Consent for processing medical records data

Lima, Dartel Ferrari de; Ferreto, Lirane Elize Defante; Buzanello, Márcia Rosângela

doi:10.1590/1983-803420233589EN

Abstract

Processing medical record data involves ethical and legal challenges. This study proposes a processing description for using personal data obtained from medical records, as well as offers a general view of the current legislation on handling this type of data, contributing to further our understanding regarding consent when using medical records for research purposes. The Brazilian agency responsible for the ethical standards on research with humans issued a specific guideline on the subject to its local committees; however, such guidelines require a review based on the new meanings and senses established by the more recent legislation, according to which scientific research presents an exception to data processing without express consent by its titulary.

Human rights; Bioethics; Public health

Resumo

O manuseio de dados de pesquisa de prontuários médicos é uma preocupação que envolve questões éticas e legais. O objetivo deste artigo é fornecer uma descrição do processamento para a utilização de dados pessoais contidos em prontuários médicos, além de oferecer uma visão geral da legislação vigente sobre o manuseio desses dados, contribuindo para ampliar o entendimento da obrigatoriedade do consentimento para o manuseio prontuários médicos com finalidade de pesquisa. A agência brasileira que normatiza a análise ética em pesquisa com humanos despachou correspondência específica aos seus comitês locais tratando do assunto. No entanto, tal correspondência carece de revisão em virtude dos novos sentidos e significados estabelecidos na legislação mais recente, segundo a qual a finalidade de pesquisa científica é condição de exceção para o tratamento de dados pessoais sem o fornecimento de consentimento do titular.

Direitos humanos; Bioética; Saúde pública

Resumen

El manejo de datos de investigación provenientes de registros médicos es una preocupación que implica cuestiones éticas y legales. El objetivo de este artículo es brindar una descripción del procesamiento para el uso de datos personales contenidos en los registros médicos, además de ofrecer una visión general de la legislación vigente sobre el manejo de estos datos y así contribuir a ampliar la comprensión del consentimiento obligatorio para el manejo de registros médicos con fines de investigación. La agencia brasileña que regula el análisis ético en investigaciones con humanos envió una correspondencia específica a sus comités locales abordando el tema. Sin embargo, dicha correspondencia requiere una revisión debido a los nuevos sentidos y significados establecidos en la más reciente legislación, según la cual la finalidad de la investigación científica es una condición de excepción para el tratamiento de datos personales sin el suministro del consentimiento del titular.

Derechos humanos; Bioética; Salud publica

Attention to ethics in modern scientific research is essential, as experimentation with humans without their free and informed consent may violate the participants’ fundamental human rights. Absence of consent infringes on the personal right to the protection of one’s own body, property and privacy ¹1. Thakur S, Lahiry S. Research ethics in the modern era. Indian J Dermatol Venereol Leprol [Internet]. 2019 [acesso 3 ago 2023];85(4):351-4. DOI: 10.4103/ijdvl.IJDVL_499_18
https://doi.org/10.4103/ijdvl.IJDVL_499_... .

In response to violations of the rights of research participants that have occurred over time, in 1964, the World Medical Association promulgated the Declaration of Helsinki ²2. World Medical Association. Declaration of Helsinki: recommendations guiding physicians in biomedical research involving human subjects. JAMA [Internet]. 1997 [acesso 3 ago 2023];277(11):925-26. DOI: 10.1001/jama.1997.03540350075038
https://doi.org/10.1001/jama.1997.035403... . The document provides that the benefits sought from research cannot compensate for risks to the individual dignity of the participants. Although it was addressed to physicians, the declaration recommends that all involved in medical research, that is, everyone who researches in the health area, adopt the same declared principles ³3. Lima DF, Lima LA, Malacarne V, Cristofoletti JF. O lugar do representante do controle social nos comitês de ética em pesquisa brasileiros. Rev Bioét Derecho [Internet]. 2021 [acesso 19 set 2023];(52):253-64. DOI: 10.1344/rbd2021.52.32048
https://doi.org/10.1344/rbd2021.52.32048... .

Currently, ethical analysis of human research is signed by a collegial body in the institutions that carry out the research and involves the inspection of the research proposals submitted by researchers. In Brazil, this process is managed by the National Research Ethics Committee (Conep), created through Resolution 196/1996 ⁴4. Brasil. Ministério da Saúde. Conselho Nacional de Saúde. Resolução nº 196, de 10 de outubro de 1996. Diretrizes e normas reguladoras para pesquisas envolvendo seres humanos. Diário Oficial da União [Internet]. Brasília, 16 out 1996 [acesso 19 set 2023]. Disponível: https://bit.ly/48AtU5g
https://bit.ly/48AtU5g... and subordinate to the National Health Council (CNS).

This committee coordinates a decentralized network of interdisciplinary and independent collegial bodies present in places where research projects involving humans are done. These local committees are called ethics committees (CEP). The integration of these two levels is called the CEP/Conep system ⁵5. Lima DF, Lima LA, Christofoletti JF, Malacarne V. Ética y control social en la investigación científica en Brasil. Rev Colomb Bioét [Internet]. 2021 [acesso 3 ago 2023];16(1):1-13. DOI: 10.18270/rcb.v16i1.3039
https://doi.org/10.18270/rcb.v16i1.3039... .

The goal of CEPs is to provide favorable conditions for scientific research, simultaneously ensuring protection for participants and guaranteeing free and informed consent to such participation ⁴4. Brasil. Ministério da Saúde. Conselho Nacional de Saúde. Resolução nº 196, de 10 de outubro de 1996. Diretrizes e normas reguladoras para pesquisas envolvendo seres humanos. Diário Oficial da União [Internet]. Brasília, 16 out 1996 [acesso 19 set 2023]. Disponível: https://bit.ly/48AtU5g
https://bit.ly/48AtU5g... . Consent to access and handle sensitive personal data makes it possible to control risks to individuals’ privacy. The lack of confidentiality of personal health data, in turn, may compromise the right to individuality, personal relationship management and autonomy over health-related decisions ⁶6. Lima DF, Lima, LA. Perspectivas da ética em pesquisa: o repensar para o futuro do sistema normatizador brasileiro. Cadernos UniFOA [Internet]. 2021 [acesso 3 ago 2023];16(45):89-95. DOI: 10.47385/cadunifoa.v16.n45.3335
https://doi.org/10.47385/cadunifoa.v16.n... .

Therefore, the handling of medical records involves ethical and legal issues, especially considering that the use of information from medical records is still an impasse in CEPs. Furthermore, there are uncertainties regarding the evaluation of research protocols, particularly on the obligation of consent when handling personal data contained in medical records. Different criteria are often used by different ethics committees or by different members of the same committee with regards to the obligations of the researcher in handling such data. Thus, there is a need to shed light on this hazy point in the understanding of the actors involved with research ⁵5. Lima DF, Lima LA, Christofoletti JF, Malacarne V. Ética y control social en la investigación científica en Brasil. Rev Colomb Bioét [Internet]. 2021 [acesso 3 ago 2023];16(1):1-13. DOI: 10.18270/rcb.v16i1.3039
https://doi.org/10.18270/rcb.v16i1.3039... .

The goal of this article is to describe the legal processes for handling personal data contained in medical records. In addition, it aims to provide an overview of current legislation on the handling of medical record data. Thus, it is expected that it will contribute to enhancing comprehension of the role of free and informed consent to access sensitive health data for research purposes.

Handling information from medical records

In this context, consent is legally supported insofar as it is understood as a free and informed agreement regarding the handling of the personal data of the individual involved. In this article, personal health data from medical records is defined as a set of information, signs and images documented by healthcare providers concerning a person’s physical-functional state and/or mental health condition. Consent, therefore, is the act of authorizing the handling of private information contained in medical records for a pre-defined purpose, being a fundamental part of the ethical review to be done before the beginning of the research ⁷7. Lima DF. Dilemas éticos relacionados às pesquisas qualitativas nas ciências humanas e sociais. Revista Pesquisa Qualitativa [Internet]. 2021 [acesso 3 ago 2023];9(22):582-92. DOI: 10.33361/RPQ.2021.v.9.n.22.510
https://doi.org/10.33361/RPQ.2021.v.9.n.... .

There is a known legal foundation for the handling of personal data from medical records which involves meeting a number of conditions, starting with the person’s consent to access and use information from their medical records. There should also be a clear purpose, and when there is more than one purpose, separate consent is required for each one. Also, to characterize informed consent, the person should receive relevant information about the objective of the consent ⁵5. Lima DF, Lima LA, Christofoletti JF, Malacarne V. Ética y control social en la investigación científica en Brasil. Rev Colomb Bioét [Internet]. 2021 [acesso 3 ago 2023];16(1):1-13. DOI: 10.18270/rcb.v16i1.3039
https://doi.org/10.18270/rcb.v16i1.3039... .

