Outsourcing Law & Business Journal™: December 2009

December 23, 2009 by

OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events.

Insights by Bierce & Kenerson, P.C., Editors.   www.biercekenerson.com

Season’s Readings (and Greetings) from Bierce & Kenerson, PC, Outsourcing-Law.com and our E-newsletter.
Holiday Greetings and welcome to this first edition of an exciting re-launched Outsourcing-Law.com™ website and e-newsletter!  We want your feedback on the new Beta site as well as your contributions of content on international jurisdictions or legal issues in governance, risk management and compliance.  Please contact us.  See you in the New Year!

Vol. 9, No. 12 (December, 2009)

___________________________


1.  E-Discovery and Legal Process Outsourcing: EDRM Process Design and Choices between Outsourcing vs. Insourcing

2.  When is a Contractual Limitation of Liability Invalid and Unenforceable?  American Public Policy Exceptions to Exculpatory Clauses in Telecommunications.

3.  Humor.

4.  Conferences.

_______________________________

1.  E-Discovery and Legal Process Outsourcing: EDRM Process Design and Choices between Outsourcing vs. Insourcing. State and federal rules of civil procedure and emerging common law of the discovery process impose significant costs on businesses that are engaged in litigation. Pre-trial “discovery” serves to narrow the issues in dispute by forcing the disclosure of records, including electronically stored information (“ESI”) for judicial economy, to narrow the scope of disputed issues for adjudication (such as through motions for partial summary judgment, admissions and prior inconsistent statements), and to speed the actual trial process. E-discovery has become a daily challenge for the General Counsel, the CIO, the COO and the Risk Management Department. They face a choice of policies, procedures and technologies for insourcing (such as by using forensic software and employed staff) or outsourcing for electronic records discovery management (“EDRM”) in e-discovery. This article explores some of the differences between insourcing and outsourcing in terms of records management / EDRM, legal requirements for protection and production of electronic records, project management in forensic record examination, litigation readiness, knowledge management, risk management, ethics and legal compliance.  To see the complete article, please click here.

2. When is a Contractual Limitation of Liability Invalid and Unenforceable?  American Public Policy Exceptions to Exculpatory Clauses in Telecommunications. An essential element of risk management in any commercial contract for the sale of services or goods is the clause limiting the vendor’s liability.  In the sale of goods, the policy limitations are set forth in the Uniform Commercial Code, which invalidates clauses that deprive the customer of an “essential remedy” or the clause is part of an abuse of a consumer under a contract of adhesion, and under the federal Magnuson-Moss Warranty Act and similar state laws. In the sale of services, the policy limitations reflect common law, which may include a judicial analysis of regulations and the fundamental nature of the relationship between the service provider and the enterprise customer.

A decision by a New York State Supreme Court judge in November 2009 highlights the limits on exculpatory clauses under American jurisprudence under principles of gross negligence, willful misconduct, “special duty,” breach of the implied covenants of good faith and fair dealing and prima facie tort. In addition, other legal theories – such as fraud, intentional interference with business relationship, negligent misrepresentation, breach of the implied duty of good faith and fair dealing and prima facie tort – might not be available to enterprise customers for a simple failure by the service provider to deliver proper accounting information relating to its services.  Click here for the complete article.

3. Humor.

Legal Process Outsourcing, n. (1) everything legal but not done by a lawyer; (2) everything done by a lawyer but not legal in your jurisdiction; (3) everything non-legal but legal because it’s paralegal.

Contract, n. (1) an enforceable expression of the meeting of the minds; (2) a meeting of the wallets

4.  Conferences.


January, 24-26, 2010, IQPC Business Process Outsourcing and Shared Services Exchange 2010, San Diego, California. This is an invitation-only gathering for VP and C-Level senior Shared Services and Outsourcing executives made up of highly crafted, executive level conference sessions, interactive “Brain Weave” discussions, engaging networking opportunities and strategic one-on-one advisory meetings between solution providers and delegates. With a distinguished speaking faculty from McGraw-Hill, Ingram Micro and Pfizer, amongst others, the seats at the 2010 Exchange are limited and filling up quickly. We have limited complimentary invitations available for qualified delegates for a limited time. Please give us your reference ‘Outsourcing Law’ when inquiring. There are solution provider opportunities also available for companies who want to be represented. You can request your invitation at exchange@iqpc.com, call at 1866-296-4580 or visit their website.

January 28-29, 2010, Global Services Conference, Jersey City, New Jersey. Through the entire episode of the global economic meltdown, the global outsourcing services industry has seen the rise of a group of suppliers who are redefining many traditional management practices; changing the long-standing model for contracting offshore services; collaborating with clients in new ways; and gaining more control over outsourcing strategies. This conference focuses on these changes in the global services model and the learning from this period.  For more information, visit their website

February 22-24, 2010, SSON and IQPC 8th Procure-to-Pay Summit, Miami, Florida focuses on “Fostering Smart Partnerships to Optimize Cash Flow and Deliver Positive Business Outcomes from End to End.”  This Summit is all about making the most of your smart partnerships to increase cash flow and improve business outcomes as companies move away from a reactionary mode toward sustainable practices.  While we may not yet be out of the woods, so to speak, it is clear that the economic landscape in 2009 has created opportunities for companies to create new synergies with their P2P partners to help promote growth for 2010 and beyond.  For more information, click here.

February 24-25, 2010, IQPC’s 3rd E-Discovery for Financial Services Conference, New York, New York. Learn the Best Review, Retention and Destruction Procedures to Cut Costs and Response Time During a Financially Troubled Economy. This event examines, from the unique perspective of high-level financial executives, how the challenges of each financial sector intersect with e-discovery proceedings and processes. View the complete program agenda at www.ediscoveryevent.com/finance.


March 22-26, 2010, SSON presents the
14th Annual North American Shared Services & Outsourcing Week, Orlando , FL. Here’s a sneak peek of new and enhanced features, which include:

  • Speakers from Top Companies:Aramark, Arbys/Wendy’s, AstraZeneca, Chevron, Coca-Cola, Conagra Foods, General Motors, Kellogg, Kraft, Microsoft, Monster, NASA, Northrop Grumman, Oakley, Perdue Farms, Schering Plough, Warner Brothers and more
  • G8: Global Sourcing Think Tank Eliminating the White Noise:  The first ever neutral platform to help shape a common industry agenda in the US
  • Under the C-Suite Spotlight with Rene Carayol, An Exclusive Onstage CXO Interview : Board-room revelations regarding shared service & sourcing model strategy
  • New, Strong, Business Outcome-Focused Content : 8 content-intense tracks, from Planning & Launching and BPO Evolution to IACCM’s Contracting to Collaboration
  • Enhanced Annual Features: Quick Wins Energizers, Speed Networking, Blue Sky Innovation Room for Mature SSO’s, and more.

