Cross-border Data Transfer

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

The LGPD provides cross-border transfer of personal data is allowed only in the following cases:

  1. to countries or international organisations that provide an adequate degree of protection of personal data as specified in law (such level of data protection shall be assessed by the ANPD, considering the legislation in force in the country, the nature of the data to be transferred, compliance with the general principles of personal data protection and the data subject’s rights provided in LGPD, the security measures adopted, the existence of judicial and institutional guarantees for the respect to the rights of protection of personal data and other specific circumstances related to the transfer);
  2. when the data controller provides and proves it has guarantees of compliance with the principles, the data subject’s rights and data protection regime outlined in LGPD (in the form of specific and standard contractual clauses, global corporate norms, seals, certificates and codes of conduct regularly issued, the analysis of which will be carried out by ANPD);
  3. for protection of the life of physical integrity of the data subject or a third party;
  4. when the national authority authorises the transfer;
  5. when results in a commitment assumed in an international cooperation agreement;
  6. when it is necessary for public policy implementation or legal responsibility of public service, being made public under Article 23, item I of LGPD;
  7. with the specific consent of the data subject (i.e., highlighted consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing it from the other purposes);
  8. to satisfy a legal or regulatory obligation, when necessary to perform contracts or preliminary contractual procedures, or for regular exercise of rights in a judicial, administrative or arbitral proceedings; and
  9. when the transfer is necessary for international judicial cooperation between public intelligence, prosecution, and investigative agencies, according to the instruments of international law.

Please note that most of the content of such legal basis will be defined and further regulated by the ANPD.

Last modified 3 Apr 2023

Brazil

Brazil

Is the use of telehealth permitted?

It is now expressly and extensively regulated.

Last modified 3 Apr 2023

Brazil

Brazil

How is telehealth regulated?

The COVID-19 pandemic brought acceleration to the process of implementing digital routines in healthcare.

The fact is that significant steps have been taken in the last few months to define clearer criteria for the still early-stage idea of Digital Health in the country – and most of those are already strongly accepted by most of the market players. All of them have the primary objective of facilitating the continuity and development of the entire supply chain of products and services associated with digital therapeutics, as well as the ability to enter and expand upon the domestic market. This growth inevitably drives healthcare consumerism, so the pursuit of disruptive and revenue-generating opportunities should be – and, for some, has already been – a point of great attention.

The Federal Law n. 14,510/2022 came into force in December 2022, incorporating telehealth into the Brazilian healthcare system. It now authorizes and regulates the practice of telehealth throughout the domestic market, both in the public and private health systems, covering the provision of services related to all regulated health professions in the country. It also encompasses offsite care in nursing, physiotherapy and psychology. It also authorizes and describes the practice of telehealth, defined as the modality of providing health services remotely through the use of technology in its lato sensu.

The modality is now also supported, from an ethical perspective, by regulations from many of the respective Professional Boards, such as the Medicine, the Pharmacy, the Dentistry, and the Nursing ones. For example, The Brazilian Federal Council of Medicine (in Portuguese, “Conselho Federal de Medicina” or “CFM”), through its Resolution n. 2,134/2022, which is into force since last May, regulates the practice of telemedicine and, in general, disciplines and safeguards (i) the confidentiality, privacy and protection of the data and image of patients appearing on physical or electronic medical record (i.e., which shall meet all the representation, terminology and interoperability standards); (ii) the professional’s autonomy regarding the decision to use the telemedicine, as well as on when using it (i.e., including the first consultation, the medical assistance or the respective procedure), except concerning the medical treatment for chronic diseases and/or diseases which require a long-term monitoring, related to which the personal presence is required; (iii) the patient’s and/or legal representative’s informed consent; (iv) the possibility of telehealth’s exercising in the modalities of teleconsultation, teleinterconsultation, telediagnosis, telesurgery, telemonitoring or telesurveillance, teletriage and teleconsultancy; (v) the patient’s and doctor’s full right to discontinue the telemedicine consultation/treatment and/or opt for the face-to-face modality; and (vi) the several mandatory information to be included in the medical reports, certificates and/or electronic medical prescriptions. When it comes to telepharmacy, the Federal Council of Pharmacy (in Portuguese, “Conselho Federal de Farmácia” or simply “CFF”) approved a resolution allowing pharmacists to use technology to deliver services to their patients, covering the provision of offsite pharmaceutical care and other healthcare services through video calls, telephone or chat, so that patients can get answers to their questions about pharmacotherapy and adverse drug reactions easily. In addition, given the content of this CFF’s resolution, several new activities will be enabled in an easy, quick and safe way, such as (i) the issuance of clinical reports, (ii) expert assessments based on tests carried out in the pharmacy, in addition to, consequently, (iii) greater interaction between patients, doctors and pharmacists.