The legislation does not specify how consent should be documented or how long it is valid. Therefore, different ways of expressing it are accepted, as long as the chosen form is clearly documented in the patient’s medical record ⁸8. Manti S, Licari A. How to obtain informed consent for research. Breathe (Sheff) [Internet]. 2018 [acesso 3 ago 2023];14(2):145-52. DOI: 10.1183/20734735.001918
https://doi.org/10.1183/20734735.001918... ,⁹9. Gupta UC. Informed consent in clinical research: Revisiting few concepts and areas. Perspect Clin Res [Internet]. 2013 [acesso 3 ago 2023];4(1):26-32. DOI: 10.4103/2229-3485.106373
https://doi.org/10.4103/2229-3485.106373... .

The provisions on confidentiality and secrecy are contained in specific legislation, which regulates access to and disclosure of private documents. As a rule of thumb, patient consent is a privacy-enhancing measure; however, there are certain exceptions listed in legislation that exclude the obligation of consent. The legal basis for handling personal data for research purposes is mainly the public interest ¹⁰10. Pietrzykowski T, Smilowska K. The reality of informed consent: empirical studies on patient comprehension-systematic review. Trials [Internet]. 2021 [acesso 3 ago 2023];22(1):57-72. DOI: 10.1186/s13063-020-04969-w
https://doi.org/10.1186/s13063-020-04969... , as studies that use such data may have impacts on the health of the population, helping to clarify the causes, prevention, treatment and rehabilitation of diseases.

Therefore, the understanding of consent as a legal basis for handling personal data is somewhat limited, even if such handling is permitted by Brazilian law with a view to improving public health care, producing epidemiological statistics or other research purposes. Furthermore, there are cases where consent to handling sensitive personal data for research purposes is not possible. For such situations, there are standardized behaviors, although they are poorly consolidated in the understanding of different CEPs and some of their members.

A recurring discussion concerns the balance between privacy of individual health information and benefit to society. There are situations in which the condition of mandatory consent may make research unfeasible, such as when using data that is old, from people who have died or whose diseases affect cognition, or from patients who cannot be found. However, in Brazil, waiving consent to handle personal data for research purposes requires specific precautions to compensate for the exceptional circumstances, with the research approved by a CEP.

The right to privacy is supported by the Federal Constitution of Brazil ¹¹11. Brasil. Constituição da República Federativa do Brasil: texto constitucional promulgado em 5 de outubro de 1988, com as alterações determinadas pelas Emendas Constitucionais de Revisão nº 1 a 6/94, pelas Emendas Constitucionais nº 1/92 a 91/2016 e pelo Decreto Legislativo nº 186/2008. Senado Federal [Internet]. 2016 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/4fkxt5av
https://tinyurl.com/4fkxt5av... , which ensures the inviolability of intimacy, private life, honor and image of people, whether they are alive or not—the constitutional rights of the deceased are preserved. However, it is common for personal data handled for research purposes to have been originally collected for other purposes. The rule is that information from medical records should be collected for specific, explicit and legitimate purposes, and not be subsequently handled for a different purpose, although the legislation provides exceptions.

Consent and legislation

Confidentiality of personal information

Keeping medical records is a way of sharing patient data between healthcare providers, and the obligation to keep such records applies to all providers, in the public or private sector. Information sharing is achieved through the handling of the patients’ medical records, called direct access.

No confidentiality assessment is required when information is made available to the multidisciplinary team during the hospitalization period, as long as only authorized people have access to it. As a rule, access to medical records is controlled to protect the information contained therein, determining who can handle it and what can be shared ³3. Lima DF, Lima LA, Malacarne V, Cristofoletti JF. O lugar do representante do controle social nos comitês de ética em pesquisa brasileiros. Rev Bioét Derecho [Internet]. 2021 [acesso 19 set 2023];(52):253-64. DOI: 10.1344/rbd2021.52.32048
https://doi.org/10.1344/rbd2021.52.32048... .

Confidentiality in activities related to health information contained in medical records is supported by the Brazilian Penal Code (CP), in section IV, which addresses crimes against the inviolability of secrets. Art. 153 of the CP defines that it is a crime for someone to disclose, without just cause, the contents of a private document or confidential correspondence, of which they are the recipient or holder, and whose disclosure could cause harm to others ¹²12. Brasil. Decreto-Lei nº 2.848, de 7 de dezembro de 1940. Código Penal. Diário Oficial da União. Rio de Janeiro, 31 dez 1940 [acesso 23 mar 2023]. Seção 1. Disponível: https://tinyurl.com/2wep92jx
https://tinyurl.com/2wep92jx... .

Patients cannot object to the handling of information required by healthcare providers to do their duty of keeping records of procedures carried out on patients. Therefore, the main provision on confidentiality establishes that information about the patient’s health condition cannot be revealed unless there is a greater need. The data is protected by confidentiality and the patient should not be identified or suffer any harm—whether intellectual, moral, social, psychological, physical, etc.—which can only be questioned in court if there is representation from the injured party.

The confidentiality of medical record information can be breached without the patient’s consent in specific cases. For example, it is permitted for healthcare providers to share information required for the prevention, investigation or treatment of the patient, or in cases of medical emergency. There are situations in which the data is necessary to ensure the best treatment, whereby the guarantee of confidentiality also becomes the responsibility of the person who received the information.

There are clear provisions on the use of personal information in the ethical guidelines for human research and confidentiality does not constitute an impediment to the use of personal data in research, as long as the rules involving in obtaining consent are observed. When this is not possible, the confidentiality of the data subject’s identity must be absolute and the data can only be used when authorized by the information keeper. In this case, both persons, the one who handled the data and the one who authorized access to it, may be held legally accountable for leaking sensitive information.

Ethical guidelines for handling medical records

Several aspects affect a person’s ability to give full consent, even if they are aware of the facts, especially when the information provided by the researcher is difficult to understand. Currently, there is no convention on how to present the consent form. Furthermore, as countries have different legal systems, there are difficulties in adopting foreign templates in Brazil, as both the conditions and regulations are established in accordance with Brazilian laws.

In Finland, Law 552/2019 ¹³13. Finland. Sosiaali- ja terveysministeriö. Laki 552/2019. Lag om sekundär användning av personuppgifter inom social- och hälsovården [Internet]. 2019 [acesso 30 jan 2023]. Disponível em: https://bit.ly/48M5RRl
https://bit.ly/48M5RRl... addresses the secondary use of personal data in health and social care and provides that an authority must evaluate whether the use of the information is ethically legitimate. After obtaining consent, the researcher may collect, handle and disclose data. Separate consent for specific purposes is no longer required under this new legislation.

In Denmark, health data are collected in a centralized, computerized system in which patients, healthcare providers and physicians obtain different levels of access to the data through a registry. The system allows patients to object to the collection of specific and sensitive data. It is, therefore, a form of reverse consent ¹⁴14. Hemminki E, Virtanen JI, Regushevskaya E. Decisions by Finnish Medical Research Ethics Committees: a nationwide study of process and outcomes. J Empir Res Hum Res Ethics [Internet]. 2015 [acesso 3 ago 2023];10(4):404-13. DOI: 10.1177/1556264615599685
https://doi.org/10.1177/1556264615599685... .

In Norway, in 2017, a medical record data management system was proposed to facilitate the secondary use of patient information. Individuals monitor how their data are used outside the healthcare system when applied to research. In the Norwegian system, the researcher has access to data from different databanks, subject to approval by a national authority that is responsible for the ethical review ¹⁵15. Faxvaag A, Johansen TS, Heimly V, Melby L, Grimsmo A. Healthcare professionals’ experiences with EHR-system access control mechanisms. Stud Health Technol Inform. 2011;169:601-5. DOI:10.3233/978-1-60750-806-9-601
https://doi.org/10.3233/978-1-60750-806-... .

In Brazil, Conep published Circular Letter 39/2011/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... , which addresses the use of medical record data in research. It clarifies to CEPs that the ethical evaluation of research of this type should consider the content of a wide range of documents. Conep lists these documents and informs that it is not up to the CEP/Conep system to legislate on access to and use of medical records.