Please contact Kim Vigilia directly at 1-212-885-2753 or at kim.vigilia@iqpc.com with your special code IUS_OSL_#1 to get a 20% discount off the all-access pass. You can also visit the website at www.sharedservicesweek.com.

March, 25-26, 2010, American Conference Institute’s 4th National Forum on Reducing Legal Costs, Dallas, Texas. This essential cross-industry benchmarking forum gathers together more than 30 senior corporate counsel and legal sourcing managers responsible for cost-reduction success stories, as well as leaders from law firms who are pioneers in the alternative fee world, to guide those in attendance on the complexities of keeping legal department costs in check. Now in its fourth installment, this event also offers unique networking opportunities with senior practitioners in the field, includingin-house counsel across a wide spectrum of companies and industries.  For more information, visit their website.

******************************************

FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: webmaster@outsourcing-law.com The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: publisher@outsourcing-law.com . Edited by Bierce & Kenerson, P.C. Copyright (c) 2009, Outsourcing Law Global LLC. All rights reserved.  Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.

E-Discovery and Legal Process Outsourcing: ESIM Process Design and Choices between Outsourcing vs. Insourcing

December 21, 2009 by

State and federal rules of civil procedure and emerging common law of the discovery process impose significant costs on businesses that are engaged in litigation. Pre-trial “discovery” serves to narrow the issues in dispute by forcing the disclosure of records, including electronically stored information (“ESI”) for judicial economy, to narrow the scope of disputed issues for adjudication (such as through motions for partial summary judgment, admissions and prior inconsistent statements), and to speed the actual trial process. E-discovery has become a daily challenge for the General Counsel, the CIO, the COO and the Risk Management Department.  They face a choice of policies, procedures and technologies for insourcing (such as by using forensic software and employed staff) or outsourcing for electronic records discovery management.  This article explores some of the differences between insourcing and outsourcing in terms of ESI records management,  legal requirements for protection and production of electronic records, project management in forensic record examination, litigation readiness, knowledge management, risk management, ethics and legal compliance.

I. E-DISCOVERY AS A SUB-PROCESS OF RECORDS MANAGEMENT.

Record and Information Management (“RIM”) Policies and ESI Management (“ESIM”). The demands of e-discovery highlight the challenges of developing and managing effective governance policies and procedures for information of all kinds, including ESI, and the challenge of adopting and updating an ESI management (“ESIM”) plan for “business as usual.”  The International Standards Organization has developed a records management standard (ISO 15489-1, at www.iso.org). ARMA International (www.arma.org) has identified eight standards for records and information management (“RIM”), namely, accountability, integrity, protection, policy compliance, retrievability/ availability, retention, disposition and transparency.

Memory-storage devices have proliferated, challenging the company’s records custodian. In addition to computers, there are cell phones, cameras (stand-alone or in cell phones), scanners, facsimile machines, USB “key” drives, backup hard drives and other storage devices. All pose a challenge for a fully compliant response to an e-discovery request.

Legal Requirements for Protection and Production of E-Records. Federal and state rules of civil procedure have evolved to include electronic records. See F.R.Civ. P. 26(b), 34 and 45 (subpoenas) and F. R. Evid. 901(a) (authenticity). State procedural rules have been adopted to implement the Uniform Rules Relating to Discovery of Electronically Stored Information issued by the National Conference of Commissioners on Uniform State Laws. [Copy available at http://www.law.upenn.edu/bll/archives/ulc/udoera/2007_final.htm]. Basic common law, statutory and civil procedure rules in e-discovery start with similar requirements:

  • Protection: preservation of ESI through a “litigation hold” to prevent inadvertent loss when a third party demand has been made, or it has become reasonably foreseeable that such a demand will be made, and ensuring that the in-house attorney’s instruction is actually implemented (for example, avoiding the inadvertent over-writing of storage and backup tapes).
  • Accountability: identifying the scope and “proportionality” of the e-discovery requirements in relation to the overall scope of the dispute.
  • Cost allocation: allocating costs that are reasonable to the producing party and costs that are unreasonable to the requesting party.
  • Cost management: using search terms and other cost-effective automated search technologies to get the reasonable or “agreed” coverage for the initial triage, fulfilling the approach that information technology can solve the problem of searching massive records databases using search technologies. See, e.g., Zubulake v. UBS Warburg, LLC, 2004 WL 1620866 (SDNY July 20, 2004, Judge Scheindlin) and other rulings in the same case, at 217 F.R.D. 309 (SDNY 2003), 216 FRD 280 (SDNY 2003) and 2003 WS 22410619 (SDNY Oct. 22, 2003).
  • Integrity (authenticity and identification of the e-record): identifying appropriate methods and procedures for ESI production, including the appropriate level and nature of legal supervision of forensic inspections, to ensure authentication under F.R.Evid. 901(b) by using circumstantial information such as the file access permissions, file ownership, dates when the file was created and when it was modified, other metadata and hash values for the record when copied to a forensic computer for analysis.
  • Accessibility: under the rules of evidence: identifying and managing risks of loss of evidentiary privileges by the mere use of electronic e-discovery tools and procedures.
  • Accountability for Non-Compliance: identifying the sanctions for culpable conduct, mainly, “spoliation” (intentional or negligent destruction of evidence) or negligent collection done by the record custodian rather than by an automated process, such as:
  • judicial issuance of an instruction to the jury that the jury may validly draw a “negative inference” (or “adverse inference”) from the fact that the offending party could not produce the normally available documents in support of its legal arguments, resulting in a conclusion that, if the “lost” or “destroyed” records had been introduced into evidence, they would have supported a negative conclusion as to disputed factual matters; and
  • judicial sanctions including an order to pay the reasonable expenses, including attorney’s fees, caused by the violation of discovery rules, where, for example, the adverse party incurred expenses to overcome the inability to access the “lost” or “destroyed” (spoliated) records.
  • Project Management in Forensic Record Examination. Within a holistic approach to ESIM, e-discovery tools and techniques can be identified along the continuum of “cradle-to-grave” (or more appropriately, “cradle to judge and jury”) progress.   As a sub-process of electronic records management, an e-discovery process model can be used to identify the particular role or function of third-party software, in-house resources and an outsourcer’s resources.  By looking holistically at the end-to-end chain of processes leading to satisfactory e-discovery compliance, under such a paradigm, the end-result, production and presentation of ESI, can be managed by effectively adopting either a total control at the “information management” level (when records are initially created and stored).   The following is our own view of electronic discovery records management (“EDRM”) as a subset of an enterprise-wide holistic ESIM resource management paradigm for governance, risk management and compliance in e-discovery:

