By Joe Ponder and Henry Leventis

Your day started like so many others: trying to run a healthcare company in an increasingly competitive and ever-changing environment. Managing through a pandemic. Protecting employees and patients. There are seemingly a million things to do, and you are ready to rise to each challenge. And then one of your employees walks into your office with a grim look on their face and drops a letter on your desk from the United States Department of Justice.

It is a civil investigative demand (CID) concerning “allegations” that your company submitted false claims to Medicare and demanding that you provide over 50 categories and subcategories of documents covering the past seven years. The government is also demanding substantive responses to multiple questions that will require even broader document identification and review. If this were not bad enough, your response must be formatted according to their specifications for electronically stored information (ESI) and digitized images and produced within 30 days.

This will not be just another day in the life of your company; it will be a pivotal one. What have you done up to this moment to respond in a cost-efficient and comprehensive manner? For too many small and mid-size healthcare companies, the answer may be: nothing. Yet hundreds of healthcare companies find themselves scrambling to respond to CIDs each year, and False Claims Act enforcement trends indicate that the government is focusing more than ever on small and mid-size healthcare providers.

While responding to a CID can be a daunting task under the best of circumstances, it is even more so from a reactive position. At the drop of a hat, you must engage stakeholders across IT, legal, and compliance. While the conversation may initially flow from legal through the office of the chief information officer, for most organizations the title CIO doesn’t stand for chief information “owner” for a reason. As healthcare organizations have embraced new clinical solutions via the American Recovery and Reinvestment Act of 2009 (ARRA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the role of the CIO has become more focused on technology enablement and less on managing the data and records within that technology. Instead, the role of data owner has defaulted to the business unit or individual employee(s) with the greatest dependency on the underlying data. However, this is rarely a formally acknowledged role. This disparate approach to data ownership creates yet another layer of complexity in formulating your response.

Before you can properly respond to the CID, you must know from how many systems the responsive data will need to be sourced. You also need to know how you can perform the data extraction in a way that preserves the integrity of the record and minimizes disruption. Seven years’ worth of data is a considerable range and one that quite often will require companies to piece a complete record together from multiple systems. This brings us to another unique challenge healthcare companies face: determining what constitutes the totality of “the record.”

Let’s face it, responding to a CID (or an administrative or grand jury subpoena) without proper data governance can be like trying to build and fly the plane simultaneously. Yet many healthcare companies are operating without an effective data governance plan, even as the global data footprint continues to grow at a rate of 50 percent annually. These dual phenomena of increased government enforcement and explosive data growth make it critical to be proactive in developing an information management program that governs your company’s data in a deliberate, effective, and compliant manner. So, where do you start? At a minimum, any data governance program should incorporate an effective data map, an actionable company retention schedule, and a plan for executing defensible disposition of data.

If you ask healthcare organizations what their crown jewels are from a data perspective, most will point to their primary clinical system and perhaps a data warehouse used for predictive analytics. However, there are myriad other systems that could be, and often are, called into the scope of a CID response. For example, a 200-bed hospital can use anywhere from 150 to 300 software applications to support everything from the back office to the bedside. Each application and system has its own unique data footprint, which must be understood, even if only at a surface level. Given the continued growth and increasing complexity of healthcare data sizes and formats, building out a data map is critical to any sound data management program.

A data map allows the organization to identify, classify, and prioritize what the critical systems of record are throughout the enterprise and, when done properly, can be leveraged for everything from supporting strategic organizational decisions to responding to CIDs, subpoenas, or discovery in private litigation.

To build a successful data map, you must consider why you are building it and what the most important attributes of your map will be. From a privacy and regulatory perspective, identifying systems that contain protected health information (PHI), personally identifiable information (PII), and Payment Card Industry (PCI) data can be critical and is always a great place to start. In addition, though we do not recommend a one-to-one mapping, tying each system’s data to your retention schedule at some level of record codification will pay significant dividends. Care should also be taken as to the level of detail collected and the way the map will be maintained. If the map is too cumbersome to update and manage, it will quickly become obsolete. If it does not contain enough relevant detail, it will be useless. Each organization must strike the appropriate balance to ensure its data map addresses key organizational objectives and that updates can be operationalized.

The next step in formulating an information governance program is creating and enforcing a data retention management system. While most healthcare organizations have some type of record retention schedule, very few have taken that crucial step of enforcing that retention schedule on their electronic record systems. Often, clinical applications will house multiple types of data in a single back-end repository, each of which may have variable retention requirements. Rather than attempting to tackle this unique challenge, many organizations are opting to let their electronic records persist in perpetuity. This creates unnecessary data storage costs, security risks, and significant organizational compliance issues.

To effectively govern data in accordance with a retention schedule, companies must simplify what are typically complex record retention schedules containing hundreds or thousands of record types into basic classification categories that support enforcement activities. Broad categories such as regulatory records, patient health records, finance records, and so forth help create simplified and abstracted views of your company’s data estate, which promotes better data management. We often pose the following question to our clients, “If you are not planning to manage subsets of data differently and have no legal requirement to do so, then why create distinctly different categories to begin with?” The usual response is that the schedule was authored from a legal and records management perspective, with little thought given to enforcement.

Once you have simplified your retention schedule, enforcing it throughout your organization requires a blend of education, evangelism, and technology. Most organizations need to go through a paradigm shift from a “retention schedule” to a “disposition schedule.” Stakeholders must be educated and have confidence that the initiative is supported from the top down with proper legal and compliance support, and they must understand that the risk to the organization is greater if the data is retained than if the data is purged. From a technology perspective, there is no one-size-fits-all solution. Instead, new solutions enter this market each month, each with its own unique positioning. As you would suspect, it’s not a matter of identifying the technology that is best in class, but rather the technology that is best for you. You must understand that you are likely not going to cover 100 percent of your data estate with a single solution or service. Therefore, you must consider where your greatest organizational risks lie and start there.

With records properly classified, organizations can plan for executing defensible disposition activities. Arguably, this is the most critical component of the data management plan. To successfully execute a defensible disposition policy, you must make certain that all necessary stakeholders are on board and that due diligence has been performed on the records that are subject to removal. Often, these are complex projects that touch many parts of the organization, including risk, compliance, legal, and technology. Your stakeholders must clearly understand the process and the organizational benefit, and they must ensure that all business dependencies on legacy company records are understood.
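The three building blocks above (a data map keyed to sensitive data types, a retention schedule collapsed into a few enforceable categories, and a disposition review that only removes what due diligence has cleared) can be expressed as a small piece of code. The following is an added illustration written for this page, not the authors’ or InfoCycle’s tooling. Every system name, data owner, record-type code, and retention period in it is an assumption; real retention periods come from your own schedule and from state and federal requirements. The `legal_hold` flag is also this example’s assumption: once a CID or subpoena arrives, records within its scope must be preserved, so a disposition run has to refuse to delete them even when they are past retention.

```python
from dataclasses import dataclass
from datetime import date

# Simplified retention schedule: a few broad categories rather than hundreds of
# record types. The year counts are constructed assumptions, not a real schedule.
RETENTION_YEARS = {
    "patient_health": 10,
    "finance": 7,
    "regulatory": 7,
    "general_business": 3,
}

# Fine-grained record-type codes (hypothetical) collapsed onto the broad
# categories that enforcement actually acts on.
RECORD_TYPE_TO_CATEGORY = {
    "MR-ADM": "patient_health",    # admission record
    "MR-LAB": "patient_health",    # lab result
    "FIN-CLM": "finance",          # claim submitted to a payer
    "FIN-REM": "finance",          # remittance advice
    "REG-CMS": "regulatory",       # CMS correspondence
    "GEN-EML": "general_business", # routine email
}


@dataclass(frozen=True)
class System:
    """One entry in the data map."""
    name: str
    owner: str            # business-unit data owner (often an informal role)
    contains: frozenset   # subset of {"PHI", "PII", "PCI"}
    record_types: frozenset


@dataclass(frozen=True)
class Record:
    record_id: str
    system: str
    record_type: str
    created: date
    legal_hold: bool = False  # assumed flag: set when a CID/subpoena freezes it


def add_years(d: date, years: int) -> date:
    """Date arithmetic that survives 29 February in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def category_of(record_type: str) -> str:
    # Unknown codes are never silently mapped; they must be reviewed by a human.
    return RECORD_TYPE_TO_CATEGORY.get(record_type, "unclassified")


def retention_expiry(record: Record):
    years = RETENTION_YEARS.get(category_of(record.record_type))
    return None if years is None else add_years(record.created, years)


def disposition_review(records, as_of: date):
    """Split records into (eligible for disposition, past retention but on hold,
    unclassified). Only the first list may be purged."""
    eligible, held, unclassified = [], [], []
    for r in records:
        expiry = retention_expiry(r)
        if expiry is None:
            unclassified.append(r)
        elif expiry > as_of:
            continue  # still within its retention period
        elif r.legal_hold:
            held.append(r)
        else:
            eligible.append(r)
    return eligible, held, unclassified


def systems_with(systems, flag: str):
    """Data-map query: which systems hold a given sensitive data type."""
    return sorted(s.name for s in systems if flag in s.contains)


# Constructed sample data map and records (not from any real organization).
SYSTEMS = [
    System("EHR", "Clinical Informatics", frozenset({"PHI", "PII"}),
           frozenset({"MR-ADM", "MR-LAB"})),
    System("BillingHub", "Revenue Cycle", frozenset({"PHI", "PII", "PCI"}),
           frozenset({"FIN-CLM", "FIN-REM"})),
    System("Exchange", "IT (owner by default)", frozenset({"PII"}),
           frozenset({"GEN-EML", "REG-CMS"})),
]

RECORDS = [
    Record("r1", "EHR", "MR-LAB", date(2010, 3, 1)),
    Record("r2", "EHR", "MR-ADM", date(2016, 6, 15)),
    Record("r3", "BillingHub", "FIN-CLM", date(2013, 1, 10), legal_hold=True),
    Record("r4", "BillingHub", "FIN-REM", date(2013, 1, 10)),
    Record("r5", "Exchange", "GEN-EML", date(2017, 2, 1)),
    Record("r6", "Exchange", "GEN-EML", date(2021, 2, 1)),
    Record("r7", "Exchange", "XX-UNK", date(2010, 1, 1)),
]

if __name__ == "__main__":
    eligible, held, unclassified = disposition_review(RECORDS, date(2021, 6, 1))
    print("PCI systems:", systems_with(SYSTEMS, "PCI"))
    print("eligible:", [r.record_id for r in eligible])
    print("held:", [r.record_id for r in held])
    print("needs review:", [r.record_id for r in unclassified])
```

The point of the three-way split is defensibility: the run produces a record of what was purged, what was past retention but deliberately kept, and what could not be classified, which is exactly the evidence you will want if a later request asks why a record no longer exists.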

Why all this talk on record classification and disposition? In the case of our CID example, failure to accurately classify and prune data in accordance with your company’s retention schedule (and state and federal requirements) can result in overproduction of nearly 50 percent and take significantly more effort to properly identify the records being called into question. This has a substantial price tag given that the average cost of producing a single medical record can exceed $250, and the average cost to produce an email often exceeds $5/message.

While hard-copy record retention programs have been mastered by many healthcare organizations, similar programs on the electronic side of the house often fall short.

Executing on effective information governance programs as described above is no small undertaking. In many cases, it requires a multiyear strategy and top-down executive alignment. These efforts must be interwoven into the fabric of your organization one project at a time. However, successful execution will pay significant dividends. Whether you are responding to a CID, subpoena, Medicare audit, or discovery in private litigation, your efforts will be streamlined, efficient, and provide a significant return on investment. This includes hard-dollar savings such as limiting the volume of data requiring review and production, reducing the hours spent on data collection by more than half, and eliminating the potential for follow-up requests due to incomplete responses. As with so many things in life, when it comes to how your company handles data management, an ounce of prevention is definitely worth a pound of cure.


Joe Ponder is a founding member and senior partner of InfoCycle LLC, an information governance boutique consulting firm based in Nashville, Tennessee.

Henry Leventis is a litigation partner at Bone McAllester Norton PLLC in Nashville, Tennessee.
