
LGPD in hospitals

By Marcio Guerra - Director of Marketing and Innovations at MD2 Consultoria

Data governance is not a new theme for the health sector: many organizations already have mechanisms for it, typically built around unified bases of patients, physicians and contracts. Data protection, however, demands additional care in two areas. The first is policy and technological infrastructure. The second is the management of the data life cycle, from the origin systems where data is captured (transactional systems such as ERPs, which handle operational data entry and transactions) through every system that derives data from them: data warehouses, data lakes, CRM, marketing, sales, statistical analysis and the many others that exist in the company.


According to the LGPD, every data set, every data record and every processing operation must fit one of the legal bases provided for in the law, be carried out for a stated purpose, and have a defined retention period. In other words, no data can be stored forever. Finally, there are the questions of data protection itself: perimeter protection, policies, event monitoring and logs, encryption, user behavior, and possible attacks by outsiders.


Business processes that handle sensitive data, which is most of the data handled by a healthcare provider, must be formalized. So must the management of the legal bases that apply to that data (consent of the data subject, execution of contracts, compliance with legal obligations, legitimate interest, among others) and the formalization of the processing steps that implement and document the risk mitigation measures against leakage and misuse. Within a single business process, several distinct data processing operations will be found, each with its own purpose and legal basis that justify and authorize it. It cannot be assumed that protection of health or protection of life will justify every processing operation.


Guided by the legislation, healthcare service providers should therefore structure an LGPD adaptation plan, building on the survey and analysis of processes and risks already carried out by the quality area. The quality area and the patient safety center certainly have a lot to contribute to the LGPD journey, since their model for managing processes, risks, action plans, incident management and reporting to a regulatory agency is very similar to what the law requires. The work then evolves through the formalization of data processing processes, risks, action plans and tasks; the evaluation of existing and available data processing structures; and the formalization of the general policy for the protection of personal data, resulting in a management structure for compliance.


New processes also need to be created, formalized and disseminated within the company, both to serve the rights of data subjects (confirmation of processing, access to data, portability, consent and its revocation, deletion, and a full account of how the data is used) and to meet the requirements imposed by the National Data Protection Authority (ANPD), such as the personal data protection impact report (RIPD) and mechanisms to prove risk mitigation and incident management.


Companies certainly already have investments in computing infrastructure, software components and applications that help meet the demand for data governance, some more mature than others: patient database unification (MDM) initiatives, data security infrastructure and tools, and software for data discovery and integration that can provide the services data subjects are entitled to.


The challenge is to structure all these components and bring them into line with the specific purpose of the law, which requires a clear vision and a review of processes and data use, adaptations, and the formalization of new services for citizens' rights and for the regulatory agency.
