Compliance in companies, in any area, has been highlighted in recent years. Its implementation has been the subject of discussions across countries. In Brazil, new laws require companies to adapt to the rules. An example is the new bidding law nº 14,133/21 that requires the company to have a ‘fraud program’ to prevent illicit acts such as fraud or bribery.
Compliance is the company’s adequacy to the rules and to the regulatory bodies. Under the LGPD (Brazilian General Law for the Protection of Personal Data), companies must demonstrate adequacy to the regulations of the ANPD (National Authority for Data Protection). Another government body also plays a role in this matter: PROCON, which means ‘Consumer Protection and Defense Program’. Invoking general consumer protection, this supervisory body can fine the company to enforce compliance with the regulations.
The alignment of the companies’ internal regulations and procedures with the laws and regulations of the country or countries in which they operate must cover the accounting, competitive, labour, financial, operational, and environmental areas.
When we bring this issue to the health area, that is, to a hospital or to a single health professional in their office (e.g. a practitioner), the law carries more weight than it does for most companies, because they work with data covered by professional secrecy (a field of ethical responsibility).
In the health area, sensitive data carries a greater probability of “damage” and, consequently, implies heavier fines and far more work to resolve the problem.
Leaked sensitive data can cause discrimination against its holder, for example a congenital disability recorded in the client’s file or an unwanted disclosure of gender. Waiting for a leak to happen before preparing a defence, whether administrative or judicial, is an incoherent and illegal practice.
The doctor or healthcare professional must adhere to a data protection plan that shows their patients that they care about their health and about the entire process involved in their service, including a holistic view of protecting patient information.
It is necessary to show your patient that their data will be handled correctly. This means an impact report is ready to be used if an incident happens, with all the measures necessary to mitigate the problem.
The pricing of the service is assessed on a case-by-case basis, considering the number of processes involved in data processing, from collection to deletion.
The adequacy should cover the collection, modification, registration and archiving of data relating to the service provision contract and the medical record, including photos, exam results, questionnaires, interviews and filming (with express consent), among other data that may be produced within the clinic or even outside it.
The adequacy process produces a security policy under which the health professional receives training and awareness of how data should be treated, with a basic understanding of what the new general data protection law requires from the company or from the responsible health professional. This security policy will also set out how data processing procedures should work from that point onwards, including training for employees and clinic collaborators.
Fines for data leaks in the health area tend to exceed the average because of the intimate nature of the data processed. Seeking a specialised training service is the right decision, and its benefit is clear when compared with the possible losses from a data breach incident.