    2010-01-03-Holistic GRC E-discovery v3

    Litigation-Readiness: Converting “Business as Usual” IT into Information Management Operations for E-discovery. Information technology plays a strategic role in the enterprise’s ability to comply with e-discovery mandates. The enterprise’s legal department should team up with the IT department, the records management department and the line-of-business management to participate in the design – or re-design – of the enterprise’s information management operations and records management. E-discovery compliance features are now available through software that can troll the enterprise’s entire ESI, search for information according to a myriad of legal and business terms, technical parameters. In conjunction with the CIO and the records management department, the legal department can:

    • Gap Analysis: Conduct a “gap analysis” to identify which features are missing from those that are recommended or required under the applicable rules of civil procedure and common law, particularly those policies and procedures that involve data collection, classification, accessibility, storage, retention and destruction.
    • Strategic Access Plan: Develop a strategic access plan for the full life-cycle of “business as usual” and custody and control, including audit, of the company’s information and litigation-relevant information.
    • Process Design using an ESIM Paradigm: Apply the e-discovery records management sub-process of the enterprise’s holistic ESIM model to identify and segregate functions that will be performed by in-house or captive resources and those for outside legal counsel and outsourcing service providers.
    • Cross-Border Considerations: Integrate multinational and cross-border legal mandates into the design of the information technology and information management systems, at an early stage in the e-discovery process, to avoid breaches of foreign data protection and privacy laws when complying with U.S. judicial rules of procedure.
    • Integration of Internal and External Resources: Develop policies and procedures for use of outside litigation support services providers and an array of personnel and technology resources both domestically and internationally to fulfill e-discovery compliance mandates, without adversely impacting the ongoing business operations.

    Litigation-readiness must be added to the selection criteria for new IT initiatives such as “cloud computing” (here, the “software as a service” model, not the “variable IT computing-power as a service” model), internal and external social networks, Twitter and internal and external collaboration platforms such as wikis, e-rooms and Google Wave.

    Knowledge-Management Readiness: Managing and Protecting Corporate Knowledge. “Knowledge management” refers to policies, procedures and technology that enable an enterprise to capture, organize, identify, re-use and protect the confidentiality of its trade secrets. Knowledge management (“KM”) procedures must also enable the enterprise to distinguish among sources of confidential information that may be trade secrets, copyrights or patents of third parties (including “freeware” and “open source” software) as well. Accordingly, CIO’s must adopt KM planning strategies that, in conjunction with legal and compliance departments, also serve regulatory and legal requirements. The IT infrastructure needs to identify all such trade secrets during the e-discovery process so that, if disclosable, they are subject to non-disclosure and non-use under appropriate protective orders.

    II. RISK MANAGEMENT

    Risk of Spoliation by Employees and Contractors. According to one e-discovery service provider, a large majority of all corporate litigation is employment-related. If employees have access to change ESI, disgruntled or negligent employees pose a major risk of spoliation. Employees can unknowingly or intentionally destroy ESI evidence. Such actions can range from concealment (through downloading pirated software that deletes files on the employee’s web surfing history) to sabotage (actually deleting documents).

    As a result, the legal department and the CIO need to develop IT-enabled solutions to prevent such acts. This article does not address this particular issue, but it highlights the need for appropriate design of the overall information management architecture as a preventive measure.

    Risk Management. From the risk-management perspective, a proper defensive strategy will require an alliance between the company’s Legal Department, its Risk Management department and its IT department.

    • IT Role. The IT department needs to work with the Legal Department to ensure a proper chain of custody and proofs of authenticity.
    • Insurance. The Risk Management Department needs to help design and review the e-discovery process. Sanctions for spoliation have implications for coverages for directors and officers, employment practices, errors and omissions and general liability. The records manager needs to understand how the company’s Records Management (destruction) Policy meets e-discovery requirements.
    • Legal Department. The in-house Legal Department must not only manage the e-discovery process. It must design and manage effective records management policies, educate all employees about the e-discovery process and its role in management of risks, knowledge and records.

    III. BUSINESS MODELS: INSOURCING, CAPTIVES AND OUTSOURCING

    Business Models for Insourcing. Before comparing outsourcing and insourcing, it is helpful to consider the different business models in which an internal e-discovery operation can be financed. These models can be summarized:

    • Infrastructure Investment in a Complete e-discovery Toolkit. At the “high end,” the enterprise can make a capital investment in the essential tools of a fully “in-sourced” e-discovery operation. Such an investment will have significant payback for enterprises having a high volume of litigation with predictable volumes of e-discovery demands. Such enterprises will need to invest in all the people, process and technology necessary for the operation. If the operation is highly automated, it can be effectively managed onshore. If it requires substantial human review, part of the operation may be handled in offshore locations with remote access, security controls and other measures to prevent loss of confidentiality, competitive advantage and effectiveness. This leads to consider a captive e-discovery service delivery center. In this case, outsourcing can be a viable solution for that portion of the e-discovery process that requires supervised human review and analysis.
    • Pay-Per-Use Pricing. Where litigation is more volatile in terms of volume and timing, a “pay-per-use” pricing for insourced use of third-party technologies can prove cost-effective. This pricing model provides some benefits to enterprises that have very few litigations, but a large volume of ESI for assembly, analysis, protection and disclosure.
    • Consumption-Based Pricing. Consumption-based pricing reflects the volume of ESI being sorted and analyzed. This pricing model provides benefits for enterprises that want to allocate litigation costs to individual lines of business or affiliated companies, as a charge-back accounting principle that effectively rewards litigation-free business managers for staying away from the judicial system.

    Relative Advantages of Insourcing.

