Healthcare is one of the most data-intensive industries in the world, perhaps second only to the financial services sector. This landscape is being pushed to new levels of complexity due to the digitization of patient medical records, the emergence of online tools to enhance communication between providers, patients and insurers, and the new litany of healthcare information compliance requirements.

Aside from the business operational issues created by these developments, the legal departments at healthcare organizations are facing an increasingly daunting challenge that uniquely resides within their purview: how to manage eDiscovery responsibilities.

For example, patient safety work product and alternative communication resources like texting and video patient consults make especially appealing targets for lawyers or government investigators seeking to pursue an action against a healthcare organization. These records contain a wide range of data – such as patient health problems, prescribed medications and laboratory reports – that can be used to build a case, so they are often sought during eDiscovery. This can be dangerous territory for health care organizations since it requires the careful handling of electronic records containing personally identifiable information and highly sensitive data that could make an enormous impact in a case.

Based on our experience working with healthcare organizations of every size and structure, here are seven common challenges we see.

1. Data Security
The 2016 Data Breach Investigations Report (courtesy of Verizon) documents a reality of doing business in the world today: no industry, organization or region is safe from cyberattacks that seek to compromise its data. For healthcare organizations, this is a particularly risky consideration when transferring data that is covered by privacy regulations and must be handled in an encrypted format. It is crucial that all data hosting be securely conducted in SOC 2-audited data centers, that data is encrypted in transit, and that the data network operates in a high-availability configuration with redundant firewalls, switches and storage arrays. Moreover, an eDiscovery provider and its data center should hold an ISO 27001 accreditation, conduct regular penetration testing and be audited by an accredited third party.

2. Software Platform
An important decision to make is whether to build your eDiscovery program with a service provider (often referred to as a “Managed Services” model), buy a system or some combination of systems available from third-party vendors and stand it up behind your own firewall, or perhaps create some sort of hybrid platform that balances your needs for professional services (project management, technology, consulting) with best-in-breed tools and processes. While there are many off-the-shelf offerings from which to choose, most healthcare organizations do not have the time, resources or expertise to implement these solutions internally. Many organizations find that the hybrid option combines a fixed-price managed eDiscovery service, powered by an industry-leading software platform, with administration by experts who partner with the organization’s legal and IT teams.

3. Roles and Responsibilities
The roles of IT, information governance, legal and external service providers are starting to blur. Does the healthcare organization issue the litigation hold and then collect the data and provide it to a vendor to process, cull and host? Or does it take a first bite at the apple and try to mitigate what is sent outside its firewall? Healthcare executives need to ask themselves whether they can reduce data volumes effectively with the tools they have today. If not, should they invest in a collections and data minimization tool? Should they rely on a service provider working with outside counsel? There is no universal answer to these questions; it comes down to the culture of the health system and the technical acumen of its staff.

4. Regulation
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act directly impact health care providers, health plans, and healthcare clearinghouses (covered entities) as they provide the legal framework for enforceable privacy, security, and breach notification rules related to protected health information. Moreover, there is a tremendous amount of uncertainty swirling around regarding the fate of the Affordable Care Act and its related regulations. It’s important that all health care organizations adhere to HIPAA/HITECH Act compliance requirements throughout the eDiscovery process, including a policy to work only with eDiscovery providers who have successfully passed an independent third-party audit for HIPAA/HITECH Act compliance. Bear in mind that law firms are not exempt from this requirement if they too wish to host sensitive client data.

5. Data Volumes & Types
Many healthcare organizations tell us they are frustrated with a “bell curve” principle that seems to apply to the litigation and investigations they must confront. In other words, there are often a huge number of cases that are relatively small and simple, contrasted at the other end of the spectrum with a small number of cases that are huge and complex. This can be a vexing challenge for legal departments and their IT colleagues and truly underscores the importance of a coherent Information Governance plan in the organization. Rather than waiting until you’re in the middle of a firefight, health care organizations should develop clear and consistent policies for information governance and data retention that apply across the entire ecosystem. It may seem safest to keep everything forever, but storing data that is no longer useful only exacerbates the problem of managing the bell curve of data volumes.

Unstructured data types continue to grow in the healthcare arena. Think about all the new ways patients can communicate with their healthcare providers — email, smart phone apps, texting, video conferencing and online web portals. Health systems must think about who controls each of these communication channels. How can this data be collected, searched, reviewed and produced if necessary? What is the data retention and use policy for each source?