Therefore, with regard to the handling of medical records for research purposes, Conep recommends compliance with the following legal provisions: Federal Constitution of Brazil, art. 5, items X and XIV ¹¹11. Brasil. Constituição da República Federativa do Brasil: texto constitucional promulgado em 5 de outubro de 1988, com as alterações determinadas pelas Emendas Constitucionais de Revisão nº 1 a 6/94, pelas Emendas Constitucionais nº 1/92 a 91/2016 e pelo Decreto Legislativo nº 186/2008. Senado Federal [Internet]. 2016 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/4fkxt5av
https://tinyurl.com/4fkxt5av... ; new Civil Code (CC), arts. 20 and 21 ¹⁷17. Brasil. Lei nº 10.406, de 10 de janeiro de 2002. Institui o Código Civil. Diário Oficial da União [Internet]. Brasília, p. 1, 11 jan 2002 [acesso 14 set 2022]. Seção 1. Disponível: https://tinyurl.com/35e8fjba
https://tinyurl.com/35e8fjba... ; Code of Civil Procedure (CPC), arts. 347, 363 and 406 ¹⁸18. Brasil. Código de Processo Civil: Lei nº 13.105, de 16 de março de 2015 [Internet]. 14ª ed. Brasília: Senado Federal; 2021 [acesso 12 jan 2022]. Disponível: https://tinyurl.com/4sdxd6vm
https://tinyurl.com/4sdxd6vm... ; Penal Code, arts. 153 and 154 ¹²12. Brasil. Decreto-Lei nº 2.848, de 7 de dezembro de 1940. Código Penal. Diário Oficial da União. Rio de Janeiro, 31 dez 1940 [acesso 23 mar 2023]. Seção 1. Disponível: https://tinyurl.com/2wep92jx
https://tinyurl.com/2wep92jx... ; Consumer Protection Code, arts. 43 and 44 ¹⁹19. Brasil. Código de proteção e defesa do consumidor e legislação correlata [Internet]. 5ª ed. Brasília: Senado Federal; 2012 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/5bdwjsf6
https://tinyurl.com/5bdwjsf6... ; Code of Medical Ethics of the Federal Council of Medicine (CFM), arts. 11, 70, 102, 103, 105, 106 and 108 ²⁰20. Conselho Federal de Medicina. Código de ética médica: Resolução CFM nº 1.931, de 17 de setembro de 2009 [Internet]. Brasília: Conselho Federal de Medicina, 2010 [acesso 29 jan 2023]. Disponível: https://tinyurl.com/ycns8yy8
https://tinyurl.com/ycns8yy8... ; Provisional Measure (MP) 2,200-2/2001 ²¹21. Brasil. Medida Provisória nº 2.200-2, de 24 de agosto de 2001. Institui a Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil, transforma o Instituto Nacional de Tecnologia da Informação em autarquia, e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 65, 24 ago 2001 [acesso 3 ago 2023]. Seção 1. Disponível: https://tinyurl.com/y69wn57y
https://tinyurl.com/y69wn57y... ; CFM standards regarding access to medical records: CFM Opinion 8/2005 ²²22. Conselho Federal de Medicina. Parecer CFM nº 8/2005. A inclusão de cláusulas de termo de consentimento que permitam o manuseio de prontuários por pessoas ou instituições alheias à pesquisa não tem respaldo no Código de Ética Médica ou em resolução do Conselho Federal de Medicina [Internet]. Conselho Federal de Medicina: Brasília; 2005 [acesso 20 fev 2023]. Disponível: https://tinyurl.com/yz7k7mmu
https://tinyurl.com/yz7k7mmu... and CFM Opinion 6/2010 ²³23. Conselho Federal de Medicina. Parecer CFM nº 6/2010. Liberação de prontuário médico a representante legal de paciente falecido [Internet]. Conselho Federal de Medicina: Brasília; 2010 [acesso 20 fev 2023]. Disponível: https://tinyurl.com/5fv4t7ce
https://tinyurl.com/5fv4t7ce... ; hospital accreditation standards from the Brazilian Accreditation Consortium (CBA), especially those concerning information management (Gl) 2: Gl 1.12 ²⁴24. Consórcio Brasileiro de Acreditação. O CBA [Internet]. 2023 [acesso 3 ago 2023]. Disponível: https://cbacred.org.br/site/o-cba/
https://cbacred.org.br/site/o-cba/... ; resolutions of the National Supplemental Health Insurance Agency (ANS), in particular RN 21/2002 ²⁵25. Agência Nacional de Saúde Suplementar. Coletânea Legislativa da Assessoria Regulamentar. 12ª ed. Curitiba: Unimed Paraná; 2015 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/3krzs5dc
https://tinyurl.com/3krzs5dc... and Law 9,961/2000, which creates the ANS; CFM resolutions 1,605/2000 ²⁶26. Conselho Federal de Medicina. Resolução nº 1605, de 15 de setembro de 2000. Diário Oficial da União [Internet]. Brasília, p. 30, 29 set 2000 [acesso 19 set 2023]. Seção I. Disponível: https://tinyurl.com/d25fvvy4
https://tinyurl.com/d25fvvy4... , 1,638/2002 ²⁷27. Conselho Federal de Medicina. Resolução nº 1638, de 10 de julho de 2002. Define prontuário médico e torna obrigatória a criação da Comissão de Revisão de Prontuários nas instituições de saúde. Diário Oficial da União [Internet]. Brasília, p. 184-5, 9 ago. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/5n8amcj8
https://tinyurl.com/5n8amcj8... 1,639/2002 ²⁸28. Conselho Federal de Medicina. Resolução nº 1639, de 10 de julho de 2002. Aprova as normas técnicas para o Uso de Sistemas Informatizados pra a Guarda e manuseio do prontuário médico, dispõe sobre tempo de guarda dos prontuários, estabelece critérios para certificação dos sistemas de informação e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 124-5, 12 ago 2002 [acesso 5 jan 2023]. Disponível: https://tinyurl.com/2pk6uhd2
https://tinyurl.com/2pk6uhd2... and 1,642/2002 ²⁹29. Conselho Federal de Medicina. Resolução nº 1642, de 7 de agosto de 2002. Empresas de assistência à saúde não podem interferir nas questões relativas à autonomia profissional dos médicos. Diário Oficial da União [Internet]. Brasília, p. 153, 9 set. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/ynk8t3h5
https://tinyurl.com/ynk8t3h5... .

It seems plausible that Conep does not wish to legislate on the handling of medical record data for research purposes, as it has no legal support for that. However, one would expect the regulator to analyze the legislation and present a standard of conduct to be followed equally by all CEPs, considering that there is no such regulation to date. Furthermore, if the law must be guided by ethics, there should be concern in updating Circular Letter 39/2011/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... , given the innovations that the legislation presents.

Standards for handling personal information

The Federal Constitution of Brazil of 1988 was drawn up by the Constituent Congress, composed of deputies and senators democratically elected in 1986, and constitutes the supreme law of Brazil, taking precedence over all other legislation, whether federal, state or municipal.

In item X of art. 5, it states: the privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from their violation is ensured. Item XIV provides: access to information is ensured to everyone and the confidentiality of the source shall be safeguarded, whenever necessary to the professional activity ¹¹11. Brasil. Constituição da República Federativa do Brasil: texto constitucional promulgado em 5 de outubro de 1988, com as alterações determinadas pelas Emendas Constitucionais de Revisão nº 1 a 6/94, pelas Emendas Constitucionais nº 1/92 a 91/2016 e pelo Decreto Legislativo nº 186/2008. Senado Federal [Internet]. 2016 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/4fkxt5av
https://tinyurl.com/4fkxt5av... . Both items, endorsed by Conep, aim to ensure to people the possession of information that concerns them.

In addition, it is also a constitutional right not to be obliged to do or not to do something, except by virtue of law. In this way, the data subject may consent to the access of his/her sensitive personal data in a free and informed manner, as an enshrined individual right.

Brazilian Civil Code: Law 10,406/2002

Law 10,406/2002 ¹⁷17. Brasil. Lei nº 10.406, de 10 de janeiro de 2002. Institui o Código Civil. Diário Oficial da União [Internet]. Brasília, p. 1, 11 jan 2002 [acesso 14 set 2022]. Seção 1. Disponível: https://tinyurl.com/35e8fjba
https://tinyurl.com/35e8fjba... establishes the new CC, a legislation that aims to standardize and discipline human activities, regulating relationships, obligations, duties and rights. Circular Letter 39/2011/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... highlights Articles 20 and 21 of the CC, which reads:

Art. 20. Unless authorized, or if necessary for the administration of justice or the maintenance of public order, the disclosure of writings, the transmission of words or the publication, exhibition or use of a person’s image may be prohibited, at their request and without prejudice to any compensation applicable, if it affects their honor, good reputation or respectability, or if intended for commercial purposes. Paragraph: in the case of a deceased or absent person, the legitimate parties to request this protection are the spouse, ascendants or descendants.

Art. 21. The private life of a natural person is inviolable, and the judge, at the request of the interested party, shall adopt the necessary measures to prevent or cease acts contrary to this rule ¹⁷17. Brasil. Lei nº 10.406, de 10 de janeiro de 2002. Institui o Código Civil. Diário Oficial da União [Internet]. Brasília, p. 1, 11 jan 2002 [acesso 14 set 2022]. Seção 1. Disponível: https://tinyurl.com/35e8fjba
https://tinyurl.com/35e8fjba... .

The above allows us to conclude that consent removes consideration of misuse or exposure of a person. However, to ensure the honor, good reputation or respectability of the person who consents, it seems plausible to require, for the consent to be valid, that it be free, clear and specific for each purpose. Therefore, the broad, general and unrestricted application of consent seems incorrect; for the use of sensitive personal data, consent should be required for each research purpose. It should be noted that, in the absence or impossibility of the data subject’s consent to access their information, other authorized persons may do so, in accordance with the paragraph of art. 20 ¹⁷17. Brasil. Lei nº 10.406, de 10 de janeiro de 2002. Institui o Código Civil. Diário Oficial da União [Internet]. Brasília, p. 1, 11 jan 2002 [acesso 14 set 2022]. Seção 1. Disponível: https://tinyurl.com/35e8fjba
https://tinyurl.com/35e8fjba... .

