Shannon Smith is chief technology officer at Onna. Views are the author’s own.
If your business collects or maintains protected health information, you’re aware of your duty to shield that data to maintain compliance with the Health Insurance Portability and Accountability Act. But HIPAA’s protections are not absolute; PHI can be disclosed and used in legal proceedings. In fact, when PHI is relevant to a litigation matter, counsel must produce it to satisfy discovery mandates or risk fines and sanctions for violating court orders.
For corporate counsel to thread the needle between HIPAA compliance and discovery requirements, they must do three things:
- Identify the PHI they collect, including PHI from emerging data sources like wearable devices.
- Classify each type of data to ensure it’s adequately protected.
- Shield any discoverable PHI from accidental or excessive disclosure.
Here are ideas on meeting those requirements while streamlining data identification and classification.
Inventory your data and identify PHI
To maintain HIPAA compliance, counsel must understand what PHI they have and where it is stored. That demands a full inventory of data sources and storage repositories.
Start by working with your IT, human resources, and benefits team to determine what PHI your organization collects or generates, including any health-related records and billing information. Find out whether any third parties, such as cloud service providers or software vendors, handle or store your employees’ healthcare data, and ensure they comply with HIPAA and other relevant privacy laws.
Next, determine where this data is stored, whether that's on local or cloud-based servers and networks or on individual computers or personal devices. If your organization handles third-party data or maintains a cloud data repository, review your contracts and service-level agreements to ensure you have appropriate access to and ownership of that data before you need to collect it for litigation.
If your organization creates or receives data from wearable devices, establish a policy that covers who owns the data, how it can be used, and how much control individuals can exercise over its disclosure. Consider developing comprehensive consent and authorization processes to ensure you have access to this PHI if it becomes relevant to litigation.
Current eDiscovery software platforms use third-party APIs to centralize data, regardless of its format or source, into a single repository that provides a bird’s-eye view of all of the organization’s data assets.
Classify PHI to ensure adequate protection
Once you know what PHI you have, you can sort and classify it based on its sensitivity and risk so you can adopt appropriate security measures for each type of data.
With the volume of data organizations manage today, manually reviewing every piece of data to determine its sensitivity and risk profile is, quite frankly, impossible. Fortunately, technology is up to the task, quickly assessing data for keywords, concepts, and patterns that indicate it is PHI.
These systems use artificial intelligence and other techniques to understand your hard-copy and electronic data through:
- Optical character recognition: Transforms images of text documents into machine-readable text
- Language detection: Determines the language(s) used in each document
- Entity extraction: Identifies unique identifiers such as names, locations, email addresses, dates of birth, mailing addresses, and Social Security numbers
- Object detection: Detects standard formats like ID cards and passports
- Summarization: Drafts a short paragraph summarizing the content of each search result
- Classification: Sorts documents according to their risk profile and substance
These processes make it easier to classify data types based on their sensitivity and criticality so you can sort them into different buckets and apply appropriate security measures to each.
Minimize PHI before sharing data
While HIPAA regulations permit you to share PHI in the course of litigation, you must take reasonable steps to limit disclosure to the minimum necessary scope to accomplish the intended purpose.
First, narrow the scope of data collected to include only the personnel involved and only the relevant timeframe. Use discovery or data management technology, ideally during the early case assessment phase, to filter data by date range, category, and other identifiers. Watch for redundant, outdated, or trivial information; ensure that your tools flag old or duplicate data before collection. This approach not only mitigates risk by culling data sets and eliminating duplicate data but also leads to a faster and lower-cost review cycle.
Within that limited dataset, evaluate the potential impact and significance of each data point. Avoid extracting PHI that is unlikely to influence the outcome. Rather, prioritize data that directly supports or disproves claims, addresses disputed legal issues, or provides necessary context to the situation. Then apply the proportionality principle, assessing whether the effort and resources required to safely extract and disclose data are proportionate to the potential value of that data and the risks of its disclosure.
You may have to share a document that contains PHI, but that doesn’t necessarily mean you have to share the PHI itself. Look for ways to limit disclosure by taking these steps:
- Using redaction tools to excise — not merely cover — irrelevant PHI in an otherwise relevant document
- Anonymizing or de-identifying the information so it is no longer traceable to an individual
- Asking the court for a protective order to limit the number of people who may access your data
Finally, create and maintain a chain of custody for all disclosed PHI. Document every decision, including why you shared, redacted, or limited data for production. Also record every step of the collection and extraction processes, including who handled those processes, when they occurred, and whether any data or metadata was changed.
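One way to make the chain of custody described above tamper-evident, shown as an added example (not from the article or from any eDiscovery product): each entry records handler, time, action, reason and a SHA-256 digest of the document, and commits to the previous entry's hash. The handler names, timestamps, field names and sample note are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_entry(log, handler, action, timestamp, content: bytes, reason=""):
    """Append one custody event that commits to the previous entry's hash."""
    body = {
        "seq": len(log),
        "timestamp": timestamp,          # ISO 8601, supplied by the caller
        "handler": handler,              # who performed the step
        "action": action,                # collected / exported / redacted / produced
        "reason": reason,                # why data was shared, redacted or limited
        "content_sha256": sha256_hex(content),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    log.append(body)
    return body

def verify_log(log):
    """Return the index of the first broken entry, or None if the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if entry["seq"] != i or entry["prev_hash"] != prev or entry["entry_hash"] != expected:
            return i
        prev = entry["entry_hash"]
    return None

def content_changes(log):
    """Steps where the document digest differs from the step before it."""
    return [(e["seq"], e["action"], e["handler"])
            for p, e in zip(log, log[1:]) if p["content_sha256"] != e["content_sha256"]]

def demo():
    # Constructed sample document, before and after redaction.
    original = b"Visit note for J. Doe, DOB 01/02/1980: sprain, left ankle."
    redacted = b"Visit note for [REDACTED], DOB [REDACTED]: sprain, left ankle."
    log = []
    append_entry(log, "a.rivera", "collected", "2024-03-01T09:00:00Z", original, "custodian in scope")
    append_entry(log, "a.rivera", "exported", "2024-03-01T09:20:00Z", original)
    append_entry(log, "m.chen", "redacted", "2024-03-02T14:05:00Z", redacted, "identity not at issue")
    append_entry(log, "m.chen", "produced", "2024-03-04T10:00:00Z", redacted, "production set 1")
    return log
```

The chain only shows that entries were edited after the fact if the latest `entry_hash` is also kept somewhere the handlers cannot rewrite; otherwise the whole log could be recomputed.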
Technology is the key to managing PHI in litigation
Don’t wait until the clock is ticking after you receive a complaint from an opposing party. Take the time now to build a data governance and discovery plan that threads the needle between required legal discovery and HIPAA compliance. By using technology to inventory and classify your organization’s data and limit the disclosure of PHI, you’ll save money and time and reduce the risk of a HIPAA violation.