DEFENSE ETHICS AND PROFESSIONALISM

Protecting Personal Information
What You Don’t Know Could Hurt You and Others

By Diane M. Saunders

Diane M. Saunders is a partner with Morgan, Brown & Joy, LLP, a Boston-based boutique specializing in representing employers in labor and employment matters in New England and across the United States. She is a member of DRI’s Lawyers’ Professionalism and Ethics and Employment Law Committees.

Massachusetts recently joined over 40 other states with comprehensive legislation requiring all entities that store the personal information, such as Social Security, driver’s license, credit, and bank account numbers, of Massachusetts residents, to take appropriate steps to protect that information, including developing written security policies. The impetus behind this legislation has been the large-scale data security breaches that have captured headlines nationwide, involving companies such as Citibank, TJX, and Hannaford Supermarkets. While it may seem as if only large banks and retailers are prone to data security breach risks, attorneys are as well.

Law firms and corporate legal departments store not only the personal information of their employees, but often that of their clients, witnesses, and others connected to cases. In employment and tort cases, for example, legal files very often contain paper and electronic copies of personnel, medical, payroll, and other records containing the personal information not only of plaintiffs, but also of other individuals connected to cases. The personal information stored in connection with class actions, particularly wage and hour class actions, is often voluminous. Indeed, because of the frequency with which legal pleadings contain personal information, many courts have prohibited its inclusion in court filings.

Unfortunately, because of the wide and varied ways in which attorneys store personal information in their practices, they must do more than simply rely on their IT providers to implement measures to avoid potential data security breaches via their computer systems. Rather, attorneys need to take part in creating plans to ensure that they do not inadvertently engage in data security breaches through their practices.

Step One—Conduct an Audit of the Personal Information that Your Organization Stores

The first step to creating a data security plan is to figure out what type of personal information your organization stores and where it is stored. Among the questions you should ask during an audit are:

• Are paper files containing personal information ever left on the desks of attorneys, paralegals, or other staff members?
• Does personal information leave the work site with attorneys or paralegals?
• Do attorneys or paralegals copy all or portions of case files containing personal information onto thumb drives or onto their home computers?
• Do they access electronic case files containing personal information remotely via the internet or transmit them to others through unencrypted e-mail?
• Do they remove from the office all or portions of paper files containing unredacted documents with personal information?
• What happens to extra copies of material containing personal information—are these documents shredded or simply thrown in the trash?
• Do any third-party vendors, payroll companies and expert witnesses, for instance, receive and store personal information on your behalf?

Step Two—Develop a Plan to Protect the Personal Information that Your Organization Stores

Once you know the “what” and “where” of the personal information that your organization stores, you should develop a plan to ensure that you are adequately protecting that information from an inadvertent data security breach. Your plan should take into account the varied ways in which your company stores personal information—paper, electronic files, e-mail, third-party vendors—and should include measures to protect each one.

Some of the most important measures that you should consider implementing include the following:

• Institute a data destruction policy to limit the amount of personal information that your organization stores and require the appropriate destruction of documents containing personal information;
• Ensure that all computers used by attorneys, paralegals, and staff members have up-to-date firewalls, virus, malware, and spyware protection;
• Install automatic encryption on all laptops and wire-

Ethics, continued on page 91

86 • For The Defense • July 2010
Data Bank, from page 35

ner’s negligence, settlement on behalf of the entity only may appear suspicious. Suspicion may be further heightened if the parties have formally denied that the corporate defendant is vicariously liable for the individual practitioner’s alleged malpractice.

Expense Reimbursement

The NPDB Guidebook identifies a category of payments as “loss adjustment expenses,” or LAEs, made for expenses incurred by the claimant other than those in compensation of injuries, such as attorney’s fees, billable hours, expert witness fees, and deposition costs. NPDB Guidebook, p. E-10. These expenses should be reported to the NPDB only if they are included in a medical malpractice payment, and should be itemized in the description section of the report form. Id. at E-12. If LAEs are not included in the medical malpractice payment amount, they are not required to be reported to the NPDB. Id. If a payment is made only for LAEs, then the payment is not required to be reported at all. http://www.npdb-hipdb.hrsa.gov/faq-Reporting.html.