A second condition for prohibiting the transmission of words or the publication, exhibition or use of a person’s image is maintenance of public order. The expression “public order” has many meanings, since, in civil law, it consists of the search for peace and social harmony, for which the interrelationship between different fields of knowledge may contribute.

The potential contribution of scientific research to the development of public order seems undeniable. However, according to the legislation, to constitute a violation, the use of sensitive personal information should affect the honor, good reputation or respectability of a person, or generate commercial advantages to the detriment of the violated party. To exercise this right, the interested party should also demand compensation and demonstrate the damage.

Code of Civil Procedure: Law 13,105/2015

Law 13,105/2015 ¹⁸18. Brasil. Código de Processo Civil: Lei nº 13.105, de 16 de março de 2015 [Internet]. 14ª ed. Brasília: Senado Federal; 2021 [acesso 12 jan 2022]. Disponível: https://tinyurl.com/4sdxd6vm
https://tinyurl.com/4sdxd6vm... establishes the CPC, which regulates the entire procedure of civil lawsuits. It establishes how legal action should be taken, the formalization of the parties and what is permitted or not. Circular Letter 39/2011/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... highlights Articles 347, 363 and 406:

Art. 347: The promisor who has received all the installments and presents a document proving the registration, may request notification from the promisee, so that, within a deadline of thirty (30) days, he or she shall receive the deed of purchase and sale.

Art. 363: Once a commercial company has been dissolved due to the death of one of the partners, it shall be liquidated to determine the assets of the deceased, with the surviving partner being subrogated, as of right, to the benefits of the law, as long as he or she continues in the same line of business.

Art. 406: Once process has been served, a deadline of five (5) days shall be set, common to all defendants, to file an answer or express their vote on the matter ¹⁸18. Brasil. Código de Processo Civil: Lei nº 13.105, de 16 de março de 2015 [Internet]. 14ª ed. Brasília: Senado Federal; 2021 [acesso 12 jan 2022]. Disponível: https://tinyurl.com/4sdxd6vm
https://tinyurl.com/4sdxd6vm... .

The intention of the letter ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... in associating these legal provisions with the handling of medical record data for research purposes is not clear and there seems to have been a mistake on the part of the regulator (Conep), which perhaps intended to refer to the specific articles of the CC rather than the CPC. Even if this were true, the intention would be doubtful, for if the suggested articles were those of the CC, they would still be out of focus, as they address issues of subrogation in the rights of the satisfied creditor, describe rules of an insolvent debtor and inform on non-agreed late payment interest.

These provisions address subrogation, that is, a condition that determines the possibility of a person’s rights being transferred to another after payment of compensation. This is common in buying mortgaged property or paying insurance claims, but for the field of scientific research with humans, the relevance of the references is not immediately obvious.

Payment to research participants does not seem ethical, as it may affect the need to ensure their ability to decide freely and independently to participate in research ¹⁸18. Brasil. Código de Processo Civil: Lei nº 13.105, de 16 de março de 2015 [Internet]. 14ª ed. Brasília: Senado Federal; 2021 [acesso 12 jan 2022]. Disponível: https://tinyurl.com/4sdxd6vm
https://tinyurl.com/4sdxd6vm... . Consent must occur without any intervention of elements of force or coercion. Broadly speaking, it is assumed that payment constitutes an inducement that harms the participant’s ability to make a voluntary and free decision.

CNS Resolution 466/2012 ³⁰30. Brasil. Conselho Nacional de Saúde. Resolução nº 466, de 12 de dezembro de 2012. Diário Oficial da União [Internet]. Brasília, p. 59, 13 jun 2013 [acesso 29 fev 2023]. Seção 1. Disponível: https://tinyurl.com/5n8d2dyd
https://tinyurl.com/5n8d2dyd... reviewed the guidelines and regulatory standards for research involving humans, explaining the prohibition of payment to CEP and Conep members (Chapter VII.6). However, the resolution is not objective in relation to the prohibition of payment to research participants.

CNS Resolution 196/1996, revoked by resolution 466/2012, set forth clearly, in item II.10, that all forms of remunerating the research participant (called subject) were prohibited. Now, in the current resolution, the wording has been changed to: research participant – an individual who, in an informed and voluntary manner, or under the guidance and authorization of their legal agent(s), accepts to be researched. Participation must be without payment, except for Phase I or bioequivalence clinical research ³⁰30. Brasil. Conselho Nacional de Saúde. Resolução nº 466, de 12 de dezembro de 2012. Diário Oficial da União [Internet]. Brasília, p. 59, 13 jun 2013 [acesso 29 fev 2023]. Seção 1. Disponível: https://tinyurl.com/5n8d2dyd
https://tinyurl.com/5n8d2dyd... .

In this aspect, the new wording opens up the possibility of paid participation, in addition to the reimbursement of expenses incurred by participants and their companions in participating, such as transportation and food.

Offering money as an incentive to take part in research may lead to the exploitation of participants or mask the assessment of risks, which, depending on the study, may be significant. Thus, the decision would be influenced among individuals who are less well-off and would be harmed due to their financial need. Paid participation has ethical rather than legal restrictions and poses a challenge for researchers, proposing institutions, sponsors and research ethics committees, requiring such entities to reach a healthy agreement regarding the effects of remuneration on free consent.

Penal Code: Decree-Law 2,848/1940

In its letter, Conep suggests reading Articles 153 and 154 of the Brazilian Penal Code, established by Decree-Law 2,848/1940 ¹²12. Brasil. Decreto-Lei nº 2.848, de 7 de dezembro de 1940. Código Penal. Diário Oficial da União. Rio de Janeiro, 31 dez 1940 [acesso 23 mar 2023]. Seção 1. Disponível: https://tinyurl.com/2wep92jx
https://tinyurl.com/2wep92jx... . Art. 153 addresses the prohibition of disclosing, without just cause, the content of a private document or confidential correspondence, the publication of which could cause harm to others, providing sanctions for this violation, and determines that the crime only occurs through representation, that is, based on a complaint from the injured party. Art. 154 forbids the disclosure, without just cause, of a secret known due to function, cabinet position, occupation or profession, the disclosure of which could cause harm to others, imposing sanctions for this violation.

Both articles stress that the fact must occur without just cause to be considered a crime. On the other hand, as will be seen in the subsequent sections, more current legislation explains that scientific research for the collective well-being is considered just cause, which contradicts the condition of absence of just cause.

Brazilian Consumer Protection Code: Law 8,078/1990

Law 8,078/1990 ¹⁹19. Brasil. Código de proteção e defesa do consumidor e legislação correlata [Internet]. 5ª ed. Brasília: Senado Federal; 2012 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/5bdwjsf6
https://tinyurl.com/5bdwjsf6... rules on consumer protection and other provisions, establishing standards of public order and social interest for consumer protection and defense. Circular Letter 39/2011/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... highlights Articles 43 and 44 of Chapter 5.

Art. 43. Notwithstanding the provisions of art. 86, consumers shall have access to the information in registries, records and files on their personal and consumption data, as well as to their respective sources.

Art. 44. Public consumer protection bodies shall keep updated records of substantiated complaints against suppliers of products and services, being hereby obliged to disclose them publicly and annually. The disclosure hereof shall indicate whether the complaint has been considered or not by the supplier. Paragraph 1. Access to the information thereof shall be available for guidance and consultation to any interested party ¹⁹19. Brasil. Código de proteção e defesa do consumidor e legislação correlata [Internet]. 5ª ed. Brasília: Senado Federal; 2012 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/5bdwjsf6
https://tinyurl.com/5bdwjsf6... .

Again, the letter’s ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... intention in associating these legal provisions with the handling of medical record data for research purposes does not seem clear. The law provides that consumers have the right to access their personal data records, which has no objective relationship with research.

The ethical concern behind Conep’s letter ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... should focus on researchers’ access to an individual’s personal data. Thus, art. 43 does not contribute to expanding knowledge in this regard and the first paragraph of art. 44 generates controversy when stating that access to the information thereof shall be available for guidance and consultation to any interested party. This message does not seem appropriate for the handling of sensitive data in medical records.

Code of Medical Ethics: CFM Resolution 2,217/2018

Circular Letter 39/2011/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... highlights Articles 11, 70, 102, 103, 105, 106 and 108 of CFM Resolution 2,217/2018 ²⁰20. Conselho Federal de Medicina. Código de ética médica: Resolução CFM nº 1.931, de 17 de setembro de 2009 [Internet]. Brasília: Conselho Federal de Medicina, 2010 [acesso 29 jan 2023]. Disponível: https://tinyurl.com/ycns8yy8
https://tinyurl.com/ycns8yy8... , which reviews the Code of Medical Ethics, establishing standards to be followed by physicians in the exercise of their profession. The highlighted articles address different topics: art. 11, filling out of medical documents; art. 70, professional fees; art. 102, use of therapies approved in Brazil; art. 103 requires compliance with legal standards for carrying out medical research; art. 105 prohibits medical research with participants with some level of subordination to the researcher; and art. 106 addresses the use of placebos in research.

