Bernadete de Figueiredo Dias
CGM Advogados, São Paulo
bernadete.dias@cgmlaw.com.br

The Brazilian Data Protection Law (Law No 13,709/2018 or 'LGPD') is the most comprehensive data protection law enacted in Brazil^[1] and it applies to: (1) data processing activities in Brazil; (2) processing of data collected in Brazil or concerning individuals located in Brazil; and (3) data processing activities with the purpose to offer goods/services to individuals in Brazil.^[2]

From a data protection point of view, LGPD distinguishes personal data, that is, information related to an identified or identifiable natural person, from sensitive data, which means personal data on racial or ethnic origin, religious conviction, political opinion or membership of a trade union or organisation of a religious, philosophical or political nature; data relating to health or sexual life; and genetic or biometric data, when linked to a natural person, including with regard to the legal bases applicable to the processing of such data.

With respect to medical records, the Brazilian Board of Physicians (Conselho Federal de Medicina or 'CFM') supervises, regulates and disciplines the medical profession in Brazil, with the purpose of preserving the ethical exercise of the profession. Among other regulations, CFM issued a Code of Medical Ethics ('CME') and special resolutions regarding the secrecy of medical records, such as CFM Resolution No 1,638/2002. CFM is represented in each Brazilian state by a State Board of Physicians (Conselho Regional de Medicina or 'CRM').

CFM Resolution No 1,638/2002 defines medical records as a single document consisting of a set of recorded information, signs and images, generated from facts, events and situations about the patient's health and the assistance provided to him/her, of a legal, confidential and scientific nature, which enables communication between members of the multidisciplinary team and the continuity of assistance provided to the patient (Article 1).

Further, several guidelines have been issued on the matter since 2020, such as Agência Nacional de Vigilância Sanitária's ('ANVISA's') guide with cybersecurity principles and practices concerning medical devices,^[3] the guidelines issued by the pharmaceutical industry^[4] and the Code of Good Data Protection Practices for Private Health Providers prepared by the National Health Confederation (the 'CNSaúde Code').^[5]

Given the above, we found that the treatment and sharing of such data are subject to various laws and regulations, depending on the type of data collected.

Personal data and sensitive data

According to LGPD, the bases for processing personal data are listed in Article 7. LGPD establishes stricter parameters for the processing of sensitive data in Article 11 and the acceptable bases for the treatment of sensitive data, including health data, are as follows:

• The data subject's consent, freely given, specific, informed and unambiguous, either in writing or by a clear affirmative action. Although, from a practical point of view, this legal basis presents greater difficulties, for example, in the definition of the means and form of obtaining data and the possibility of revocation by the data subject), obtaining consent from patients is the most conservative legal basis for data processing.
• Data is processed for compliance with a legal or regulatory obligation by a controller, such as the need to comply with technological vigilance obligations before sanitary surveillance authorities.
• The processing of data required for the implementation, by the public administration, of public policies provided for in other laws or regulations is shared.
• Data is processed for studies by research organisations, ensuring, when possible, data anonymisation.
• Data is processed for the regular exercise of rights, including contracts and in judicial, administrative or arbitration proceedings.
• Data is processed for the protection of life or for the personal safety of the data subject or a third party.
• Data is processed for safeguarding health in procedures performed by health practitioners, services or agencies. In accordance with the CNSaúde Code, the use of the legal basis for health protection deserves attention because, although the entire health sector acts indirectly for the benefit of the patient's health, this legal basis is only applicable to 'procedures carried out by health professionals, health services or health authorities', and cannot, therefore, be applicable without distinction to any data processing in the sector of health.
• Data is processed to guarantee the prevention of fraud or guarantee the safety of the data subject in identification and authentication activities in electronic systems, safeguarding easy access to information, except where overridden by the fundamental rights and freedoms of the data subject that require the protection of personal data.

Note that the legal bases of legitimate interest and contract performance cannot be applied to the processing of sensitive data, and the bases of credit protection only apply if they refer to the prevention of fraud or safety of the data subject and provided that this is not overridden by the fundamental rights and freedoms of the data subject that require the protection of personal data.