    • Industries Affected by Persistent Litigation. Several software tools exist that allow in-house counsel and the CIO to conduct the full forensic discovery using staff employees. Internalization of the discovery process makes economic sense where the company is constantly involved in litigation. Such companies typically include insurance companies, banks, consumer products manufacturers, and can include food service chains and franchisees. Other companies that are subject to class action claims for torts or securities law violations can fall into this category as well, impacting virtually any publicly traded company that has a volatile stock price.
    • Control of Records Management; Cost Management. Software and IT services companies argue that insourcing can significantly reduce the costs of e-discovery. They argue that, by taking control of the forensic search, collection, analysis and processing of a company’s electronic records, companies have more flexibility and control over the manner in which these critical discovery processes are conducted. This control can translate into cost savings by enabling a closer supervision on-site by the internal lawyers.Cost savings must be compared to comparable external services.Cost savings that might arise from an easier ability to make small changes in the search criteria, for example, may result in a loss of the hard-wired “e-discovery plan” that serves as the basis of justifying to the court that the discovery disclosures comply with civil procedure to locate and disclose all relevant records.
    • Protection of Trade Secrets and Intellectual Property. Insourcing, or using captives, can provide a significant level of additional protection for knowledge management, trade secrets and intellectual capital. Such protection comes at the cost of maintaining internally controlled resources. Outsourcers will claim that their security levels are higher than those in many global enterprises. Outsourcers offer personal non-disclosure covenants by individual employees. But there is always a risk, whether through insourcing or outsourcing, that the personnel having access to trade secrets, for example, might abuse their positions of trust through tipping a securities investor, selling the ideas to a competitor of the enterprise or other tortious conduct. Even a non-disclosure agreement does not constitute a valid non-competition covenant, and even non-competition covenants are unenforceable as a matter of public policy unless strictly limited in time, territory and scope, and (in California and some other jurisdictions) they may require additional payments of consideration. In short, neither insourcing nor outsourcing appears to have a clear advantage in this field, except that e-discovery managers who are employed by the enterprise might offer an advantage by having ongoing knowledge of what is (and is not) a trade secret for faster, better, “cheaper” claims to a protective order.
    • Effectiveness of Coordination and Collection of ESI. The use of skilled internal people who know the company’s operations may be able to provide better collection and coordination of ESI. However, “professional” e-discovery service providers may have the advantage in skills at the beginning as the company’s internal personnel become familiar with the processes and technology of e-discovery. Hence, insourcing might follow outsourcing until the processes can be internalized.
    • Reduction of Risks of Noncompliance with e-discovery Rules. Well-trained, well-supported internal personnel might be able to reduce risks of non-compliance in the typical e-discovery process.

    Relative Advantages of Outsourcing e-discovery. Outsourcing of e-discovery processes may be costly, but it may be the best solution for several reasons. This requires an analysis of the relative merits. This “gating analysis” should include appropriate considerations of staffing, quality, ethical risks and speed.

    • Staffing. One of the key benefits of outsourcing, and one of the key parameters in selecting the right outsourcing service provider, is the service provider’s staff. The best outsourcers have developed a methodology for human capital management in the specialized field of e-discovery and related disciplines. The outsourcer designs a service delivery platform, recruits, trains and tests its staff in generic functions (including project management, information technology and security) and then offers this staff for custom-training on the litigating company’s particular process and e-discovery requirements.Using a business company to provide litigation support can run afoul of ethics and disciplinary rules applicable to the litigating company’s (or its law firm’s) lawyers. Law society rule in England will be changed if and when a pending draft law is modified to permit competent non-lawyers to perform tasks that might be considered the practice of law. Under applicable ethics opinions of the American Bar Association and various city and state bar associations, the in-house lawyer or outside law firm cannot escape certain core ethical duties:
    • to supervise the work of the outside service provider;
    • to avoid assisting in the unauthorized practice of law (“UPL”)
    • to ensure the protection of client confidences;
    • to avoid waiving any rule permitting a claim of legal privilege (and to rectify innocent or mistaken disclosures, see e.g., Fed. R. Evid. 502);
    • to avoid conflicts of interest;
    • to protect against data loss, theft or other act or omission that might constitute sanctionable spoliation;
    • to comply with the rules of court relating to e-discovery and management of ESI at all stages.
      Vendor selection involves finding the right fit for the particular litigating company’s legal, regulatory, compliance, privacy, legal ethics and security requirements.
    • Service Level Metrics and Quality Considerations. Few internal employees want to live by performance metrics. Outsourcers live by “guaranteeing” service metrics and other quality parameters.

    Offshoring Issues. In considering an offshore captive or an offshore LPO outsourcing, the company’s lawyers must evaluate special cross-border legal issues.

    • Export Controls. By transferring any U.S. data abroad, the company may require a license from one or more branches of the U.S. government. While commercial information may be subject to a general export license that does not require any notification, filing or administration, some information (such as software or design information that may have dual civilian and military uses) may require a specific license. Similar issues arise where the company’s ESI includes trade secrets, pending patent applications and other information that is subject to a required export license.
    • Data Protection. Data protection rules under HIPAA and other legislation may apply to the data being processed. Foreign LPO service providers must ensure compliance.
    • Privacy. Privacy rights arise from many legal sources and different jurisdictions. Depending on the source of any personally identifiable information (“PII”), any transfer of company records to a foreign LPO service provider may violate applicable rules. This issue suggests a proactive approach in the design and implementation of the company’s overall information management systems.
    • Third-Party Consent. The information in a company’s database may include information that is licensed under restrictive disclosure conditions or where a third-party’s consent is required by an applicable law. Third-party consent may be required.
    • Client Consent. The information in a company’s data base may also require the client’s consent
    • Political Risk. Foreign service providers come with a suite of political risks that could impair service quality, timeliness of service, confidentiality and other custody and control issues for the ESI and the foreign nationals accessing such ESI.

    IV. PROJECT MANAGEMENT

    Most effective e-discovery procedures will require effective integration of internal and external resources. The design, planning, implementation, performance, intermediate re-balancing and supervision of all resources remain, of course, in the hands of the company, and, in particular, in-house attorneys. The Legal Department (which is ultimately responsible) may wish to consult with “outsourcing lawyers” not merely with litigation counsel on achieving a flexible, cost-effective, efficient design, vendor selection and supervision, review of compliance with ethics rules and project management.

    Evaluation Process. Companies evaluating an LPO solution for e-discovery (or any other LPO) should therefore carefully explore all relevant implications, design the program for compliance and quality of service, address special issues involving any cross-border data flows and other commercial, judicial rules, legal and ethical requirements.

    Project Management Roles. Each LPO project requires thoughtful and careful attention to ensuring that all responsibilities of the different parties are aligned with their roles. Within the outsourcing model, there is room for designing and allocating roles and responsibilities to give in-house attorneys control of the process so that they can manage the ethical responsibilities. The introduction of the LPO service provider raises new questions whether the cost-controlling measures will impair (or improve) the quality of the outcome. External lawyers could also manage the service providers.

    V. BUSINESS MODELS

    • Business Models. Currently, most LPO e-discovery services are conducted under business models of insourcing (including contract attorneys), captives and outsourcing.
    • New Models. Over time, companies and their legal counsel will become more familiar with the tools, alternatives and strategies for effective LPO, including identifying and assessing risks and evaluating a risk-benefit matrix.  With greater maturity in capabilities, new business models for identifying and managing e-discovery processes, tools and personnel may evolve.   The impact of cloud computing, platform-as-a-service, software-as-a-service, virtualization of both servers and client computing and mobile computing will challenge enterprises and their technology and legal service providers to integrate a holistic and global ESIM process to incorporate the EDRM subset as “business as usual.”

    Outsourcing Law & Business Journal™: October 2009

    October 29, 2009 by

    OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events. Insights by Bierce & Kenerson, P.C. www.biercekenerson.com […]

    Shared Services in Lieu of Outsourcing: Offshore Captive Internal Bank

    October 16, 2009 by

    Summary.

