Data protection legal and regulatory concerns for health insurance carriers in Brazil

Thursday 2 November 2023

Renata Fialho de Oliveira
Veirano Advogados, São Paulo
renata.oliveira@veirano.com.br

Cecília Coutinho
Veirano Advogados, São Paulo
cecilia.silva@veirano.com.br

Introduction

In recent years, the healthcare sector has witnessed a significant transformation in how patient data is managed and used. With the advent of digital technologies and the increasing reliance on data-driven insights, the management of health-related documents has become a critical concern.

At the same time, because of rapid technological advancements, the healthcare sector finds itself at a crossroads of innovation and regulation. This is especially true for health insurance carriers in Brazil, who are tasked with managing a vast array of sensitive patient data while navigating a complicated landscape of data protection laws. This is in addition to complying with the rules and obligations already set by Law No 9,656/1998, which regulates the private legal entities which operate healthcare plans (ie, the legal entity constituted as a civil or commercial society, cooperative, or self-management entity, which operates a product, service or contract of private healthcare plan).

The convergence of health data, insurance practices, and digital infrastructure has given rise to a myriad of challenges and opportunities, prompting the need for a comprehensive understanding of data protection and document management practices. With that in mind, this article delves into the main aspects of data protection and document management in health insurance in Brazil, exploring the implications of relevant regulations and emerging trends.

The Brazilian General Data Protection Law and its implications

A pivotal development in the field of data protection in Brazil has been the enactment of the Brazilian General Data Protection Law (LGPD). Introduced in 2018, the LGPD ushered in a new era of data privacy and security, with far-reaching implications for health insurance carriers and their interactions with patient data. The LGPD came into force on 18 September 2020, except for its administrative sanctions, which have been enforceable since 1 August 2021. It introduced a series of obligations for data controllers and data processors, which, in a healthcare context, are the private legal entities that operate healthcare plans themselves (eg, health insurance administrators, medical cooperatives etc).

For the purposes of the LGPD, patients/plan beneficiaries are considered data subjects, which guarantees them explicit rights over the processing of their personal and sensitive data. Health data in particular is classified as sensitive data under the LGPD, which means that it is given special protection, necessitating stringent conformity measures by health insurers.

In other words, the processing of health data and other types of sensitive data (eg, biometric information) is only permitted if one of the legal grounds for processing outlined in Article 11 of the LGPD is met. In the context of healthcare, the main applicable legal bases are: (1) compliance with legal or regulatory obligations; (2) regular exercise of rights, including in contracts and in judicial, administrative, and arbitration proceedings; (3) protection of life and physical wellbeing of the data subject or a third party; and (4) protection of health, exclusively, in procedures carried out by healthcare professionals, health services, or health authorities.

A notable prohibition enforced by the LGPD is the practice of selection of risk by private health insurance carriers. The LGPD, in its Article 11, section 5, bans private health insurance carriers from processing health data for risk selection purposes in any form of contract, as well as for the inclusion or exclusion of beneficiaries. However, while this restriction may appear as a fresh development, it is not a new provision for the supplementary health sector in Brazil.

Normative Resolution No 557/2022 (formerly Normative Resolution No 195/2009)[1], issued by Brazil’s regulatory authority for supplementary health insurance (Agência Nacional de Saúde Suplementar or ANS), restricts the above-mentioned practice in its Article 22. It states that ‘for the connection of beneficiaries to collective health plans by adherence or corporate, no other requirements will be allowed other than those necessary to join the contracting legal entity’.

This does not mean a complete ban on operators conducting population studies, evaluating portfolio behaviour to apply fair and appropriate pricing for each group, considered collectively. It means only that health insurance carriers shall not process personal data to accept or exclude individuals from their portfolio, as is already provided for in the sector legislation. Consequently, once the eligibility rules for entry into a collective plan are met, the health insurer cannot establish any other criteria, for example, the insurer should not analyse pharmacy consumption histories to refuse a contract or to increase the price of the plan.

A final note regarding the impact of the LGPD on the health insurance market in Brazil is the recent Technical Note No 6/2023/CGTP/ANPD,[2] published by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados or ANPD) in May 2023. This Note addresses the processing of personal data in the pharmaceutical retail sector. The ANPD has monitored the processing of personal and sensitive data by the pharmaceutical sector, including representative entities, with the aim of monitoring the market, studying current practices, encouraging good practices, and verifying compliance with the LGPD.

In its studies, particularly those relating to Pharmaceutical Benefits Programmes (PBMs), the ANPD found that the format practised in Brazil is different from that originally developed in the United States, where the PBM is: (1) used as a way to mitigate patient dropouts in medium- and long-term treatments, including chronic diseases; and (2) largely sponsored by health insurers, as subsidising medications was advantageous in reducing more costly hospitalisations and procedures.

The model practised in Brazil is based on a direct relationship between the industry/laboratory and medication customers, without the involvement of health insurers, and the lists of medications participating in discounts are quite extensive, with no concern for insurance risk but rather for reducing prices. Consequently, health insurance carriers are usually not involved in the data processing required under the PBM setting in Brazil, since the collection of personal data (eg, name, signature and individual taxpayers’ registry – CPF) is usually linked solely to the need for customer identity confirmation.

Health analytics and data monetisation

The advent of health analytics – that is, the appropriation of health data and data traces of an individual for the purpose of predicting and monetising their health status – has heralded a new frontier in data use within health insurance. This innovative approach, on one hand, holds immense promise in identifying potential chronic illnesses, understanding population trends, and optimising healthcare resource allocation, yet, on the other, implies the processing of significant amounts of sensitive data protected by the LGPD.

