Talking about health involves all of us, because every individual needs medical care at some point. To survive, every human being must seek to stay healthy and avoid disease. In general, achieving these goals requires the support of health professionals and of hospitals, clinics, and laboratories.

So far, there is nothing new, except that we are immersed in an algorithmic culture. This culture involves using technologies such as artificial intelligence for classification, prediction, and decision-making, including in the healthcare sector.

Using data analytics based on laboratory and clinical indicators, exams, health condition records, etc., laboratories, clinics, and hospitals can better help their patients take care of their health, reduce risks, and avoid diseases.

Health establishments increasingly engage with their patients through patient-directed care programs, whether for follow-up or prevention. This interaction occurs through therapeutic projects and applicable clinical protocols.

These preventive programs are supported by health sector regulation and the General Data Protection Law (LGPD). The National Agency for Supplementary Health (ANS), through its publication Booklet for Modeling Programs for Health Promotion and Prevention of Risks and Diseases, encourages the adoption of this practice:

"The growing cost of health care and technological incorporation, population aging, the epidemiological transition with the increase in the incidence and prevalence of chronic diseases, the potential impacts of actions for health promotion and prevention of risks and diseases, and the need to stimulate quality life throughout its course are some of the motivating factors, among others, the search for strategies to face the challenges posed. In this context, the National Agency for Supplementary Health (ANS) has conducted its work in order to create mechanisms that encourage operators to develop programs for Health Promotion and Prevention of Risks and Diseases, and to encourage the adherence of beneficiaries to such programs, taking into account the specificities of the sector and, at the same time, in line with the policies undertaken by the Ministry of Health (MS) and the World Health Organization (WHO)."

ANS Normative Instruction 15/22 provides guidelines for private healthcare plan operators who develop programs to promote health and prevent risks and diseases and want to register them with the agency.

Only programs approved by the ANS benefit from the rule, which reduces the monthly solvency margin requirement for the current year (the reduction is capped at ten percent). The reduction is calculated on the total expenses with programs for health promotion and prevention of risks and diseases, which must have been approved and recorded in the accounts in the previous year.

Expenses related to data protection and cybersecurity investments fall within the scope of these programs for health promotion and prevention of risks and diseases. Among these investments are:

  • training and qualification in data protection, privacy, and cybersecurity of professionals who provide specific services for the program;
  • specific information systems for monitoring the program, including the control of the minimum and necessary use of personal data;
  • preparation of educational materials on the protection of personal data within the scope of the program; and
  • development of advertising and marketing material specific to the program, to demonstrate the operator's seriousness about the care of personal data, with the aim of gaining the patient's trust and showing that their data will be used in accordance with the legislation.

The National Data Protection Authority (ANPD) and the ANS signed an important technical cooperation agreement (ACT) on December 20, 2024. The agreement aims to establish a cooperation channel for developing joint actions that promote information security and awareness of good practices in the sector.

This ACT is especially relevant given the increased processing of sensitive personal data in health. This type of operation requires even greater care to ensure the privacy and security of data subjects, especially children, adolescents, older people, and people with disabilities.

This becomes more relevant when we consider the ethical challenges involved in applying AI to disease risk prevention programs. Establishing governance for these programs based on ethical AI and explainable AI (XAI) can become a major differentiator in gaining patient trust.

Data Security, Ethics, and Trust

Data subjects are increasingly informed and aware. Complying with data protection legislation is no longer enough. Consistent processes must be built to ensure data protection. The watchword is transparency, providing a safer patient experience based on ethics and trust.

It is worth mentioning that the regulatory agenda published by the ANPD for the 2025–2026 biennium highlights, among other topics, the exercise of rights of data subjects.

To balance the asymmetric power relationship, it is necessary to demonstrate that all care and mechanisms are adopted to protect and empower the patient. Everyone wins with this. However, care must be taken not to reduce these mechanisms to collecting consent, a resource that has proven inefficient in the algorithmic culture. It is no accident that the literature uses the terms "consent fatigue" and "consent hypocrisy".

In view of these findings, the concepts of privacy by design and privacy by default are gaining ground. These concepts make data privacy a presupposition and give the user greater control over their data. Grounded in law, these solutions empower the holder (the data subject) and give them greater confidence.

Data protection is a strategic resource for competitiveness and economic sustainability in a data-driven healthcare market. It favors and empowers the holder/patient and contributes to the success of projects involving personal data in the health field, such as programs for health promotion and prevention of risks and diseases.

LGPD restriction on the processing of health data

The LGPD establishes the legal bases (hypotheses) that can support health data processing and recognizes its legitimacy and necessity for protecting health itself. Regarding the protection of health, the LGPD restricts the processing of such data to procedures performed exclusively by:

  • health professionals;
  • health services; or
  • health authority.

Limiting the processing of health data is not a Brazilian innovation. This approach finds partial correspondence in the European Union's Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).

The European strategy prohibits the processing of health data except in specific circumstances, such as:

  • preventive medicine;
  • medical diagnosis and care;
  • health treatments;
  • social action;
  • management of health systems and services; or
  • by virtue of a contract with a health professional.

The exception contained in the European standard requires that the data be processed by (or under the responsibility of) a professional subject to the obligation of professional secrecy, or by another person also subject to a legal duty of confidentiality.

As mentioned, in Brazil health data processing can only be carried out by health professionals, health services, or health authorities. Unlike the GDPR, however, the law does not directly address the question of confidentiality. Thus, the LGPD adopts an even more restrictive position on health data processing than the GDPR.

On a superficial analysis of this requirement, it may seem (erroneously) that placing a health professional in the data area would satisfy the legal requirement. However, this is not a mere formal requirement. Among its central values, the data protection ecosystem has transparency in the relationship with the data subject and respect for informed and aligned purposes. The legislator intends to ensure that the data will be processed transparently, with attention to the holder's health priorities and for practical care purposes.

In practice, the processing of health data may also rest on other legal bases, such as the collection of the patient's consent for medical care, which should not be confused with the consent of a regulatory nature required, for example, to carry out specific medical exams and procedures.

Conclusion

Therefore, despite the potential of data-based initiatives and business models in the health area, building them requires a holistic and highly complex analysis.

By incorporating data protection practices that go beyond mere adaptation to the LGPD, supplementary health agents add fundamental values to their brand that, especially in the current digital context, can attract and retain more customers: reliability in the provision of services and commitment to ethics.