Brazil
Is the use of telehealth permitted?
It is now expressly and extensively regulated.
Brazil
Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?
The use of technology has brought new tools that seek to help the connective aspects between patients and Health professionals, limiting face-to-face interactions. As a result, this move has brought about a truthful seismic shift in the industry, especially in how Healthcare services are delivered and enabled through technology.
Telehealth has a broad scope of features in Brazil. It includes categories such as mobile health (mHealth), health information technology (IT), wearable devices, telemedicine, telenursing, telepsychology, and personalized medicine. From mobile medical apps and software that support clinical decisions that doctors make every day to artificial intelligence and machine learning, digital technology has been driving a revolution in healthcare in Brazil in the post-pandemic era.
According to the current Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/2022), telehealth has a broad definition as “the modality of providing health services at a distance by using information and communication technologies, which involves, among others, the secure transmission of data and health information through texts, sounds, images or other suitable ways”.
As for the appointments with doctors, for instance, it can be performed through general videoconferencing / teleconferencing apps like Skype, Zoom, and Microsoft Teams. The main point of concern when running an appointment digitally is with data privacy and security in relation to the patient data, including patients’ electronic health record as well as management of disease conditions outside of traditional care settings. That is why the Brazilian Telehealth regulation establishes the data privacy and the digital responsibility as principles for the provision of telehealth services, as well as the obligation to comply with the Brazilian General Data Protection Law (GDPL).
Also, considering the provision of telehealth services within the scope of the Brazilian public health system (SUS), the Brazilian Ministry of Health’s Ordinance n. 1,348/2022 establishes that the telehealth actions and services may be carried out in mobile and fixed health units (i.e., Basic Health Units or simply “UBS”) duly registered in the National Registry of Health Facilities (i.e., CNES).
It is important to highlight that all practices of healthcare provision may be encompassed by telehealth, but the feasibility of providing telehealth services to patients (i.e., if telehealth will suffice patients’ needs) depends on the health professional’s assessment. Thus, the health professional is assured the freedom and complete independence to decide on whether to use telehealth, including in relation to the first consultation, service or procedure, and may indicate the use of face-to-face care (or even opt for it) whenever deemed necessary.
Brazil
Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?
The Brazilian public health system ("SUS") provides telehealth services, in compliance with the Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/2022). The Brazilian Ministry of Health’s Ordinance n. 1,348/2022 sets forth the terms for provision of telehealth services at the public health system level. It basically encompasses the same settings that the private health system offers to the patients, the main difference being in relation to costs – when provided in the context of the Brazilian public health system, telehealth services are free of charge for the patients.
On the other hand, telehealth services in the private sector are not free of charge. Patients, or eventually their private health insurance, must pay for the services digitally offered – according from an ethical perspective to the guidelines of the Professional Boards as well, such as the Professional Board of Medicine.
Brazil
Do specific privacy and/or data protection laws apply to the provision of telehealth services?
The General Data Protection Law (Federal Law no. 13,709/18 or "LGPD"), highly inspired by the European General Data Protection Regulation ("GDPR"), provides a new privacy landscape for Brazil and applies to any processing of personal data: (i) which is carried out within the Brazilian territory; (ii) which has an objective to offer / supply goods or services, or process data of the individuals localised in Brazil; or (iii) if the personal data is collected from the Brazilian territory. Thus, the offering of telehealth services in Brazil will be subject to the LGPD provisions.
The Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/2022) also establishes that data privacy and the digital responsibility are fundamental principles for the provision of telehealth services, as well as the obligation to comply with the LGPD. All Brazilian self-regulatory bodies such as CFM and CFF positioned themselves in the same way.
It is important to stress that the LGPD has been in force since September 28, 2020. The penalties provided by the law, however, are only going to be enforceable in August 2021. Notwithstanding the foregoing, public authorities (such as consumer protection bodies and public prosecutors) and data subjects can enforce their rights based on the LGPD.
In addition to this, the Brazilian National Authority (i.e. the supervisory authority responsible to further regulate data protection in Brazil, also known as "ANPD") is now in operation. The LGPD has several provisions to be further regulated and interpreted by the ANPD, which may have an impact on businesses, and require further localisation and adjustments for compliance in the future. It is recommended that the actions of the ANPD in relation to such matters be monitored.
