From a general perspective, digital solutions for health and health-related matters are a reality and are frequently used. The benefits of digital solutions for patients, healthcare professionals and authorities are evident, but still, there is room for improving regulation. In Mexico, there are no specific regulations in place for these digital solutions, other than general regulations applicable to certain aspects of such technologies (such as data protection, sanitary regulation, IP and cybersecurity, among others).

From a healthcare provider’s perspective, using digital solutions represents the opportunity to improve the quality of medical care and optimise patient management. These technologies enable providers to access real-time clinical information, perform remote consultations, make more accurate diagnoses and provide personalised treatments. Implementing these digital solutions will increase providers’ operational efficiency, reduce costs and improve communication between different healthcare professionals.

From a patient’s perspective, the use of digital solutions allows the patient to access their medical information anytime and anywhere, to receive remote medical assistance and digital drug prescriptions, among other benefits. On the other hand, the use of mobile apps, wearable devices and online platforms helps patients to monitor (in real time) their health condition.

From a regulatory perspective, the sanitary authority oversees regulating and supervising healthcare products and services in Mexico. As these technologies evolve, regulators must ensure that regulation promotes safety, quality, confidentiality and efficacy of health data collected through digital technologies.

Technology platforms that collect and store data play an essential role in generating clinical evidence and improving patient care; unfortunately, there is no regulation for these platforms despite the privacy regulation applicable to personal data. These technologies enable efficient data collection and subsequent analysis in the context of medical interventions, such as surgeries. The interaction between technology platforms and clinical evidence contributes to more informed, evidence-based care, resulting in improvements in health.

According to the National Centre for Health Technology Excellence (CENETEC), which is as a deconcentrated organism of the Ministry of Health, digital health, which is a broader concept, is defined as the rendering of health services using information and communication technologies, when physical interaction is not necessary, with the purpose of continuing patient care, in this case, is not only related to medical services but rather to health-related services. Digital medicine is the rendering of health services, where healthcare professionals and patients are located in different places, using information and communication technologies to exchange information for the diagnosis, treatment and prevention of diseases and injuries, as well as for medical continuing education.

Besides these definitions and some guidelines issued by Cenetec (which are not compulsory), there are few references in the General Health Law and its regulations with respect to digital health, digital medicine, electronic prescriptions, digital medical files and information and communication technologies. That being said, there is no list of matters covered by digital health or digital medicine; the analysis is done based on the general regulation applicable to health services and medical devices.

The development of digital health technology (both digital healthcare and digital medicine) in Mexico is now driven by various stakeholders including start-ups (predominantly comprised of technology firms), healthcare providers (such as hospitals and academic institutions), as well as investors.

Key technologies in digital healthcare are based on mobile applications (apps), wearables and other devices. The development of technologies for digitalising healthcare in Mexico has been gaining momentum as a result of the COVID-19 pandemic, where digital healthcare has been used for optimising health of patients, by being able to monitor certain health indicators and anticipate potential health issues. On the other hand, digital medicine has been driven by telemedicine, artificial intelligence (mainly in the diagnosis field), electronic health records and digital prescriptions, and other developments that improve medical care from a healthcare professional standpoint.

The most relevant legal issue in digital health is the lack of regulations. As at the time of writing in 2023, specific legislation governing digital health or digital medicine in Mexico is scarce and dispersed in different pieces of legislation.

Additionally, there is a gap between regulation and practice. For instance, digital prescription is allowed by the Health Input Regulations; however, its implementation has faced some barriers, since the regulation applicable to the supply of medicines by pharmacies obligates patients to provide the pharmacies with a physical prescription (complying with certain elements, including the signature of the doctor). Therefore, it is necessary to update the whole legal framework for digital prescriptions to become a reality (for example, allowing the use of electronic signature in such prescriptions).

COVID-19 accelerated enormously the use of digital health and digital medicine; such technologies allowed healthcare professionals to remain connected with their patients and provide essential treatments and diagnoses in challenging situations (without compromising the health of such physicians).

There are several examples of digital health initiatives across the country, that were implemented to face the COVID-19 pandemic, such as:

• a high-performance broadband satellite network that connects hospitals and healthcare institutions for better information integration processing;
• an electronic platform exclusively designed for hearing-impaired individuals providing crucial COVID-19 diagnostic support serving Mexicans across Puebla; and
• some states developed mobile applications to facilitate self-diagnosis of COVID-19.

