Bill No. 5,875/2013: Health data interoperability advances with a public hearing

The Health Committee (CSAUDE) of Brazil’s House of Representatives discussed Bill No. 5,875/2013 at a public hearing held in May. The proposal under discussion aims to establish a more comprehensive legal framework for health data interoperability in Brazil.

If approved, Bill No. 5,875/2013 could directly impact service providers, healthcare operators, healthtechs, and other industry players in Brazil. They would need to adjust their internal systems and processes to the technical standards and interoperability requirements that would eventually be established.

In this context, the public hearing received contributions from industry stakeholders, who suggested adjustments to the proposal, particularly regarding interoperability governance, information security, and the allocation of responsibilities.

Topics discussed at the public hearing

Submitted on May 12, the latest version of the bill (PRL No. 8) proposes a more comprehensive framework for the health data ecosystem, covering the National Health Data Network (RNDS), interoperability within the Brazilian Unified Health System (SUS), the National Registry of Individuals for Health (CadSUS), and the SUS Digital Platforms.

The public hearing held on May 26 highlighted the proposal’s transition from a focus on the physical SUS card to a national health data infrastructure that integrates public and private services, governed by rules on access, security, privacy, and personal data protection.

Key points discussed at the public hearing include:

• RNDS governance: The network is currently coordinated by the Executive Branch, but the private sector proposes a multisectoral and collegiate-based model.
• Data processors’ roles within the RNDS ecosystem: This includes the responsibilities of the Ministry of Health, local managers, providers, operators, healthtechs, and other private entities that feed, access, or process data within the interoperable environment. Defining the roles of controller, joint controller, or processor will be essential for allocating responsibilities for incidents, responding to data subjects, fulfilling transparency obligations, and implementing security measures.
• Cybersecurity and protection of sensitive health data: Compliance with the Brazilian General Data Protection Law (LGPD) and guidelines set by the Brazilian Data Protection Agency (ANPD), especially as it involves large-scale processing and the sharing of sensitive personal health data between public and private entities.

Current landscape

A new public hearing may be held, as important stakeholders failed to attend the previous debate, including the National Council of Health Secretaries (Conass), the National Council of Municipal Health Departments (Conasems), and representatives from civil society and philanthropic hospitals (“santas casas”).

In addition to the adjustments pointed out in the hearing, reporting congresswoman Adriana Ventura has stated that she will accept contributions submitted to her office, and a new, revised text is expected to be filed shortly. In any case, the proposal must still be reviewed by the Finance and Taxation Committee (CFT) and the Constitution and Justice Committee (CCJ), after which it will be fast-tracked by the House. If the text is approved with substantial changes, it must be sent back to the Federal Senate for review.

Innovations in Bill No. 5,875/2013

• Interoperability between public and private healthcare systems, encompassing service providers, operators, managers, and other stakeholders who use healthcare information systems, with a legally mandated requirement for structured data sharing in accordance with technical standards to be defined by the Ministry of Health.
• Multisectoral governance of interoperability, coordinated by the Executive Branch, but with the participation of the private sector, academia, and civil society. The text provides for forums and mechanisms for social participation, suggesting a collaborative process to define technical standards, information security and personal data protection rules, and parameters for the technological development of the RNDS.
• Technology sandboxes, which allow for the supervised and temporary testing of technologies such as AI, personalized medicine, digital devices, and innovative health data management models. Sandboxes must incorporate privacy-by-design safeguards in line with ANPD initiatives for supervised technology testing and the responsible development of applications that process personal data.
• Safeguards for personal data protection, in line with the LGPD and ANPD guidelines, especially concerning the large-scale processing of sensitive personal health data. Bill 5.875/2013 addresses the processing of sensitive personal data, guarantees mechanisms for traceability and access auditing, ensures access to the data subject’s information-sharing history, and provides tools for correcting, supplementing, or contesting inaccurate data.
• Prohibition against trading RNDS data, which bars selling or charging for mere access to the information. Payment for services related to data processing and handling is authorized, provided it does not constitute the sale of

Given the potential operational and regulatory impact of these innovations, industry stakeholders should closely monitor the progress of Bill No. 5,875/2013.

Demarest’s Life Sciences & Healthcare and Privacy, Technology and Cybersecurity teams remain available to provide any further clarifications that may be necessary.