6. Speed
Healthcare organizations are unfortunately vulnerable to being dragged into disputes that require the review and production of sensitive data very quickly, in order to comply with intense litigation or investigation deadlines. The only way to achieve this is to know in advance where all of your data is stored. For example: How are your company’s emails automatically archived? Do you use cloud servers or on-premises servers? What types of electronic communications platforms do your employees use? It is essential that all members of the team are on the same page with respect to where the data resides in the corporate IT landscape so that you can move as quickly as the production notification requires.

Product liability litigation brings with it some unique e-discovery challenges, risks and costs for litigants on both sides of the table.

The recent news that Johnson & Johnson has been ordered by a Texas jury to pay more than $1 billion to patients whose artificial hips had to be surgically removed was the latest attention-grabber in the world of product liability litigation. The verdict includes more than $30 million in actual damages for the six plaintiffs and more than $1 billion in punitive damages, the largest reported punitive award against a company in 2016.

The stakes are high for all involved in product liability matters, especially regarding properly managing the e-discovery process. A 2016 study by Gibson Dunn found 32 decisions in the first half of last year pertaining to failure to preserve evidence under Rule 37(e). Among those decisions, 13 granted sanctions against opposing counsel.

Of course, e-discovery is challenging for most large organizations and for all sorts of cases across the litigation spectrum. But product liability litigation brings with it some unique e-discovery challenges, risks and costs for litigants on both sides of the table, such as the following:

  • One side (typically the defense) often has a disproportionate amount of data collected and produced during discovery;
  • Matters often grow out of government investigations or shareholder suits. While the specific allegations may be different, much of the data may be the same; and
  • In some instances, the relevant data may be spread out over several decades, reside in different sources and exist in different formats with various outside counsel.

The challenge is to design a repeatable, responsive, and cost-effective e-discovery process that addresses these issues. The good news is that today’s technology tools, in conjunction with best practices, are here to help.

Challenges and Practice Tips
Sharing our collective experience as in-house counsel, outside counsel and an e-discovery service provider, here are some pieces of advice and suggested steps that organizations facing product liability litigation can take to contain and manage the e-discovery process.

1. Data Organization and Structure
A company facing product liability litigation often starts with one or two individual cases related to a product, so they may use different outside counsel for each matter and collect data separately. Data for these matters may be scattered on various databases with varying formats and levels of security.

It’s important to identify data sources, take receipt of all relevant data and then consolidate everything into a single, highly secure database accessible via the internet to both in-house and outside counsel. The best way to start is to create a core database.

With each product, there is science, development, testing, patents and prior art, marketing and sales data—all of which will be relevant to all plaintiffs. The “core” database should be organized in folders by type and custodian, with the precise number of levels and the structure itself determined through collaboration with outside counsel. The benefit of this core is that, while its contents may remain static, it significantly reduces the learning curve for future users and matters, which translates into cost savings.

As you populate and manage the database, be sure to set up access restrictions based on each party’s permissions. Perform regular, in-depth audits of legacy tracking sheets to make sure that access is appropriate.

2. Unify Objective Coding
For many of these matters, data may not be coded consistently in the different databases residing with different outside counsel. For example, one might find multiple, redundant tags for the same concept or product component. Because of this, tag-based searches become extremely difficult, unreliable, and more time-consuming than necessary with the potential of inadvertently missing documents.

It’s essential to evaluate all tags and fields and identify likely redundant values. Next, consolidate all tags within a standardized set of fields, enabling easier and more accurate searching and identification of relevant documents.

Responsive, privilege and issue coding decisions can be scattered among various counsel and databases. When this happens, there are no opportunities to re-use or reference past work product from one matter to the next, thereby causing the client to pay to re-review documents.

The solution is to track coding decisions in each matter involving a certain product. At the matter conclusion, consolidate coding fields to allow for comparison and consistent re-use of coding calls among multiple matters moving forward.

3. Application of Filtering Criteria
Each product liability matter may have its own set of filtering criteria, including search terms and date restrictions. Factors affecting the criteria include how the data was collected, who collected the data and when, what discovery requests were addressed, and what the producing law firms determined were the criteria.

Production of privileged material is perhaps the number-one concern of clients. At the top of the list here is to determine the criteria upon which prior and current counsel withheld documents. Consistent treatment of such criteria in future productions can be assisted by today’s technology. The goal is to consolidate search terms in one location, including conversion of syntax for optimal coverage in a single database, which allows for a consistent and effective set of terms. This eliminates the need for redundant work.

4. Production Tracking/Validation
Sometimes corporate counsel have little information about what documents were produced in past matters, making any comparisons of past strategies or re-use of work product difficult. This presents a risk of not knowing what was produced in the past and creating additional costs associated with the re-review of identical data.

