Digital health apps and telemedicine in Brazil

  Digital Health Apps/Software
    1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.
    3. If your response to Q2 is yes, please state whether it matters if the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
    4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
    6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  Telemedicine
    8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    9. What laws and/or regulations apply to physicians regarding telemedicine?
    10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
    14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?
  1. Software within digital health apps may be considered a medical device and subject to Anvisa [1] regulation RDC 751/2022, which deals with the classification and registration of medical products. In addition, Anvisa has also published Resolution RDC 657/2022, which provides for the regulation of Software as a Medical Device (SaMD);
  2. RDC 751/2022 considers “medical device” a synonym for “medical product”. Therefore, a digital health app may be viewed as a medical product;
  3. The rules of RDC 657/2022 do not apply to the following software: (i) for well-being; (ii) listed in a list made available by Anvisa of non-regulated products; (iii) used exclusively for administrative and financial management in health services; (iv) which processes demographic and epidemiological medical data, without any clinical, diagnostic, or therapeutic purpose; and (v) embedded in medical devices under the health surveillance regime.

[1] Anvisa stands for National Health Surveillance Agency (Agência Nacional de Vigilância Sanitária in Portuguese) and is responsible for creating standards and regulations and supporting all activities in the health area in Brazil. Anvisa is also responsible for executing sanitary control and inspection activities at ports, airports, and borders.

2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.

Yes, there are:

  • the General Data Protection Law 13,709/2018 (“LGPD”), which regulates the protection of personal data;
  • the Brazilian Civil Code Law 10,406/2002 (“CCB”), which provides the general rules for civil relations and, consequently, civil liability;
  • the Consumer Protection Code Law 8,078/90 (“Consumer Code”), which regulates consumer relations; and
  • Internet Law 12,965/2014, which regulates Internet use, including liability regarding app providers.

3. If your response to Q2 is yes, please state whether it matters if the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

All the above laws apply if the users are residents of Brazil, regardless of where the provider is located.

  • The Internet Law and the CCB also apply to users outside Brazil if the software is located in Brazil.
  • The LGPD also applies if the data processing takes place in Brazil, personal data is collected in Brazil, or the data processing aims to offer products or services to individuals in Brazil.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

Where the software is provided in a B2B context, the Consumer Code will generally not apply. In B2C relationships, the Consumer Code applies. Under the Consumer Code, the software provider is strictly liable for damage resulting from defects. The software provider will be safe from liability if it is proven that (i) the defective product was not put on the market; (ii) although being put on the market, the product had no defect; or (iii) the accident occurred as a consequence of the exclusive fault of the consumer. 

Also, the Consumer Code lists some specific requirements to be met when providing goods and services to consumers in Brazil (e.g. in relation to advertising, prohibition of certain clauses in contracting services). In relation to data protection, it does not matter if the use is B2B or B2C; if personal data is processed, the LGPD always applies.

4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?

Apart from what is required under the LGPD for data processing operations, no additional consent is required.

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

The Federal Medical Council (CFM) Resolution 2.314/2022 provides that the physician is professionally liable for telemedicine consultations. Other parties involved (such as digital appliance manufacturers) may be jointly liable in proportion to their contribution to the damage caused. 

Under the Consumer Code, the software or the final product/app providers are liable for defects. The software provider or the app provider will be safe from liability if it is proven that (i) the defective product was not put on the market; (ii) although being put on the market, the product had no defect; or (iii) the accident occurred because of the exclusive fault of the consumer.

6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?

Non-compliance with Anvisa regulations may be considered a health violation and may result in the initiation of an administrative process, which may result in the imposition of the following administrative penalties (without prejudice to applicable civil or criminal sanctions):

  1. warning;
  2. fine;
  3. product seizure;
  4. product destruction;
  5. product interdiction;
  6. suspension of sales and/or product manufacturing;
  7. product registration cancellation;
  8. partial or total closure of the establishment;
  9. prohibition of advertising;
  10. cancellation of the company's operating authorisation;
  11. cancellation of establishment licensing permit;
  12. intervention in the establishment that receives public resources from any sphere;
  13. imposition of rectifying message;
  14. suspension of advertising and publicity.

The penalties above may be applied alternatively or cumulatively.