    In making the classic “buy vs. build” decision in relation to services to manage sophisticated business processes, enterprises may elect to establish a captive enterprise to perform “shared services” for affiliates. The “shared services captive” is an alternative to buying outsourced services. But it is also an alternative to internal administration of a business process separately by individual departments, divisions or lines of business. Shared services captives can provide key advantages for diversified multinational enterprises, particularly as a cost-reduction technique when sales and sales margins might be eroding in a global economic downturn.

    Captive Internal Bank.

    Sony Corporation, the Japanese-based electronics and entertainment group, announced in June 2003 that it was planning a major expansion of intercompany banking services to help reduce financing charges and manage currency risks for all affiliates.

    Cost Savings.
    According to Sony’s managing director for Global Treasury Services, Mr. Hiro Kurihara (as quoted in an interview with the Financial Times), the London-based shared services operation will generate cost savings of approximately $30 to $40 million per year.

    Risk Reduction.
    In addition, Sony projected reduction of risks of changes in currency in connection with the settlement of intercompany transactions. Sony plans to offset foreign exchange risks with services — normally offered by money-center banks — of “automatic cashless settlements” and “automatic sweeping.” This requires investment in information technology and integration with others in financial services markets.

    Centralization, Specialization and Scale.
    Sony’s Global Treasury Services acts like a clearing bank for all affiliates. In this centralized function, the shared services affiliate can aggregate volumes of transactions that are generic, but whose handling requires specialized skills. As a result, economies of scale can reduce per-unit costs and increase focus on specialized transactions that internal financial executives in operating affiliates might not have, or might find difficult, time-consuming or costly to acquire. The Sony shared services affiliate reportedly manages 95% of the enterprise’s financial derivatives and exchange swap transactions.

    Transition and Transformation.
    The transition to an internal financial services captive is part of a global restructuring that will result in accounting charges of approximately $1.2 billion. Restructuring to include new, enhanced shared-services affiliates may help multinationals such as Sony to transform their services models by increased efficiency and cost management.

    Integration with Insourced Transactions.
    Establishment of a shared services affiliate requires careful attention to integration with other internal processes. The shared services affiliate must define its “services offerings” and enable managers in affiliated lines of business to use the services with minimal cost and delay. As a result, virtually all “shared services” are digitally integrated. The degree of integration may range from the use of telephones and e-mails to a web-enable Internet-accessible portal. As a result, shared service affiliates generally are purchasers of services and technology from third parties.

    Integration with Outsourced Transactions.
    Indeed, shared services providers may be the largest purchasers of outsourced transactions. For example, Proctor & Gamble was negotiating for a complete sale of its shared services affiliate to a global outsourcing services provider in 2002. When P&G was unable to obtain its desired sales price at for the services charges that it wanted, P&G chose instead to hire Hewlett-Packard to provide selective outsourced services to support its insourced “shared services” operation.

    Advantages in Shared Services.

    Shared services affiliates, or “captive” service companies, have many of the advantages of an outsourcing without any loss of ownership and control over business processes, technology, intellectual property and personnel. Shared services captives can develop and retain knowledge capital involving sophisticated business transactions that individual affiliates cannot acquire due to smaller volume of similar transactions. As the business process involved becomes more subjective and susceptible to business judgment, shared services captives retain an advantage over outsourcing because that very subjectivity might be a core competitive advantage and might not be scalable.

    Risk Management in Shared Services.

    Adoption of a “shared services captive” approach involves a number of risks that can be managed by treating the captive as an external service provider of outsourced services. Such techniques include:

    • adoption of “service level agreement” obligations, with financial incentives and consequences for failure, applicable to the management and employees of the shared services affiliates;
    • details concerning the integration of the captive’s services with those of the other operating companies or lines of business;
    • suitable insurance coverages;
    • suitable contracting procedures for outsourcing of certain perfunctory tasks of the shared services captive to independent outsourcing services providers;
    • human resources and intellectual capital management techniques for aggregation and accumulation of related processes and improvement in business processes, quality of service and optimal alignment with the key performance indicators of the core business’s mainstream operations.

    Shared Services on the Continuum of Insourcing and Outsourcing.

    In conclusion, shared services companies, or captives, perform roles that run along the continuum of fully vertically integrated insourced operations to a skeleton of core competencies supported by a network of outsourced operations. If a business process can be outsourced, it can also be insourced after the outsourcing. If it has been insourced, it could be structured more efficiently as a captive to look like an outsourcing. And once structured as an outsourcing, it could become a true outsourcing service provider to support non-affiliated customers, and could even be spun off to shareholders or sold to a strategic buyer. Thus, the captive shared services organization can mutate according to trends affecting customers, suppliers, corporate strategies, changing processes and changing marketplaces. In establishing internal captives, the lessons of outsourcing can improve performance and flexibility.

    Call Centers and Customer Relationship Management

    October 16, 2009 by

    Thanks to Customer Relationship Management (“CRM”) software and low-cost, high-speed international telecommunications, a call center can be located anywhere in the world. While the legal issues in offshoring of any outsourced service can be complicated, the business issues are generally the same.

    Who Should Outsource Call Center or CRM Functions?

    Call centers connect your enterprise, its goodwill and operations, to your prospects and customers and, if you wish, even influencers of consumer behavior. Any high-volume consumer industry can benefit by outsourcing call center functions. These might include, for example:

    • health care
    • automotive
    • retailing
    • services to the household, such as oil and gas deliveries, electrical utilities and telecom providers
    • consumer electronics
    • wireless communications
    • financial services, including banking and brokerage
    • insurance
    • travel and hospitality
    • media

    Scope of Services:

    Since a call center can deliver any type of services that are capable of being done by telephone, enterprise customers need to classify the possible scope of services. This classification will suggest the key parameters for defining and achieving the intended goals of the call center. The following list is only an indication of some basic classes of outsourced call center services.

    Customer Service and Support.
    This type of service can be as simple as advising your customer about the information he needs from your data base, such as account balance, unpaid amounts, deadlines and credit balances. Or customer service can involve a complex decision tree involving a script that you prepare to determine your customer’s needs, complete an application or request for change of information, and execute your customer’s orders.

    Technical Support / Warranty:
    In helping your customers solve problems relating to your products or services, you want to be able to resolve all problems in the first call. Achieving high first-call resolution rates with lower per-call handle times can make a significant cost difference. To some degree, you remain responsible for success because of the way in which you plan the interaction based on manuals, scripts and decision trees. Technical support (or “telephone help desk”) can provide invaluable in retaining customer loyalty and avoiding costly product returns or service cancellations.