The Federal Commission for the Protection Against Sanitary Risks (Cofepris being its Spanish acronym) is the regulatory and enforcement agency for the digital health industry. This authority is responsible for verifying the quality, efficacy and efficiency of health inputs, including services, medicines and medical devices. Cofepris is in charge of granting the marketing authorisations for software as a medical device.

Additionally, the Federal Consumer Protection Bureau is the government agency responsible for safeguarding and promoting consumer rights; this agency is focused on commercial and promotional matters.

Regarding the self-assessments and reporting obligations from healthcare institutions, as digital technologies used in health matters are not regulated directly under the Mexican legal framework, there is no legal requirement to self-assess or report any specific matter related to digital medicine or digital health.

There have been few developments regarding digital healthcare activities. Many of those efforts have been addressed in separate regulations (rather than a single set of rules governing digital health). For example, in December 2021, a new regulation regarding software as a medical device was issued. In May 2023, a new General Law on Humanities, Sciences, Technologies and Innovation was enacted; such law will affect research and development for technologies in the healthcare sector but not necessarily in a positive way, since such new law (among other topics) (i) allows the government to have centralised control over the areas of research and innovation in which public funds are going to be allocated and (ii) provides that research and development activities and projects (with public funds) have to be based on a Special Programme to be developed by the Federal Government (which can be biased). Other drafts of initiatives are being discussed in Congress but, so far, Mexico lacks state-of-the-art legislation that specifically governs the development and use of digital health and digital medicine.

There are a few other draft regulations underway regarding digital health. Some of these include artificial intelligence, cybersecurity, digital health as an ecosystem, electronic clinical records and digital prescriptions; however, these are still pending to be approved by the Mexican Congress.

There is a particular bill, submitted by congressman Éctor Jaime Ramirez Barba on March 2021, the main purpose of which is to develop a legal framework that allows the use of digital technologies in health in an ethical, safe, reliable, equitable and sustainable manner. Other bills are focused on electronic clinical records and digital prescriptions.

Cofeprisis the enforcement agency regarding health matters.

The administrative process shall be initiated by a verification visit to an establishment, whereafter an official action will be issued containing the results of such verification and informing about the irregularities identified. The establishment involved should answer with the corrective actions or its arguments overcoming the findings. A resolution will be issued in which sanctions may be imposed. This resolution can be challenged before a federal court. Cofepris has the authority to impose sanitary measures during the administrative process, at any time.

The Federal Consumer Protection Bureau (PROFECO) regarding commercial matters and the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) for data protection matters, are the non-healthcare regulatory agencies that could be involved in digital healthcare.

Preventive care includes those medical activities which are generally advertised through campaigns to prevent a specific disease or condition. Conversely, there is no definition for “diagnostic care”; however, it can be defined as those medical activities related to the finding of a specific pathology in a patient.

Preventive care is focused on awareness campaigns about the consequences of specific diseases or conditions, by creating consciousness among the population; these actions are mainly managed by the Ministry of Health at a national level. The diagnostic actions are done by each healthcare professional following the medical guidelines or the Mexican Standard Norms.

There are some campaigns and legal actions that have been conducted by the Mexican government to be considered as preventive care:

• inclusion of the COVID-19 vaccine in the Universal Vaccination Programme;
• the prohibition of edible oils and fats in food and non-alcoholic beverages known as trans fats; 
• the implantation by the IMSS (National Health Service for private sector employees) of an app called heart attack code (Código Infarto). The purpose of this app is for an infarcted person with chest pain symptoms, shortness of breath or fainting, to receive medical care within 30 minutes or less. The app is beneficial for around 55 million users through 344 medical units equipped to provide this service, including 11 High Specialty Medical Units, 181 Regional or Area General Hospitals, and 152 Family Medicine Units; and
• the incorporation of preventive seals in food with added sugars, carbohydrates, oils and fats, calories and sodium.

In Mexico, wellness and fitness data is regulated under data protection laws and it is considered as health-related data, which is indeed more sensitive than any other kind of personal data. Any personal data that, if it is exploited, might lead to discrimination, or pose severe harm to the data owner, is sensitive personal data. The main rule is that the owner of the personal data must provide their written consent before any processing of that data may take place.

