There Are More Challenges in Managing Discovery in Healthcare Than You Probably Realize

Written by Doug Austin, Editor of eDiscovery Today

A few months ago on this blog, I wrote about using Artificial Intelligence (AI) to keep up with the “alphabet soup” of compliance. An important area to address from a compliance standpoint is health data, and at least two of the “alphabet soup” of organizations and regulations addressing compliance – the Health Insurance Portability and Accountability Act (HIPAA) and Protected Health Information (PHI) – specifically address the protection of personal health data.

But another challenge with regard to healthcare is discovery itself, and there are many eDiscovery challenges associated with healthcare today – probably even more than you realize. There are certainly more challenges than I realized.

eDiscovery Challenges in Healthcare

The article titled eDiscovery Challenges in Healthcare, written by Sundar Krishnan and Narasimha Shashidhar from Sam Houston State University in Huntsville, Texas (in 2019, even before the pandemic added more challenges), discusses several considerations for eDiscovery in healthcare, including the types of litigation related to healthcare and the types of data for corporate IT healthcare.

It also lists 15 eDiscovery-related challenges for healthcare, including:

  • Big Data: From the viewpoint of estimated clinical data generation alone, data storage needs can be upwards of 19 Terabytes per year, so the ability to leverage technology such as AI and index-in-place technologies is very important here.
  • EHR and Automation: The transition to Electronic Health Record (EHR) systems has led to a comprehensive set of patient information, but deployment challenges have led to security concerns, as EHR systems are not always compatible with each other and they can become obsolete over time, leading to litigation relating to the EHR systems themselves.
  • Logging and Retention: Medical records retention periods (for things like Electronic Records, system logs and database backups) vary from state to state in the US depending on the category of data, patient condition and provider. Retention is often overlooked until there are storage cost concerns, leading to considerable amounts of Redundant, Obsolete and Trivial (ROT) data within providers.
  • Digital Forensics, Security, and Privacy: The need for digital forensics services extends across data sources to include wearable and medical IoT devices. And I already told you about the consequences that data breaches can have – hundreds of millions of dollars or even loss of patient lives.
  • Medical Internet of Things (IoT): These can include portable hand-held ultrasound machines, personal patient monitors, even things like pacemakers. I covered a case a few years ago where a person was arrested for arson of his own house, in part because his pacemaker showed considerable activity throwing belongings out the window at a time before the fire when he said he was sleeping. Devices are often disposed of without regard to the data that’s still on them.
  • Wearable Devices: These devices are becoming more discoverable in litigation, even civil litigation as this case illustrates.
  • Communications and Telemedicine: Text messages and data from collaboration apps and telemedicine services – for all of which usage boomed during the pandemic – are increasingly discoverable.
  • Cloud Integration: About 91% of healthcare practices use cloud-based services, yet 47% are not confident in their security posture due to manual workflow processes. And because more of this data is in the hands of third parties, subpoenas may be needed to obtain that data.
  • Legacy Technology and Heterogeneous Systems: There are still providers using antiquated technologies such as fax machines, private automatic branch exchange (PABX), mainframes, and legacy EHR systems. Collection can be a challenge from these older systems.
  • Mobility and Asset Management: Mobile devices and Bring Your Own Device policies are becoming paramount in healthcare organizations. Here are some best practices for BYOD policies.
  • Cross-Border: Not just international, but state-to-state, which can impact the ability to conduct services cross-border, potentially requiring data collection to be handled locally instead of remotely.
  • Patient(s) and The Public: Litigants who are mentally impaired, or situations involving public outrage, can impact the litigant's ability to be in a competent state to assist their legal counsel.
  • Government Involvement: Healthcare organizations may be involved in state or federal government investigations that include very broad government requests, adding considerable scope to discovery efforts.
  • Frequency of Litigation: No surprise, but healthcare litigation is on the rise considerably and is one of the most active areas of litigation today.
  • Medical Jargon, Transcription, and Billing: Complicated medical jargon often requires assistance from subject matter experts (SMEs), driving up discovery costs. Transcription and billing services are also more cloud-based today, adding yet more potentially discoverable resources.

The 15-page article is available here and also includes a Heat Map of healthcare challenges in relation to EDRM stages. Combined, these challenges impact every phase of the EDRM process, so the combination of sound Information Governance policies (such as evergreen data maps and clear BYOD policies) and leveraging technology throughout the EDRM lifecycle is necessary to address these challenges.

Technology got us into this mess and technology (with help from IG and eDiscovery best practices) will help us get out!

Be sure to attend the IPRO webinar next week with the American Healthcare Lawyers Association where we’ll be talking about Dealing with your Shadow Information Problem with healthcare data.

And for more educational topics from me related to eDiscovery, cybersecurity and data privacy, feel free to follow my blog, eDiscovery Today!