Brazilian medical council establishes regulatory framework for use of AI in medicine
New resolution defines ethical criteria and guidelines for use of artificial intelligence systems in medical practice
On February 27, 2026, Brazil’s Federal Council of Medicine (CFM) published CFM Resolution No. 2,454/2026, establishing a new regulatory framework governing the use of artificial intelligence (AI) in medicine. Set to take effect in August 2026, the resolution introduces important obligations for both doctors and health institutions.
Significant aspects of CFM Resolution No. 2,454/2026 are outlined below.
Doctors’ rights
The resolution regulates doctors’ rights when using AI systems in medicine and upholds their prerogative to make their own medical decisions.
The following aspects warrant particular mention:
- Use of AI systems: doctors are guaranteed the right to use AI tools to support medical practice, clinical decision-making, health management, scientific research, and ongoing medical study, always in compliance with the ethical and legal limits of the profession;
- Right of refusal: doctors may refuse to use AI systems that lack adequate scientific validation, relevant regulatory certification or that contravene ethical, technical or legal principles; and
- Liability: doctors must not be held responsible for failures attributed exclusively to AI systems, provided the use of these tools is proven to be diligent, critical, and ethical.
Doctors’ duties
Doctors must uphold the following duties (among others) when using AI in medicine:
- Autonomy: AI should be used exclusively as a support tool. Doctors ultimately remain responsible for their clinical, diagnostic, therapeutic and prognostic decisions;
- Critical judgment: Doctors must critically evaluate AI-provided information and recommendations, and stay up to date regarding the system’s capabilities, limitations, risks, and biases;
- Compliance: AI systems can only be used if they comply with ethical, technical, legal and regulatory standards in force in Brazil;
- Medical records: When using AI to support medical decisions, doctors must include this in the patient’s medical record;
- Data privacy: Doctors must ensure the health data processed by AI systems they use remains secure, integral, and confidential. The use of systems that do not ensure minimum security standards compatible with sensitive personal data in Brazil is prohibited; and
- Incident reporting: Any failures, relevant risks or the inappropriate use of AI systems must be reported to the competent authorities.
Healthcare institutions
Some of the obligations for healthcare institutions include:
- Governance: The institution’s technical officer will be responsible for oversight, and for safety, ethics and transparency-related guidelines concerning the use of AI;
- Auditing: Medical institutions must implement specialized auditing and monitoring mechanisms. Medical institutions or doctors that develop or contract AI models, systems, and/or applications must establish internal governance processes capable of ensuring safety, quality, and ethics, including the measures contained in Annex III of CFM Resolution No. 2,454/2026;
- Preliminary assessments: Public or private medical institutions that develop or use AI models, systems, and applications must carry out preliminary assessments in order to determine the degree of risk involved;
- AI-Telemedicine committees: Health institutions that implement their own AI systems must create an AI and Telemedicine Committee subordinate to and coordinated by the institution’s technical board. Such committees must ensure compliance with the rules established by CFM Resolution No. 2,454/2026, as well as the ethical use of the system by its users; and
- Access to information: Legitimately interested bodies – such as the Medical Council, the National Research Ethics Commission, the Public Prosecutor’s Office, and other oversight bodies and entities that defend patients’ rights – must be granted adequate access to audit, monitoring, and AI system configuration reports.
Doctor-patient relationships
Doctors must ensure they do not compromise the doctor-patient relationship when using AI tools, and fully respect relevant aspects established in Brazil’s Medical Ethics Code (Código de Ética Médica). Patients have the right to be informed when AI models, systems, and applications are used as relevant support in their care, diagnosis, or treatment.
Regarding ethical responsibility, medical specialists remain fully responsible for the medical acts they perform using AI models, systems, and applications.
Data protection
Data used to develop, train, validate and implement AI solutions in medicine must be processed in strict compliance with the Brazilian General Data Protection Law (LGPD), as well as specific health information security regulations. The data, models, AI systems and applications, and computational environments involved in the development and implementation process in medicine must be effectively protected against the risk of accidental or intentional data destruction, loss, alteration, unauthorized access or leaks.
Doctors have the duty to ensure that their patients’ personal data (especially sensitive data) is shared with AI models, systems, and applications in a manner consistent with the information provided to the data holders (or their legal or customary representatives). Such sharing must occur only when strictly necessary and must comply with the appropriate legal bases set out in the LGPD.
In addition, the use of personal data to train, validate or improve AI models, systems, and applications must comply with ethical, scientific, and general personal data protection principles.
Risk classification and categorization
AI models, systems, and applications in medicine will be categorized by risk (low, medium, high, or unacceptable) and must inform users of their risk level. The CFM has established definitions for the four categories:
- Low-risk solutions: AI use with minimal or non-existent potential to cause negative consequences to the health, fundamental rights or safety of patients and professionals. In this case, the AI does not exert direct decision-making influence on individual diagnoses or treatments. Solutions classified as low risk must be monitored and reviewed periodically.
- Medium-risk solutions: AI applications with potentially adverse impacts that can be mitigated via active human oversight and safety controls. In this case, the doctor’s intervention and control mechanisms are capable of preventing harm, even when the AI malfunctions.
Medium-risk solutions are subject to proportionate control procedures. They will require regular (although not necessarily continuous) monitoring and performance assessments at appropriate intervals, and must be reassessed if there is evidence of a relevant increase or reduction in risk.
- High-risk solutions: AI applications in health with high potential to cause individuals physical, psychological, or moral harm or generate relevant impacts on public health when used inappropriately or without control. This category includes systems that directly influence critical medical decisions or perform automated actions with significant clinical consequences, especially in scenarios where the patient is vulnerable or their life is threatened.
High-risk solutions require rigorous validation processes, regular audits, and ongoing monitoring. Regional Medicine Councils (Conselho Regional de Medicina) will be responsible for oversight and enforcing compliance with CFM Resolution No. 2,454/2026 within their respective jurisdictions.
It is important to note that the CFM’s resolution incorporates concepts and guidelines that are still under debate within the scope of a bill seeking to regulate AI in Brazil. In this context, it will be important to monitor relevant legislative developments to confirm whether the concepts and obligations already established by the CFM are consistent with those provided for in the law arising from the bill, or whether any inconsistencies or the need for interpretative adjustments may arise once the law has been passed.
CFM Resolution No. 2,454/2026 and the bill on the AI Legal Framework
CFM Resolution No. 2,454/2026 has been published in parallel with congressional debates on a federal regulatory framework for AI in Brazil. The main bill being reviewed is Bill No. 2,338/2023, which would establish a formal legal framework for AI in Brazil. The bill was approved by Brazil’s Senate in December 2024 and sent to the House of Representatives in March 2025, where it is still under review.
At the same time, the House is reviewing Bill No. 2,688/2025, which also proposes a regulatory framework governing AI system development and use.
Should either of these bills be signed into law, Brazil will have a federal law regulating AI whose provisions will outrank those in infra-legal regulations, including the resolutions of professional councils such as the CFM. As such, any provisions in CFM Resolution No. 2,454/2026 that may conflict with or contradict federal legislation will be considered illegal and will be subject to review and amendment to ensure they fully comply with the new regulatory framework.
Although the CFM’s resolution has anticipated subjects contemplated in these bills – such as AI system risk classification criteria, human oversight requirements, and governance and data protection requirements – monitoring developments in the federal regulatory framework will be crucial. The potential federal framework proposes establishing general, binding, and uniform parameters regarding the use and development of AI technologies throughout Brazil.
For more information on this topic, please contact Mattos Filho’s Life Sciences & Healthcare and Technology practice areas.
*With the collaboration of Luana Lafayette de Noronha.