Print PDF



Beware: Poor Electronic Information Governance May Lead to Sanctions in Litigation
Health Law Perspectives
June 15, 2016

I.     Introduction

At a time when more than 90 percent of all information is created electronically, proper management of electronically stored information (ESI) is crucial.  Electronic information governance is the framework an organization uses to manage ESI.  In December 2015, amendments to the Federal Rules of Civil Procedure (FRCP) took effect that highlight the importance of electronic information governance in anticipation of litigation.  The FRCP amendments focus on the parties’ duties to quickly identify, preserve, and negotiate the production of relevant ESI.  Parties who are not prepared to discuss ESI, refuse to cooperate, or otherwise fail to take appropriate action may face sanctions such as attorneys’ fees or negative evidentiary inferences. 

Electronic information governance is especially important for health care providers, who must not only manage privileged and confidential business data, but must also retain and secure electronic protected health information (ePHI) for their patients.  The midst of litigation, an audit, or an investigation is a bad time to discover that the IT department has been replicating confidential information that was supposed to be destroyed, or that nurses have been text messaging ePHI with unsecure cell phones.  Effective information governance will help prevent these types of blunders.  Therefore, while the FRCP governs rules for lawyers and parties in litigation, health care providers must be aware of the changes, because their information governance practices today could have effects well into the future.     

II.     Evolution of the Federal Rules of Civil Procedure

Although discovery of electronically stored information has been occurring for decades, formal rules of procedure have been slow to follow.  The FRCP specifically govern the procedures, including the scope and timing of discovery, for civil litigation in federal courts.  Many states have similarly enacted their own rules of procedure that govern litigation in state court.  For example, in 2009, California enacted Assembly Bill 5, the California Electronic Discovery Act.  Although the Electronic Discovery Act is substantially similar to the FRCP, there are important differences.  It is also worth noting that, although rules of civil procedure are binding on litigants, they do not address the wide array of issues that arise in conducting eDiscovery.  The Sedona Conference is a non-profit organization that issues principles and commentaries that are widely considered authoritative best practices in dealing with eDiscovery regardless of the forum.   While an exhaustive discussion of binding rules and best practices is outside the scope of this article, the Sedona Conference provides very helpful resources on the matter. 

A.     Early Treatment of ESI Under the Federal Rules of Civil Procedure

The FRCP first contemplated discovery of electronically stored information in 1970.  At that time, Rule 34 was amended to add the phrase “data compilations” to the list of “documents” that were subject to discovery.  However, the information that was produced by way of data compilations was often limited to information that was easily printable as a tangible, paper document.[1]  The FRCP provided virtually no guidance with respect to the plethora of electronic information that is stored in modern information technology systems.  For example, production of a paper copy of a Word document would have been required under the 1970 FRCP.  Merely printing a Word document on paper, however, does not disclose metadata about the document, such as when it was created, who created it, and edits that may have been made to it.  As Word processing became more common place, issues arose about whether ESI, such as metadata, was discoverable apart from the tangible Word document itself.

B.     2006 Amendments to the Federal Rules of Civil Procedure

In 2006, the FRCP were substantially revised to finally address many issues related to the discovery of ESI.  The phrase “electronically stored information” was added to Rule 34, indicating that digital information was discoverable in itself, apart from tangible documents. Using the previous example of a Word document, the 2006 amendments established that metadata is ordinarily subject to discovery.  ESI was also included in the types of information that must be disclosed and discussed as part of Rule 26’s initial disclosure and discovery planning process.  The parties must further be prepared to address such topics with the court as part of the Rule 16 pretrial conference.  Rule 37 was added to address sanctions for a party’s failing to preserve electronically stored information.[2] 

The concept of reasonable and proportional discovery limitations has been a part of the FRCP since the 1980s.  However, the 2006 FRCP amendments, in conjunction with the information explosion of the millennium, inadvertently re-opened the gates for over-discovery.  In practice, a need developed for specific protections from overly broad and burdensome ESI preservation and production demands.[3] 

C.     2015 Amendments to the Federal Rules of Civil Procedure

The most-recent amendments to the FRCP, which took effect in December 2015, further refined and clarified the parties’ ESI discovery obligations.  Rule 1 was amended to emphasize that the parties share the responsibility of cooperating to develop a proportional plan for discovery of ESI.  The discovery plan should promote the just, efficient, and inexpensive resolution of the action.  Amendments to Rule 26 further highlighted this fact, by incorporating specific factors the parties must consider in developing a proportional discovery plan that is tailored to the reasonable needs of the case.  Rule 26 was also amended to require the parties to discuss the discovery of ESI, including preservation and agreements to address the inadvertent disclosure of privileged ESI.  The parties must meet and confer at least 21 days before the Rule 16 pretrial conference.  The time for holding the Rule 16 pretrial conference was also shortened from 90 to 60 days.[4] 

In sum, the FRCP currently demand that parties be prepared to quickly develop a reasonable and proportional plan for the discovery of ESI.  This task should not be underestimated.  In most cases, the parties will have a mere 45 days to identify all potential sources of relevant ESI.  For health care providers, depending on the nature of the action, relevant ESI may be present and replicated in many repositories.  Common examples include company servers, laptops, electronic health records, e-mail databases, cell phones, and even monitoring equipment such as EKG machines. 

