HIPAA Who?

Few legal abbreviations are as well known in the United States as HIPAA - the Health Insurance Portability and Accountability Act. It’s best known as the federal law that prevents healthcare providers from disclosing a patient’s protected health information without consent. Go to the doctor and you’ll be asked to sign all sorts of forms related to HIPAA.

In Brazil, there’s no HIPAA. And until recently, there wasn’t even a comprehensive law that governed data privacy let alone the protection of medical information. That all changed though with the LGPD - Lei Geral de Proteção de Dados (or General Data Protection Law). We’ve written about the LGPD before, noting that it resembles the European Union’s GDPR.

But the LGPD isn’t healthcare specific. Instead, confidentiality related to medical information is generally intertwined in a mishmash of policies, guidelines, and ethical codes, such as the Code of Medical Ethics, Good Pharmacy Practices, and the Charter of Rights of Health Users.

The lack of a specific law like HIPAA has resulted in a somewhat nonchalant attitude towards patient privacy in Brazil. Check in forms, including patient lists, are frequently visible to others while medical consultations themselves are often in such close proximity to others that they can easily be overheard.

In theory, a patient’s medical information should be treated as confidential in Brazil just as it is in the US. Yet without stronger legal safeguards, including enforcement mechanisms and penalties for improper disclosures, you shouldn’t expect much in terms of protection. Regrettably, there’s still a long way to go.