Additionally, considering the Brazilian public health system ("SUS") exclusively, the Brazilian Ministry of Health’s Ordinance n. 1,348/2022 sets forth the terms for provision of telehealth services at the public health system level.

The new Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/2022) revoked the Law n. 13,989/2020, which temporarily and provisionally permitted telemedicine services while the fight against COVID-19 was ongoing – given that many methods of epidemiological surveillance were adopted at that time to control the spread of the disease in the country, such as social isolation, quarantine measures (i.e., lockdown), contact tracing etc., what contributed to the encouragement of telehealth as an effective form of remote care to help maintain social distancing.

It is also important to mention that before the pandemic, from a legislative and legal perspective, since 2007 there have been several ordinances issued by the Ministry of Health providing for telehealth services exclusively within the scope of the Brazilian public health system (SUS). However, there was no law specifically disciplining the matter – a fact that undoubtedly generated legal uncertainty, especially for the private sector. As for the Professional Board of Medicine’s Resolution n. 1,643/2002, the provisions on telemedicine were also extremely vague and not supportive of the development of telehealth business models in Brazil, a reason why nobody operating in the private sector previously considered telehealth services as an interesting way of doing business in Brazil.

This mindset changed in the country based on the strong evidence supporting the use of telehealth for the provision of remote clinical and non-clinical health services, and attention is finally being paid in Brazil to this type of healthcare assistance.

Last modified 3 Apr 2023

Brazil

Brazil

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

The use of technology has brought new tools that seek to help the connective aspects between patients and Health professionals, limiting face-to-face interactions. As a result, this move has brought about a truthful seismic shift in the industry, especially in how Healthcare services are delivered and enabled through technology.

Telehealth has a broad scope of features in Brazil. It includes categories such as mobile health (mHealth), health information technology (IT), wearable devices, telemedicine, telenursing, telepsychology, and personalized medicine. From mobile medical apps and software that support clinical decisions that doctors make every day to artificial intelligence and machine learning, digital technology has been driving a revolution in healthcare in Brazil in the post-pandemic era.

According to the current Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/2022), telehealth has a broad definition as “the modality of providing health services at a distance by using information and communication technologies, which involves, among others, the secure transmission of data and health information through texts, sounds, images or other suitable ways”.

As for the appointments with doctors, for instance, it can be performed through general videoconferencing / teleconferencing apps like Skype, Zoom, and Microsoft Teams. The main point of concern when running an appointment digitally is with data privacy and security in relation to the patient data, including patients’ electronic health record as well as management of disease conditions outside of traditional care settings. That is why the Brazilian Telehealth regulation establishes the data privacy and the digital responsibility as principles for the provision of telehealth services, as well as the obligation to comply with the Brazilian General Data Protection Law (GDPL).

Also, considering the provision of telehealth services within the scope of the Brazilian public health system (SUS), the Brazilian Ministry of Health’s Ordinance n. 1,348/2022 establishes that the telehealth actions and services may be carried out in mobile and fixed health units (i.e., Basic Health Units or simply “UBS”) duly registered in the National Registry of Health Facilities (i.e., CNES).

It is important to highlight that all practices of healthcare provision may be encompassed by telehealth, but the feasibility of providing telehealth services to patients (i.e., if telehealth will suffice patients’ needs) depends on the health professional’s assessment. Thus, the health professional is assured the freedom and complete independence to decide on whether to use telehealth, including in relation to the first consultation, service or procedure, and may indicate the use of face-to-face care (or even opt for it) whenever deemed necessary.

Last modified 3 Apr 2023

Brazil

Brazil

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

The Brazilian public health system ("SUS") provides telehealth services, in compliance with the Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/2022). The Brazilian Ministry of Health’s Ordinance n. 1,348/2022 sets forth the terms for provision of telehealth services at the public health system level. It basically encompasses the same settings that the private health system offers to the patients, the main difference being in relation to costs – when provided in the context of the Brazilian public health system, telehealth services are free of charge for the patients.

On the other hand, telehealth services in the private sector are not free of charge. Patients, or eventually their private health insurance, must pay for the services digitally offered – according from an ethical perspective to the guidelines of the Professional Boards as well, such as the Professional Board of Medicine.

Last modified 3 Apr 2023

Brazil

Brazil

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

The General Data Protection Law (Federal Law no. 13,709/18 or "LGPD"), highly inspired by the European General Data Protection Regulation ("GDPR"), provides a new privacy landscape for Brazil and applies to any processing of personal data: (i) which is carried out within the Brazilian territory; (ii) which has an objective to offer / supply goods or services, or process data of the individuals localised in Brazil; or (iii) if the personal data is collected from the Brazilian territory. Thus, the offering of telehealth services in Brazil will be subject to the LGPD provisions.

The Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/2022) also establishes that data privacy and the digital responsibility are fundamental principles for the provision of telehealth services, as well as the obligation to comply with the LGPD. All Brazilian self-regulatory bodies such as CFM and CFF positioned themselves in the same way.