The relationship of the abovementioned provisions with the handling of data in medical records is not clear. art. 108 is relevant to the scope of the recommendation, as it prohibits the use of unpublished data, information or opinions without reference to their author or without their written consent. In this provision, consent must be given in writing, which goes against current ethical standards, which allow consent to be obtained through different means, as long as the individual’s freedom and understanding are respected ²⁰20. Conselho Federal de Medicina. Código de ética médica: Resolução CFM nº 1.931, de 17 de setembro de 2009 [Internet]. Brasília: Conselho Federal de Medicina, 2010 [acesso 29 jan 2023]. Disponível: https://tinyurl.com/ycns8yy8
https://tinyurl.com/ycns8yy8... .

Provisional Measure 2,200-2/2001

PM 2,200-2/2001 ²¹21. Brasil. Medida Provisória nº 2.200-2, de 24 de agosto de 2001. Institui a Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil, transforma o Instituto Nacional de Tecnologia da Informação em autarquia, e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 65, 24 ago 2001 [acesso 3 ago 2023]. Seção 1. Disponível: https://tinyurl.com/y69wn57y
https://tinyurl.com/y69wn57y... establishes the Brazilian Public Key Infrastructure (ICP-Brasil) to ensure the authenticity, integrity and legal validity of documents in electronic form and of applications that use digital certificates, as well as secure electronic transactions.

Circular Letter 39/2011/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... highlights compliance with the aforementioned PM, which is intended to transform the National Institute of Information Technology into an autonomous agency and set up a ICP-Brasil steering committee to delegate responsibilities and adopt other measures within the scope of the PM. Conep should make clear what lessons can be derived by complying with this provision, which does not make any reference to access to medical record data for research purposes.

Federal Council of Medicine: Opinions 8/2005 and 6/2010

CFM Opinion 8/2005 ²²22. Conselho Federal de Medicina. Parecer CFM nº 8/2005. A inclusão de cláusulas de termo de consentimento que permitam o manuseio de prontuários por pessoas ou instituições alheias à pesquisa não tem respaldo no Código de Ética Médica ou em resolução do Conselho Federal de Medicina [Internet]. Conselho Federal de Medicina: Brasília; 2005 [acesso 20 fev 2023]. Disponível: https://tinyurl.com/yz7k7mmu
https://tinyurl.com/yz7k7mmu... addresses consent for the handling of medical records by people or institutions outside research, with Conep and CNS as interested parties. Consultation by Conep was motivated by multinational studies, as clauses have been included in consent forms providing access to medical records by people and entities outside the institution, including foreign institutions ²⁴24. Consórcio Brasileiro de Acreditação. O CBA [Internet]. 2023 [acesso 3 ago 2023]. Disponível: https://cbacred.org.br/site/o-cba/
https://cbacred.org.br/site/o-cba/... . The opinion’s conclusion determines that access to medical records, a patient document, is subject to patient consent, and therefore such information cannot be handled by people or entities outside the hospital.

Initially, it is important to understand that this opinion does not have the force of law, as it is an administrative and normative act, lower in hierarchy than the law. It is also essential to understand what is meant by people outside the institution: is a professor of undergraduate, residency or graduate courses who works in a given institution (a teaching hospital, for example) a person outside the institution? If people outside the institution cannot handle medical record data, it seems correct to conclude that those that belong to it can, as long as the appropriate ethical rituals are followed.

CFM Opinion 6/2010 ²³23. Conselho Federal de Medicina. Parecer CFM nº 6/2010. Liberação de prontuário médico a representante legal de paciente falecido [Internet]. Conselho Federal de Medicina: Brasília; 2010 [acesso 20 fev 2023]. Disponível: https://tinyurl.com/5fv4t7ce
https://tinyurl.com/5fv4t7ce... addresses the possibility of releasing medical records to the legal agent of a deceased patient, such as spouse, ascendant and descendant, with the Regional Council of Medicine of Ceará as interested party. The opinion concludes that confidentiality should be preserved, even after the patient’s death. Just cause includes exceptions arising from the legal system, such as the case of parents of minors, and favorable court decisions.

It is important to note that CFM Opinion 6/2010 was issued before the General Data Protection Law (LGPD), Law 13853/2019 ³¹31. Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
https://bit.ly/3rtV9Ot... , whose art. 11 provides the conditions under which the handling of sensitive personal data may occur without consent from the data subject: in studies by a research body, ensuring, whenever possible, the anonymity of sensitive personal data (paragraph C).

As the opinions are not law, the provisions of current legislation, which are hierarchically higher, should be observed. Therefore, the purpose of scientific research constitutes an exception to the need for data subject consent. This legal understanding will be elaborated on below when addressing the aforementioned law.

Brazilian Accreditation Consortium: standards

CBA is a non-governmental organization founded in 1998 with the mission of promoting improvement in the quality and safety of care provided to patients in health systems and services, through education and training processes and international and specialized accreditation programs ²⁴24. Consórcio Brasileiro de Acreditação. O CBA [Internet]. 2023 [acesso 3 ago 2023]. Disponível: https://cbacred.org.br/site/o-cba/
https://cbacred.org.br/site/o-cba/... .

The publications of this entity do not find legal support in Brazilian legislation. Therefore, they are references rather than obligations to be met. Despite presenting itself as a non-profit institution, the entity sells its products, so this analysis will refrain from addressing this reference for reasons of conflict of interest.

National Supplemental Health Insurance Agency: Normative Resolution 21/2002

ANS Normative Resolution 21/2002 ²⁵25. Agência Nacional de Saúde Suplementar. Coletânea Legislativa da Assessoria Regulamentar. 12ª ed. Curitiba: Unimed Paraná; 2015 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/3krzs5dc
https://tinyurl.com/3krzs5dc... provides for the protection of information on the health condition of consumers of private health insurance plans. Art. 1 establishes that operators of private health insurance plans shall keep protected the healthcare information provided by their consumers or service providers, observing the provisions of RDC Resolution 64, dated April 10, 2001, when accompanied by data that enable their individualization, and shall not disclose or provide such data to third parties, except in cases expressly set forth in legislation ²⁵25. Agência Nacional de Saúde Suplementar. Coletânea Legislativa da Assessoria Regulamentar. 12ª ed. Curitiba: Unimed Paraná; 2015 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/3krzs5dc
https://tinyurl.com/3krzs5dc... .

It is clear that the resolution recognizes in current legislation the responsibility for access to and handling of sensitive patient data. Therefore, the ANS recommendation points to compliance with what is provided in the LGPD (Law 13,853/2019) ³¹31. Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
https://bit.ly/3rtV9Ot... .

Federal Council of Medicine: Resolutions 1,605/2000, 1,638/2002, 1,639/2002 and 1,642/2002

Circular Letter 39/2011/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... highlights CFM resolutions 1,605/2000 ²⁶26. Conselho Federal de Medicina. Resolução nº 1605, de 15 de setembro de 2000. Diário Oficial da União [Internet]. Brasília, p. 30, 29 set 2000 [acesso 19 set 2023]. Seção I. Disponível: https://tinyurl.com/d25fvvy4
https://tinyurl.com/d25fvvy4... , 1,638/2002 ²⁷27. Conselho Federal de Medicina. Resolução nº 1638, de 10 de julho de 2002. Define prontuário médico e torna obrigatória a criação da Comissão de Revisão de Prontuários nas instituições de saúde. Diário Oficial da União [Internet]. Brasília, p. 184-5, 9 ago. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/5n8amcj8
https://tinyurl.com/5n8amcj8... , 1,639/2002 ²⁸28. Conselho Federal de Medicina. Resolução nº 1639, de 10 de julho de 2002. Aprova as normas técnicas para o Uso de Sistemas Informatizados pra a Guarda e manuseio do prontuário médico, dispõe sobre tempo de guarda dos prontuários, estabelece critérios para certificação dos sistemas de informação e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 124-5, 12 ago 2002 [acesso 5 jan 2023]. Disponível: https://tinyurl.com/2pk6uhd2
https://tinyurl.com/2pk6uhd2... and 1,642/2002²⁹29. Conselho Federal de Medicina. Resolução nº 1642, de 7 de agosto de 2002. Empresas de assistência à saúde não podem interferir nas questões relativas à autonomia profissional dos médicos. Diário Oficial da União [Internet]. Brasília, p. 153, 9 set. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/ynk8t3h5
https://tinyurl.com/ynk8t3h5... of the CFM ²⁴24. Consórcio Brasileiro de Acreditação. O CBA [Internet]. 2023 [acesso 3 ago 2023]. Disponível: https://cbacred.org.br/site/o-cba/
https://cbacred.org.br/site/o-cba/... . Resolution 1,605/2000 ²⁶26. Conselho Federal de Medicina. Resolução nº 1605, de 15 de setembro de 2000. Diário Oficial da União [Internet]. Brasília, p. 30, 29 set 2000 [acesso 19 set 2023]. Seção I. Disponível: https://tinyurl.com/d25fvvy4
https://tinyurl.com/d25fvvy4... indicates the need for medical record content confidentiality and express patient consent, except in cases of judicial request. Resolution 1,638/2002 ²⁷27. Conselho Federal de Medicina. Resolução nº 1638, de 10 de julho de 2002. Define prontuário médico e torna obrigatória a criação da Comissão de Revisão de Prontuários nas instituições de saúde. Diário Oficial da União [Internet]. Brasília, p. 184-5, 9 ago. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/5n8amcj8
https://tinyurl.com/5n8amcj8... defines medical record and makes it mandatory to create a medical record review committee in health institutions.

