Privacy and Data Protection

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

Yes, there are several relevant laws and standards that will apply to the provision of telehealth in Mexico:

  • Mexican Law for the Protection of Personal Data in Possession of Private Parties (together with its regulations and guidelines, the "Data Privacy Laws") ensures the correct processing of personal information held by third parties, especially in digital environments, promotes good practices and strengthens personal data protection controls outside the government sphere.
  • Mexican Law for the Protection of Personal Data in Possession of Obligated Parties establishes the basis, principles and procedures for individuals’ right to the protection of their personal data which is in the possession of Obligated Parties (being any authority, entity, organ and body of the Executive, Legislative and Judicial branches, autonomous bodies, political parties, trusts and public funds).
  • NOM-024-SSA3-2012 regulates the exchange of health information and electronic health record information systems (SIRES), and establishes the mechanisms for health service providers to register, exchange and consolidate information.
  • NOM-035-SSA3-2012 establishes criteria and procedures that must be followed to produce, capture, integrate, process, systematise, evaluate and disclose health information.
  • NOM-004-SSA3-2012 concerns clinical files, and establishes the mandatory scientific, ethical, technological and administrative criteria applicable to the preparation, integration, use, management, filing, conservation, ownership and confidentiality of the clinical record.

Last modified 17 May 2021

Mexico


Is the use of telehealth permitted?

Yes, telehealth is permitted in Mexico, though it is not expressly provided for under relevant local laws.


How is telehealth regulated?

There are no specific laws that relate to, and / or regulate, telehealth.

After an initial project that ran from December 2015 until 27 April 2018 (the Mexican Official Standard "PROY-NOM-036-SSA3-2015 for the regulation of distance medical attention" ("NOM Project"), which established regulation of procedures for healthcare personnel conducting remote healthcare services), the Mexican Government has taken the approach that telehealth is an activity integrated in health services and that, therefore, the laws and regulations applicable to general healthcare services (such as the General Health Law and the Regulations of the General Health Law in Matters of the Provision of Health Care Services) apply to telehealth too.


Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

Telehealth is currently available for any type of healthcare services as long as it complies with the regulatory framework applicable for healthcare services generally and, if necessary, with the regulatory framework applicable to each specific sector and / or activity within the field of healthcare.

Mexican laws do not establish any requirement or give any indication regarding the platforms that must be used when providing telehealth services. However, NOM-024-SSA3-2012 (discussed below) regulates the exchange of information between electronic health record information systems ("SIRES"). A SIRES is an information system that allows the capture, management and exchange of structured and integrated information from the patient’s clinical record, as well as geographic, social, financial, infrastructure and any other information that documents medical care. SIRES must obtain a certification under NOM-024-SSA3-2012.


Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

Yes, the Mexican Social Security Institute ("IMSS") and the Institute for Social Security and Services for State Workers ("ISSSTE") provide telehealth services.

However, those services are limited to patients from difficult-to-access parts of the Mexican Republic who require medical attention in a certain medical specialty. Such services are part of the social security of Mexican workers.



How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Under Article 36 of the Data Privacy Law, as a general rule, transfers of personal data to national or foreign third parties require the holder (i.e. transferor) to issue to the third party a privacy notice and details of the purposes for which that information can be used. The processing of the data must be done as agreed in the privacy notice (which will contain a clause indicating whether or not the owner consents to the transfer of the data). Additionally, the third-party recipient will assume the same obligations that correspond to the responsible party that transferred the data.

However, there are some relevant and important exceptions to the general rule that telehealth providers should be aware of. In particular, Article 37 of the Data Privacy Law establishes that national or international transfers of data may be carried out without the consent of the holder when the transfer is necessary for prevention or medical diagnosis, the provision of healthcare, medical treatment or the management of health services. The recipient of the personal data must always assume the same obligations that correspond to the party that transferred the personal data. The party responsible for transferring the personal data may use contractual clauses or other legal instruments to provide for at least the same obligations to which the person responsible for the transfer of the personal data is subject, as well as the conditions under which the holder consented to the processing of the personal data.


Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

Not that we are aware of. But, despite the fact that telehealth is not specifically regulated in Mexico, given the Data Privacy Law, those responsible for the processing of personal data must observe the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality and responsibility and personal data must be collected and processed in a lawful manner. Likewise, the Regulations of the General Health Law regarding the Provision of Medical Care Services, NOM-004-SSA3-2012 (concerning the clinical files), and NOM-035-SSA3-2012 (regarding health information), describe how the information contained in the clinical record is handled under the principles of discretion and confidentiality, principles that must also be followed in telehealth.


Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

Given the current regulatory landscape in Mexico, there are no specific laws, regulations, and / or regulatory instruments expected to be adopted soon. This view is supported by the 2018 cancellation of the NOM Project mentioned in Availability of Telehealth.