On the other hand, from a sanitary standpoint, developers of apps and wearables that manage wellness and fitness data, shall carefully review the way in which such data is provided to the user of the app or the device, in order not to be considered as providing medical advice (which would require a licence to render professional medical services).

Preventive care is a goal of the national health system and the Ministry of Health is responsible for that. Preventive care has been focused on specific diseases such as cancer, diabetes, hyper cholesterol, AIDS and others; for these, the Ministry of Health has created Mexican Official Standards and clinical guidelines to prevent these diseases. Moreover, vaccination and immunisation policies have also been created; nevertheless, due to the COVID-19 pandemic, vaccination rates have decreased considerably.

There two main challenge of non-healthcare companies entering the market, which are:

• compliance with the provisions set forth under data protection law; the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) (which is the authority in charge of granting access to public information and protecting personal data) has been conducting extensive reviews (and in many occasions imposing penalties) of the parties responsible for the processing of sensitive personal health data; and
• compliance with the health regulation regarding the promotion of products and services.

Several technological solutions have been introduced throughout Mexico’s hospitals to enhance patient care and make better use of connected medical equipment, for example:

• electronic medical records – doctors have been able to access and keep updated the clinical information of their patients. This allows various departments and healthcare professionals to easily communicate with one another and seamlessly share data, which ultimately leads to improved healthcare co-ordination and quality; and
• connected medical devices – vital sign monitors and other telemedicine devices have enabled remote monitoring of patients. These gadgets provide data to doctors in real-time, which makes it easier for doctors to spot potential health issues early on.

Remote health in Mexico has been significantly supported by technological advancements, such as:

• telemedicine – virtual medical consultations are now possible because of widespread videoconferencing platforms and software designed for mobile devices. Patients can communicate with their healthcare providers via the use of videoconferencing, which helps them save time and money, and provides quicker access to medical treatment; and
• patient monitoring – gadgets that can keep track of patients suffering from chronic conditions have made this possible. Patients diagnosed with diabetes, for instance, can use gadgets that detect their glucose levels and remotely exchange the data with their treating doctors. This makes it possible to continuously evaluate their health situation and make appropriate modifications to their therapy at the appropriate moment.

A substantial amount of progress has been made in home care in Mexico after hospital release because of technological developments. Some advancements worth noting are:

• post-operative telemonitoring, which allows patients who have just had surgery to be remotely monitored at home using linked electronic equipment. Medical professionals can track a patient’s progress toward recovery, identify any issues that may arise, and provide advice even if the patient is not at the hospital; and
• digital medicine and mobile applications – patients now can obtain individualised medical advice, access their own health information, and receive prescription reminders all from their mobile devices thanks to the development of mobile apps. These applications facilitate home health care and encourage people to take an active role in their own medical treatment.

It is possible to incur civil liability because of adverse healthcare outcomes; this responsibility could be of the healthcare professional, the hospital and/or the manufacturer of the health input. All these responsibilities are based on the damages caused to the victim, who may seek compensation from the party responsible for such damage.

Moreover, healthcare professionals, hospitals and developers can be liable for infringement of the General Health Law and its regulations; in this case, all of them could face administrative sanctions (such as fines), the healthcare professional could be disbarred and the developer could face the cancellation of its marketing authorisation, among other things, such as product seizures, service bans and facility closures.

The main risk identified for the cloud computing environment is that security may be violated through cyber-attacks, which could lead to data loss or breaches in confidentiality, resulting in the infringement of data protection laws.

On the other hand, the key risks assessed for on-premises and local computing environment are non-authorised access (this could lead to data leaking or even identity theft), and service interruption (that can be a result of a cyber-attack that intends to slow or even shut down this services).

Most cybersecurity risks may be addressed in the contracts or agreements between third parties and healthcare institutions, in which the liability for each of the parties is clearly outlined and specific performance standards (including emergency response, remedial actions, access to audits, among others) are agreed upon. In terms of data protection laws, the party in charge of collecting the personal data will be the one responsible before the authority. Thereafter, indemnifications may be adopted in the contract in case of any economic sanctions.

