From a general perspective, digital solutions for health and health-related matters are a reality and are frequently used. The benefits of digital solutions for patients, healthcare professionals and authorities are evident, but there is nevertheless room to improve regulation. In Mexico, there are no specific regulations in place for these digital solutions, other than general regulations applicable to certain aspects of such technologies (such as data protection, sanitary regulation, IP and software as a medical device, among others).

From a Healthcare Provider’s Perspective

From a healthcare provider’s perspective, using digital solutions represents the opportunity to improve the quality of medical care and optimise patient management. These technologies enable providers to access real-time clinical information, perform remote consultations, make more accurate diagnoses and provide personalised treatments. Implementing these digital solutions increases providers’ operational efficiency, reduces costs and improves communication between different healthcare professionals.

From a Patient’s Perspective

From a patient’s perspective, the use of digital solutions allows the patient to access their medical information anytime and anywhere, and to receive remote medical assistance and digital drug prescriptions, among other benefits. On the other hand, the use of mobile apps, wearable devices and online platforms helps patients to monitor (in real time) their health condition.

From a Regulatory Perspective

From a regulatory perspective, the sanitary authority oversees the regulation and supervision of healthcare products and services in Mexico. As these technologies evolve, regulators must ensure that the regulations promote safety, quality, confidentiality and the efficacy of health data collected through digital technologies.

Technology platforms that collect and store data play an essential role in generating clinical evidence and improving patient care; unfortunately, there is no regulation of these platforms, despite the privacy regulation applicable to personal data. These technologies enable efficient data collection and subsequent analysis in the context of medical interventions, such as surgeries. The interaction between technology platforms and clinical evidence also contributes to more informed, evidence-based care, resulting in improvements in healthcare. 

According to the National Centre for Health Technology Excellence (“CENETEC” being its Spanish acronym; which is a decentralised organism of the Ministry of Health), digital health is a broader concept and is defined as the rendering of health services using information and communication technologies, when physical interaction is not necessary, with the purpose of continuing patient care, in this case, not only related to medical services but also to health-related services. Digital medicine is the rendering of health services, where healthcare professionals and patients are located in different places, using information and communication technologies to exchange information for the diagnosis, treatment and prevention of diseases and injuries, as well as for continuing medical education. 

Besides these definitions and some guidelines issued by CENETEC (which are not compulsory), there are few references in the General Health Law and its regulations regarding digital health, digital medicine, electronic prescriptions, digital medical files and information and communication technologies. That being said, there is no list of matters covered by digital health or digital medicine; the analysis is done based on the general regulation applicable to health services and medical devices. 

The development of digital health technology (both digital healthcare and digital medicine) in Mexico is now driven by various stakeholders including start-ups (predominantly comprised of technology firms), healthcare providers (such as hospitals and academic institutions), as well as investors. 

Key technologies in digital healthcare are based on mobile applications (apps), wearables and other devices. The development of technologies for digitalising healthcare in Mexico has been gaining momentum as a result of the COVID-19 pandemic, during which digital healthcare was used to optimise the health of patients, by being able to monitor certain health indicators and anticipate potential health issues. On the other hand, digital medicine has been driven by telemedicine, artificial intelligence (mainly in the diagnostic field), electronic health records and digital prescriptions, and other developments that improve medical care from a professional healthcare standpoint. 

The most relevant legal issue in digital health is the lack of regulations. At the time of writing in 2024, specific legislation governing digital health or digital medicine in Mexico is scarce and dispersed in different pieces of legislation. 

Additionally, there is a gap between regulation and practice. For instance, digital prescription is allowed by the Health Input Regulations; however, its implementation has faced some barriers, since the regulation applicable to the supply of medicines by pharmacies obliges patients to provide the pharmacies with a physical prescription (complying with certain requirements, including the signature of the doctor). Therefore, it is necessary to update the whole legal framework for digital prescriptions to become a reality (eg, allowing the use of electronic signatures in such prescriptions).

The Federal Commission for the Protection Against Sanitary Risks (“Cofepris” being its Spanish acronym) is the regulatory and enforcement agency for the digital health industry. This authority is responsible for verifying the quality, efficacy and efficiency of health inputs, including services, medicines and medical devices. Cofepris is in charge of granting marketing authorisations for software as a medical device. 

Additionally, the Federal Consumer Protection Bureau (“PROFECO” for its Spanish acronym) is the government agency responsible for safeguarding and promoting consumer rights; this agency is focused on commercial and promotional matters.

Regarding the self-assessment and reporting obligations of healthcare institutions, because the digital technologies used in health matters are not regulated directly under the Mexican legal framework, there is no legal requirement to self-assess or report any specific matter related to digital medicine or digital health. 

There have been few recent developments in digital healthcare activities, as any efforts tend to have been addressed in separate regulations, rather than in a single set of rules governing digital health. For example, in December 2021, a new regulation regarding software as a medical device was issued. In May 2023, a new General Law on Humanities, Sciences, Technologies and Innovation was enacted which will affect research and development for technologies in the healthcare sector, but not necessarily in a positive way since this new law (among other things):

• allows the government to have centralised control over the areas of research and innovation in which public funds are going to be allocated; and
• provides that research and development activities and projects (with public funds) have to be based on a special programme to be developed by the federal government (which can be biased).

Other drafts of initiatives are being discussed in congress but, so far, Mexico lacks state-of-the-art legislation that specifically governs the development and use of digital health and digital medicine.

There are a few other draft regulations underway regarding digital health. Some of these include artificial intelligence, cybersecurity, digital health as an ecosystem, electronic clinical records and digital prescriptions; however, these are still pending to be approved by the Mexican Congress.

