Managing the compliance risks of ephemeral messaging to meet DOJ guidance in healthcare and pharmaceuticals

Healthcare organizations and the pharmaceutical industry must build solutions for ephemeral messaging into their compliance strategies.

10 September 2024
By Aarti Agarwal

In brief:

  • The use of ephemeral messages is becoming more common in industries like healthcare, where sensitive or private information may now be communicated and deleted
  • In March 2023, the Department of Justice (DOJ) released amendments to its Evaluation of Corporate Compliance Programs (ECCP) setting out new retention guidelines around personal devices and ephemeral messaging
  • In January 2024, the DOJ and Federal Trade Commission (FTC) doubled down on this messaging, noting that they will no longer accept a company’s failure to provide ephemeral communications in investigations

Business communication in healthcare is no longer limited to ‘traditional’ channels like email, fax, or telephone. Increasingly, organizations permit the use of myriad channels for business and sales relations, from Microsoft Teams or Slack, to WhatsApp or SMS. As long as these channels of communication are approved, captured, and preserved, there is relatively little at stake.

Problems arise, however, when healthcare organizations are not capturing and recording communications conducted within their organization. This is especially true in the event of regulatory or legal investigation. More recently, a new risk has come to the fore – disappearing or ‘ephemeral’ messages – and regulatory and governmental bodies are taking a hard-line approach, especially in the U.S.

What is ephemeral messaging?

Ephemeral messaging is the term used for communications that disappear. Increasingly, communication channels, including WhatsApp, Telegram, and even iMessage, have introduced features that allow messages to be deleted once opened by the recipient, or after a pre-set amount of time. WhatsApp, for example, allows users to set a disappearing message timer so that messages are automatically deleted after 24 hours, seven days, or 90 days.

What risks do ephemeral messages pose to the healthcare industry?

Disappearing messages present multiple risks to organizations:

  • They may be used by bad actors as a means of concealing misconduct or unauthorized communications, such as off-label promotion or improper advice given during sales calls
  • They may cause organizations to fall outside of regulatory recordkeeping requirements that oblige firms to capture and retain communications for set periods of time
  • They break consistency in a healthcare organization’s audit trail, so in the event of regulatory or criminal investigation, the organization is unable to present investigators with a full picture of events

Disappearing messages present an easy and almost untraceable way for individuals to conceal valuable data – which may in time become valuable evidence. This was clearly seen in the U.K.’s COVID-19 inquiry, where critical evidence could not be assessed because the WhatsApp disappearing message function had been used by multiple government officials and departments.

What does DOJ and FTC guidance say about ephemeral messages?

U.S. governmental bodies are increasingly aware of the risks of ephemeral messages, especially with regard to regulatory and criminal investigations. We’ve seen particular focus from the Department of Justice (DOJ), which has issued a series of statements on this topic.

Initially, in March 2023, the DOJ released amendments to its ECCP, in which it set out new data retention expectations for personal devices and, specifically, ephemeral messages. In a keynote related to the published amendments, Assistant Attorney General, Kenneth A. Polite, Jr., commented that:

“During an investigation, if a company has not produced communications from these third-party messaging applications [including ephemeral messages], our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws.”

In January 2024, the DOJ issued an update to this guidance that “reinforces parties’ preservation obligations for collaboration tools and ephemeral messaging”. This guidance reviewed the language around the preservation of communication “to address the increased use of collaboration tools and ephemeral messaging platforms in the modern workplace.”

Commenting on the update, the Federal Trade Commission’s (FTC) Bureau of Competition Director, Henry Liu, said:

“Companies and individuals have a legal responsibility to preserve documents when involved in government investigations or litigation in order to promote efficient and effective enforcement that protects the American public. Today’s update reinforces that this preservation responsibility applies to new methods of collaboration and information sharing tools, even including tools that allow for messages to disappear via ephemeral messaging capabilities.”

Deputy Assistant Attorney General of the Justice Department’s Antitrust Division, Manish Kumar, added:

“The Antitrust Division and the Federal Trade Commission expect that opposing counsel will preserve and produce any and all responsive documents, including data from ephemeral messaging applications.”

What does the DOJ and FTC guidance mean for organizations?

In short, the latest guidance from the DOJ and FTC obliges firms to have robust, clear policies around the use of ephemeral messaging channels, to capture communications made through such channels and – if firms have not been able to capture such communications – to have a good reason why. “A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability,” said Polite.

How can organizations manage the risks of ephemeral messaging?

  • Develop clear, robust policies that directly tackle the use of ephemeral messaging

Although this may seem simplistic, the DOJ has made it clear that it will be looking to see that firms have robust policies in place that set out their expectations around disappearing messages. These policies should be clear, easy to follow, readily accessible, and proactively communicated to all affected staff.

  • Deliver engaging training that sets out the expectations and consequences of failure

Once policies have been established, training must be delivered to explain to employees what the policy means for them. Training should be engaging, offering real-life examples and context as to why the policy exists. Training should explain what the consequences may be in the event that an employee fails to adhere to the policies – in this instance, criminal liability is at stake. This should be clearly emphasized to employees to encourage adherence.

  • Implement technology solutions that limit access to ephemeral messaging options

Aside from manual policies and training, technological solutions exist that can aid in the mitigation of compliance risks. Mobile Device Management (MDM) solutions offer the ability to switch ephemeral messaging options on or off remotely, within in-app settings. Similarly, compliant communication apps, such as Global Relay App, allow employees to communicate via WhatsApp or text, but remove the option to use disappearing messages – so all communications are captured and archived by default, and available in the event of investigation.

  • Implement solutions that enable you to capture communications made through ephemeral messaging applications

Another technological consideration is data Connectors, which connect communication data from any source and deliver that data into a compliant archive for comprehensive, complete data retention. Connectors capture data at source, so, depending on the communication channel you’re looking to retain, they may facilitate the capture of ephemeral messages before they disappear.