None of the initiatives reviewed by the authors regarding digital health matters have addressed regulations for specific internet of things (IoT). Nowadays, congressmen are focusing on general provisions that may allow the regulation of digital health and digital medicine without entering into a further analysis (such as internet of medical things).

However, according to Mexican Official Standard NOM-241-SSA1-2021, Good Manufacturing Practices for medical devices (which became effective on 21 June 2023), software may be classified as a medical device if it is used for one or more medical purposes, operates on general computer platforms and is used by itself or together with other products.

As mentioned above, although there is no clear legislation in Mexico on the IoT, regulators are (slowly) starting to craft regulations regarding digital technology focused on health matters, that may eventually evolve into regulating IoT.

The Mexican Official Standard NOM-241-SSA1-2021, Good Manufacturing Practices for medical devices, which became effective on 21 June 2023, is the first legal provision in Mexico to regulate software as a medical device. As a result, software is considered a medical device if it meets the following criteria: (i) it is used for one or more medical purposes; (ii) it can run on general computing platforms; and (iii) it can be used alone or together with other products (such as a module or other medical devices). Please note, however, that software that runs only on a specific physical medical device is exempt from this classification and will not require registration to be marketed within Mexican territory.

AI and machine learning do not have a specific regulation in Mexico; however, as both of them could fill in the definition of software as a medical device, they could be considered as such if the above-mentioned criteria are met.

Whether software meets the above-mentioned criteria is relevant from different perspectives. For example, considering that a medical device can only be sold in specific establishments (ie, pharmacies), promotion of the product has to be done, exclusively, to healthcare professionals, technovigilance reports have to be submitted once a year to Cofepris and the marketing authorisation is subject to renewal.

The authority with jurisdiction over software as a medical device is Cofepris and it is in charge of validating the quality, safety and efficacy of the software. Among its powers, it can impose sanitary measures such as the prohibition of selling the software, and fines to the distributor and manufacturer. Additionally, the owner of the marketing authorisation must be aware and comply with the Data Privacy Law, which established an obligation to present a data privacy notice to communicate the uses of the data collected by the software. Moreover, health data is considered sensitive personal data and therefore if this data is to be transmitted to a third party, then it has to be accepted by the owner of the data.

Companies outside the care industry must comply with specific requirements such as an operation notice and designate a sanitary responsible if they are willing to register their software as a medical device; conversely, companies that keep their software outside of the definition of medical device have to be careful of the intended uses and claims of the product to avoid any sanctions from Cofepris.

Mexico has seen rapid expansion in the use of telehealth. Telemedicine has made possible the creation of “virtual hospitals,” which are places where patients may get medical treatment online by using numerous forms of communication technology and information systems. These virtual hospitals have made it possible for patients located in remote regions to get specialist medical treatment by providing access to medical professionals.

The advent of telehealth has made it feasible to provide medical care to patients who are located at a distance from the provider. This has proven to be particularly helpful in circumstances that make it difficult or expensive to physically go to the patient. Telehealth allows medical experts to make diagnosis, monitor patients, provide medical advice and issue prescriptions without the need for patients to physically attend the clinic.

Patients now can get first medical treatment in a more expeditious manner thanks to the advent of telehealth, which has made it possible to utilise virtual consultations as a gateway to medical care. Patients may conduct medical consultations with healthcare experts remotely, without having to travel to a clinic, by using communication software or videoconferencing technology. This has shown to be particularly helpful in situations involving regular consultations, the follow-up of patients with chronic diseases and early medical assistance.

Regarding cross-border telehealth, it is worth considering the requirements of having a professional licence to practice medicine in different jurisdictions. Patients from various states, provinces, or even countries can receive medical assistance through telehealth. However, compliance with the specific regulations and legal requirements of each jurisdiction is required. This includes procuring the essential licences and authorisations to practice medicine in the location where the patient resides, as well as complying with privacy and data protection laws in each jurisdiction.

During the COVID-19 pandemic, the Federal government declared a state of emergency, which implied that the government was allowed to purchase any health input or any other material that could help in the pandemic without the need to follow the procurement process; several emergency authorisations for vaccines and medicines were granted. Furthermore, the import of health inputs without marketing authorisations was allowed in order to face the COVID-19 emergency.