When specifically dealing with sensitive data relating to health, the LGPD prohibits the communication or shared use between controllers of sensitive personal data relating to health with the aim of obtaining an economic advantage. Such communication or sharing is only possible for the provision of health services, pharmaceutical assistance and healthcare, including auxiliary diagnosis and therapy services; for the benefit of data subjects; or in cases of data portability when requested by the data subject, or financial and administrative transactions resulting from the use and provision of the services mentioned above, subject to the rules on medical record data below.

Medical record data

The medical professional, as determined by the CME, is subject to the obligation of confidentiality of information obtained during the performance of his/her duties and is prohibited from revealing facts that he/she became aware of due to the exercise of the profession, except for a fair reason, legal duty or written consent of the patient (Article 73, CME).

The CME determines that medical records must be under the custody of the doctor or the institution that assists the patient (Article 87, section 2), prohibiting doctors from allowing third parties not obliged by professional secrecy to handle and familiarise themselves with the medical records (Article 85), and from releasing copies of medical records under their custody (Article 89)

Medical records belong to the patient because they contain confidential and private information about his/her health condition, and are therefore documents protected by professional secrecy to preserve the patient's intimacy and enable professional practice, integrating a set of documents that serve to support the provision of medical services (CFM Opinion no 05/2020).

In this context, the CME only allows the release of copies of medical records and access to patient medical records: (1) to comply with a court order, with confidentiality, in this case, under the custody of the requesting court; (2) for the doctor's own defence; or (3) when authorised in writing by the patient (Article 89).

In the context of a legal entity, such as a hospital, only individuals who are obliged to maintain professional secrecy can have access to medical records, and as long as they are involved in the provision of health services to the patient and part of the same institution/company (CFM Resolution No 1,605/2000, CFM Opinion No 21 /2017, CFM Consultation No 3,299/2002 and CRM MG Opinion No 183/2018). In the case of healthcare professionals who wish to have access to medical records and are not part of the same institution/company, it is mandatory to obtain written consent from the patient (CFM Opinion No 21/2017).

When it comes to sharing medical records with health plans and insurers, the CFM considers it irregular conduct for health plans and insurers to require professionals to share patients' medical records without patients' knowledge and approval, both from the point of view of the LGPD and medical regulations, as such sharing would occur solely and exclusively to satisfy the interests of the health plan operator (COJUR CFM Order No 557/2021 and CRM-MG Consultation Opinion No 5351/2014 ).

Contract provisions authorising the sharing of medical records and other medical documents with the health plan or insurer shall be void because it is not possible for patients to discuss their clauses and conditions (CRM-PR 2059/2009), and generic authorisations embedded in texts or contracts are invalid because they are comprehensive and unilateral documents (CRM-SC Consultation No 2418/16). Furthermore, the sharing of diagnoses between health plan operators without the patient's authorisation offends the fundamental right to intimacy and privacy of patient users of health services (Appeal No 0021345-89.2007.4.03.6100 SP, Fourth Panel of the Federal Regional Court of the 3rd Region, Reporting Judge Mônica Nobre, judged on 20 June 2018).

The only case in which health plans may have access to medical records is for audit purposes, which must be carried out by a medical auditor who is obliged to maintain professional secrecy. The auditor may examine medical records on the premises of the institution responsible for their guard. To obtain copies of these records, prior authorisation from the patient is always required (Opinion-Consultation CRM-GO No 06/2015, Opinion CFM No 10/2019 and Opinion CRM-PR No 1044/1998 and Resolution CFM No 1.614/ 2001).

Given the above, if the data to be processed falls in the definition of a medical record, that is, recorded information, signs and images generated from facts, events and situations about the patient's health and the assistance provided to the individual of a legal, confidential and scientific nature that enables communication between members of the multidisciplinary team and the continuity of assistance provided to the individual, consent shall be the main bases for data processing.

For other health information not within the definition of a medical record, treatment may be justified by any of the bases listed in Article 11 of LGPD, not only by the data subject's consent.

Therefore, for instance, the sharing of sensitive data with the public prosecutors' office in the context of an investigation is acceptable based on Article 11 of LGPD (fulfilment of the legal or regulatory obligation of the controller or regular exercise of rights, including in administrative proceedings), but if the data to be shared falls into the definition of a medical record, it may not be allowed under the medical regulations, unless there is a court order determining data sharing.

Notes