    Sales, Bookings (travel reservations) and Customer Retention:
    Your telesales department needs to convert inquiries into sales, and to retain customers upon expiration of subscriptions or upon other termination events in your customer relationship. Telesales are useful both at the beginning and the end of your customer relationship life cycle. As a tool for proactive outreach, customer retention programs can help sustain your bottom line.

    Marketing Surveys and Research:
    Outbound calling can identify potential customers, identify an existing customer’s interest in possible new products or services from your company and conduct inquiries about consumer preferences as to pricing and features of existing and new products. This can help your market positioning, promotional campaigns, product design, pricing and sales approaches. Outbound calling can also be used to clean up duplicates or stale information in your “old” data bases, validate existing information, for “data base scrubbing.”

    We would welcome any suggestions to make our list more complete, and to identify any special needs that are suggested in the following list.

    Ownership and Control Issues: Outsourcing vs. Captive (or “Shared Service Center”).

    Call centers come in various shapes and types. You can outsource, or you can create your own foreign call center. Outsourcing is probably cheaper and faster to get started, but establishment of captive call centers can be achieved using external service providers to create the infrastructure, train the employees according to your requirements and help you manage the entire operation.

    Criteria for Selecting a Call Center / CRM Service Provider.

    Enterprise customers shopping for a call center or CRM service provider should identify key performance indicators (“KPI”) relevant to their industry. On a generic basis, enterprise customers should consider whether prospective CRM service providers offer any unique strategic insights that streamline operations, the strength of any IT-enabled data-driven relationships to your customers and, over time, the degree of continuous process improvement.

    Countries.

    Effective call centers are in Philippines, India, Ireland, Brazil, Mexico and Canada, are the typical suspects. Many foreign call centers will be integrated with domestic call centers for backup, problem escalation and culture-sensitive situations.

    Legal Issues Affecting Enterprise Customers for Call Center Operations

    Outbound Calls (from the Call Center to the Customer):
    Outbound calls can be intrusive. For public policy reasons, such intrusions should be limited and targeted, as well as complying with applicable restrictions on calling. Legal issues in outbound calls include:

    • privacy of data and data protection
    • fair trade practices, including invasion of privacy, consumer protection and other local laws and regulations restricting access to the target customer or prospect
    • Force majeure, including terrorism, act of war and natural catastrophes
    • Currency exchange fluctuation
    • Termination conditions

    Inbound Calls (from the Customer to the Call Center):

    All Calls:
    Any contact with a customer could build or harm your goodwill. Call centers needs to comply with the rules of etiquette as well as laws relating to abusive relationships.

    International Outsourcing:
    Offshore outsourcing contains a suite of unique risks. International risk management needs to be planned into the outsourcing contract and the methods of service delivery.

    If you need any coaching, planning or legal advice, please let us know.

    Financial Planners Outsource Their Back Office Support Staff to Home-Based Workers

    October 16, 2009 by

    Summary.

    Suddenly, outsourcing benefits come to financial planners. But reports of the advantages may be too good to be true.

    What is Outsourced, and to Whom.

    In a lead article, The Wall Street Journal announced in April 2003 that a small number of financial planner are adopting an outsourcing model in their business, hiring “independent contractors” to manage tedious tasks. Such tasks might include:

    • credit checks and reference verifications for new clients;
    • data entry for investment statistics and record keeping;
    • cash flow analysis;
    • retirement planning strategy;
    • preparation of financial plans.

    Rationale.

    Financial planners who outsource such back-office business processes claim that it allows them to devote more time to their basic business of consulting and counseling. The independent contractors, most of whom work from their homes, need little training to perform the functions, yet the outsourced functions are the time-intensive components of financial planning.

    Legal Issues for Home-Based Workers.

    Many issues arise in outsourcing to home-based workers.

    Employment Relationship (vs. Consulting Relationship).
    The Internal Revenue Service has proposed a list of 20 questions used to determine whether an individual who is a service provider is an employee or an independent consultant. Properly structured, the relationship can be proven to be independent, thereby saving the customer (financial services planner, for example) in Social Security and Medicare taxes.

    Negligent Selection and Recruitment.
    In an employment relationship, the employer is potentially liable under the tort theories of:

    • respondeat superior (vicarious liability for the tortious acts of one’s employee) or,
    • for certain intentional misdeed by the employee, negligent selection and hiring without due diligence.

    In an outsourcing context, virtually the same principle applies because the financial planner is liable as “general contractor” for the mistakes of the subcontractor. But, unlike an employment relationship, the contractor (financial planner) is generally not liable for malfeasance or intentional conduct of the outsourcing service provider.

    Pension Plans and ERISA.
    If the financial planner is deemed to be an employer, then the outsourcing services provider might be deemed covered by the Employee Retirement Income Security Act of 1974. Any pension, medical or profit sharing plan of the financial planner might have to cover the services providers, under penalties for any failure to comply.

    Accidents on the Home Front.
    Financial planners or others hiring home-workers should identify the respective liabilities of the parties in case of any accident while the home-worker is engaged in performing services. This is potentially a greater risk for an employer than an outsourcing customer, but it poses risks to both.

    Confidentiality.
    Any outsourcing transaction should be governed by appropriate confidentiality commitments to protect the information of the financial planner. But this raises a question whether the financial planner’s client is willing to have such subcontractors see the relevant confidential financial information.

    Client Engagement Letter.
    Accordingly, if third parties are to receive and review confidential or proprietary information, the client must approve the process. This principle applies, as a statutory requirement, in case the financial planner is affiliated with a financial institution under the Graham-Leach-Bliley Act or if the information includes confidential medical information protected by the Healthcare Improvements Portability and Accountability Act of 1996.

    Management.
    The financial planner will still need to manage the service provider. The costs and time of such management can be high if the financial planner does not have a well-organized plan of his or her own to use appropriate collaboration tools and review the work done by the service providers.

    Best Practices.

    The best financial planners who outsource any function will follow the rules set forth above. In addition:

    Web-Enabled Collaboration.
    Outsourcing customers, having learned the uses of e-mail, now are learning the uses of Web-enabled collaboration tools that permit close collaboration. Such tools do not require any immediate presence of the service provider on site, or the use of the financial planner’s assets, inventory, rental space or other facilities.

    Centralized Security and Storage.
    Data security and storage must be managed effectively.

    Added Value.
    By outsourcing substantial portions of a business, the business manager risks losing the competitive advantage of controlling a niche specialty. This is a classic challenge for outsourcing customers generally. Like other risks, it requires a balancing of business, legal and commercial requirements with the perception that the business manager lacks the essential tools. So the marketing of such operations requires a continuous compelling reason for the clients to buy the services. Effective supervision and integration of outsourcing service providers adds value by providing teamwork and leverage.