It’s important to create a series of object-based fields for matter productions (including both client and third-party data), thereby tracking production-related information (e.g. past Bates numbers, production dates, producing and receiving parties, and other statistical data). This system can be expanded to compare past and future productions across matters, as part of a pre-production validation check. This is where the “core” we discussed earlier can be identified and a master production group for each plaintiff matter can be developed.

5. Case Materials
Case materials (e.g. pleadings, correspondence, and transcripts) related to past, present and future matters are typically not consolidated in a single, easily accessible location. This causes both in-house and outside counsel to incur additional hours locating documents.

Work with your e-discovery team members to load case materials from the client’s internal drive to the central database. Then duplicate the exact existing folder structure to allow the case teams intuitive and familiar formats. You may also want to discuss a potential objective coding process, which would allow for easier searching and retrieval of specific documents.

Moreover, for many companies, there is no single location to share reference documents or often-changing tracking materials. If this applies to you, establish a Client Notes tab so that all litigation team members can efficiently upload and update general case materials (e.g. production trackers, which often change over the lifetime of a matter) in a single location. This process streamlines communication and reduces unnecessary outside counsel billable time.

6. Data Integrity
With some product liability matters, it can be difficult to identify issues (e.g., poor text quality) when the data is spread across multiple databases. By consolidating data in one location/database, litigation professionals can identify and remediate issues comprehensively across all existing data. For example, you may want to introduce tags to identify documents with poor text quality and propose the use of text comparison tools to be consistent in the identification of duplicate or near-duplicate documents. Another area where this is important is foreign language documents, as reviewers need a way to accurately identify documents that require foreign language treatment.

Product liability litigation often involves complex, high-stakes cases with the potential to have a material impact on a company’s bottom line. The best way to avoid all of the potential challenges explored in this article is to treat every matter like it will turn into a full-scale multi-district litigation. Be organized and consistent up-front and you will avoid many of these pitfalls.

By establishing and implementing a disciplined electronic evidence management process that can be applied across various jurisdictions and data formats, you can reduce e-discovery risks and costs at the same time.

Awareness is important, as non-compliance with the new rules could lead to potentially jaw-dropping financial penalties.

The European Union’s (EU) new General Data Protection Regulation (GDPR), which goes into full effect in May 2018, creates a comprehensive regulatory regime for the way that personal data of EU citizens will be handled by organizations globally. Organizations that may process (i.e. collect, store, or otherwise handle) personal data of EU citizens are scurrying to be compliant with this strict new framework. The stakes are enormous: The GDPR substantially increases penalties for privacy violations to as much as four percent of a company’s annual global revenue.

How Did We Get Here?
The roots of the new GDPR can be traced back nearly 40 years, when the French parliament approved the Data Protection and Liberties Act in 1978. This law prohibited the processing of “sensitive” data, which included information related to the health or sexual life of individuals, but also any identifying information related to racial or ethnic origin, political opinions, religion or trade union affiliation.

A few years later, the Council of Europe in Strasbourg drew up The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) in 1981. The guidelines strengthened data privacy across Europe by creating legal protections for individuals specifically related to how personal data was electronically handled, setting Europe on a pathway toward a unified approach to the regulation of data privacy. The Strasbourg Data Protection Treaty was ratified in 1985 and was later amended in 1999 to clarify a few details in light of changing technologies.

In the meantime, the European Commission became concerned that as member states continued to adopt their own data protection laws, divergent data protection legislation could impede the free flow of data within the EU. Accordingly, in 1995, the European Commission adopted Directive 95/46/EC to regulate the processing of personal data throughout the EU. The directive contained seven core principles member states were expected to implement, but the principles were high level and served more as guidelines. As a result, data protection regulation in member states continued to diverge.

As time progressed and technologies evolved, these differences in how various nations within the EU implemented the directive began to create increasing confusion regarding how personal data should be treated across borders. This not only became a concern for corporations as the guardians of that data, but also for regulators who were tasked with determining which country’s data protection laws should take precedence in any given situation.

Implications for E-discovery
Legal observers are hopeful that the GDPR will bring more certainty to the lingering debate: e-discovery versus data privacy—who prevails? There has been a long-standing tension between EU privacy rights and U.S. e-discovery obligations, which the directive and various EU country-specific data privacy laws made even more challenging when faced with collection, processing, review, and production tasks along the e-discovery lifecycle.