Online platforms are regulated in a general manner; there are no specific provisions used as part of digital medicine or digital health.

Reimbursement in Mexico is not like in Europe or other countries. In Mexico, with respect to patients affiliated to social security, health services, including medicines and some medical devices, are prepaid through social security contributions done by workers and employers on a monthly basis (such mechanism is similar to an insurance scheme, but managed by the government either through IMSS or ISSSTE (National Health System for governmental employees)). For patients without social security, the health services, including medicines and medical devices, are free but limited to those treatments and medicines defined by the government (such services are funded by the government and the states through public budgetary resources).

Despite the above, public health institutions have several digital health and digital medicines programmes for their patients. 

In the private sector, the reimbursement from the insurance company will depend on the terms and conditions of the applicable patient’s insurance policy. Therefore, there is no general rule.

The main regulatory issue regarding the internet of medical things is that, at this time, there are no specific provisions that apply to goods or services that are digitally delivered in the health sector (including digital assistants and the internet of medical things). However, indirect regulation applies in general terms to the digital technologies applied to health-related matters.

If a product (ie, hospital beds, wearables, implantable, etc) will help in medical care for the purpose of diagnosing, preventing, treating, rehabilitating or following up on pathologies, as well as for caring for and promoting health, it will be considered a health input and applicable provisions shall be met in this regard (eg, having an operation notice, securing a marketing authorisation and importation permits, among others).

In general terms, 5G networks can provide additional benefits to telehealth, IoT and medical treatments, such as faster data transfer rates both up/downstream and less latency, providing a more responsive user experience. Greater connectivity allowing multiple devices to be linked simultaneously while increasing device support capacity ensures less congestion across the network, resulting in far higher reliability/stability of the connection itself.

However, the 5G network implies a relevant investment in infrastructure (mainly hardware) to obtain the benefits of the network. Additionally, the gap between urban and rural areas could increase considerably. Mexican health system infrastructure is obsolete; therefore, it is likely that the medical devices that are currently in use may not support the 5G network. Moreover, for digital medicine, it is necessary that both patients and healthcare providers use the same network, otherwise the speed of transmission will be driven by the lower of the two.

Contracts between health institutions and 5G providers should clearly define expected parameters around performance, availability, quality of service covering all backup solutions, redundancy and robust measures regarding security; mainly with respect to patient confidentiality.

According to the Federal Law for the Protection of Personal Data Held by Private Parties, the level of protection afforded to health-related data in Mexico is greater than that given to any other type of personal data; this is because health-related data is considered sensitive personal data, which means that misuse of the information could result in discrimination or constitute a severe threat to the data proprietor. As a general rule, all processing of personal information requires the owner’s written consent.

In addition, databases containing sensitive personal data can only be kept when their legitimate and specific purposes are justified by the responsible party, consistent with the latter’s activities or purposes, and reasonable efforts must be made to limit the processing period to the bare minimum. However, anonymised health data is excluded from the scope of data protection laws, as such data cannot lead to the identification of a person.

Depending on the nature of the data, the intentionality of the action or omission constituting the violation and the financial standing of the data controller, a violation of data protection laws can result in significant fines. In addition, violations of regulations pertaining to sensitive personal data (for instance, health data) may result in sanctions and penalties. When attributable to the data controller, breaching the security of databases, premises, computer programs and equipment is considered a criminal offence punishable by up to three or five years in prison, or twice as long if the breach involves unlawful treatment of sensitive personal data.

From the regulatory point of view, the collection and use of health data are highly regulated, for instance, patients must grant their consent to collect their health data, and informed consent must express the use of the data. Informed consent must comply with specific requirements that are laid down in the regulation of clinical trials. Moreover, the information on the health records belongs to the patient, and its access is restricted to their healthcare provider.

Wearables and other devices, that collect personal health information, that are not considered medical devices, do not have to comply with the health regulation for data collection, since the goal of collecting that information is out of the scope of the health law. Nevertheless, they have to comply with data privacy regulations and therefore a privacy notice must be in place for users to accept the collection and use of their data. 

It is strongly suggested that any processing of raw health data be preceded by a privacy notice in Spanish that complies with data protection laws and describes the purpose of the processing in detail; this can be reviewed by the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI). As the Health Authority has powers to review the collection of health data, it is important to obtain informed consent for the collection of health data for medical purposes.

