CFM 2.454/2026: The New Legal Framework for AI in Healthcare and its Practical Impacts
CFM Resolution No. 2.454/2026 establishes a watershed moment in Brazilian medicine by regulating the use of Artificial Intelligence in the sector. Doctors, clinics, and hospitals have until August 2026 to adapt their technological structures and governance processes to this new framework, which aims to ensure patient safety and the ethical responsibility of professionals in the face of the advancement of digital tools.
The Context of CFM Resolution 2.454/2026
The rapid integration of Artificial Intelligence (AI) systems into clinical practice has brought undeniable benefits but also dangerous regulatory gaps. CFM Resolution 2.454/2026 does not arise in isolation; it is the operational arm of broader legislation, such as the General Data Protection Law (LGPD) and the Legal Framework for AI in Brazil. The objective is to transform generic ethical principles into practical and auditable obligations.
Before this regulation, there was a gray area about who would be responsible for a diagnostic error suggested by an algorithm. Now, the Federal Council of Medicine makes it clear that technology should serve as support, and never as a substitute for human judgment. For healthcare managers, the rule requires a transition from passive technological adoption to active digital governance.
The Four Pillars of Compliance in AI in Healthcare
The new regulation is structured around four fundamental axes that should guide the actions of any healthcare service provider:
1. Medical Supervision and Human Decision
This is the central pillar. The resolution strictly prohibits the delegation of critical clinical decisions exclusively to automated systems. The concept of “human-in-the-loop” becomes mandatory. This means that every report, triage, or treatment plan generated by AI must be validated by a duly registered physician, who assumes ethical and legal responsibility for the adopted conduct.
2. Transparency and Right to Information
The patient has the right to know when their health is being monitored or evaluated by AI tools. Transparency must be documented in an understandable manner. It is not enough to inform that the system was used; it is necessary to explain clearly the role of technology in the process, respecting the Medical Code of Ethics and the rights of the data subject provided for in the LGPD.
3. Governance and Traceability of Systems
Hospitals and clinics must maintain a rigorous inventory of all AI software in use. This includes everything from complex radiology tools to customer service chatbots that use natural language. The institution must be able to prove:
- The origin and quality of the data that feeds the system;
- Who is the technical manager responsible for monitoring the tool;
- What are the specific purposes of each algorithm.
4. Risk and Incident Management
Algorithm failures, diagnostic errors due to data bias, or leaks of sensitive information must have immediate response protocols. Risk management needs to be preventive, with periodic audits to identify whether the AI is exhibiting unexpected or discriminatory behaviors.
Shared Responsibility between Doctors and Institutions
A crucial point of Resolution 2.454/2026 is the expansion of the responsibility spectrum. It does not only affect the doctor who signs the medical record. Responsibility is now shared with technical directors, technology managers, and hospital administrators.
“The absence of an internal AI governance policy can be interpreted as institutional negligence, subjecting the entity to sanctions not only from the CFM but also from the ANPD and consumer protection agencies.”
This implies that contracts with technology providers (IT Vendors) must be reviewed immediately. Liability clauses, service levels (SLA), and transparency about how the algorithm works (the so-called ‘explainability’) become items of legal survival for healthcare providers.
Step by Step for Implementation by August 2026
The deadline for adaptation is short given the complexity of the task. An immediate action schedule is recommended:
- Inventory Mapping (Gap Analysis): Identify which systems already have AI components, often hidden in legacy management software modules.
- Data Audit: Verify that the data processing performed by the AI is in full compliance with the LGPD, ensuring the proper treatment of sensitive data.
- Development of the AI Governance Policy: Create an internal regulatory document that defines the limits of technology use in the institution.
- Training of the Clinical Staff: Educate physicians about the ethical and legal implications of validating decisions suggested by machines.
Conclusion
The arrival of CFM Resolution 2.454/2026 represents the end of the era of unregulated experimentation of AI in Brazilian healthcare. More than a bureaucratic obstacle, this standard should be seen as an opportunity for healthcare institutions to raise their standard of quality and legal certainty.
August 2026 will be the milestone where non-compliance becomes an unsustainable liability. Investing in specialized legal advice and robust digital governance processes is no longer optional; it is the fundamental requirement for the practice of modern and ethical medicine.