    International Trade Regulation of Outsourcing

    October 16, 2009 by

    The Trade Act of 2002, signed by President Bush on July 27, 2002 , H.R. 3009, authorizes the President to negotiate trade agreements that will be approved, or disapproved, by Congress without any changes. The law identifies the same old American public policy objectives. In relation to trade in services and trade in intellectual property, the objectives stated for the Doha (Qatar) Round are essentially the same as set forth in existing WTO agreements under the Uruguay Round.

    The principal negotiating objective of the United States regarding trade in services is to reduce or eliminate barriers to international trade in services, including regulatory and other barriers that deny national treatment and market access or unreasonably restrict the establishment or operations of service suppliers. [Section 2102(b)(2).]

    For international outsourcing, this legislation may allow the extension of U.S. IT-enabled business services into foreign countries that presently restrict such services. This could provide benefits to U.S. IT and business process outsourcers, if they can find ways to leverage their systems. More likely, offshore service providers could enter the U.S. markets, but might be subject to certain restrictions that relate to foreign ownership of U.S. regulated industries. Currently, regulated industries generally manage the regulatory problems by supervising their services providers, rather than by declaring foreign service providers ineligible to work.

    At that time, President Bush did not appears to contemplate any major changes in the existing Trade Agreement for Services, Trade Agreement on Intellectual Property or the Trade Agreement on Investment Measures. Neither of these agreements, which already grant substantial openness for trade in services and related intellectual property and direct investments, is as controversial as the Bush Administration’s use of anti-dumping rules against foreign steel.

    Insider Theft of Trade Secrets in India: Employee of Captive R&D Subsidiary Accused of Source Code Theft (and What You Need to Know About Protecting Your Trade Secrets Abroad)

    October 9, 2009 by

    In a global economy, which risks are greater: theft of trade secrets by a service provider or theft of trade secrets by an employee of a foreign subsidiary?  How can a global enterprise contain such risks in either case?  The story of theft of source code by an employee of an Indian research and development center highlights the need for proper strategies for risk mitigation in the face of the inherent risks of human nature.

    Indian R&D Center, Site of Source Code Theft.

    On August 4, 2004, Jolly Technologies, a division of U.S. business Jolly Inc., publicly reported that one of its employees at its Mumbai, India R&D center had misappropriated key ports of source code being developed along with confidential documents.   The trade secrets relate to one of its key products for the labeling and card software for the print publishing industry.

    Profile of a Thief and a Theft.

    Jolly Technologies was new to India.  Its center was established only three months prior to the trade secret theft.   The employee alleged to have stolen the trade secrets was a new hire.  The theft was done by simply uploading the source code to her Yahoo account.

    Consequences to the R&D Center.

    Jolly reportedly shut down its R&D center immediately to assess and contain the damage.  It also sought assistance from Indian police to deal with the matter as a criminal act.  The company’s investment may be a loss, and it may need to expend further resources to prevent the use by its competitors and other third parties of any stolen source code.

    Security Precautions.

    The theft shows how simple it is for any person with Internet access to misappropriate trade secrets.

    • Data Export Controls on Internet Access.
      Internet access may be essential to virtually all knowledge-economy employees, so management may consider that shutting off Internet access may be impossible.  The Affaire Jolly suggests that software development might need to occur in an environment that allows employees access to information but does not allow them to transfer certain types of information from a company computer to anyone via the Internet.   The advent of network administration software, XML metatags, html, virus sniffers and spam blockers may introduce technology that allows a company to prevent the transfer of source code to unauthorized Internet addresses.
    • Segregation of Function.
      Most software development projects start with modules and build into integrated suites of modules.  In the manufacturing sector, complex trade secrets may be protected by separating multiple manufacturing processes into separate functions and separating the component processes.  This can be done by either putting the component processes into different operations or by separating subassemblies from final assembly.  Software development could be structured similarly, though segregation of function reduces efficiency.
    • Background Checks.
      The new hire at Jolly Technologies might have been investigated for a possibly criminal background.  But background checks probably do not help with curious employees interested in studying stolen code or restructuring it for possible other purposes.

    Legal Precautions.

    The trade secret theft also highlights the weakness of national legal systems where, in the case of India, courts have historically taken a decade to decide civil disputes.  Whether establishing a foreign captive service subsidiary or hiring a foreign service provider, the legal environment and legal precautions are critical to risk management.

    • Statutory Protection for Trade Secrets.
      Most countries hosting R&D centers or outsourcing service centers are members of the basic international conventions on the protection of intellectual property.  Even China, by adhering to the World Trade Organization, now officially grants intellectual property rights under the WTO Agreement on Trade-Related Intellectual Property right (“TRIP’s”).  India has long been a member of the Paris Convention on Industrial Property and protects copyrights, patents and trade secrets.  As the Affaire Jolly demonstrates, it is not sufficient to have a legal right.  You need to have a credible forum for enforcing those rights.
    • Contractual Commitments.
      Well-advised enterprises require their employees by contract to abide by various policies and procedures, including respect for intellectual property rights and trade secrets of the employer and third parties doing business with the employer.  Contractual commitments are a basic requirement of any IPR protection.
    • Security Surveillance.
      Jolly’s security surveillance, by an internal audit, discovered the theft.  Pre-emptive security precautions cannot prevent fraud or theft, but surveillance can discover it.
    • Risk Mitigation after the Theft.
      After the horse has left the barn, how do you get it back into the barn?  In a global digital economy, the only solution might be to find some way to tag the digital works, just as ranchers did for their cows in the 1880’s.

      • Court Systems.
        Indian courts now have a commercial part that is intended to accelerate adjudication. It is not clear whether the Mumbai courts offer any real adequate forum, and even adjudication of civil liability does not automatically result in enforcement of a money judgment.  Access to court systems are so fundamental to investors and employers that the issue should become one of diplomatic entreaty (as the U.S. has done with China), investor due diligence, and recommendations by intermediaries such as trade associations (such as Nasscom and ITAA), venture capitalists, private equity funds and investors and multinational enterprises and their advisors such as international business lawyers and business process and sourcing consultants..  Ratings on access to judicial systems should be part of the due diligence in all international operations.

    Other Measures.

    Insurance may be available, but the consequential loss may be too high for a fair premium.

    Conclusion.

    In captives and outsourcing, IPR protection needs practical and legal protections.  Blatant misappropriation will continue as a matter of human nature, so risks can only be mitigated.   Effective methods of mitigation will continue to evolve.  Technology and IP lawyers should be consulted before international operations are launched.

    Privacy in Outsourcing of Health Information

    October 9, 2009 by

    The general Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires anyone to obtain a patient’s prior consent in order to use “individually identifiable health information” for non-medical purposes, such as employer evaluations.   For medical treatment and payment purposes, however, using or sharing medical information “for incidental use or disclosure” is permitted.   For marketing purposes, a pharmacist may use a patient’s medical information to make recommendations to the patient to switch medications.

