Health-related data are sensitive personal data. Before recording or transcribing a medical visit, the practice must understand the purpose, the roles of the processing agents, transparency with the patient, security, retention, and how the physician will review the generated content.
1. Describe the purpose in one concrete sentence
Avoid generic purposes such as improving the experience. A clearer workflow would be: capture the conversation to generate a draft clinical document that will be reviewed by the responsible physician. This statement helps determine which data is necessary, who may access it, and when it must be deleted.
If the same recording is used for another purpose, such as internal training, auditing, or model development, that activity must be analyzed separately. Repurposing sensitive data for convenience increases risk and may conflict with the expectation established with the patient.
2. Map the controller, processor, and vendors
According to ANPD guidance, the controller is the party that makes the main decisions about processing, while the processor acts on the controller's behalf. The classification depends on the context. The practice, the platform, and cloud subprocessors may have different responsibilities depending on the purpose and contract.
Request a list of the services that receive audio, transcripts, or clinical documents, the purpose of each transfer, and the country in which processing occurs. The contract must reflect the actual technical workflow, including deletion, support, incidents, and termination of the relationship.
3. Separate transparency, consent, and legal basis
The patient must know that the technology will be used, its purpose, and how to exercise their rights. The manner of communication must be appropriate for the care setting. A brief explanation before capture may be combined with a more complete privacy notice.
Determining the applicable legal basis requires an analysis of the specific case. Do not assume that checking a box resolves every aspect of health data processing. The practice must validate this decision with its data protection officer or legal counsel, considering the LGPD, the duty of confidentiality, and professional rules.
4. Minimize capture and retention
Collect only what is necessary to generate the expected document. Determine whether audio needs to be retained after transcription, how long drafts remain available, and what happens to canceled records. Indefinite retention periods make deletion, auditing, and responses to data subjects more difficult.
The policy must distinguish among audio, transcripts, approved documents, access logs, and backups. Each item may have its own purpose and lifecycle. Deletion visible in the interface must also correspond to the technical and contractual process.
5. Verify controls before using real data
Test authentication, access profiles, session termination, team invitations, and separation between practices. Confirm that front-desk staff can work without viewing clinical content that is not necessary for their role. Log who accesses, modifies, exports, and shares documents.
The ANPD highlights access controls, security of stored data, vulnerability management, and communications security as relevant measures. For clinical data, the pilot should use fictional scenarios until controls, contracts, and responsibilities are clear.
6. Plan for review, incidents, and vendor exit
The physician must review the draft before it is shared in any way. There must also be a way to correct a document, revoke a link, and record a failure. At the same time, the practice must know whom to contact if there is unauthorized access, loss, unavailability, or if a document is sent to the wrong patient.
Before entering into a contract, simulate ending the relationship: how to export documents, remove users, request deletion, and obtain confirmation. Operational portability reduces dependence and reveals gaps that normally appear only after the relationship has ended.
Frequently asked questions
Are health data sensitive personal data?
Yes. The LGPD classifies health-related data as sensitive personal data, which requires heightened attention to purpose, access, security, and data subject rights.
Is patient consent enough to use any tool?
No. Transparency and the patient's expressed choice are parts of the workflow, but the practice must also analyze the legal basis, necessity, security, contracts, and duty of confidentiality in the specific case.
Who is the controller of the data on a medical AI platform?
It depends on each party's actual decisions and purposes. The ANPD advises that roles be defined by the activities performed, not merely by contractual labels.
Sources and references
References consulted while preparing this guide. The article update date appears at the top of the page.
- ANPD GlossaryBrazilian National Data Protection Authority
- Guidance on Definitions of Data Processing Agents and the Data Protection OfficerBrazilian National Data Protection Authority
- Information Security Guidance for Small-Scale Data Processing AgentsBrazilian National Data Protection Authority
- Code of Medical Ethics, CFM Resolution No. 2,217/2018Federal Council of Medicine
This content is informational and does not replace legal assessment, guidance from the data protection officer, or the specific rules of the professional council that apply to the practice.
Update history
- Original publication