Please note, however, that as anonymised data cannot identify a subject, it does not fall within the range of data protection laws. Hence, its use, disclosure and all other relevant activities related thereto comprise a business decision.

Despite the overlap of these regulations, they are aligned in the sense that personal health data is relevant for the patient/owner, and therefore higher restrictions shall be in place to guarantee the proper treatment of the data. Nevertheless, it is important to comply with both regulations.

AI used within the healthcare sector should always be augmented intelligence, since human knowledge and decisions shall always prevail. However, AI is a very effective tool for healthcare professionals to obtain information related to diseases and their treatments or event to manage clinical records (as long as the personal information is shared in compliance with applicable legal provisions).

One of the most relevant risks of electronic medical records is that they may be subject to misuse of personal sensitive data or cybersecurity attacks.

In Mexico, regulation has still not defined the optimal standard for securing businesses against cyber threats. As part of an overarching legal framework for safeguarding individual data protection concerns, those serving as controllers or processors must develop a reasonable network defence and shall routinely perform vulnerability assessments regarding technical infrastructure.

Currently, some initiatives are being discussed in the Mexican congress regarding AI (such as the draft of Law for the Ethical Regulation of Artificial Intelligence and Robotics (Ley para la Regulación Ética de la Inteligencia Artificial y la Robótica) that was introduced for discussion in Congress in May 2023). However, as it is a complex (and rather unexplored) topic, Mexican representatives tend to be extremely cautious and risk averse when discussing and analysing such projects, which has caused the country to lack an appropriate regulation around AI.

As digital healthcare technologies are still not regulated under the Mexican legal framework, healthcare companies using digital health technologies are facing the same issues as non-healthcare companies (which mainly relate to compliance with the provisions provided in the data protection laws and in the consumer protection law).

For telemedicine to be suitable to be implemented within a healthcare institution, it is required that a platform allows doctors and patients to communicate with one another in real time through digital channels. To do this, secure systems for videoconferencing, data transfer and the maintenance of electronic medical records need to be developed. In addition, to have equal access to telemedicine services throughout Mexican territory, there must be a consistent connection across the country at a high speed. This is particularly important in more rural regions.

To harness the potential of machine learning in the healthcare industry, information technology systems that can gather, store, and evaluate enormous amounts of clinical data are required. This implies having cloud storage infrastructures and scalable database systems, in addition to the development of machine learning algorithms that are appropriate for the analysis of clinical data. Besides, stringent security and privacy precautions have got to be taken for complying with applicable provisions of data protection laws.

For integrating IoT, an IT infrastructure is required that can enable the connection and interchange of data between medical and computer systems, operated by networks that are both trustworthy and safe. Interoperability standards shall be developed, making it possible for devices to be seamlessly integrated into healthcare settings. In addition, security and privacy standards need to be devised to safeguard the information that is produced and ensuring compliance with data protection laws.

Together with the IT infrastructure referred to before, increasing the reach of broadband internet and embracing new technologies like fibre optics will allow safer and dependable data transmissions, with additional security measures, such as data encryption and authentication, which should be in place.

There have not been any proposed regulations in addition to those that are already in force; therefore, in terms of data protection laws, data controllers are responsible for conforming to legal principles and obligations, such as implementing appropriate security measures to protect data from loss, theft and unauthorised use or access.

In Mexico it is possible to obtain patent protection for an invention, regardless of the field of technology, if it complies with the following:

• being novel – ie, not being in the state of the art;
• being the consequence of inventive activity – ie, not being apparent or noticeable; and
• the subject of industrial application – ie, the possibility that the invention could be used in any industry.

Databases, algorithms, software, and any technology reflected in writing are not subject to be patentable in Mexico. Nevertheless, the Federal Copyright Law provides protection for databases, algorithms, software and any technology reflected in writing, which basically states that copyright protection begins once the work is fixed on a material support (regardless of its merit, purpose or mode of expression). Nonetheless, for exercising a copyright action before a third party, it must be registered before the National Institute of Copyright.