    The final Privacy Rule, published August 14, 2002, preserves the role of outsourcers of medical information.  Certain prior draft provisions were softened.

    Prior Draft Regulations.

    Prior draft regulations, issued by the administration of former President Bill Clinton, would have prevented hospitals and clinics from  scheduling medical tests or surgery until the patient had read and signed a long, legalistic “privacy notice.”

    Impact of Regulations on Outsourcing of Medical Information Processing Services.

    The prior draft HIPAA Privacy Rule raised several concerns for those involved in outsourcing of medical information processing services.

    Continuation of Outsourcing Services.
    The prior draft targeted situations in which covered entities outsource their billing, claims, and reimbursement functions to accounts receivable management companies. These collectors often attempt to recover payments from a patient on behalf of multiple health care providers.  Affected covered entities and their services providers were concerned that the Privacy Rule would prevent these collectors, as business associates of multiple providers, from using a patient’s demographic information received from one provider to facilitate collection for another provider’s payment.  Under the final HIPAA Privacy Rule, outsourcing such services is permitted. .

    Continuation of Outsourcing of Records Management and Photocopying.
    The prior draft would have had a negative impact on outsourcing of records management and photocopying activities.   It could have effectively eliminated any economic benefits to outsourcing services providers of the cost-based copying fees allowed to be charged to individuals who request a copy of their medical record under the right of access provided by the Privacy Rule. See 45 CFR Section 164.524.  There was a risk of driving the outsourcers out of business.

    In acknowledging this, the Department of Health and Human Services made a special clarification to accommodate outsourcing.  Many hospitals and other covered entities currently outsource their records reproduction function for fees that often include administrative costs over and above the costs of copying. In some cases, the fees may be set in accordance with State law. The Privacy Rule, at Sec. 164.524(c)(4), however, permits only reasonable, cost-based copying fees to be charged to individuals seeking to obtain a copy of their medical record under their right of access.   In response to comments that persons seeking copies of all or part of the medical record, such as payers, attorneys, or entities that have the individual’s authorization, would try to claim the limited copying fees provided in Sec. 164.524(c)(4), the final Privacy Rule makes clear that the fee structure in Sec. 164.524(c)(4) applies only to individuals exercising their right of access.

    However, the Department of Health and Human Services acknowledged that even this accommodation could put a strain on covered medical-related entities, and that the regulation forced subsidized access to medical records by the individual patients.   HHS argued:

    To the extent hospitals and other entities outsource this function because it is less expensive than doing it themselves, the fee limitation for individuals seeking access under [45 CFR] Sec. 164.524 will affect only a portion of this business; and, in these cases, hospitals should still find it economical to outsource these activities, even if they can only pass on a portion of the costs to the individual.

    While perhaps onerous on covered entities, the rule does allow outsourcers and their customers to recover more than their costs on non-patients in order to subsidize patients’ access to medical records.

    Outsourcing Continues to Require Contracts.
    The Department of Health and Human Services final Privacy Rule requires that any relationship between a “covered entity” and a “business associate” (also known as an outsourcer or services provider) must be established and managed by contract.  Some service providers tried, unsuccessfully, to be authorized to “self-certify” their compliance, or have a neutral certification authority.  “With respect to certification by a third party, it is unclear whether such a process would allow for any meaningful enforcement (such as termination of a contract) for the actions of a business associate,” the HHS concluded.

    Minimum Standards, not Exclusive Standards.

    The final Privacy Rule does not supersede any more stringent privacy protections of any state laws.   The “best practices” approach, therefore, may be to obtain the patient’s consent for certain uses of the medical information, particularly for patients who are likely to change residences from one state to another and the new state of residence has stricter provisions.

    Outsourcing Contract Terms.

    The final Privacy Rule adopted in August 2002 sets forth specific requirements for contracts between “covered entities” and “business associates” (outsourcers).   For the minimum terms of such a contract, our subscribers can view the terms at hipaa privacy data use contract terms

    Definitions.
    Key definitions under the final Privacy Rule can be reviewed at hipaa_privacy_definitions

    To Bundle or Not to Bundle Goods and Services: NASA’s Desktop Contract

    October 9, 2009 by

    Some bundling of goods and services is intrinsic to all outsourcing.  The advantages of bundling to the service provider have been touted by Lou Gerstner, who, while Chairman of IBM, observed that services are the “wrapper” in delivering goods and related services as a package  This case study comments upon the practice of bundling.

    NASA’s Bundled Desktops.

    NASA’s Inspector General’s Office announced in late July 2003 that NASA has overpaid by an average of 24% for computer accessories and supplies purchased through a $1.3 billion 1998 desktop IT outsourcing deal with multiple vendors covering desktop, server and communications equipment and support services.  The overspending reportedly occurred on the “Outsourcing Desktop Initiative for NASA” (“ODIN”).  Under the program, participating service providers are required to maintain at each NASA site that they support an online catalog of supplemental computer supplies and accessories, such as keyboards, printer cartridges and PDAs.  The catalog purchases were at prices above market levels because they were bundled with related services.The NASA Inspector General criticized the contract structure because of “unnecessary” product bundling with services (such as installation and maintenance support) and a failure to permit the customers to negotiate volume purchase discounts on products whose prices had fallen in the marketplace.

    When is “Bundling” Necessary or Appropriate?

    The NASA Inspector General’s report raises the issue of unbundling in long-term services contracts  The report highlights how a long-term outsourcing transaction that bundles goods and services is susceptible to criticism for market-driven elements for pricing of underlying products, where the service provider has committed to deliver installation and maintenance as “necessary” corollaries to ensure compliance with dependent service levels.

    Necessary to Minimize Price. Bundling may be unnecessary if it inhibits the outsourcing customer from gaining access to the marketplace for underlying technology products that can be obtained in the marketplace. However, market access may need to be balanced against other considerations, such as the degree of retained control over the infrastructures that deliver the outsourced services.

    Necessary to Ensure Service Levels. If the service provider is solely responsible for service levels that depend on the quality or condition of underlying technology platforms, the service provider may reasonably insist upon the right to ensure that such platforms are properly maintained.  Accordingly, the bundling of goods and services is usually tied to the SLA.  If the customer wishes to perform services within the scope of the outsourcing, such as purchasing software or computers, and installing them by the use of in-house personnel, the service provider may reasonably request exculpation from a failure in the service levels.  The essential business issue is whether the service provider must show that the customer’s failure caused the SLA breach.

    The Balance.

    In conclusion, bundling may be aggregated in some cases. A properly crafted agreement can provide both flexibility and control for the customer, without unnecessarily jeopardizing the service provider’s ability to deliver agreed service levels.

    « Previous PageNext Page »