Electronic medical records in Brazil: the pursuit of balance between healthcare improvement and patient data protection
Renata Fialho de Oliveira
Veirano Advogados, São Paulo, Brazil
A medical record is a report of a patient’s clinical history documenting professional treatment they have been subject to. Whether in the private or in the public health system, it is a physician’s duty to prepare it for each treated patient. Medical records support clinical decision-making, coordination of services, evaluation of the quality and efficacy of care, research, legal protection and education.
Until recently, medical records were paper-based, updated manually and available to only one user at a time. The first step towards the modernisation of medical records in Brazil was the enactment of a resolution by the Federal Council of Medicine (CFM) authorising and encouraging the digitisation and use of computerised systems for the storage and handling of documents from patient records.
Electronic medical records (EMRs), an evolution of the mere digitalisation of the paper-based records, are the digital version of a patient's paper or digitalised chart. They facilitate everyday activities in healthcare institutions by making patient-related data access easier and more flexible. EMRs are a modern tool seeking to bring healthcare facilities and professionals closer to digital transformation and easier access to medical information. Further, EMRs may be advantageous for society in general, in that they provide readily available access to a unified and large amount of medical data, facilitating research and leading to better healthcare.
While sharing health data could benefit the treatment, diagnosis and prevention of diseases, data security and privacy remain key concerns. Patients must have confidence that their personal health data will not be misused, will be stored correctly and that high cybersecurity standards will be applied.
In fact, trust has always been a pillar of doctor-patient relationships, and the protection of the patients’ privacy is a cornerstone of doctors’ conduct set forth in the Medical Code of Ethics. Indeed, as further detailed, Brazil has a legal framework for the protection of health-related personal information and patient privacy that must be applied within the healthcare ecosystem for handling the creation and use of EMRs.
General framework of protection of patient privacy and health data
The protection of privacy in Brazil is based on the Federal Constitution, which includes the privacy of individuals among its fundamental rights, in the provisions that deal with the protection of privacy (art 5, clause X) and the inviolability of correspondence, home and communications (art 5, clauses XI and XII).
At the infra-constitutional level, the Civil Code guarantees the protection of the individual's private life; the Consumer Protection Code regulates the maintenance of databases and consumer records, establishing a series of guarantees to the latter; and the Criminal Code protects against the disclosure of information obtained in the exercise of professional activity. Most recently, the General Data Protection Act (LGPD) entered into force, providing for the regulatory framework for personal data protection.
In the healthcare sector, privacy and confidentiality of personal health information are further addressed by sectorial and ethical norms. The main normative body issued by the CFM in this respect is the Medical Code of Ethics. CFM Resolution No 1,605/2000 goes on to forbid physicians, as a general rule, from revealing the content of a medical record without the patient’s consent. Even in cases of compulsory notification of diseases, the physician’s duty is restricted exclusively to communicating this fact to the competent authority, and they are prohibited from sending the patient's medical record.
The Brazilian General Data Protection Act as applied to health data
The LGPD is largely aligned with the European General Data Protection Regulation (GDPR) and sets out general principles that must substantiate all processing of personal data, and then builds on those principles by identifying specific legal bases that can be relied on to support particular acts of data processing.
As a rule, any type of data processing must be done in good faith and must respect the principles set forth in the LGPD. Basically, those principles require that a processing agent (a controller or processor) establish that the processing is necessary, done for a legitimate, specific and non-discriminatory purpose, that the data subject is informed of such purpose in a clear, precise and easily accessible manner, adequate to the context of the processing and that the data processing is limited to the minimum necessary to achieve the established purpose, all the while certifying that the data is accurate and secure.
The LGPD sets forth higher standards of protection for certain types of data deemed ‘sensitive data’ because of its discriminatory potential. Among others, health data falls under the category of sensitive personal data under the LGPD.
In view of its discriminatory potential, healthcare personal data shall be processed with additional security layers and, as a general rule, can only be processed if framed under the data subjects’ (or their legal guardian’s) specific and explicit consent (art 11, item I). Processing is only allowed, without consent, when essential for:
- compliance with a statutory or regulatory obligation by the controller;
- performance of public policies by the public administration;
- conducting studies by research bodies, guaranteeing, whenever possible, the anonymisation of personal data;
- regular exercise of rights including in agreements and in lawsuits, administrative or arbitration proceedings;
- protection of the life or of the physical safety of the data subject or of third parties;
- protection of health, within the context of a procedure carried out by healthcare professionals or by sanitary authorities; or
- ensuring the prevention of fraud and the security of the data subject, in identification and authentication processes in electronic systems, provided that the fundamental rights and freedoms of the data subject that require personal data protection are not overridden.
In this sense, under the LGPD, a hospital, clinic or healthcare professional is not obliged to have consent in all data processing situations. The exception to consent is particularly useful and coherent when collecting and storing healthcare data from patients within a healthcare facility.
It is also relevant to point out that the rights of data subjects, whether their data is sensitive or not, are set out in article 18 of the LGPD and guarantee to every natural person full ownership of the data that relates to them. Along with ownership, the following rights ensue:
- confirmation of the existence of the processing;
- access to data;
- information on sharing;
- data correction;
- data elimination;
- data portability;
- possibility of non-consent; and
- withdrawal of consent.