In the short term, it is unclear as to how much certainty will be brought to this lingering debate of “who prevails.” However, we do envision a handful of key implications and issues to consider with respect to the GDPR and the e-discovery process:

Right to be forgotten / data portability rights
Companies lose custody and control over their own information as custodians can request the deletion of their own data and/or the transfer of their own data to another institution, potentially even during a government investigation or litigation. This brings about conflict between U.S. requirements regarding the preservation of potentially relevant evidence and the EU data subject’s right to have data deleted.

For example, a person could exercise his or her right to be forgotten after receiving a preservation notice. Will EU Data Protection Authorities consider, or even ask, whether an individual is under a litigation hold before requiring an organization to delete personal data? If an organization is required to comply with the individual’s right to be forgotten, a U.S. judge will likely respond unfavorably and assert a conflicting obligation of the need to preserve potentially relevant information.

Privacy impact assessment (PIA) obligation and information needed to complete PIAs
The information provided in PIAs is essentially an audit trail of data transfers, deletions, etc. for the company. If data were to be inadvertently deleted that was potentially relevant to an ongoing investigation or litigation, this would potentially require a company to produce its PIA or audit trail of how data was handled. A company’s compliance with the GDPR’s PIA requirements could become a shield in discovery supporting why certain data was removed from systems. On the other hand, if the PIAs were not thorough, the lack of information could become an additional source for sanctions under the new FRCP rules.

DPO requirement
How, if at all, will this impact eDiscovery, now that organizations must create at least a minimal compliance regime around privacy issues? Will debates over privacy compliance versus e-discovery/U.S. litigation compliance intensify or diminish?

Answers to these questions remain to be seen. However, one positive outcome of more companies having a DPO within their legal or compliance department could be greater advocacy and education of U.S. judges and regulators regarding these conflicts and the need for resolution that may reasonably meet all parties’ objectives.

Transfer of personal data to third countries
Article 48 of the GDPR expressly states that orders or judgments by non-EU courts and administrative authorities requiring transfer or disclosure of personal data are not a valid basis for transferring data to third countries. Instead, Article 48 states that such orders or requests will be recognized only in so far as they are based on international agreements or treaties between the third country and the EU or member state, such as the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters.

As a result, litigants in U.S. courts will either need to rely on an appropriate treaty or find other acceptable bases for transferring and disclosing personal data in litigation, even though none of the existing options is well suited for U.S.-style discovery. Indeed, data controllers who find themselves in U.S. court or subject to a subpoena will continue to face a Catch-22 between complying with their obligations under U.S. law versus the GDPR—only now the stakes are much higher due to the GDPR’s higher fines.

Sanctions
This finally puts privacy on the risk level of antitrust, AML or ABC, and may make companies pause before deciding to go forward with discovery (or may result in more “conferring” during the meet and confer about such issues). Attorneys will need to redouble their efforts during the early stages of litigation to minimize the likelihood of a full-blown conflict between a U.S. court order and the GDPR’s requirements. An increasing number of companies may also decide it is worth settling early or even risking sanctions in U.S. court rather than face fines in the EU, particularly for litigation that is not considered a serious threat to the company or its way of doing business.

These issues will increase the strains on U.S. lawyers who not only need to protect their clients’ interests in litigation, but also need to comply with ethical guidelines related to the preservation and sharing of evidence and the certification of complete discovery such as FRCP Rule 26(g) certification.

Extraterritorial effect of GDPR
The GDPR regulations provide a broad net for EU regulators to sanction companies. Not only will data stored in the EU fall within the jurisdiction of the GDPR, but also any data created or stored in the U.S. that relates to an EU citizen will be implicated by the GDPR. Therefore, an organization should be cognizant of the services and goods it may provide to individuals with an understanding that it likely will face a heightened regulatory environment. The clash between U.S. discovery laws and EU data privacy laws will not be aided by this extraterritoriality effect.

More obligations on service providers acting as data processors
These increased obligations under the GDPR bring potentially negative implications against e-discovery service providers and/or law firms who serve as e-discovery service providers if those entities cannot meet the heightened standards. A data processor who demonstrates compliance with the heightened GDPR standards will likely be recognized as a preferred provider within the industry.

The new data protection regulatory regime set to take effect in the EU is a game-changer in the way that data privacy is regulated in the EU. Although the EU has been a leader in data privacy regulations, the GDPR clearly establishes the most comprehensive and strict regulatory framework in the world.

These new rules are comprehensive and are enforced by serious compliance requirements that carry potentially jaw-dropping financial penalties. Organizations and their counsel need to take notice now so they can be fully prepared for its implementation in May 2018. One place to start is by rethinking existing protocols, and creating new ones, for e-discovery.