The FRCP further require parties to differentiate between sources of ESI that are reasonably accessible, will be preserved, and will be reviewed for production.  The parties should also agree on the manner in which ESI will be reviewed, the phases in which it will be produced, the form in which it will be produced, and how to deal with privileged materials that are inadvertently produced.  Either party may be sanctioned for failure to cooperate or otherwise act in a prompt and reasonable manner.

III.     Information Governance in Preparation for Litigation

Information governance is defined as the comprehensive, inter-disciplinary framework of policies, procedures, and controls used by mature organizations to maximize the value of an organization's information while minimizing associated risks.[5]  In developing an information governance framework, health care providers must account for a number of factors, including the business, tax, regulatory, and infrastructure needs of the organization.  Document retention policies that account for these factors are an especially important component of information governance.

Depending on the type of services provided, health care providers may be subject to various document retention requirements.  Retention policies should specifically set forth what types of ESI must be retained, where, in what format, and for how long.  Such policies should also specify how ESI should be destroyed and designate employees tasked with following through with the destruction of documents, ensuring ESI is neither destroyed prematurely nor retained longer than necessary.[6]  In the event of litigation, an effective document retention policy will enable health care providers to quickly identify and preserve relevant and reasonably accessible ESI.  Providers will also be able to identify sources of ESI that are not reasonably accessible as well as data that has legitimately been destroyed by following reasonable and objective standards.  Even if relevant evidence is subsequently destroyed, the existence of reasonable ESI retention policies, applied in good faith, will be considered in determining whether a health care provider’s conduct is defensible.

Anecdotal evidence shows the management of smart phone data (e.g., iPhones) is an area that requires significantly more attention.  Electronic communications are effectively supplanting the telephone, postal service, and even face-to-face meetings.  Indeed, more than ninety percent of all information is created electronically.[7]  Smart phones have the ability to store hundreds of thousands of electronic communications.  While the discovery of electronic communications often focuses on email databases, it is important to understand that smart phones may contain numerous other forms of discoverable ESI, including voicemails, Multimedia Messaging Service (MMS) messages, Short Message Service (“SMS”) messages, text messages, notes, documents, videos, and images.[8]  The voluminous data generated by the use of smart phones is not easy to control or destroy, in part, because it is replicated and backed up on hard drives and cloud storage devices in multiple physical locations.  The replication process often occurs without any user-initiated actions.  The management of smart phone data is a complicated task that should be addressed as part of a health care provider’s information governance framework.  Health care providers are advised to seriously consider whether the overlapping use of personal cell phones for business activities or company-issued cell phones for personal activities should be permitted at all.  

Establishing an electronic information governance framework in advance of litigation can greatly ease the burdens of complying with initial disclosures and meet and confer requirements of the FRCP.  The benefits of information governance, however, transcend federal civil litigation.  Such preparations will assist providers in securing the privacy of ePHI and responding to other matters that require the disclosure of ESI, including third-party subpoenas, audits, and government investigations.  Considering the Office of Civil Rights (OCR) is ramping up audits concerning the security of ePHI, and the Centers for Medicare and Medicaid Services (CMS) is actively auditing meaningful use of qualified electronic health record (EHR) systems, health care providers have many incentives for developing or revamping electronic information governance practices. 

Hooper, Lundy & Bookman has substantial experience assisting health care organizations in establishing information governance systems and responding to demands for the discovery of ESI.  If your organization requires assistance, please contact Stanton Stock or Joseph LaMagna in San Diego, at (619) 744-7300; Eric Chan in Los Angeles, at (310) 551-8111; and Stephen Phillips or Jordan Kearney in San Francisco, at (415) 875-8500. 

[1]See Kenneth J. Withers, Electronically Stored Information: The December 2006 Amendments to the Federal Rules of Civil Procedure, 7 Sedona Conf. J. 1, 17 (2006). 

[2] See id. at 18-29 (discussing and summarizing 2006 FRCP amendments). 

[3] See Fed. R. Civ. P. 26 (Advisory Committee notes discussing the FRCP 2015 amendments).

[4] See id.

[5] The Sedona Conference: Glossary E-Discovery and Digital Information Management, April 2014 Fourth Edition (defining “Information Governance”).

[6] The Sedona Principles, Second Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production,12 (The Sedona Conference Working Group Series, 2007).

[7] Id. at 1.

[8] MMS is a protocol of messaging that allows for the transmission of multimedia content such as pictures, video or sound over mobile networks.  SMS is the most common data application for text messaging communication, allows users to send text messages to phones and other mobile communication devices.  Text messages (i.e., written message typically restricted to 160 characters in length) may be sent by way of MMS, SMS, and possibly other multimedia.  See The Sedona Conference: Glossary E-Discovery and Digital Information Management, April 2014 Fourth Edition (defining “MMS,” “SMS,” and “Text Message”). 

For media assistance, please contact Maura Fisher at 202-580-7714.