Even before the LGPD, CFM’s Resolution No 1,821/2007 already guaranteed that all medical information on an EMR belongs to the patient. Thus, under both the regulation issued by the CFM as well as the LGPD, healthcare institutions and professionals are merely custodians of such information.
Pursuant to the LGPD’s ‘principle of transparency’, one of the controller’s duties towards the data subject is to inform them, at the beginning of the processing of personal data and regardless of any request by the data subject, of at least:
- what types of personal data are processed;
- the purpose of the processing;
- the rights of data subjects;
- the retention period;
- the legal basis for processing;
- identification of the controller, with its contact information; and
- information about any sharing of personal data with other processing agents (controllers or processors of personal data), who will also need to have data protection and privacy notices available to data subjects.
A challenge to the success of EMR as a tool for the medical community and the healthcare industry to have quick access to a unified and large amount of medical data relates to the restrictions applicable to sharing of identifiable personal information between controllers. The LGPD expressly forbids communication or shared use of sensitive personal data between controllers (to obtain an economic advantage or not). Thus, any shared use requires the patient’s explicit consent.
Unless anonymised, healthcare providers cannot share patient information in EMRs with a pharmaceutical company or health plan operator, for example, to enable them to develop advertising strategies. Such sharing of information will only be possible when the holder requests portability, consents to such shared use, or in cases where the exchange of information is necessary for the protection of health, within the context of a procedure carried out by healthcare professionals and sanitary authorities.
Although consent is easily obtained in an electronic context, not only before the processing but throughout the years of storage of the EMR, several aspects established by the LGPD must be considered when collecting consent from a patient. Consent shall always be obtained: by means that evidence the patient’s will; before the processing; based on the patient’s freedom of choice; after the patient has received clear information regarding the processing; and through a positive act by the patient, indicating acceptance. Further, the patient is entitled to revoke their consent at any time, and the controller is obliged to keep track of such consent.
Considering the nature of EMRs and the limitations on the applicable legal bases for sharing healthcare personal data among controllers, guaranteeing data subjects’ rights and following guidelines surrounding data security are particularly challenging and demand privacy by design strategies.
Since healthcare providers are not always interested in individual personal health data, but rather in unidentified or aggregated health data, anonymisation is an important tool for healthcare enhancement and innovation. The LGPD defines anonymisation as the use of reasonable technical means available at the time of processing, whereby data loses the possibility of association, either directly or indirectly, to an individual. The LGPD does not apply to anonymous data. However, where the individual can be identified through a combination of information, the data will not be deemed anonymised, since identifiable data is also considered personal data protected under the LGPD.
As controllers of patient data, healthcare institutions and professionals have a duty to: maintain the patient’s intimacy and privacy through ethical principles; protect their information through information security mechanisms; inform patients of processing activities with their data including sharing (who will have access and how, by means of a privacy notice directed at patients); ensure that medical records are kept on a need-to-know basis and are not used for a secondary purpose other than providing healthcare services; and ensure that patients are able to exercise their rights concerning their data.
The same rules that govern the collection, storage, sharing and access to paper-based health records apply to EMRs and must be respected. Because electronically available data is convenient and carries the potential for abuses and breaches of confidentiality and data, whether accidental or intentional, that can lead to damage at the individual level, the legal framework applicable to data protection, confidentiality and intimacy and information security mechanisms should be closely observed when creating and handling EMRs.
Having a legal basis for processing health data within an EMR in Brazil is not a challenge in itself, as healthcare institutions are either covered by the protection of health or by consent of the patient. The challenge is complying with the LGPD while respecting patient privacy and data security and successfully exploiting the full potential of EMRs as a tool for the medical community and the healthcare industry to share personally identifiable information and reinforce research and development activities. Anonymisation may be an answer, since anonymised data is excluded from the scope of application of the LGPD, as long as the method applied does not permit re-identification of the patient.
Increasing awareness of data protection laws and principles in Brazil requires the medical community and the healthcare industry that are in charge of collecting, sharing or in any other way accessing healthcare personal data (whether in a position of controller or processor) to:
- inform patients of processing activities with their data (who will have access and how, by means of a privacy notice directed at patients);
- ensure that EMRs are kept on a need-to-know basis;
- keep EMRs at a reasonable level of security against data breaches and other incidents, so as to guarantee the confidentiality of personal information contained in said records (through privacy by design and data management and governance techniques, both at the information technology level and at the human level, by extensively training healthcare professionals involved in the processing of healthcare data contained in EMRs on privacy practices);
- never use healthcare data in a discriminatory manner;
- ensure patients are able to exercise their rights concerning their data (which encompasses rights to access EMRs, to correct and eliminate data and to confirm the existence of data processing, as well as rights of portability and management of consent); and
- prevent health data from being used for secondary purposes other than providing healthcare services.
 Resolution No 1,821/2007 from the Federal Council of Medicine and most recently, Federal Law No 13,787/2018.
 Article 11, paragraph 4, LGPD, as amended by Federal Law No 13,853/2018. Such circumstance must be complied with by controllers, also taking into account paragraph 5 of the same article, which states: ‘operators of private health care plans are prohibited from processing health data for the practice of risk evaluation in any modality of hiring, as well as the hiring and exclusion of beneficiaries’.
 When data is related to a child, the processing agent must make every reasonable effort to confirm that consent was provided by the child’s legal guardian, considering the available technology.