Stephen S. Wu is a partner in the Los Angeles-based law firm Cooke Kobrick & Wu, LLP, where he focuses on information privacy, security, and records management. During 2010-2011, Wu served as chair of the American Bar Association's Section of Science and Technology Law. He has written a book, A Legal Guide to Enterprise Mobile Device Management: Managing Bring Your Own Device (BYOD) and Employer-Issued Device Programs, published by the American Bar Association this summer, and is currently revising A Guide to HIPAA Security and the Law, published by the ABA in 2007, with the revised volume set for publication this year. Wu spoke recently with HCI Editor-in-Chief Mark Hagland regarding his perspectives on the legal exposure issues facing healthcare providers around mobile devices and mobility in healthcare. Below are excerpts from that interview.
What happens when there’s a lawsuit of some kind involving a provider organization?
Over time, a hospital or medical care facility needs to think about records management as a business process; and that starts with managing useful records. Then it needs to establish a records retention policy and subordinate documentation to effectively manage the records management policy. Think about the life cycle of documentation: there's the creation, the usage, the storage of it over time, and then its eventual destruction. Every business is going to have records that go through that life cycle. So they should have a policy for records management. If they needed a dispute resolution, they could put authentic documentation before a judge or arbitrator.
When litigation actually takes place, what kinds of internal processes are required?
So if an organization can reasonably anticipate litigation, then it has an obligation to preserve evidence relevant to the dispute. If a patient or a patient's attorney communicates with a hospital or medical practice in such a way that it could reasonably anticipate malpractice litigation, it is now on notice and has an obligation to preserve records. The way that may work out practically is that there may be some information-purging systems in place that make records inaccessible over time, and hospital or medical group managers need to suspend any time-based documentation destruction processes.
And in the mobile area, when a hospital or medical facility or doctor's practice can anticipate litigation, it has an obligation to preserve, and then when a lawsuit occurs, the other side can be expected to ask the patient care organization for information. Then the hospital or medical practice has to do a reasonable search to respond to the request, and the hospital may need to look into mobile devices to reasonably respond. So if a doctor just dumps information into his computer and doesn't pay reasonable attention to these kinds of recordkeeping processes, then under litigation the hospital may be asked to get information from the doctor, and the hospital could be sanctioned for not producing that information, whether it be a text, an e-mail, or EKG readings, for example. In a malpractice case against a cardiologist, those EKG results could be relevant. I'm guessing that most hospitals and medical practices realize this and are finding ways to keep the information in recordkeeping systems, so that the EKG results are retained and managed. But the point is that they need to think intentionally and realize that we now have these mobile devices out there, and they need to incorporate processes for records retention in their recordkeeping systems.
And now there are HIPAA [Health Insurance Portability and Accountability Act of 1996] privacy and security issues, and state laws that could be used to assert claims in breach cases.
How do mobile devices fit into the intensified HIPAA requirements?
Back in 2003, when the HIPAA security requirements came out, there were already implications around mobile devices. So when I wrote my book on HIPAA security and the law, I talked about mobile devices even though the law didn't specifically address the topic, since there was no exception for mobile devices just because they weren't explicitly mentioned by the HIPAA security rule. Then came the business associates requirement under HITECH [the Health Information Technology for Economic and Clinical Health Act], some interim rules, and now the final rule. What is new is that in the HIPAA final omnibus rule, they made some clarifications, including that subcontractors are business associates under the rule.
So if service providers are storing information for you, and a service provider is providing a service to a business associate or to a hospital, and there is protected health information involved, those service providers are vulnerable under the law. That really broadens the requirements. And as a result, we have a lot of general technology vendors who are now being swept up by the HIPAA privacy rules, and who are now coming to terms with this new compliance overlay.