26 Aug The National Health Information and Informatics Policy and data protection
By Fabio Vieira and Gabriela Tchalian
On June 15, 2022, Resolution No. 659 of July 26, 2021 (“Resolution”), which establishes the National Health Information and Informatics Policy (“PNIIS”), was published in the Official Gazette.
The new regulation is welcome: the Covid-19 pandemic, which started in 2020, has accelerated digitization and the use of technology in various sectors, including health. For example, teleconsultations among Brazilians and applications for monitoring crowded areas have multiplied.
PNIIS aims to define principles and guidelines for the effective integration of health information systems in both the public and private sectors. In this way, it is intended to promote innovation; support the digital transformation of health work processes; improve governance in the use of information, information technology and digital health solutions; and strengthen transparency, security and the population’s access to health information, ultimately improving citizens’ health.
To meet its aims, PNIIS shall guide actions of units of the Ministry of Health and related entities; municipal, state, and federal health managers; public and private health entities; public and private health and technology service providers; health professionals; health services’ users; and instances of social control.
The principles of PNIIS, listed in Article 2, are:
(i) Promotion of universality, integrality and equity in health care and protection, directed to the continuity of individual and collective care through the processes of collection, management, production and dissemination of health data and information;
(ii) Promotion of management and production of health data and information, as elements capable of generating knowledge, in all actions of care, management, audit, research, control and social participation, in order to support health surveillance actions and formulation of public policies;
(iii) Democratization of health data and information as a duty of entities within the scope of SUS;
(iv) Promotion of open access to health data and information as a citizen’s right;
(v) Decentralization of processes for the production and dissemination of health data and information to meet data sharing needs and regional and local specificities;
(vi) Preservation of authenticity, integrity, traceability, and quality of health information, in compliance with the provisions of the General Data Protection Law (“LGPD”);
(vii) Confidentiality, privacy, data protection and security of personal health information as a right of every individual;
(viii) User autonomy in the decision on the sharing of their health data with health professionals who act in their care, with research bodies or with public and private health agencies or entities, respecting the legal obligations of sharing for health surveillance and public health management;
(ix) Optimization of health work processes, based on the production and usage of health information as a structuring element for universality, integrality, and equity in health care, from the unique capture of information through the use of open and interoperable standards;
(x) Development of initiatives that have the citizen and their physical and mental well-being as a primary focus;
(xi) Recognition of the National Health Data Network (“RNDS”) as the national platform for the integration of health data in the country; and
(xii) Respect for the principles of current legislation, with the standardization of rules and practices, so as to promote equal protection of the personal data of every citizen in Brazil, both within the country and abroad.
The extensive list of principles, almost all referring to processing of data and information, indicates the importance of processing of personal data and sensitive personal data for the integration of information systems.
In fact, in order for citizens to enjoy all the benefits provided for by technology and its use in digital health, it will be necessary to share a large amount of personal data between controllers and operators.
In this scenario, PNIIS’ concern with users’ privacy, information security and data protection is notable. These topics, despite being required by the LGPD, fully in force since last year, are still maturing in Brazil. It can also be seen that several companies have not yet adapted to the LGPD or have not even started the adequacy process.
Throughout the Resolution, concern with data protection continues to be present. As an example:
(i) Article 4, VIII, establishes as a PNIIS general guideline of governance and management the creation of mechanisms to control authorized access to personal data and sensitive personal data by the user, health professionals, health care and surveillance managers, research agencies and legally authorized public agents, in accordance with the LGPD;
(ii) Article 5, V, defines as a PNIIS guideline the strengthening of security mechanisms for access to health systems, data and information, which ensure their availability, authenticity and integrity, encouraging the use of electronic signature and biometric systems;
(iii) Article 7, VII, also presents as a PNIIS guideline the promotion of a data protection and information security culture among professionals, managers and users of the health system;
(iv) Finally, Article 9, VI, establishes as a PNIIS guideline the availability of data stored in the RNDS in anonymized form for analysis and research, with the confidentiality of personal health information being observed and protected in accordance with data protection and privacy rights, in line with the Open Data Plan of the Ministry of Health, the LGPD and the Access to Information Law.
While the general guidelines and principles established by PNIIS on privacy and data protection are a strong indication of compliance with the new regulatory demands, it is essential that at least one detailed privacy and data protection procedure or policy applicable to PNIIS is rapidly developed.
Such a procedure or policy would aim to define, in detail, the actions to be taken, and who is responsible for taking them, to protect data subjects and mitigate any security incidents.
It is worth remembering that the last few years have been marked not only by technological developments and greater digitization of everyday life, but also by a higher rate of cyber-attacks and incidents affecting both the public and private sectors across the globe.
It is also especially necessary for the RNDS system to have a data protection impact report. This is because personal health data, which make up most of the database, are considered sensitive personal data by the LGPD, and their improper disclosure or availability can have a strong impact on data subjects. Consequently, the National Data Protection Authority is authorized by Article 38 of the LGPD to require said report.
It is expected that PNIIS can effectively help strengthen guarantees of data protection and privacy for data subjects by providing a secure and efficient integration system for patients.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KGV Advogados in relation to the matters addressed herein. Copyright is reserved to Kestener & Vieira Advogados.