What data does your organization collect or generate?

First, inventory all known data sources in your organization to learn about your data. Start with your electronic health record systems, databases, communication platforms, and any other applications your employees use to capture or store healthcare information. Document the variety and formats of data created or captured by each data source, distinguishing between structured data (organized in databases and the like) and unstructured data (“freeform” data in clinical notes, emails, and so on).

Work with the data owners in different departments to further understand your data. Ask what applications they use, why they collect each type of data, and how they store and interact with the data they create or collect. Engage the IT department to understand the technical infrastructure, databases, and systems used. Be on the lookout for shadow IT—unsanctioned applications that individuals or teams may use to create data without IT’s knowledge. Also, ask how departments share data with third parties, including cloud service providers, software vendors, and any other partners involved in handling healthcare data.

Together, this knowledge forms the foundation you’ll use to prepare your organization for potential legal challenges—but knowing what data you have is only the first part of a data inventory.

Where is your data stored?

As you learn about the types of data your organization generates, you’ll also want to ask where that data is stored. Work with data owners and IT teams to understand your organization’s technical infrastructure. For example, what servers, databases, and storage solutions do you use? Is that storage on premises or in the cloud?

Take an inventory of all devices in use, including computers, tablets, and smartphones. Determine whether users store sensitive data locally on these devices or in cloud platforms. If data is stored in the cloud, ask what service providers you’re working with and what security measures are in place to protect each type of data. Inquire about collaboration tools, file-sharing platforms, and other systems where healthcare data may be exchanged. Then, review your contracts and service-level agreements with each service provider to determine your access and ownership rights to cloud-based data and where that data is stored to ensure compliance with data privacy regulations.

Take these same steps with other third-party vendors and service providers. If your organization uses external data storage or processing services, learn where these third parties store and manage data. Ascertaining the location of your data is essential for compliance with data protection and privacy regulations.

Next, evaluate backup and archiving practices to identify where historical or redundant data is stored. And don’t forget about hard-copy data that may be tucked away in file cabinets or warehouses. Understanding storage and backup practices is crucial for data recovery and ensuring that all relevant information is readily accessible during legal proceedings or compliance audits.

You may need to work back and forth across these initial questions several times as you identify additional data sources and build a comprehensive inventory of your organization’s data. Once you have that inventory, you can begin classifying that data according to its risk level and overall value or potential relevance to litigation or compliance matters.

Do you have an efficient way to sort your data into functional categories?

Given the proliferation of healthcare data, you likely won’t be able to pore over every bit and byte manually. That’s especially true when data is generated and managed across a series of disparate systems, many of which store data in different formats that don’t integrate with each other. Fortunately, technology offers ways to efficiently assess data and sort it according to its sensitivity and importance.

Some eDiscovery software platforms offer real-time access to data in a centralized repository, providing a comprehensive view of all data assets. Advanced software platforms powered by AI can give you the additional “set of eyes” you need to understand documents quickly without engaging in a screen-by-screen or page-by-page manual review. These tools can connect with a variety of data sources through third-party application programming interfaces that enable you to download your data. The ingested data then undergoes a series of processes, including these:

• Optical character recognition: Transforms images of text documents into machine-readable text

• Language detection: Determines the languages used in each document

• Entity extraction: Identifies and sorts entities based on their names or other identifiers, including individuals, companies, and locations, and recognizes unique identifiers such as email addresses, dates of birth, mailing addresses, and Social Security numbers

• Object detection: Detects identification cards and passports within images

• Summarization: Creates a brief paragraph summarizing the content for each result on the search results page

• Classification: Classifies documents according to their risk profile and substance

Once data has gone through this tech-enabled assessment, you’ll have a better handle on the sensitivity and criticality of each type of data. You can then sort data into different buckets based on whether it includes public information, confidential information, and/or sensitive for internal use only. This classification can help you prioritize which data you secure and manage first based on its significance and the potential risks associated with its exposure.

What measures do you employ to ensure data security and privacy?

Now that you know what types of data you have, check to see whether you are protecting it adequately.

For example, within the sensitive data bucket, you’ll need to monitor for potential data privacy and protection concerns. Under HIPAA, you must ensure that third-party vendors—including eDiscovery vendors—follow strict protocols to safeguard any shared data. Although HIPAA regulations permit organizations to share information for litigation as part of their healthcare operations, they must take reasonable steps to limit disclosures to the minimum necessary scope to accomplish the intended purpose.

Similarly, if you collect or store the personal data of EU or California residents, you may be subject to the General Data Protection Regulation or the California Consumer Privacy Act. For each, you will need to assess what relevant identifying information you possess so you can be prepared to respond to individual requests for access to personal data. You will also want to ensure that you keep this data only so long as necessary to serve a business purpose.

You will likely benefit from conducting a risk-benefit analysis. Consider the potential impact of each type of data on the organization. What are the legal implications of having that data? What are the risks, including reputational? What are the benefits of having that information available?

