Healthcare area needs to adapt to LGPD

By Associação Médica de Minas Gerais

With the entry into force of the General Data Protection Law (LGPD), Law No. 13,709/2018, the healthcare industry will have to adjust its platforms to ensure security and privacy. From August 2021, non-compliance with the legislation can be punished with fines of up to 2% of the company's revenue, capped at R$ 50 million per infraction, as well as daily fines. With many doubts still outstanding, the National Health Confederation (CNS) launched, on March 12, the first Code of Conduct for Health Service Providers on compliance with the LGPD.

According to the General Legal Coordinator of CNS, Marcos Vinícius Barros Ottoni, the guide gathers important information on the subject and provides guidance for private-sector laboratories, clinics and hospitals. "The recommendations are also useful for the public system. If my patient comes to the hospital, how do I handle his data, with what kind of security, how do I share this information?" Ottoni says the guide took eight months to finalize and covers the definition of the legal bases for the data, that is, how it may be processed, how it may be shared, which security protocols apply, and the methods or platforms used to manage the whole process.

For the director of Innovation and Marketing at MD2 Consultoria e Negócios, Márcio Guerra, health institutions in general already take special care with patients' information, and the Law formalizes the obligation to defend the data in the company's custody against leaks and inappropriate use. It is paramount to implement reasonable mechanisms so that these two main points are met. "When we talk about patients' information and their health, it is essential that institutions in this area take care of physical and digital security, of the medical record, for example, reviewing their processes so that only authorized people can access it, whether for the purposes of care or for bureaucratic matters such as the approval of a procedure. What the Law changes is that this care becomes an obligation, and that due diligence must be demonstrable, so that the organization can be audited at any time by the National Data Protection Authority (ANPD) and can prove, through impact reports, formalized processes, risk and incident management, policies and physical or digital data protection mechanisms, that it cares about meeting the requirements of the Law."