An intriguing example of this trend is the use of artificial intelligence (AI) by medical institutions. Recently, the Heart Institute of the Clinical Hospital of the University of São Paulo (Incor) announced the use of AI to anonymise patient data in tests, allowing the use of results for academic research without infringing on legal provisions or the rights of data subjects.[3]

The Incor case represents a good example of balance between data use and legal compliance, particularly in line with Article 2(V) of the LGPD, according to which: ‘The discipline of personal data protection is based on the following principles: [...] economic and technological development and innovation’. Beyond that, it proves the relevance of privacy by design, that is, supporting innovative projects for the healthcare sector that consider data science and privacy from the outset. Organisations need well-planned data mapping capable of identifying current vulnerabilities and the necessary remediation plans, and must use technology sustainably, both to ensure data subjects’ rights and to advance health development and improvement.

Data protection policies and regulatory compliance

In tandem with the LGPD, health insurers are guided by specific data protection policies to ensure compliance with legal requirements and ethical considerations. In particular, ANS Administrative Resolution No 80/2022 established a Data Protection Policy to provide a framework for safeguarding personal data.[4] The Policy further extends its purview to employees, contractors, suppliers, and all stakeholders involved in data processing activities within the ANS.

Key tenets of this Policy underline the importance of minimising data processing, prioritising security measures, the role of transparency, adhering to lawful data sharing practices and robust privacy policies in facilitating data access and compliance with the LGPD. The Policy also emphasises the necessity of data retention and disposal, outlining scenarios under which data can be retained or eliminated.

Digitalisation of medical records

The transition from paper-based medical records to digital systems has been a transformative shift within the healthcare sector. Regulations such as the Brazilian Electronic Medical Records Law (Law No 13,787/2018),[5] and Resolution No 1,821/2007 of the Brazilian Federal Medicine Council (Conselho Federal de Medicina or CFM)[6] provide a legal framework for the digitisation and use of electronic medical records. Working in conjunction with the LGPD, those regulations establish guidelines for the secure storage, retrieval, and management of patient health information.

The Brazilian Electronic Medical Records Law introduces a minimum retention period for medical records of 20 years and delineates the conditions under which physical records can be digitised or eliminated. This intersection of legal provisions highlights the importance of integrating data protection principles into the digitisation process, ensuring that patient privacy remains paramount. This is also reflected in Resolution-RDC No 63/2011,[7] issued by Brazil’s National Health Surveillance Agency (Agência Nacional de Vigilância Sanitária or ANVISA), which establishes good operating practice requirements for health services.

Ethical considerations and responsible data management

Among the intricacies of data protection regulations and technological innovations, ethical considerations remain central to the discourse surrounding health data management. The CFM Code of Medical Ethics places a strong emphasis on patient consent, confidentiality, and responsible data handling. The Code mandates that medical professionals obtain informed consent from patients before disclosing their health information and strictly prohibits the disclosure of confidential patient data without legal justification. The Code also highlights the importance of data access for retrospective studies, emphasising the role of research ethics committees in ensuring the responsible use of patient data.

Emerging trends and future directions

The landscape of health data management and document retention continues to evolve, driven by technological advancements and regulatory imperatives. Several trends and points of attention are shaping the trajectory of data protection within health insurance, among which it is worth highlighting the following.

Profiled health insurance plans

The emergence of profiled health insurance plans, driven by data analytics, raises questions about fairness, accessibility, and potential discrimination. As health insurers leverage data to assign risk scores to individuals, there is a need for transparency and accountability to ensure equitable access to healthcare.

Interoperability and data sharing

The pursuit of interoperability in healthcare data systems holds the promise of improved communication, streamlined workflows, and enhanced patient care. However, achieving interoperability requires careful consideration of data protection measures to prevent unauthorised access and breaches.

Public health data utilisation

The potential use of public health data by private health insurance companies highlights the delicate balance between public health initiatives and commercial interests. Striking an equilibrium between data access and patient rights remains a critical challenge.

Conclusion

In the ever-evolving landscape of health insurance and data management, the intersection between technology, regulation, and ethics is of paramount importance within the context of Brazil’s data protection. Health insurers must be able to navigate a complicated web of data protection laws while harnessing the potential of data-driven insights. By embracing robust data protection policies, prioritising patient privacy, and fostering responsible data management practices, health insurers can operate in this dynamic landscape with integrity and innovation. As Brazil’s healthcare sector continues to redefine its stance on data practice, the search for a balance between data use and patient protection remains a cornerstone of progress and ethical practice.


[3] ‘Incor uses artificial intelligence to protect personal data in exams’ https://link.estadao.com.br/noticias/gadget,incor-usa-inteligencia-artificial-para-proteger-dados-pessoais-em-exames,70003036072 accessed 10 August 2023.

[4] Brazilian Ministry of Health National Agency for Supplementary Health, ANS Administrative Resolution No 80, 28 June 2022 https://bvsms.saude.gov.br/bvs/saudelegis/ans/2022/res0080_30_06_2022.html accessed 10 August 2023.

[5] Brazilian General Secretariat, Deputy Chief for Legal Affairs, Law No 13,787, 27 December 2018 https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13787.htm accessed 10 August 2023.

[7] Brazilian Ministry of Health, National Health Surveillance Agency, Resolution-RDC No 63, 25 November 2011 https://bvsms.saude.gov.br/bvs/saudelegis/anvisa/2011/rdc0063_25_11_2011.html accessed 10 August 2023.