Download this Article in PDF format

After two long years collecting hundreds of gigabytes of e-mail,data base reports, and social media posts from countries in Europe, Asia, and South America, such as France, South Korea, Argentina, Canada, Australia, and El Salvador, the day of trial has arrived.

The trial team has obtained the data at great cost, in dollars as well as person-hours, but is finally ready for trial. First-chair counsel, second-chair counsel, and four paralegals file into the courtroom, not with bankers boxes full of documents as in earlier times, but with laptops, tablet computers, and a data projector.

Complete the form to the right to download the entire article.

While the hackers in the Bloomberg article (available at http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html) have been linked to individuals in China and the law firms involved, to a great extent, were active in merger and acquisition matters, law firms representing healthcare entities should take notice because they have discrete obligations under HIPAA and HITECH to implement safeguards for Protected Health Information.

While any firm can be the victim of a cyber-attack, an attack that results in the unauthorized disclosure of patient-identifiable health information (such as “phishing” attacks or certain “worm” viruses) can subject the firm to investigation by the Office For Civil Rights of the U.S. Department of Health and Human Services. In such an investigation, one of the first questions will be the documentation of information security safeguard policies, and a current security assessment. Both are critical to defensibility of the firm’s information management practices and, to put a fine point on it, the firm’s continuing ability to retain healthcare business.

Policy preparation, workforce training and security assessments require the work of an inter-disciplinary team comprising firm risk management and IT resources, an outside technical security vendor and outside counsel to advise the firm on the information security obligations under federal and state laws, as well as the ethical obligations to maintain confidentiality in client electronic information,

The key questions are whether the company solicited the inquiry and whether it was conveyed through on a public non-public site. The Draft Guidance focuses on unsolicited requests, as requests solicited by the company may be considered as evidence of a firm’s intent that a product be used for promotion of off-label uses, a fertile ground for investigations and resulting large fines.

Responses to unsolicited requests regarding potential off-label use conveyed in a non-public electronic forum should narrowly tailored to the product that is the subject of the inquiry, and should include the FDA labeling (i.e., the package insert), any pertinent safety information (boxed warnings), and applicable scientific references, such as peer-reviewed journals.

Responses to non-solicited inquiries through pubic social media are significantly more restricted. Such inquires may not contain any off-label product use information and must indicate that the use in the inquiry has not been approved or cleared by the FDA. The response must refer the person making the inquiry to the appropriate medical or scientific personnel (not sales or detail personnel). On an additional cautionary note to those responsible for social media at pharmaceutical and biotech companies, the response may not be “promotional in nature or tone,” and may not contain links to promotional, product or company websites.

Download this Article in PDF format.

Electronic medical information is increasingly central to improving the quality of patient care and controlling costs. The electronic health record (EHR) brings together medical examination observations, medication records, prescription information, laboratory results, and even x-ray and CT images, into a device as agile and portable as a tablet PC. The EHR can vastly improve the coordination of medical care by allowing doctors involved in the patient’s treatment to review each other’s notes and gather similar information from other healthcare locations.

Complete the form to the right to download the entire article.

U.S. legal holds present a conundrum that confronts the bar and bench with increasing frequency. It is the result of a clash between broad U.S. preservation obligations mandated by existing case law and stringent privacy and data protection laws in other jurisdictions, including European Union member states.

The challenge requires a multinational litigant to decide in which country she would prefer to have sanctions imposed and for what reason: failing to prevent the deletion of data when litigation is reasonably anticipated, or illegally preserving it under these same circumstances.

Complete the form to the right to download the entire article.

Download this article in PDF format

The Resolution addresses concerns that have been increasing as the pace of global commerce accelerates. More companies, U.S. and non-U.S., create and store data in facilities in many countries, and in portable media of employees who may be based in several jurisdictions during a given year. Most countries have privacy and data protection laws that are significantly stricter than those in the U.S.

International e-Discovery, then, is complicated by the fact that disclosure of certain protected data may violate laws or regulations in the host country, and some of those laws carry criminal sanctions (France, Venezuela and Italy, for example). When a U.S. judge orders discovery of protected data without regard for the privacy and data protection laws of the host country of the data, a litigant may be faced with a Hobson’s Choice: whose law should I violate, and in which country should I choose to jail?

ABA Resolution 103 urges U.S. courts to consider this dilemma and, where appropriate, consider and respect such laws as they affect the e-Discovery obligations of the litigants. The Resolution and Report may be found at http://www.abanow.org/2012/01/2012mm103/

Forbes reported, on December 19, 2011, that Gwinnett Medical Center in Georgia experienced a “computer infection” on December 14, and was forced to send all non-emergency patients elsewhere. The hospital insisted that neither patient care nor confidentiality was threatened because the Patients’ “information was safe.” http://www.forbes.com/sites/mobiledia/2011/12/19/computer-virus-shuts-down-georgia-hospital/

Patient information may have been “safe” this time but computer viruses, particularly the “worm” variety suspected here, frequently obtain and send information to the malware creators. Some of the most well known viruses, for example, attack the users’ contact lists and transmit the contact information, which is then used I for phishing and other identity theft schemes.

The HIPAA Security Rule is quite explicit that Covered Entities, such as hospitals and physicians, must create, implement and document safeguards against losses of Protected Health Information (PHI). To meet these requirements, most CIO’S, Information Security personnel and Risk Managers have focused on implementation of such security measures as access control (passwords), unauthorized disclosures of PHI, and administrative safeguards against losses of portable media (most of the recently reported breaches have comprised losses of laptops, portable hard drives and USB’s). These precautions are critical but must reach beyond mere safekeeping of the devices to portable media information controls. Forbes reported that the Gwinnett virus may have been introduced by an employee’s USB drive.

The Office of Civil Rights of the U.S. Department of Health and Human Services has commenced a program of “spot audits” for compliance with the HIPAA Security Rule. In the wake of this and similar incidents, Covered Entities and counsel and consultants assisting them should focus on protection against malware that may result in mass disclosures of PHI. It should not come as a surprise if OCR asks for the documentation of such protection during its audits.