According to the LGPD, the concept of personal data shall be understood as "any information regarding an identified or identifiable natural person". Based on that definition, any collected information which is able to identify a natural person will be understood as personal data and, therefore, subject to the LGPD principles, obligations and rights. The law also includes the definition of sensitive personal data, which encompasses health data along with any information of a natural personal regarding racial or ethnic origin, religious conviction, political opinion, union membership or to a religious, philosophical or political organisation, data related to sexual life, genetic or biometric data.
Brazil
How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?
The LGPD provides cross-border transfer of personal data is allowed only in the following cases:
- to countries or international organisations that provide an adequate degree of protection of personal data as specified in law (such level of data protection shall be assessed by the ANPD, considering the legislation in force in the country, the nature of the data to be transferred, compliance with the general principles of personal data protection and the data subject’s rights provided in LGPD, the security measures adopted, the existence of judicial and institutional guarantees for the respect to the rights of protection of personal data and other specific circumstances related to the transfer);
- when the data controller provides and proves it has guarantees of compliance with the principles, the data subject’s rights and data protection regime outlined in LGPD (in the form of specific and standard contractual clauses, global corporate norms, seals, certificates and codes of conduct regularly issued, the analysis of which will be carried out by ANPD);
- for protection of the life of physical integrity of the data subject or a third party;
- when the national authority authorises the transfer;
- when results in a commitment assumed in an international cooperation agreement;
- when it is necessary for public policy implementation or legal responsibility of public service, being made public under Article 23, item I of LGPD;
- with the specific consent of the data subject (i.e., highlighted consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing it from the other purposes);
- to satisfy a legal or regulatory obligation, when necessary to perform contracts or preliminary contractual procedures, or for regular exercise of rights in a judicial, administrative or arbitral proceedings; and
- when the transfer is necessary for international judicial cooperation between public intelligence, prosecution, and investigative agencies, according to the instruments of international law.
Please note that most of the content of such legal basis will be defined and further regulated by the ANPD.
Brazil
Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?
Not yet. As mentioned above, the ANPD is now in operation and it is important to monitor its activities in relation to such matter.
Brazil
Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?
Although we cannot anticipate any specifics, the expectation is that, with the new Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/22), other subjects related to Digital Health will be even more debated and encouraged – e.g., digital prescriptions and remote diagnostic tests (Point-of-Care Testings - PoCTs), as well as remote request for dispensation of medicines. Also, in order to prevent ideological aspects from jeopardizing the benefits that telehealth can undoubtedly provide to the Brazilian population, the Brazilian Telehealth regulation expressly required that any normative act that intends to restrict the provision of telehealth services shall demonstrate its “indispensability to avoid damages to the health of the patients”. This way, another expectation is the review of many norms already published by Professional Boards that restrict remote assistance in a broad way without any exception.
Indeed the myriad of legal issues that digital health faces in the region is wide ranging but the process of incorporating it into business practices is still in early days. We believe much more development is to come, but even today the use of IA and IoT open source, high-quality, and deidentified data, in addition to a sustainable approach to expanding access to health, shows how the strongest healthcare players operating across Brazil and Latin America are addressing procompetitive risks and distinguishing themselves from the less agile pack.
This matches our understanding that, considering the current and global backdrop, as well as the great expectation of greater expansion in the coming years – mainly with the advent of 5G and artificial intelligence -, this is the time for the stakeholders that make up the chain of healthcare services and systems worldwide to direct efforts in the development and strengthening of the digital health ecosystem in a timely, safe, and innovative way.
Besides, early indications already suggest that, given the inconstancy verified in this multifaceted market, sustainable strategies are needed for companies to effectively operate and thrive. This also rings a bell in the sense that the companies operating in this field through disruptive business models must protect and explore the opportunities that the technology offers behind their products and services. This is, by the way, a great investment hub, especially in this new era of informatization and data monetization – mainly in Latin America.
Brazil
Fabio Perrone Campos Mello
Managing Partner
Campos Mello Advogados
T: +55 21 3262 3027[email protected]