13 Apr BILL OF LAW FROM THE STATE OF SÃO PAULO PROPOSES THAT PATIENTS HAVE ACCESS TO THEIR ELECTRONIC MEDICAL RECORDS
On April 7, 2020, the lieutenant Coimbra proposed Bill of Law No. 225/2020 of the state of São Paulo (“PL”), which seeks to guarantee patients of public and private hospitals electronic access to their medical records.
For the public health system and for private providers that partner with the State Public Authority, access to medical records is to be granted through a website. For private providers that have not partnered with the State Public Authority, access is to be granted through the website and by e-mail.
The PL intends to implement one of the patient rights long established in the ethical rules issued by the Federal Medicine Board: the guarantee of access to one’s own medical record.
However, medical records contain the patient’s health-related data, including disease history and the clinical treatments chosen. Such data is classified as sensitive personal data by the Brazilian General Data Protection Law (“LGPD”), which will soon enter into force. Therefore, one must consider the possibility and the risks of disclosing medical records under the LGPD.
Regarding the processing of sensitive personal data set forth in the PL, it seems possible to ground that processing on one of the legal bases provided in article 11 of the LGPD, such as the data subject’s consent, depending on the access mechanism adopted.
Even in the absence of the data subject’s consent, depending on the context, the processing of sensitive personal data may be justified by the controller’s fulfillment of a legal or regulatory obligation or by the protection of health.
Law No. 13,787/2020 has already expressly regulated the digitalization of medical records and even requires compliance with the LGPD, which falls under the fulfillment of a legal or regulatory obligation.
As for the protection of health, the PL’s statement of reasons points to gains in speed and quality of health services once patient records are available electronically. Thus, the aim of protecting health justifies the processing of sensitive personal data.
Notwithstanding the possibility of fitting the processing of sensitive personal data into more than one situation provided in article 11 of the LGPD, such processing must always observe the principles of purpose, adequacy and data minimization. For instance, article 4 of the PL ties the disclosure of patient records to the patient’s authorization, and article 7 prohibits disclosure to third parties without such consent.
Since sensitive data may also be processed by the public health system, the LGPD provides specific rules for such processing.
Article 23, section I, of the LGPD requires that the public health network, when sharing electronic patient records, limit the processing to what is necessary to meet its purpose. In other words, this processing must serve exclusively the fulfillment of the legal obligation and the protection of health set forth in Law No. 13,787/2020. Additionally, section III of the same article requires that a data protection officer be appointed to oversee the processing of sensitive personal data. In the future, the ANPD may impose further requirements on the public health network.
Moreover, article 25 of the LGPD provides that, if the rendering of public health services relies at any level on the sharing of sensitive personal data, this data must be kept “in an interoperable format and structured for shared use”, making it possible to perform the processing necessary to fulfill the intended purpose.
Finally, a fundamental issue to be debated concerns the security measures for preventing incidents (including breaches) and unauthorized access involving sensitive personal data.
The PL requires the implementation of some security measures, in summary: (i) a login and password to access the website that contains the patient records; (ii) patient records may only be released by healthcare professionals under their signature (handwritten or electronic); and (iii) disclosure of patient information to third parties is forbidden and subject to administrative and legal sanctions in case of violation. At this time, it is unclear whether such measures will be enough to meet the LGPD’s security requirements.
Even though the LGPD has provisions regarding data security and best practices for processing personal and sensitive personal data, these provisions are very generic. In summary, the LGPD requires the adoption of technical and administrative security measures capable of protecting personal and sensitive personal data, in this case health data, from unauthorized access and from destruction, loss, alteration, communication or any other form of inadequate or unlawful processing, whether due to an incident or to illegality. It is worth remembering that technical measures come at a financial cost, which may or may not represent a barrier to the public health system’s adoption of these best practices. The LGPD also provides that any platform used for health data processing, in this case the website, must be structured to meet security requirements, best practices, governance standards and the LGPD principles, in addition to any other specific applicable rules. Once more, it is expected that, once properly constituted, the ANPD will issue more detailed guidelines for public health.
Should the PL be approved, time and experience will show whether its security measures are enough to protect patients’ sensitive personal data and, if they are not, how much the investments needed to meet LGPD standards will affect the PL’s effectiveness.
In conclusion, the PL represents an achievement for the population, particularly for individuals, who will have easy access to information regarding their health. The PL might also improve the quality and speed of medical assistance. However, when protecting one right, one may not ignore the existence of another. Therefore, privacy and the protection of patients’ intimacy must walk side by side. That shall be the mission of private and public health institutions when the PL is approved and the LGPD enters into force.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KGV Advogados in relation to the matters herein addressed. Copyrights are reserved to Kestener, Granja & Vieira Advogados.