Let’s now turn from general data management considerations to a few more specific questions you can use to streamline your eDiscovery processes.

Will your extraction processes damage the integrity of your overall data?

As you extract healthcare data for use in litigation, ensure that you maintain the integrity of the extracted data and the overall data set. This involves carefully selecting and implementing extraction methods that preserve your data’s authenticity and reliability.

You must maintain a chain of custody for the extracted data throughout the process. Document your decision-making processes as you go, detailing why you chose specific data for extraction and any legal or regulatory compliance considerations you weighed. Then, document every step of the extraction process, including who performed the extraction, when it occurred, and what, if any, changes were made to the data. A well-documented chain of custody enhances the credibility and admissibility of the extracted data in legal proceedings.

Remember that for each software vendor you work with, you must enter a HIPAA-compliant business associate agreement that outlines the parties’ rights and responsibilities with respect to the privacy and security of PHI.

Establishing a records retention policy and a retention schedule

Creating a records retention policy and implementing a retention schedule are critical aspects of information management for healthcare organizations. A well-defined policy helps ensure compliance with regulatory requirements, facilitates efficient recordkeeping, and mitigates legal and operational risks. A clear retention schedule defines exactly how that policy will be implemented for each type of data.

Together, your records retention program ensures that you keep only the information necessary for your organization’s operations. It eliminates redundant, obsolete, and trivial data that serves no business use, freeing up resources, lowering the cost of data storage, improving system performance, reducing security risks, and improving compliance with data protection regulations and privacy laws that require organizations to retain data only for specified periods and purposes.

Here are a few steps that will help you develop your records retention program:

• Collaborate with legal, compliance, IT, records management, and department heads to ensure the retention policy addresses the needs and concerns of all relevant departments.

• Build an inventory of the information your organization creates and stores, such as patient records, administrative documents, financial records, and HR documents.

• Work with your legal team to determine if the jurisdictions and healthcare sectors you operate in dictate how long you must retain certain types of records.

• Establish specific retention periods for each category of record. Consider factors such as regulatory requirements, business needs, and historical value when determining how long to keep each type of record.

• Determine appropriate methods for destructing or disposing of records at the end of their retention periods. Some records may need to be securely shredded or destroyed, while others may be permanently archived. Ensure that the methods you choose align with applicable privacy and security requirements. Maintain a comprehensive log of document destruction activities, documenting the method and details of each record disposal.

• Include details on the retention periods for each record category and the methods for destruction or archiving. Your retention program should clearly outline the purpose, scope, responsibilities, and procedures you’ll use to manage records retention and disposal.

• Offer training and awareness programs to ensure that all employees understand their roles in adhering to your policy and send out regular reminders to follow its terms.

• Assess the effectiveness of your records retention program periodically, ensuring that destruction processes are being followed. Address any discrepancies you find and adjust your policy and schedule as necessary to avoid further discrepancies and adapt to regulatory changes.

Creating a legal hold policy and implementing tools to streamline legal holds

If you’re involved in a legal proceeding, you’re expected to preserve information that may be relevant to resolving the dispute so it can be used at trial—and so is your opponent. A legal hold policy establishes a systematic and defensible approach to preserving data, preventing the unintentional deletion or alteration of data. That reduces the risk that you’ll face a claim of spoliation—an allegation that your organization intentionally destroyed, altered, or concealed evidence.

Compliance should work closely with the legal team to establish a robust legal hold policy, starting with at least the following steps:

• Define the events or circumstances that trigger the initiation of a legal hold. These events include but are not limited to receiving a complaint or demand letter or starting an investigation.

• Establish clear communication protocols for issuing and releasing legal holds. Define when and how the legal hold team will communicate with affected employees, including instructions for preserving data and responding to legal hold notices. Communication should be timely, clear, and well-documented.

• Work with your IT team to define processes for preserving different types of data, including electronic health records, emails, documents, and other relevant information. Ensure that IT understands that it must suspend all automatic deletion processes for data subject to a legal hold and that relevant personnel know how to suspend those processes.

• Develop procedures for documenting all aspects of the legal hold process to improve legal defensibility. Create a template for legal hold notices, maintain records of communications with data custodians, and record steps taken to preserve data at a minimum.

• Consider whether to implement a legal hold software solution to eliminate some of the manual and fragmented processes that contribute to errors and oversights. Depending on your organization’s size, data volume, and budget, software may be a worthwhile investment to streamline the process of notifying custodians of holds and releasing them from their preservation obligations. Software can also help you preserve data at its source to simplify data management and reduce risk.

• Communicate the legal hold policy to all relevant stakeholders and distribute it throughout the organization. Conduct training sessions to educate employees on their responsibilities during a legal hold. Ensure that employees understand what a legal hold notice is, why they must comply with it, and what actions they should take upon receiving one.

• Review and update your legal hold policy regularly to ensure it remains aligned with evolving legal and regulatory landscapes. Incorporate lessons learned from past legal hold experiences to enhance the effectiveness of the policy.