, audit, and copy the records. Importantly, the FRCP advisory committee has warned that when opting to permit the other party to inspect your ESI, you may be required to provide technical support, information on application software, and direct access to your electronic information system. iv When disclosing/producing ESI, the FRCP require that ESI be produced in the form that it is ordinarily maintained or in a reasonably useful form. Parties are not, however, required to produce the same ESI in more than one form. v ii FED. R. CIV. P. 16(b); 26(a)(1). iii Id. at Rule 26(b)(2). iv Id. at Rule 33(d). v Id. at Rule 45(d). 2
4 The automated deletion of ESI can be cause for a spoliation instruction. The Federal District Court for New Jersey addressed the issue of whether or not an adverse evidentiary inference was warranted where a defendant failed to place a litigation hold on ESI and the files were deleted in the regular operation of the system. It held [i]f a party has notice that evidence is relevant to an action, and either proceeds to destroy evidence or allows it to be destroyed by failing to take reasonable precautions, common sense dictates that the party is more likely to have been threatened by that evidence. vi Further, where a defendant failed to make a good faith search of ESI, intentionally withheld ESI, and made misrepresentations to the plaintiff and court regarding back-up tapes, sanctions of adverse inference and reversal of burden of proof were imposed. vii Therefore, when litigation is anticipated, healthcare providers should: (1) preserve ESI by suspending ordinary destruction practices; (2) identify and gather relevant sources of ESI; (3) process the collected ESI; (4) review the collected ESI; and (5) produce the data that is responsive and not subject to a claim of privilege or objection. Hospitals should not wait for requests for electronic information before developing a procedure to respond to such requests. An interdisciplinary committee with representation from senior management, legal counsel, health information management, and information technology should work together to develop an e-discovery procedure. A useful interactive tool can be found at EDRM.net vi Mosaid Technologies, Inc. v. Samsung Electronics Co., 348 F.Supp. 2d 332 (D.N.J. 2004). vii Broccoli v. Echostar Communications Corp., 229 F.R.D. 506, 510 (D.C. Md. 2005). 3
5 III. Future of ESI for Healthcare E-health and E-discovery are likely to only increase in the coming years. The Bush Administration called for a nationwide adoption of electronic medical records (EMR) programs by 2014 and, to facilitate that goal, a congressional panel approved a major health information technology bill that would open up approximately $560 million in loans and grants over the next five years to healthcare providers in rural areas and small practices. viii Such concerted efforts toward standardization are likely to impact not only the discovery process; but potentially the manner in which health care is provided. Some commentators have even suggested that using EMR programs that have templates which may not reflect the actual custom and practice in a particular jurisdiction may, over time, result in national standards of care that do not presently exist. ix The increased use of ESI, EMR, and e-discovery has created an opportunity for collaboration between health information management personnel, information technology personnel, senior management, and legal counsel. Due to the sophistication of e-discovery requests that may come to healthcare providers from opposing counsel or state/federal agencies, such requests should be thoroughly reviewed and discussed with appropriate information management and/or information technology personnel. Healthcare providers should first determine if the requested information can be retrieved and then, more importantly, be sure that any responsive information is not deleted so as to avoid adverse exposure through a spoliation instruction and/or claim. viii The Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008 aims to promote e-health records for all Americans by ix Amy Jurevic Sokol, J.D., M.H.A. & Christopher J. Molzen, J.D., The Changing Standard of Care in Medicine: E-Health, Medical Errors, and Technology Add New Obstacles, 23 J. Legal Med. 449 (2002). 4
6 Case study A 35-year-old registered nurse underwent Lasik surgery at our insured's ambulatory surgery center. Lasik is a procedure that uses a laser to reshape the cornea and correct vision problems such as nearsightedness. In order to perform the procedure, detailed measurements of the patient's cornea are taken and programmed into a computer. This information is then used to guide the laser during the procedure. The patient had her corneal measurements taken at her doctor's office. The information was sent to the ambulatory surgery center and entered into its computer. During the usual procedure for Lasik surgery at the center, the patient is placed on a special table in the operating room (OR). The OR houses the computer console containing pertinent information on all patients who are scheduled to have Lasik surgery. When the circulating nurse selects the patient's name from a list on the computer screen, a large pop-up screen appears confirming the patient's name and some demographic information printed in bold, red letters. As a safeguard, the computer also has an audible component which states the patient's name at this time. Once the name has been selected, the OR table moves towards the physician so that the patient is correctly positioned for the surgery. The circulating nurse clicks on this screen, and additional information comes up, including the corneal measurements and other information required by the physician. The physician is responsible for checking this screen. The computer feeds the corneal measurements to the laser, and the physician fires the laser to perform the surgery. After each eye is operated on, the computer generates a document that contains the patient's name, and the procedure performed. In this case, according to the allegations, the circulating nurse selected the wrong patient. During each of the next steps, the circulating nurse failed to notice that the wrong patient name and data were on the screen. The physician apparently did not review the final screen, or perform a time out to ascertain that the correct patient and procedure were listed. The audio component of the computer system had been disabled. Neither the circulating nurse nor the physician noticed the discrepancy on the first computer generated record. It wasn't until the second record was generated that they noticed the error. Because the computer used another individual's corneal measurements to guide the laser, the patient's cornea was reshaped incorrectly and is distorted. As a result, she allegedly suffered significant damage to her eyesight in both eyes. She has depth perception problems, cannot read clearly, has an intense halo effect and is unable to drive at night. She is also unable to perform detail work. These problems cannot be fully corrected by eye-glasses or contact lenses. This case was settled in excess of $500,000, with liability apportioned equally between the ambulatory surgery center and the physician.