Resolution 1,639/2002 ²⁸28. Conselho Federal de Medicina. Resolução nº 1639, de 10 de julho de 2002. Aprova as normas técnicas para o Uso de Sistemas Informatizados pra a Guarda e manuseio do prontuário médico, dispõe sobre tempo de guarda dos prontuários, estabelece critérios para certificação dos sistemas de informação e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 124-5, 12 ago 2002 [acesso 5 jan 2023]. Disponível: https://tinyurl.com/2pk6uhd2
https://tinyurl.com/2pk6uhd2... approves the adoption of technical standards for keeping and handling medical records and Resolution 1,642/2002 ²⁹29. Conselho Federal de Medicina. Resolução nº 1642, de 7 de agosto de 2002. Empresas de assistência à saúde não podem interferir nas questões relativas à autonomia profissional dos médicos. Diário Oficial da União [Internet]. Brasília, p. 153, 9 set. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/ynk8t3h5
https://tinyurl.com/ynk8t3h5... addresses the relationship between physicians and companies that provide medical services. These resolutions make no mention of ethical issues related to research involving humans, so Conep’s intention in referring to them is not clear.

General Data Protection Law: Law 13,853/2019

Law 13,853/2019 ³¹31. Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
https://bit.ly/3rtV9Ot... , which amends Law 13,709/2018, now called the LGPD, provides for the protection of personal data, determines the creation of the National Data Protection Authority and provides other measures. It rules on the handling of personal data to protect the fundamental rights of freedom and privacy and the free development of the personality of natural persons, highlighting the inviolability of intimacy, honor and image.

Section I “Requirements for Handling Personal Data” of Chapter II “Handling Personal Data” provides the conditions for handling personal data. Item IV states that in order to carry out studies by a research body, the anonymization of personal data must be guaranteed, whenever possible ³¹31. Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
https://bit.ly/3rtV9Ot... .

In Section II “Handling Sensitive Personal Data,” Item II addresses the conditions for handling personal data without data subject consent. Sub-item C addresses studies carried out by a research body, which includes the need to guarantee, whenever possible, the anonymization of sensitive personal data. The same section includes art. 13 and paragraphs 1 and 2.

Art. 13. When carrying out public health studies, research bodies may have access to personal databases, which shall be handled exclusively within the body and strictly for the purpose of carrying out studies and research. Those databases shall be kept in a controlled and secure environment, in accordance with security practices provided in specific regulation and which include, whenever possible, the anonymization or pseudonymization of data, as well due consideration to appropriate ethical standards related to studies and research ³¹31. Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
https://bit.ly/3rtV9Ot... .

In addition, paragraph 1 provides that the disclosure of the results or of any part of the study or research mentioned in the lead sentence of this article may under no circumstances reveal personal data. Paragraph 2 states: the research body shall be held liable for the security of the information provided in the lead sentence of this article, and under no circumstances is the transfer of data to third parties permitted ³¹31. Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
https://bit.ly/3rtV9Ot... .

One objectively notes that data subject consent to use personal data in scientific research is unnecessary when the institution that uses them is set up for such a purpose. Also explicitly, the law defines research body in the preliminary provisions, in Chapter I, Item XVIII:

XVIII – Body or entity from the direct or indirect public administration or non-profit legal entity of private law, legally organized under Brazilian law, with headquarters and jurisdiction in the country, which includes in its institutional mission or in its corporate or statutory purpose basic or applied research of historical, scientific, technological or statistical nature ³¹31. Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
https://bit.ly/3rtV9Ot... .

There appears to be little room for denying an institution with research purposes the right to access or authorize researchers to access patients’ medical records without data subject consent, provided the confidentiality of the information, the identity of the person, compliance with the purpose of the research and approval by a human research ethics committee are safeguarded.

Final considerations

Circular Letter 39/11/CONEP/CNS/GB/MS ¹⁶16. Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
https://tinyurl.com/bdepn38z... , which addresses the use of medical record data for research purposes, dated 2011, requires reviewing. The legislation referred to in the circular letter has gained new meanings, requiring new interpretations. In particular, the LGPD (13,853/2019) rules on the handling of sensitive data and clearly indicates scientific research purpose as one of the exceptional conditions for handling personal data without data subject consent ³¹31. Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
https://bit.ly/3rtV9Ot... .

Thus, with the authorization of those responsible for keeping the documents, and observing the confidentiality of sensitive data in medical records, the anonymity of the person and the need for approval by an officially established human research ethics committee, access to medical records is possible. It should be stressed that this procedure is explicitly guaranteed to researchers linked to a recognized research institution.

At best, it is hoped that the development of the ethical basis may occur gradually and in extensive collaboration with innovative legislative proposals. Current legislation provides that research institutions may handle medical record personal data without data subject consent. When consent cannot be obtained, researchers are allowed to access, handle and publish sensitive data from medical records, complying with the ethical and legal conditions required to this end.