In relation to data protection, the LGPD provides that data processors are jointly liable for any damage caused when they breach the LGPD or act contrary to the controller’s instructions. Failure to comply with data protection obligations may result in administrative penalties of:

  1. warning and a requirement to take corrective measures;
  2. fine of up to two per cent (2%) of the revenues of the group in Brazil, limited to fifty (50) million Brazilian Reais per infraction;
  3. daily fine, subject to a total limit of fifty (50) million Brazilian Reais;
  4. publication of the occurrence of the data breach;
  5. blocking or deletion of the affected personal data;
  6. partial suspension of the affected database for up to six (6) months, extendable for a further six (6) months, until the data controller has corrected its processing;
  7. suspension of relevant data processing activities for up to six (6) months, extendable for a further six (6) months; and/or
  8. total or partial prohibition on the exercise of data processing activities. 

Non-compliance with the Internet Law may incur the following administrative penalties:

  1. warning and a requirement to take corrective measures;
  2. fine of up to ten per cent (10%) of the revenues of the group in Brazil, considering the economic conditions of the offender and the principle of proportionality between the severity of the fault and the level of the penalty;
  3. temporary suspension of activities; or
  4. prohibition on the exercise of activities.

If a foreign company infringes the law, its local branch or representative office in Brazil will be liable for paying a fine. 

Non-compliance with the Consumer Code may incur the following penalties:

  1. fine;
  2. product seizure;
  3. destruction of the product;
  4. cancellation of the product registration with the competent authorities;
  5. prohibition of product manufacture;
  6. suspension of products or services supply;
  7. temporary suspension of activities;
  8. revocation of concession or permission to use;
  9. cancellation of the permit for the establishment or activity;
  10. total or partial closure of the establishment, work, or activity;
  11. administrative intervention;
  12. counter-advertisement.

If a foreign company infringes the law, its branch or representative office in Brazil will be liable for paying a fine. If the company does not have a branch or legal representative in Brazil, public authorities or plaintiffs may seek liability through international cooperation mechanisms (if any) or even through a "Letter of Request" or "Letter of Rogatory". 

Apart from administrative penalties, infringing companies may face individual claims for damages under the CCB.

7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?

Current digital health regulations are quite recent (the Anvisa and CFM regulations were issued in 2022). We are not aware of any currently pending legal developments in this area.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

The CFM [2] is the autonomous government agency legally entitled to regulate physicians in Brazil.

[2] CFM stands for Federal Medical Council (Conselho Federal de Medicina in Portuguese).

Each Brazilian state has a regional council of the CFM, which grants licences to physicians to practice medicine and deals with other state-level regulations.

9. What laws and/or regulations apply to physicians regarding telemedicine?

Resolution No. 2.314/2022 of the CFM defines telemedicine as “the practice of medicine mediated by Digital, Information and Communication Technologies (TDICs), for health assistance, education, research, prevention of diseases and injuries, health management and promotion”, which can be performed in real-time (synchronous) or offline (asynchronous). As per Resolution No. 2.314/2022, “telemedicine” may be practised through the following modalities of remote medical care:

  1. Teleconsultation - non-face-to-face (remote) medical consultation, mediated by TDICs, with the physician and patient located in different spaces; 
  2. Teleinterconsultation - exchange of information and opinions between physicians, with the aid of TDICs, with or without the presence of the patient, for diagnostic or therapeutic, clinical or surgical assistance; 
  3. Telediagnosis - medical diagnosis at a geographic and/or temporal distance, with the transmission of graphics, images and data for the issuance of a report or opinion by a physician with a specialist qualification record (RQE) in the area related to the procedure, in response to a request from the attending physician; 
  4. Telesurgery - performance of a surgical procedure at a distance, using robotic equipment and mediated by secure interactive technologies. Robotic telesurgery, however, has a specific regulation issued by CFM; 
  5. Telemonitoring or telesurveillance - act carried out under the coordination, indication, guidance and supervision of a physician for remote monitoring or surveillance of health and/or disease parameters through clinical evaluation and/or direct acquisition of images, signals and data from equipment and/or devices attached to or implanted in patients at home, in specialised medical clinics for chemical dependency, in long-term care institutions for the elderly, in clinical or home internment, or during patient transport until arrival at the health establishment;
  6. Teletriage – an act performed by a physician, with the remote evaluation of the patient's symptoms, for outpatient or hospital regulation, with definition and direction of the patient to the appropriate type of assistance they need or to a specialist; 
  7. Teleconsultancy - consultancy mediated by TDICs between physicians, managers, and other professionals, to provide clarifications on administrative procedures and health actions.

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

Physicians have the autonomy to decide whether to use or refuse telemedicine and may indicate in-person care whenever they deem it necessary, guided by the benefit and non-maleficence of the patient, in accordance with ethical and legal principles and their direct responsibility for medical acts. For chronic illnesses or illnesses that require long-term follow-up, a face-to-face consultation must be held with the patient's attending physician at intervals of no more than 180 days.