A trade secret is the information of an industrial or commercial application that the person exercising legal control keeps confidential, which means obtaining or maintaining a competitive or economic advantage over third parties in the performance of economic activities and for which adopted means or systems to preserve its confidentiality and restricted access exist.

The type of protection, whether it is a patent, copyright or trade secret, will depend on the invention per se and a case-by-case analysis.

Regarding the possibility to protect an invention or copyright that has been created by AI, machine learning, or any other type of software, in Mexico it is not possible to do so because the Federal Law for the Protection of Intellectual Property and the Federal Copyright Law establishes that the inventor or the creator must be a human being.

As referred to above, algorithms, databases, software (except those classified as medical devices) and any written technology will be considered a work and will be subject to copyright protection. These works are not required to be registered before the National Institute of Copyright as the protection commences when the work is fixed on a material support (regardless of its merit, purpose or mode of expression).

Yet, to exercise copyright rights before a third party, registration before the copyright authority is recommended, as this will mean that the right is duly recognised.

Licensing intellectual property rights always requires extra caution and a written agreement plays an essential role to establish the scope and time of the licence, exclusivity if any, territorial delimitation, the obligations and rights of each party, royalties or compensation that the licensee shall pay to the licensor and whether the licence will be registered.

A relevant clause in all licensing agreements is the prosecution of potential infringements, including the dispositions regarding which party will be responsible for making the decision to initiate the action, and what would happen if the party responsible for making that decision refuses to act and there are material or economic damages to the other party. 

Furthermore, it is relevant to include a transitional period at the beginning and the end of the agreement to continue the commercialisation of the product. Additionally, it is important to establish which party will be responsible for obtaining the marketing authorisations from the authorities, if any, and what will happen with those marketing authorisations at the end of the licence agreement – ie, if they are going to be assigned or not, who will pay for the assignment and the obligation to collaborate in the assignment of rights. 

Authorship of inventors and authors must be recognised as such in the patent or copyrights registration, regardless of the agreement with the university, inventor or healthcare institution.

If the inventor/author is an employee of the university or healthcare institution, then the Federal Labour Law applies, and it states that employees will be the author of inventions made for their employer, but the employer retains ownership of the inventions and the right to exploit the patents or copyrights.

However, if the inventor/author is not an employee, but rather an independent service provider, the terms of the intellectual property rights will be those laid down in the service agreement, but the authorship of the invention/copyright must be for a physical person.

According to the New General Law on Humanities, Sciences, Technologies and Innovation (Ley General en Materia de Humanidades, Ciencias, Tecnologías e Innovación) enacted in May 2023, copyright and industrial property rights over works and inventions derived from processes of humanistic and scientific research, technological development and innovation financed with public resources, shall benefit and be reserved for the welfare of the people from Mexico. The foregoing is in the terms of the applicable legislation and intellectual property of which the Mexican State is a part.

Any contractual arrangement superseding statutory rules will be considered null, therefore, it shall be aligned to provisions set forth under the applicable legal framework. Bear in mind that the recognition of authorship is compulsory in Mexico, but the exploitation and/or economic rights can be subject to contractual arrangements.

There have not been cases in Mexican Courts regarding decisions based on digital health technologies, however, based on the liability theories, healthcare professionals and software developers could be responsible for the following.

Civil liability – healthcare professional – based on the fact that the healthcare professional is responsible for the decisions made regarding their patient, they could be liable regardless of whether the decision was made using AI, machine learning or software as a medical device; this will be an extra-contractual (tort) liability – ie, malpractice case. 

Nevertheless, if the decision is based on using software as a medical device, the developer of the software could be liable if the malfunctioning of the software is proven; this will be a product liability. 

Moreover, healthcare professionals and software developers can be liable for infringement of the General Health Law and its regulations; in this case, both could face administrative sanctions, such as fines, the healthcare professional can be disbarred and the software developer can face the cancellation of its marketing authorisation, among other things, such as product seizures, service bans and facility closures.

Third-party vendors’ products or services can be legally responsible by extra-contractual liability (tort) or by contractual responsibility.

In the case of tort responsibility, it is necessary to prove that the third party was negligent in the care of the product or rendering of the services and to establish a link between the fault and the damage caused by that conduct. If the responsibility arises from contractual breach, it will depend on the terms of the contract entered with the third party, in which the liability distribution should be detailed.