Possession, Custody, or Control: When can a party be required to produce ESI held by someone else?

Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.


On a daily basis, we read about new apps or devices that may create, store, and transmit electronically stored information (ESI) relevant to the health of an individual. Healthcare providers may be required to reach out to those entities and produce ESI in response to a legal adversary’s discovery requests.

Let’s begin with the basics. Rule 26(b)(1) of the Federal Rules of Civil Procedure describes the scope of discovery as follows:

“Unless otherwise limited by court order, the scope of discovery is as follows: Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties’ resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit. Information within this scope of discovery need not be admissible in evidence to be discoverable.”

Suffice it to say that the scope of discovery as defined by this rule is broad.

Now, consider this broad scope of discovery in terms of another federal rule, Rule 34(a)(1). This rule provides that, “[a] party may serve o any other party a request within the scope of Rule 26(b) *** to produce and permit the requesting party or its representative to inspect, copy, test, or sample *** [various things] in the responding party’s possession, custody, or control ***.”

Basically, Rule 34(b)(1) means if your organization is a party and it is served with a request to produce certain ESI (or other things), your organization may be required to reach out to third-parties (defined here as other than a plaintiff or a defendant) and secure information from that third party to produce in response to the request. Why?

The easiest answer has to do with control of cost and undue delay. If I represent a party and I cannot secure discoverable ESI from an adversary party because that ESI is held by someone else, I must subpoena the ESI. The subpoena process can take time and money and result in delay. In the alternative, if I can simply demand that the adversary produce ESI held by third-parties, the onus falls on the adversary to reach out and “repatriate” the ESI. And that brings up the concept of “possession, custody, or control.”

The concept calls for an examination of the relationship between the adversary and the third party. Federal courts have developed various tests to determine when a party may be required to produce ESI held by a third party. Putting the specifics of those tests aside, the examination boils down to the relationship between the adversary and the third party. And that examination may come down to judicial review of a contract or other agreement by which the adversary depends on the third party to create, store, or transmit the ESI in issue. For example, does an agreement provide that ownership of the ESI in issue is owned by the adversary? Does the agreement give the adversary the right to be provided with the ESI on demand? These are the type of questions that courts might ask.

What does this mean for healthcare providers? Recall that apps and devices appear on a daily basis. Those apps and devices create, store, and maintain ESI that can be relevant or discoverable. If a dispute arises as to who might be responsible for production of that ESI, courts are likely to resort to contractual language to decide whether a party can be required to reach out to a third-party and secure ESI in response to a request to produce. In other words (and putting aside whether the relationship is that of a business associate under HIPAA), consider what rights the party might have to, among other things, access to information held by a third-party. This might lead to the development of a list of questions for any third party. Here are some areas of inquiry, taken from Opinion No. 16-06 0f the Illinois State Bar Association Professional Conduct Advisory Opinion No. 16-06 (Oct. 2016), which addresses whether an attorney might use cloud-based services:

“1. Reviewing cloud computing industry standards and familiarizing oneself with the appropriate safeguards that should be employed;

  1. Investigating whether the provider has implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protections, and encryption;

  2. Investigating the provider’s reputation and history;

  3. Inquiring as to whether the provider has experienced any breaches of security and if so, investigating those breaches;

  4. Requiring an agreement to reasonably ensure that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches or outside requests for client information;

  5. Requiring that all data is appropriately backed up completely under the lawyer’s control so that the lawyer will have a method for retrieval of the data;

  6. Requiring provisions for the reasonable retrieval of information if the agreement is terminated or if the provider goes out of business.”

Going beyond these inquiries directed to the third party, here are some questions to ask that are specific to access:

  1. Does the prospective third party impose fees for access to or downloading of the ESI that it has created, stored, or transmitted?
  2. What are the third party’s retention policies? Will the ESI still exist six months or a year from the present?
  3. Assuming you need the ESI, in what form or forms will it be made available? For example, might metadata be intact or might the metadata be altered by the third party when the metadata is accessed?

These and other questions are important for any one of a number of reasons, including production of ESI that is in the “possession, custody, or control” of a healthcare provider.

Acknowledgement

This article is written with thanks to Ken Withers of the Sedona Conference.

 

**Editor’s Note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as legal advice.

Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant on topics related to, among other things, electronic information. He is a Senior Counsel with Dentons US LLP.

1 Comment

  1. Thank you for publishing this cogent, practical explanation of the scope of responsibility for e-data.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!