Through Ordinance No. 1,434, of May 28, 2020, the Ministry of Health instituted the Programa Conecte SUS (“Connect SUS Program”) and the National Health Data Network (“RNDS”), aiming at the computerization and promotion of health interoperability standards in Brazil.
The Connect SUS Program – concerning the Brazilian National Health System, or SUS – broadly seeks to computerize public and private health establishments, as well as health management bodies. More specifically, it provides for the computerization of establishments that make up the levels of health care, starting with Primary Care. In addition, it seeks to promote access by citizens, establishments, professionals, and health managers to relevant information through a mobile platform and digital services. RNDS, in turn, consists of a national platform aimed at the integration and interoperability between public and private health establishments, as well as health management bodies. Using blockchain techonoly, it is a data repository that will be responsible for storing all citizens’ health information, ensuring the privacy, integrity, accessibility, and auditability of this content.
The platform is intended to allow communication and sharing of several digital health applications, in particular Electronic Health Records (EHR), Hospital and Laboratory Management Systems, portals and mobile applications.
Within the scope of RNDS actions, through changes in Consolidation Ordinance No. 1/ GM/MS, of September 28, 2017, the interoperability in the Brazilian National Health System was distinguished between:
- Semantics: referring to the adoption, according to the context of use, of information modeling techniques, information models and use of standardized vocabularies, such as terminologies, classifications, taxonomies, and ontologies, which guarantee the human understanding of an information structure
- Syntactic: referring to the adoption computational models and techniques that guarantee the ability to exchange standardized information between different systems, networks, and information and communication platforms, ensuring computational understanding by all involved and the correct conversion to human language, without loss or change in meaning and context information.
Although it does not yet establish deadlines for meeting the established requirements, the Ordinance also discloses links with technical information on national standards for synthetic interoperability, semantic interoperability and governance, management and specific health interoperability policies.
Ordinance No. 1,434/2020 is another digital health initiative launched by the Ministry of Health during the pandemic. Earlier, the Coronavirus – SUS application was developed, which allows the sending of messages and epidemiological alerts to users in general or specific segments, as well as the remote evaluation of symptoms for effective patient guidance regarding the best location and/or format assistance. Two other initiatives involve the expansion of the Ministry of Health’s Telehealth program to develop tele-orientation, telemetry and telemedicine actions, as well as the creation of a consolidated image bank to assist health professionals in the diagnosis of Covid-19, through screening of x-ray imaging and chest computed tomography exams for suspected cases of SARS-COV-2.
It is also important to note that the General Data Protection Law (“LGPD” – Law No. 13,709 of August 14, 2018) regulates the processing of personal data by public and private entities, establishing general principles and obligations for the agents involved, as well asa number of rights to the data subject.
The LGPD dedicates a chapter to the processing of personal data by the public administration, including the hypotheses of sharing it with private entities. Thus, although supported by a normative instrument, the integration and interoperability of health information between public and private health entities are also subject to the application of the LGPD and must obey general principles such as public interest, purpose, necessity and the security of data.
It is noteworthy that the liability for damages caused due to the exercise of personal data processing activity is joint and several. Thus, in the event of an incident involving the personal data subjected to the integration, the data subject can take action against both the public administration and the private health establishment that made the relevant data available, except for the exclusions of liability provided for the LGPD. Therefore, when sharing health information, agents must take technical and organizational measures to protect the data.