It is important to stress that the LGPD has been in force since September 28, 2020. The penalties provided by the law, however, are only going to be enforceable in August 2021. Notwithstanding the foregoing, public authorities (such as consumer protection bodies and public prosecutors) and data subjects can enforce their rights based on the LGPD.

In addition to this, the Brazilian National Authority (i.e. the supervisory authority responsible to further regulate data protection in Brazil, also known as "ANPD") is now in operation. The LGPD has several provisions to be further regulated and interpreted by the ANPD, which may have an impact on businesses, and require further localisation and adjustments for compliance in the future. It is recommended that the actions of the ANPD in relation to such matters be monitored.

According to the LGPD, the concept of personal data shall be understood as "any information regarding an identified or identifiable natural person". Based on that definition, any collected information which is able to identify a natural person will be understood as personal data and, therefore, subject to the LGPD principles, obligations and rights. The law also includes the definition of sensitive personal data, which encompasses health data along with any information of a natural personal regarding racial or ethnic origin, religious conviction, political opinion, union membership or to a religious, philosophical or political organisation, data related to sexual life, genetic or biometric data.

Last modified 3 Apr 2023

Brazil

Brazil

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

The LGPD provides cross-border transfer of personal data is allowed only in the following cases:

  1. to countries or international organisations that provide an adequate degree of protection of personal data as specified in law (such level of data protection shall be assessed by the ANPD, considering the legislation in force in the country, the nature of the data to be transferred, compliance with the general principles of personal data protection and the data subject’s rights provided in LGPD, the security measures adopted, the existence of judicial and institutional guarantees for the respect to the rights of protection of personal data and other specific circumstances related to the transfer);
  2. when the data controller provides and proves it has guarantees of compliance with the principles, the data subject’s rights and data protection regime outlined in LGPD (in the form of specific and standard contractual clauses, global corporate norms, seals, certificates and codes of conduct regularly issued, the analysis of which will be carried out by ANPD);
  3. for protection of the life of physical integrity of the data subject or a third party;
  4. when the national authority authorises the transfer;
  5. when results in a commitment assumed in an international cooperation agreement;
  6. when it is necessary for public policy implementation or legal responsibility of public service, being made public under Article 23, item I of LGPD;
  7. with the specific consent of the data subject (i.e., highlighted consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing it from the other purposes);
  8. to satisfy a legal or regulatory obligation, when necessary to perform contracts or preliminary contractual procedures, or for regular exercise of rights in a judicial, administrative or arbitral proceedings; and
  9. when the transfer is necessary for international judicial cooperation between public intelligence, prosecution, and investigative agencies, according to the instruments of international law.

Please note that most of the content of such legal basis will be defined and further regulated by the ANPD.

Last modified 3 Apr 2023

Brazil

Brazil

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

Not yet. As mentioned above, the ANPD is now in operation and it is important to monitor its activities in relation to such matter.

Last modified 3 Apr 2023

Brazil

Brazil

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

Although we cannot anticipate any specifics, the expectation is that, with the new Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/22), other subjects related to Digital Health will be even more debated and encouraged – e.g., digital prescriptions and remote diagnostic tests (Point-of-Care Testings - PoCTs), as well as remote request for dispensation of medicines. Also, in order to prevent ideological aspects from jeopardizing the benefits that telehealth can undoubtedly provide to the Brazilian population, the Brazilian Telehealth regulation expressly required that any normative act that intends to restrict the provision of telehealth services shall demonstrate its “indispensability to avoid damages to the health of the patients”. This way, another expectation is the review of many norms already published by Professional Boards that restrict remote assistance in a broad way without any exception.

Indeed the myriad of legal issues that digital health faces in the region is wide ranging but the process of incorporating it into business practices is still in early days. We believe much more development is to come, but even today the use of IA and IoT open source, high-quality, and deidentified data, in addition to a sustainable approach to expanding access to health, shows how the strongest healthcare players operating across Brazil and Latin America are addressing procompetitive risks and distinguishing themselves from the less agile pack.

This matches our understanding that, considering the current and global backdrop, as well as the great expectation of greater expansion in the coming years – mainly with the advent of 5G and artificial intelligence -, this is the time for the stakeholders that make up the chain of healthcare services and systems worldwide to direct efforts in the development and strengthening of the digital health ecosystem in a timely, safe, and innovative way.

Besides, early indications already suggest that, given the inconstancy verified in this multifaceted market, sustainable strategies are needed for companies to effectively operate and thrive. This also rings a bell in the sense that the companies operating in this field through disruptive business models must protect and explore the opportunities that the technology offers behind their products and services. This is, by the way, a great investment hub, especially in this new era of informatization and data monetization – mainly in Latin America.

Last modified 3 Apr 2023

Brazil

Brazil

Bruna Barbosa Rocha

Partner

Campos Mello Advogados

T: +55 11 3077 3525[email protected]