7 Risk tips The above case demonstrates that even when using sophisticated technology, with built in safeguards, errors can still occur. The Swiss Cheese Model of medical error describes how there may be several steps in any procedure where an error can be prevented. In this case, there were at least three places where safeguards were present, but not followed. Had any one been followed correctly, the error would not have occurred. 1. Patient identification The circulating nurse did not choose the correct patient from the list of patients who were to have surgery that day. Instead, he clicked on the patient name just below it. It may be difficult to pick a name from a lengthy list if the font size is small and the names are spaced close together on the page. Hospitals should look at their computer lists to assess whether it is easy to inadvertently choose the wrong item. Font size and spacing may need to be enlarged and other safeguards may be needed to make it difficult to select the wrong name. The circulating nurse had two other opportunities to check that he had the correct information when the first "pop-up" screen came up, and when the screen with the corneal measurements came up. His failure to do so prevented discovery of the error. 2. Disabled audio alarm Many risk managers are familiar with the problem of staff disabling or turning down the volume of alarms on monitors, infusion pumps and other equipment, thus missing important notification of changes in a patient's condition. In this case, a nurse at the ambulatory surgery center disabled the audio component of the computer system, which stated the patient name, because she found it annoying. Although the staff and managers knew that the audio had been disabled, no one ever corrected the problem. The knowledge, and lack of correction, of this problem made it more difficult to defend this suit. Had the audio been functioning, it could have served as an additional notice to the staff that they were about to perform surgery using incorrect corneal measurements. 3. No time out At the time of the incident, the ambulatory surgery center did not have a formal process for time out for its ophthalmic surgeries. The usual practice was for the operating physician to review the information on the computer screen, and confirm that the correct patient name was selected before performing the surgery. Although those procedures would not meet Joint Commission standards for a Universal Protocol, following them would have alerted the physician that he was about to perform the surgery on the wrong patient. The failure of the physician to confirm that the correct patient was selected made this a tough case to defend. The case study described above is based on an actual situation, but information has been changed to protect confidentiality and highlight potential risks. Zurich neither endorses nor rejects the recommendations of discussion presented. Further, the comments in this newsletter are for general distribution and cannot apply to any single set of specific circumstances. If you have a legal issue to which you believe this article relates, we urge you to consult your own legal counsel. For more information, contact Susan Salpeter, assistant vice president Healthcare Risk Management, Specialties at or visit us online at C. Incorporate mandatory adherence agreements for Missed an issue? If you would like to review past issues of Perspectives, visit our Web site at 6
8 One Liberty Plaza 30th Floor New York, New York A A (01/09) Contributors Susan Salpeter is assistant vice president and director of Healthcare Risk Management for Zurich's specialty healthcare business. She is responsible for the management and provision of all healthcare risk management services for Zurich s healthcare professional liability products. Ms. Salpeter was previously risk manager for Loyola University Medical Center, where she was responsible for all loss control activities for a 500-bed teaching hospital, outpatient services, employed physicians and residency program. She is an R.N. and received her bachelor s degree from Washington University, and an MBA from the Kellogg Graduate School of Management with a concentration in Health and Hospital Administration and Finance. Ms. Salpeter is certified by ARM and is a Fellow of the American Society for Healthcare Risk Management.