Referências

¹
Thakur S, Lahiry S. Research ethics in the modern era. Indian J Dermatol Venereol Leprol [Internet]. 2019 [acesso 3 ago 2023];85(4):351-4. DOI: 10.4103/ijdvl.IJDVL_499_18
» https://doi.org/10.4103/ijdvl.IJDVL_499_18
²
World Medical Association. Declaration of Helsinki: recommendations guiding physicians in biomedical research involving human subjects. JAMA [Internet]. 1997 [acesso 3 ago 2023];277(11):925-26. DOI: 10.1001/jama.1997.03540350075038
» https://doi.org/10.1001/jama.1997.03540350075038
³
Lima DF, Lima LA, Malacarne V, Cristofoletti JF. O lugar do representante do controle social nos comitês de ética em pesquisa brasileiros. Rev Bioét Derecho [Internet]. 2021 [acesso 19 set 2023];(52):253-64. DOI: 10.1344/rbd2021.52.32048
» https://doi.org/10.1344/rbd2021.52.32048
⁴
Brasil. Ministério da Saúde. Conselho Nacional de Saúde. Resolução nº 196, de 10 de outubro de 1996. Diretrizes e normas reguladoras para pesquisas envolvendo seres humanos. Diário Oficial da União [Internet]. Brasília, 16 out 1996 [acesso 19 set 2023]. Disponível: https://bit.ly/48AtU5g
» https://bit.ly/48AtU5g
⁵
Lima DF, Lima LA, Christofoletti JF, Malacarne V. Ética y control social en la investigación científica en Brasil. Rev Colomb Bioét [Internet]. 2021 [acesso 3 ago 2023];16(1):1-13. DOI: 10.18270/rcb.v16i1.3039
» https://doi.org/10.18270/rcb.v16i1.3039
⁶
Lima DF, Lima, LA. Perspectivas da ética em pesquisa: o repensar para o futuro do sistema normatizador brasileiro. Cadernos UniFOA [Internet]. 2021 [acesso 3 ago 2023];16(45):89-95. DOI: 10.47385/cadunifoa.v16.n45.3335
» https://doi.org/10.47385/cadunifoa.v16.n45.3335
⁷
Lima DF. Dilemas éticos relacionados às pesquisas qualitativas nas ciências humanas e sociais. Revista Pesquisa Qualitativa [Internet]. 2021 [acesso 3 ago 2023];9(22):582-92. DOI: 10.33361/RPQ.2021.v.9.n.22.510
» https://doi.org/10.33361/RPQ.2021.v.9.n.22.510
⁸
Manti S, Licari A. How to obtain informed consent for research. Breathe (Sheff) [Internet]. 2018 [acesso 3 ago 2023];14(2):145-52. DOI: 10.1183/20734735.001918
» https://doi.org/10.1183/20734735.001918
⁹
Gupta UC. Informed consent in clinical research: Revisiting few concepts and areas. Perspect Clin Res [Internet]. 2013 [acesso 3 ago 2023];4(1):26-32. DOI: 10.4103/2229-3485.106373
» https://doi.org/10.4103/2229-3485.106373
¹⁰
Pietrzykowski T, Smilowska K. The reality of informed consent: empirical studies on patient comprehension-systematic review. Trials [Internet]. 2021 [acesso 3 ago 2023];22(1):57-72. DOI: 10.1186/s13063-020-04969-w
» https://doi.org/10.1186/s13063-020-04969-w
¹¹
Brasil. Constituição da República Federativa do Brasil: texto constitucional promulgado em 5 de outubro de 1988, com as alterações determinadas pelas Emendas Constitucionais de Revisão nº 1 a 6/94, pelas Emendas Constitucionais nº 1/92 a 91/2016 e pelo Decreto Legislativo nº 186/2008. Senado Federal [Internet]. 2016 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/4fkxt5av
» https://tinyurl.com/4fkxt5av
¹²
Brasil. Decreto-Lei nº 2.848, de 7 de dezembro de 1940. Código Penal. Diário Oficial da União. Rio de Janeiro, 31 dez 1940 [acesso 23 mar 2023]. Seção 1. Disponível: https://tinyurl.com/2wep92jx
» https://tinyurl.com/2wep92jx
¹³
Finland. Sosiaali- ja terveysministeriö. Laki 552/2019. Lag om sekundär användning av personuppgifter inom social- och hälsovården [Internet]. 2019 [acesso 30 jan 2023]. Disponível em: https://bit.ly/48M5RRl
» https://bit.ly/48M5RRl
¹⁴
Vallgårda S. Ethics, equality and evidence health promotion: Danish guidelines for municipalities. Scand J Public Health [Internet]. 2014 [acesso 3 ago 2023];42(4):337-43. DOI: 10.1177/1403494814525007in
» https://doi.org/10.1177/1403494814525007in
¹⁵
Faxvaag A, Johansen TS, Heimly V, Melby L, Grimsmo A. Healthcare professionals’ experiences with EHR-system access control mechanisms. Stud Health Technol Inform. 2011;169:601-5. DOI:10.3233/978-1-60750-806-9-601
» https://doi.org/10.3233/978-1-60750-806-9-601
¹⁴
Hemminki E, Virtanen JI, Regushevskaya E. Decisions by Finnish Medical Research Ethics Committees: a nationwide study of process and outcomes. J Empir Res Hum Res Ethics [Internet]. 2015 [acesso 3 ago 2023];10(4):404-13. DOI: 10.1177/1556264615599685
» https://doi.org/10.1177/1556264615599685
¹⁶
Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
» https://tinyurl.com/bdepn38z
¹⁷
Brasil. Lei nº 10.406, de 10 de janeiro de 2002. Institui o Código Civil. Diário Oficial da União [Internet]. Brasília, p. 1, 11 jan 2002 [acesso 14 set 2022]. Seção 1. Disponível: https://tinyurl.com/35e8fjba
» https://tinyurl.com/35e8fjba
¹⁸
Brasil. Código de Processo Civil: Lei nº 13.105, de 16 de março de 2015 [Internet]. 14ª ed. Brasília: Senado Federal; 2021 [acesso 12 jan 2022]. Disponível: https://tinyurl.com/4sdxd6vm
» https://tinyurl.com/4sdxd6vm
¹⁹
Brasil. Código de proteção e defesa do consumidor e legislação correlata [Internet]. 5ª ed. Brasília: Senado Federal; 2012 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/5bdwjsf6
» https://tinyurl.com/5bdwjsf6
²⁰
Conselho Federal de Medicina. Código de ética médica: Resolução CFM nº 1.931, de 17 de setembro de 2009 [Internet]. Brasília: Conselho Federal de Medicina, 2010 [acesso 29 jan 2023]. Disponível: https://tinyurl.com/ycns8yy8
» https://tinyurl.com/ycns8yy8
²¹
Brasil. Medida Provisória nº 2.200-2, de 24 de agosto de 2001. Institui a Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil, transforma o Instituto Nacional de Tecnologia da Informação em autarquia, e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 65, 24 ago 2001 [acesso 3 ago 2023]. Seção 1. Disponível: https://tinyurl.com/y69wn57y
» https://tinyurl.com/y69wn57y
²²
Conselho Federal de Medicina. Parecer CFM nº 8/2005. A inclusão de cláusulas de termo de consentimento que permitam o manuseio de prontuários por pessoas ou instituições alheias à pesquisa não tem respaldo no Código de Ética Médica ou em resolução do Conselho Federal de Medicina [Internet]. Conselho Federal de Medicina: Brasília; 2005 [acesso 20 fev 2023]. Disponível: https://tinyurl.com/yz7k7mmu
» https://tinyurl.com/yz7k7mmu
²³
Conselho Federal de Medicina. Parecer CFM nº 6/2010. Liberação de prontuário médico a representante legal de paciente falecido [Internet]. Conselho Federal de Medicina: Brasília; 2010 [acesso 20 fev 2023]. Disponível: https://tinyurl.com/5fv4t7ce
» https://tinyurl.com/5fv4t7ce
²⁴
Consórcio Brasileiro de Acreditação. O CBA [Internet]. 2023 [acesso 3 ago 2023]. Disponível: https://cbacred.org.br/site/o-cba/
» https://cbacred.org.br/site/o-cba/
²⁵
Agência Nacional de Saúde Suplementar. Coletânea Legislativa da Assessoria Regulamentar. 12ª ed. Curitiba: Unimed Paraná; 2015 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/3krzs5dc
» https://tinyurl.com/3krzs5dc
²⁶
Conselho Federal de Medicina. Resolução nº 1605, de 15 de setembro de 2000. Diário Oficial da União [Internet]. Brasília, p. 30, 29 set 2000 [acesso 19 set 2023]. Seção I. Disponível: https://tinyurl.com/d25fvvy4
» https://tinyurl.com/d25fvvy4
²⁷
Conselho Federal de Medicina. Resolução nº 1638, de 10 de julho de 2002. Define prontuário médico e torna obrigatória a criação da Comissão de Revisão de Prontuários nas instituições de saúde. Diário Oficial da União [Internet]. Brasília, p. 184-5, 9 ago. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/5n8amcj8
» https://tinyurl.com/5n8amcj8
²⁸
Conselho Federal de Medicina. Resolução nº 1639, de 10 de julho de 2002. Aprova as normas técnicas para o Uso de Sistemas Informatizados pra a Guarda e manuseio do prontuário médico, dispõe sobre tempo de guarda dos prontuários, estabelece critérios para certificação dos sistemas de informação e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 124-5, 12 ago 2002 [acesso 5 jan 2023]. Disponível: https://tinyurl.com/2pk6uhd2
» https://tinyurl.com/2pk6uhd2
²⁹
Conselho Federal de Medicina. Resolução nº 1642, de 7 de agosto de 2002. Empresas de assistência à saúde não podem interferir nas questões relativas à autonomia profissional dos médicos. Diário Oficial da União [Internet]. Brasília, p. 153, 9 set. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/ynk8t3h5
» https://tinyurl.com/ynk8t3h5
³⁰
Brasil. Conselho Nacional de Saúde. Resolução nº 466, de 12 de dezembro de 2012. Diário Oficial da União [Internet]. Brasília, p. 59, 13 jun 2013 [acesso 29 fev 2023]. Seção 1. Disponível: https://tinyurl.com/5n8d2dyd
» https://tinyurl.com/5n8d2dyd
³¹
Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
» https://bit.ly/3rtV9Ot

Publication Dates

Publication in this collection
18 Dec 2023
Date of issue
2023

History

Received
4 May 2023
Reviewed
13 July 2023
Accepted
28 Aug 2023

This is an Open Access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

[1] ¹
Thakur S, Lahiry S. Research ethics in the modern era. Indian J Dermatol Venereol Leprol [Internet]. 2019 [acesso 3 ago 2023];85(4):351-4. DOI: 10.4103/ijdvl.IJDVL_499_18
» https://doi.org/10.4103/ijdvl.IJDVL_499_18

[2] ²
World Medical Association. Declaration of Helsinki: recommendations guiding physicians in biomedical research involving human subjects. JAMA [Internet]. 1997 [acesso 3 ago 2023];277(11):925-26. DOI: 10.1001/jama.1997.03540350075038
» https://doi.org/10.1001/jama.1997.03540350075038

[3] ³
Lima DF, Lima LA, Malacarne V, Cristofoletti JF. O lugar do representante do controle social nos comitês de ética em pesquisa brasileiros. Rev Bioét Derecho [Internet]. 2021 [acesso 19 set 2023];(52):253-64. DOI: 10.1344/rbd2021.52.32048
» https://doi.org/10.1344/rbd2021.52.32048

[4] ⁴
Brasil. Ministério da Saúde. Conselho Nacional de Saúde. Resolução nº 196, de 10 de outubro de 1996. Diretrizes e normas reguladoras para pesquisas envolvendo seres humanos. Diário Oficial da União [Internet]. Brasília, 16 out 1996 [acesso 19 set 2023]. Disponível: https://bit.ly/48AtU5g
» https://bit.ly/48AtU5g

[5] ⁵
Lima DF, Lima LA, Christofoletti JF, Malacarne V. Ética y control social en la investigación científica en Brasil. Rev Colomb Bioét [Internet]. 2021 [acesso 3 ago 2023];16(1):1-13. DOI: 10.18270/rcb.v16i1.3039
» https://doi.org/10.18270/rcb.v16i1.3039

[6] ⁶
Lima DF, Lima, LA. Perspectivas da ética em pesquisa: o repensar para o futuro do sistema normatizador brasileiro. Cadernos UniFOA [Internet]. 2021 [acesso 3 ago 2023];16(45):89-95. DOI: 10.47385/cadunifoa.v16.n45.3335
» https://doi.org/10.47385/cadunifoa.v16.n45.3335

[7] ⁷
Lima DF. Dilemas éticos relacionados às pesquisas qualitativas nas ciências humanas e sociais. Revista Pesquisa Qualitativa [Internet]. 2021 [acesso 3 ago 2023];9(22):582-92. DOI: 10.33361/RPQ.2021.v.9.n.22.510
» https://doi.org/10.33361/RPQ.2021.v.9.n.22.510