10.1 What are the requirements?

Resolution No. 2.314/2022 sets out the requirements for telemedicine to treat patients, namely:

  1. Services provided through telemedicine must have the appropriate technological infrastructure and obey the CFM’s rules regarding the storage, handling, integrity, accuracy, confidentiality, privacy, irrefutability, and professional secrecy of information.
  2. Records must be kept in a physical medical record or in the information systems of the patient’s Electronic Health Record System (SRES), meeting standards of representation, terminology, and interoperability.
  3. The SRES used must allow for the capture, storage, presentation, transmission, and printing of digital and identified health information and fully comply with Level of Security Assurance 2 (NGS2) in the Brazilian Public Key Infrastructure (ICP-Brasil) standard or another legally accepted standard.
  4. Anamnesis and diagnostic data, results of complementary exams, and medical conduct adopted related to telemedicine care must be preserved under the custody of the physician responsible for the care in their own office, or of the director/technical manager, in the case of involvement of a company and/or institution.
  5. In the case of hiring third-party archiving services, responsibility for the custody of patient data and care must be contractually shared between the physician and the contracted company.
  6. The SRES must enable interoperability/exchange using flexible protocols by which two or more systems can communicate effectively and guarantee confidentiality, privacy, and data integrity.
  7. When using institutional platforms, if necessary, the attending physician must be guaranteed access to patient data throughout the legal period of their preservation. 
  8. The patient or their legal representative must authorise telemedicine care and the transmission of their images and data through an informed and free consent form sent electronically or by reading and agreeing to the text, which must be part of the patient's SRES. Explicit consent must be reinforced in every telemedicine care, assuring patients and legal representatives that their personal information may be shared and their right to deny permission for it, except in emergency medical situations.
  9. Entities providing telemedicine services, communication platforms, and data storage must have their headquarters established in Brazilian territory and be registered with the Regional Council of Medicine of the state where they are based, with the respective technical responsibility of a doctor regularly registered with the same Council. If the provider is an individual, they must be a physician duly registered in their Regional Council of Medicine and inform the entity of their option to use telemedicine.

10.2 Were there any new (time-limited) regulations regarding the Sars-CoV-2 pandemic?

Prior to the Sars-CoV-2 pandemic, telemedicine was limited to the exchange of information and opinions between physicians for the purpose of health assistance, education and research (similar to what is currently defined as “teleinterconsultation”).

With the outbreak of the Sars-CoV-2 pandemic, a bill was passed to authorise telemedicine as a physician–patient relationship, exceptionally during the pandemic. With the official termination of the public health emergency in Brazil, telemedicine would have returned to its original scope. The CFM, however, issued Resolution No. 2.314/2022, which is currently in force.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

Apart from specific standards arising from the means of the consultation (e.g., infrastructure and data protection concerns), physicians must follow the same standards of care whether they provide an in-person or a remote consultation.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

In relation to data protection, physicians should provide a privacy notice to their patients to inform them of data processing operations and request their consent where applicable.

The patient or their legal representative must authorise telemedicine care and the transmission of their images and data through an informed and free consent form, sent electronically or by reading and agreeing to the text, which must be part of the patient’s SRES.

Explicit consent must be ensured in every telemedicine care, assuring the patient and legal representative that their personal information may be shared and their right to deny permission for it, except in emergency medical situations.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

Resolution 2.314/2022 provides that the physician is professionally liable for telemedicine consultations. Other parties involved may be held liable in proportion to their contribution to the damage caused. The use of telemedicine does not legally affect this liability per se but may increase risks if it makes diagnoses less reliable, for example.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

Resolution 2.314/2022 does not restrict types of medicines that can be prescribed through telemedicine but provides that the prescription must contain:

  1. Identification of the physician, including name, Regional Council registry number, and professional address;
  2. Patient identification, address and location of the consultation; 
  3. Date and time; 
  4. Signature with the physician’s digital certification following the Brazilian Public Key Infrastructure (ICP-Brasil) standard or other legally accepted standards; 
  5. Information that the prescription was issued through telemedicine modality.

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

There are no specific rules regarding reimbursement of telemedicine services.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

There are no specific data protection regulations for telemedicine. The LGPD applies.

15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Current regulation on telemedicine is recent (issued in 2022). We are not aware of any pending legal developments in this area at this time.

Danilo Weiller Roque
Civil and Data Protection | FAS Advogados in cooperation with CMS

Laura Beatriz de Souza Morganti
Consumer Relations - Product Liability and Safety | FAS Advogados in cooperation with CMS