Narrowing the Scope of Medical Malpractice E-Discovery Requests
I remember it like it was yesterday. I was at trial, sitting at the defense table and the plaintiff’s electronic medical records (EMR) expert was testifying before the jury. There he was, trying to invent conspiracy theory after conspiracy theory about how a defense witness lied about being physically present at the hospital during a certain time period. The crazy thing is that plaintiff’s pretrial electronic discovery requests never mentioned that witness. I remember thinking to myself: “This case now involves medicine, the law, and information technology (IT). The jury has to think this is the ‘trifecta’ of snooze. How did we get here?”
Thankfully, the judge did not permit much of the expert’s testimony, and he was ineffective as a witness. Because of this, our cross examination was short and we did not need to call our EMR expert and/or IT witnesses. We also did not lull the jury to sleep. Although this story had a “happy ending,” this incident could have easily spiraled out of control.
How? Had the trial judge not had a grasp of the issues surrounding the EMR, audit trails, metadata, and other e-discovery requests, the expert’s testimony could have easily caused the trial to go south. Our team was able to narrow the scope by the time of trial to limit the impact of plaintiff’s expert’s testimony.
Unfortunately, prior to trial, we could not have predicted that we would get to that point. That said, this experience allowed me to develop ways to better prepare when dealing with electronic discovery requests. A very broad overview of the history of the EMR and applicable statutes is first necessary in order to provide context for electronic discovery in medical malpractice litigation. This, of course, will be explained through the lens that has been encountered in Pennsylvania state courts.
HITECH Act, HIPAA and Associated Regulations
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted in 2009 as part of the American Recovery Reinvestment Act. It provides guidelines for individuals who handle electronic health records and was written with the intention of creating a nationwide electronic patient record system by way of stimulating the adoption of electronic health records by 2014.
Under this act, health care entities received financial incentives for demonstrating “meaningful use” of electronic health records. In other words, these healthcare entities were incentivized to implement electronic health records to improve the quality, safety, efficiency, care coordination, privacy, and security of individuals. In addition to financial incentives, health care entities could also be subject to penalties for failing to comply.
As one might imagine, with an entirely new method of maintaining/managing/organizing medical records, the HITECH Act expanded the scope of the Health Insurance Portability and Accountability Act (HIPAA). HITECH mandated that all entities as well as their business associates that handled or managed health information comply with HIPAA due to privacy and security concerns.
This protection of patient/vendor security is also reflected in the Code of Federal Regulations (CFR). For example, Section 164.306 of the CFR requires covered entities to, “ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits,” 45 CFR Section 164.306 (a)(1). Section 164.316 requires a covered entity or business associate to implement reasonable and appropriate policies and procedures to comply with the standards set forth in Section 164.306.
In addition to the above-referenced regulations, Sections 170.210 and 170.314 of the CFR are cited in the plaintiff’s discovery requests. They are as follows:
45 CFR Section 170.210(e)
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:
(e) Record actions related to electronic health information, audit log status, and encryption of end-user devices.
45 CFR Section 170.314(d)(3)
The secretary adopts the following certification criteria for complete EHRs or EHR modules. Complete EHRs or EHR modules must include the capability to perform the following functions electronically, unless designated as optional, and in accordance with all applicable standards and implementation specifications adopted in this part:
(d) Privacy and security.
(3) Audit report(s). Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards at § 170.210(e).
See 45 CFR Section 170.210(e) and 45 CFR Section 170.314(d)(3).
HIPAA, HITECH and their implementing regulations were created primarily for privacy and security purposes. In fact, under HITECH, entities are required to notify and inform patients and vendors of any security breaches to mitigate harms including identity theft and reputational harm. Whereas I can appreciate the necessity of various statutes for protection, privacy, and security purposes, electronic discovery requests in medical malpractice claims oftentimes fall outside the categories of “security” and “privacy.”
Addressing and Analyzing the Plaintiff’s Electronic Discovery Requests
Plaintiffs attorneys in medical malpractice cases often serve vague electronic discovery requests, such as:
Please state whether the defendant has an audit trail for (insert name) in conformance with 45 CFR Sections 164.306 and 164.316. If so, please produce said audit trail for the period (insert time).
In my experience, plaintiff’s counsel often believes that an audit trail or other electronically stored information will include a “smoking gun.” In other words, it is a common belief that the hospital or doctor’s office is hiding something substantial outside of the electronic medical records. Although the above is a classic example of an overbroad, catch-all discovery request, plaintiff’s attorneys frequently represent that they are simply entitled to the information and that the data is easy to produce.
Nonetheless, if you truly analyze these reasons, neither have any relevance to the case at hand. In fact, I have been in several situations where judges have requested opposing counsel’s interpretation as to why the electronic discovery requested was relevant or necessary, and plaintiff’s counsel was unable to explain. And here lies the problem: attorneys are requesting information that they do not understand.
Don’t get me wrong, not all opposing counsel is this way. But, it is important as defense attorneys to be able to truly dissect opposing counsel’s request and convey the irrelevance to the judge. If not, in the worst case scenario, you could end up granting access to your client’s entire EMR system!
That being said, here are several tips when dealing with these types of requests.
- Know your statutes and current case law. There currently is very little appellate case law in Pennsylvania providing guidance for responding to these types of electronic discovery requests. Rule 4009.1 of the Pennsylvania Rules of Civil Procedure, however, allows a party to request electronically stored information in various formats. But it also permits the opposing party to object. See Pa. R. Civ. P. 4009.1. Pennsylvania law also governs electronically stored information with a “proportionality standard” which requires the court, within the framework of discovery granting each party the opportunity to prepare its case, to consider: the nature and scope of the litigation, including the importance and complexities of the issues and amounts at stake; the relevance of the electronically stored information and its importance to the court’s adjudication in the given case; the cost, burden and delay imposed on the parties; and the ease of production. Pa.R.C.P. 4009.1 Explanatory Comment (2012). Based on this framework, there is no “entitlement” to these electronic requests.
- It is always burdensome. Contrary to assertions, the majority of the electronic information and documentation requested in discovery is difficult to produce and may even require system manufacturer assistance. That is time and money.
- Relevance is the key. As previously stated, many times opposing counsel is unable to articulate why certain documents are even being requested. Is it based upon the actions of a nurse? Physician? Physical therapist? Opposing counsel’s discovery request should always be relevant to the case at hand. If not, be prepared to argue in court.
- Listen to arguments and narrow the scope. If you have to go to court, make sure that opposing counsel is not only able to articulate why such documents are relevant, but insist that the scope of the request be narrowed to a particular time frame, person, or event (e.g., discharge date). If you feel that the judge is inclined to rule against you, it is important to attempt to have the court order compelling discovery narrowed to exactly the particular conduct at issue. This stops opposing counsel from potential fishing expeditions and also eliminates the “guesswork” of interpreting a vague discovery request. Furthermore, it minimizes the burden for your client by reducing unnecessary production of electronic data and materials.
- Know your client’s IT team and system(s). The better you understand your client’s system(s), the easier it is for you to narrow the scope and frame your arguments. The best way to understand the system(s) is to know your client’s IT team, who is intimately familiar with the capabilities of the EMR system(s).