As a practical matter, this means that if a claim can be resolved by the reimbursement of some or all of a claimant’s claim-related costs, and not merely in general consideration of the release of a medical malpractice claim, such payment is not required to be reported to the NPDB. Claims where resolution along these lines can be accomplished will be rare, but this provides a legitimate avenue for resolution of a truly “nuisance-value” claim without NPDB reporting.

Conclusion

Every professional liability claim involves an attack on the discharge of the defendant’s professional talents, skills and obligations. For the defendant, such claims are not about “mere negligence,” but about whether the defendant deserves to be deemed a professional.
In medical malpractice actions, the impact of this attack is heightened by the prospect of NPDB reporting, and the reality that a settlement will not provide full and final resolution of the claim, but will hang an albatross around the practitioner’s neck for the rest of his or her career.

For those of us who seek to assist practitioners and liability carriers in making fully informed decisions about claim values, trial and settlement, an understanding of the NPDB is vital. Exploration of the impact of NPDB reporting should be accomplished at the outset of the litigation, so that opportunities for strategically wise settlement will not be squandered, and so that both the defense attorney and the insurance carrier can adequately discharge their duties to the practitioner. With this, as with every aspect of trial and litigation defense, assisting clients and insurers in seeing around corners and preparing for developments can only improve the defense, and, accordingly, the quality of service.

EHR Liability, from page 44

Importantly, the rules have never contained an exception for the health care industry; they apply equally to all litigants. The case law has since demonstrated that the law will not treat health care institutions any differently than any other litigant when deciding e-discovery disputes. See Cason-Merenda v. Detroit Medical Center, No. 06-15601, 2008 WL 2714239 (E.D. Mich. 2008) (denying e-discovery cost-shifting motion on behalf of two health system subsidiaries in antitrust class action lawsuit resulting in burden placed solely on health system); see United Med. Supply Co. Inc. v. United States, No. 03-289C, 77 Fed. Cl. 257 (Fed. Cl. 2007) (sanctioning the government for failure to have medical treatment facilities preserve e-discovery); Regan-Touhy v. Walgreen Co., 526 F.3d 641 (10th Cir. 2008) (upholding the district court’s determination the e-discovery obligations met by provider, without producing audit trail for who had viewed electronic record as opposed to conducted transactions). The amended rules have been applied to parties regardless of industry or whether or not they are prepared for or have been accustomed to e-discovery. The rules have been applied to large businesses, small businesses, and even individuals. See Teague v. Target, No. 3:06CV191, WL 2007 1041191 (W.D.N.C. Apr. 4, 2007) (sanctioning an individual plaintiff with a spoliation charge for failure to preserve a laptop). Thus, health care institutions that basically have not prepared to respond to e-discovery requests remain increasingly vulnerable to both monetary and discovery sanctions over time.

Relative inexperience with e-discovery is not health care’s only problem. Many EHR systems, which generate an enormous amount of electronic data, were implemented before the e-discovery rules went into effect, probably without considering impending e-discovery obligations. As such, unlike many other industries, health care providers are probably uniquely exposed because they may lack the expertise and proper tools to meet the potentially immense discovery obligations that their revolutionary systems create. At present, health care institutions are still especially vulnerable to e-discovery requests due to failures to identify, locate, and produce all relevant data, failures to retain or store data, and failures to preserve data in its original form once a litigation hold has been issued, particularly in actively used or live EHR databases. It is relatively easy under federal law to accidentally spoil electronic evidence; therefore, a medical institution or practice that has never before faced electronic evidence may need to routinely use technology consultants.

Conclusion

Although EHRs have now achieved mainstream, clinical adoption, EHR-related liability trends have not developed fully.
At this early point, we can discern some potential liability areas. In an early EHR implementation stage, source of truth issues and expansion of liability issues may arise. In using EHR systems, the evolving standards of care for clinical documentation and work-arounds pose risks. Security as mandated by data breach laws or retention and storage issues involving e-discovery liability and data integrity have also emerged as important areas. Also, from a health care law and medical liability perspective, defense counsel must become extremely attuned to the conceptual and practical differences at play in most electronic health documentation systems. When in doubt, seek technical assistance from within or even outside an institution, otherwise you may miss a great deal of information to help your client’s case.