[8] ⁸
Manti S, Licari A. How to obtain informed consent for research. Breathe (Sheff) [Internet]. 2018 [acesso 3 ago 2023];14(2):145-52. DOI: 10.1183/20734735.001918
» https://doi.org/10.1183/20734735.001918

[9] ⁹
Gupta UC. Informed consent in clinical research: Revisiting few concepts and areas. Perspect Clin Res [Internet]. 2013 [acesso 3 ago 2023];4(1):26-32. DOI: 10.4103/2229-3485.106373
» https://doi.org/10.4103/2229-3485.106373

[10] ¹⁰
Pietrzykowski T, Smilowska K. The reality of informed consent: empirical studies on patient comprehension-systematic review. Trials [Internet]. 2021 [acesso 3 ago 2023];22(1):57-72. DOI: 10.1186/s13063-020-04969-w
» https://doi.org/10.1186/s13063-020-04969-w

[11] ¹¹
Brasil. Constituição da República Federativa do Brasil: texto constitucional promulgado em 5 de outubro de 1988, com as alterações determinadas pelas Emendas Constitucionais de Revisão nº 1 a 6/94, pelas Emendas Constitucionais nº 1/92 a 91/2016 e pelo Decreto Legislativo nº 186/2008. Senado Federal [Internet]. 2016 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/4fkxt5av
» https://tinyurl.com/4fkxt5av

[12] ¹²
Brasil. Decreto-Lei nº 2.848, de 7 de dezembro de 1940. Código Penal. Diário Oficial da União. Rio de Janeiro, 31 dez 1940 [acesso 23 mar 2023]. Seção 1. Disponível: https://tinyurl.com/2wep92jx
» https://tinyurl.com/2wep92jx

[13] ¹³
Finland. Sosiaali- ja terveysministeriö. Laki 552/2019. Lag om sekundär användning av personuppgifter inom social- och hälsovården [Internet]. 2019 [acesso 30 jan 2023]. Disponível em: https://bit.ly/48M5RRl
» https://bit.ly/48M5RRl

[14] ¹⁴
Vallgårda S. Ethics, equality and evidence health promotion: Danish guidelines for municipalities. Scand J Public Health [Internet]. 2014 [acesso 3 ago 2023];42(4):337-43. DOI: 10.1177/1403494814525007in
» https://doi.org/10.1177/1403494814525007in

[15] ¹⁵
Faxvaag A, Johansen TS, Heimly V, Melby L, Grimsmo A. Healthcare professionals’ experiences with EHR-system access control mechanisms. Stud Health Technol Inform. 2011;169:601-5. DOI:10.3233/978-1-60750-806-9-601
» https://doi.org/10.3233/978-1-60750-806-9-601

[16] ¹⁴
Hemminki E, Virtanen JI, Regushevskaya E. Decisions by Finnish Medical Research Ethics Committees: a nationwide study of process and outcomes. J Empir Res Hum Res Ethics [Internet]. 2015 [acesso 3 ago 2023];10(4):404-13. DOI: 10.1177/1556264615599685
» https://doi.org/10.1177/1556264615599685

[17] ¹⁶
Brasil. Conselho Nacional de Saúde. Comissão Nacional de Ética em Pesquisa. Carta Circular nº 39/2011/CONEP/CNS/GB/MS [Internet]. Brasília, 2011 [acesso 27 jan 2022]. Disponível: https://tinyurl.com/bdepn38z
» https://tinyurl.com/bdepn38z

[18] ¹⁷
Brasil. Lei nº 10.406, de 10 de janeiro de 2002. Institui o Código Civil. Diário Oficial da União [Internet]. Brasília, p. 1, 11 jan 2002 [acesso 14 set 2022]. Seção 1. Disponível: https://tinyurl.com/35e8fjba
» https://tinyurl.com/35e8fjba

[19] ¹⁸
Brasil. Código de Processo Civil: Lei nº 13.105, de 16 de março de 2015 [Internet]. 14ª ed. Brasília: Senado Federal; 2021 [acesso 12 jan 2022]. Disponível: https://tinyurl.com/4sdxd6vm
» https://tinyurl.com/4sdxd6vm

[20] ¹⁹
Brasil. Código de proteção e defesa do consumidor e legislação correlata [Internet]. 5ª ed. Brasília: Senado Federal; 2012 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/5bdwjsf6
» https://tinyurl.com/5bdwjsf6

[21] ²⁰
Conselho Federal de Medicina. Código de ética médica: Resolução CFM nº 1.931, de 17 de setembro de 2009 [Internet]. Brasília: Conselho Federal de Medicina, 2010 [acesso 29 jan 2023]. Disponível: https://tinyurl.com/ycns8yy8
» https://tinyurl.com/ycns8yy8

[22] ²¹
Brasil. Medida Provisória nº 2.200-2, de 24 de agosto de 2001. Institui a Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil, transforma o Instituto Nacional de Tecnologia da Informação em autarquia, e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 65, 24 ago 2001 [acesso 3 ago 2023]. Seção 1. Disponível: https://tinyurl.com/y69wn57y
» https://tinyurl.com/y69wn57y

[23] ²²
Conselho Federal de Medicina. Parecer CFM nº 8/2005. A inclusão de cláusulas de termo de consentimento que permitam o manuseio de prontuários por pessoas ou instituições alheias à pesquisa não tem respaldo no Código de Ética Médica ou em resolução do Conselho Federal de Medicina [Internet]. Conselho Federal de Medicina: Brasília; 2005 [acesso 20 fev 2023]. Disponível: https://tinyurl.com/yz7k7mmu
» https://tinyurl.com/yz7k7mmu

[24] ²³
Conselho Federal de Medicina. Parecer CFM nº 6/2010. Liberação de prontuário médico a representante legal de paciente falecido [Internet]. Conselho Federal de Medicina: Brasília; 2010 [acesso 20 fev 2023]. Disponível: https://tinyurl.com/5fv4t7ce
» https://tinyurl.com/5fv4t7ce

[25] ²⁴
Consórcio Brasileiro de Acreditação. O CBA [Internet]. 2023 [acesso 3 ago 2023]. Disponível: https://cbacred.org.br/site/o-cba/
» https://cbacred.org.br/site/o-cba/

[26] ²⁵
Agência Nacional de Saúde Suplementar. Coletânea Legislativa da Assessoria Regulamentar. 12ª ed. Curitiba: Unimed Paraná; 2015 [acesso 3 ago 2023]. Disponível: https://tinyurl.com/3krzs5dc
» https://tinyurl.com/3krzs5dc

[27] ²⁶
Conselho Federal de Medicina. Resolução nº 1605, de 15 de setembro de 2000. Diário Oficial da União [Internet]. Brasília, p. 30, 29 set 2000 [acesso 19 set 2023]. Seção I. Disponível: https://tinyurl.com/d25fvvy4
» https://tinyurl.com/d25fvvy4

[28] ²⁷
Conselho Federal de Medicina. Resolução nº 1638, de 10 de julho de 2002. Define prontuário médico e torna obrigatória a criação da Comissão de Revisão de Prontuários nas instituições de saúde. Diário Oficial da União [Internet]. Brasília, p. 184-5, 9 ago. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/5n8amcj8
» https://tinyurl.com/5n8amcj8

[29] ²⁸
Conselho Federal de Medicina. Resolução nº 1639, de 10 de julho de 2002. Aprova as normas técnicas para o Uso de Sistemas Informatizados pra a Guarda e manuseio do prontuário médico, dispõe sobre tempo de guarda dos prontuários, estabelece critérios para certificação dos sistemas de informação e dá outras providências. Diário Oficial da União [Internet]. Brasília, p. 124-5, 12 ago 2002 [acesso 5 jan 2023]. Disponível: https://tinyurl.com/2pk6uhd2
» https://tinyurl.com/2pk6uhd2

[30] ²⁹
Conselho Federal de Medicina. Resolução nº 1642, de 7 de agosto de 2002. Empresas de assistência à saúde não podem interferir nas questões relativas à autonomia profissional dos médicos. Diário Oficial da União [Internet]. Brasília, p. 153, 9 set. 2002 [acesso 5 jan 2023]. Seção 1. Disponível: https://tinyurl.com/ynk8t3h5
» https://tinyurl.com/ynk8t3h5

[31] ³⁰
Brasil. Conselho Nacional de Saúde. Resolução nº 466, de 12 de dezembro de 2012. Diário Oficial da União [Internet]. Brasília, p. 59, 13 jun 2013 [acesso 29 fev 2023]. Seção 1. Disponível: https://tinyurl.com/5n8d2dyd
» https://tinyurl.com/5n8d2dyd

[32] ³¹
Brasil. Lei nº 13.853, de 8 de julho de 2019. Lei Geral de Proteção de Dados Pessoais (LGPD). Diário Oficial da União [Internet]. Brasília, 15 ago 2018 [acesso 14 jan 2023]. Seção 1. Disponível: https://bit.ly/3rtV9Ot
» https://bit.ly/3rtV9Ot