AI and digital health in Brazil: balancing innovation and regulation

Renata Fialho de Oliveira
Veirano Advogados, São Paulo
renata.oliveira@veirano.com.br

Isabel Hering
Veirano Advogados, São Paulo 
isabel.hering@veirano.com.br

Thais Cristina de Jesus
Veirano Advogados, São Paulo
thais.jesus@veirano.com.br

Introduction

Over the past five years, Brazil’s healthcare technology market has been rapidly transformed, accelerated by the global health crisis. This period catalysed public policies focused on digitising healthcare, enhancing patient autonomy and improving the patient journey.

A key milestone was the National Digital Health Strategy for Brazil 2020–2028 (Estratégia de Saúde Digital or ESD), which set out specific modernisation guidelines. In July 2025, Decree No. 12,560/2025 launched the National Health Data Network (Rede Nacional de Dados em Saúde or RNDS) as the Unified Health System’s (Sistema Único de Saúde or SUS) data integration platform, promoting interoperability and enabling technological innovation.

Artificial intelligence (AI) has become central to this transformation. The Brazilian Artificial Intelligence Plan 2024–2028 (Plano Brasileiro de Inteligência Artificial or PBIA) launched recently, with an estimated R$ 23bn to be invested by 2028, which aims to make Brazil a global leader in AI, especially within the healthcare sector. Of 31 planned projects, about one-third focus on health, aiming to improve medication procurement decisions, optimise SUS diagnostics, automate teleconsultation transcription and develop predictive devices for the early detection of complex diseases like cancer.

These investments reflect a strategic focus on digital transformation in public healthcare, emphasising efficiency, accuracy and personalised care.

However, the implementation of the AI Plan faces challenges, notably regarding data interoperability. Despite the progress made, Brazil still lacks a comprehensive legislative framework for AI. The most advanced AI Bill (No. 2,338/2023), approved by the Senate, remains under review by the Chamber of Deputies. Its absence creates legal gaps, especially regarding civil liability and intellectual property pertaining to AI-based solutions.

The LGPD and ANPD as guardrails for health-related AI

The regulatory landscape for AI in Brazil is shaped by the Brazilian General Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) and the National Data Protection Authority (Agência Nacional de Proteção de Dados or ANPD). While Brazil lacks a standalone AI law, the LGPD governs AI that processes personal health data, applying strict principles to sensitive information. Three LGPD requirements impact digital therapeutics and software as a medical device (SaMD): (1) patients can request that a human review automated decisions, requiring human-in-the-loop processes; (2) providers must explain the logic of decisions in clear terms; and (3) the ANPD may require data protection impact assessments (DPIAs) to be conducted for high-risk health data processing, often recommended for AI due to the sensitivity of the data involved and the potential risks.

Recent ANPD enforcement underscores these expectations. The authority has required platforms to suspend or revise practices related to AI training based on personal data and to remove vague ‘any purpose’ clauses from privacy policies, with a special focus on protecting minors. For health-related AI providers, these actions signal that the relevant model training datasets, legal bases and transparency provisions must be carefully evidenced and narrowly framed.

The interaction with ANVISA’s SaMD regime

The Brazilian Health Regulatory Agency (Agência Nacional de Vigilância Sanitária or ANVISA) recognises SaMD, including devices that use AI-based solutions, requiring compliance with classification and registration rules, documented datasets for model training and lifecycle management, such as change control and post-market monitoring. This results in dual compliance obligations: the LGPD/ANPD for data and AI governance purposes, and the ANVISA for device safety and effectiveness, with overlaps in regard to data quality, bias mitigation and post-market surveillance.

As of 2023, Brazil has over 500 registered software products for diagnostic or therapeutic purposes, including dozens with AI features.^[1] These products are regulated by ANVISA Resolutions No. 657/2022, 751/2022 and 830/2023. SaMD includes software that uses intelligent systems for medical purposes, such as diagnosis, monitoring, prevention and treatment.

Manufacturers must comply with risk classification, registration, labelling and instructions for use requirements, and must submit a description and justification for the AI training databases utilised to the ANVISA.

Examples of registered products include HYPNOS^[2] (for sleep phase staging) and OXISTAR^[3] (for sleep apnoea monitoring), which illustrate the integration of AI innovation into Brazil’s regulatory system.

The forthcoming framework: Bill No. 2,338/2023 and the risk-based obligations

Brazil’s AI bill adopts a risk-based model similar to the European Union’s AI Act, with local nuances. For healthcare: (1) ‘excessive risk’ practices like social scoring are banned; (2) most health-related AI is considered high risk, requiring strict governance, transparency and conformity assessments; and (3) oversight will be coordinated by a National AI System, led by the ANPD, along with agencies like ANVISA, with responsibility for enforcing penalties, including fines and suspensions.

Although still pending its enactment, the AI Bill offers a practical roadmap for health-related AI providers, especially those already aligned with EU standards, to anticipate compliance and embed governance considerations early.

Final considerations

The convergence of digital health, AI and regulation in Brazil is still evolving. While the regulatory authorities, such as ANVISA and ANPD, are advancing certain initiatives, the absence of a dedicated AI legal framework creates uncertainty for innovators and slows market adoption.

To unlock the full potential of health-related AI, regulation must keep pace with technological progress, providing clear, agile rules that safeguard safety, effectiveness and patient rights without stifling innovation. A forward-looking regulatory ecosystem, built through collaboration among government, industry and civil society, is essential to ensure ethical, transparent development of the sector and robust data protection.

AI will inevitably reshape healthcare in Brazil. Leading this transformation responsibly requires strategic vision and a regulatory approach that enables innovation, while maintaining public trust and accountability.