There are some particular drafts of amendments to the General Health Law, such as:

• the draft of amendments submitted by various congressmen of different parliamentary groups on July 2023, the main purpose of which is to regulate the use of artificial intelligence in health care; and
• the draft of an amendment submitted by Éctor Jaime Ramirez Barba on July 2023, the main purpose of which is to regulate software as a medical device.

Other bills are focused on electronic clinical records and digital prescriptions.

Cofepris is the enforcement agency regarding health matters. 

The administrative process is initiated by a verification visit to an establishment, after which an official action will be issued containing the results of such verification and listing the irregularities identified. The establishment involved should answer with corrective actions, or arguments contradicting the findings. A resolution will be issued in which sanctions may be imposed. This resolution can be challenged before a federal court. Cofepris has the authority to impose sanitary measures during the administrative process, at any time.

The non-healthcare regulatory agencies that could be involved in digital healthcare are:

• PROFECO regarding commercial matters; and
• the National Institute for Transparency, Access to Information and Protection of Personal Data (“INAI” for its Spanish acronym) for data protection matters. 

Preventative care includes those medical activities which are generally advertised through campaigns to prevent a specific disease or condition. There is no official definition for “diagnostic care”; however, it can be defined as those medical activities related to finding a specific pathology in a patient. 

Preventative care is focused on awareness campaigns about the consequences of specific diseases or conditions, by creating consciousness among the population; these actions are mainly managed by the Ministry of Health at a national level. Diagnostic actions are carried out by each healthcare professional following the medical guidelines or the Mexican standard norms. 

Some campaigns and legal actions conducted by the Mexican government could be considered as preventative care. 

• The inclusion of the COVID-19 vaccine in the Universal Vaccination Programme. 

• The prohibition of edible oils and fats, known as “trans fats”, in food and non-alcoholic beverages. 

• The implantation by the IMSS (National Health Service for private sector employees) of an app called heart attack code (Código Infarto), the purpose of which is for a person with an infarction with chest pain and shortness of breath or fainting, to receive medical care within 30 minutes or less. As a result of the implementation of the heart attack code, 885 patients were treated in 2023, most of them successfully. The app is beneficial for around 55 million users through 344 medical units equipped to provide this service, including 11 high specialty medical units, 181 regional or area general hospitals, and 152 family medicine units.
• The amendment on 27 March 2020 of relevant provisions to the General Health Law and the Mexican Official Norm NOM-0051-SCFI/SSA1-2010, to include the requirement to use labels on the front and back of food products and non-alcoholic beverages with added sugars, carbohydrates, oils and fats, calories and sodium. This amendment was declared legal by the Mexican Supreme Court of Justice on 8 and 9 April 2024, because through this amendment to the General Health Law:
1. the public is receiving true and accurate information; and
2. the state is preserving public health by promoting healthy nutrition, especially in the best interests of minors.

In Mexico, wellness and fitness data is regulated under data protection laws and it is considered to be health-related data, which is more sensitive than any other kind of personal data. Any personal data which, if exploited, might lead to discrimination or pose serious harm to the data owner, is regarded as sensitive personal data. The main rule is that the owner of the personal data must provide their written consent before any processing of such data may take place.

On the other hand, from a sanitary standpoint, developers of apps and wearables that manage wellness and fitness data must carefully review the way in which such data is provided to the user of the app or device so that it is not considered to be medical advice (which would be regarded as rendering professional medical services, for which a licence is required).

Preventative care is a goal of the national health system and the Ministry of Health is responsible for this. Preventative care has been focused on specific diseases such as cancer, diabetes, hypercholesterol, AIDS and others; for these, the Ministry of Health has created Mexican Official Standards and clinical guidelines to prevent these diseases. Moreover, vaccination and immunisation policies have also been created; nevertheless, due to the COVID-19 pandemic, vaccination rates have decreased considerably. 

The two main challenges of non-healthcare companies entering the market are: 

• compliance with the provisions set forth under the personal data protection law (INAI, as the authority in charge of granting access to public information and protecting personal data, has been conducting extensive reviews of, and in many occasions imposing penalties on, the parties responsible for the processing of sensitive personal health data); and 
• compliance with the health regulation regarding the promotion of products and services.

Several technological solutions have been introduced throughout Mexico’s hospitals to enhance patient care and make better use of connected medical equipment, for example: 

• electronic medical records – doctors have been able to access and update the clinical information of their patients (this allows various departments and healthcare professionals to communicate easily with one another and seamlessly share data, which ultimately leads to improved healthcare co-ordination and quality); and

• connected medical devices – vital sign monitors and other telemedicine devices have enabled remote monitoring of patients (these gadgets provide data to doctors in real-time, making it easier for doctors to spot potential health issues early on).

Remote health in Mexico has been significantly supported by technological advancements, such as:

• telemedicine – virtual medical consultations are now possible because of widespread video-conferencing platforms and software designed for mobile devices (patients can communicate with their healthcare providers via the use of video-conferencing, which helps save time and money, and provides quicker access to medical treatment); and
• patient monitoring – gadgets that can keep track of patients suffering from chronic conditions have made it possible, for example, to detect glucose levels in patients diagnosed with diabetes and remotely exchange data with their treating doctors (this makes it possible to continuously evaluate the health situation of chronically ill patients and make appropriate modifications to their therapy as needed).

A substantial amount of progress has been made in Mexico regarding home care after hospital release thanks to technological developments. Some advancements worth noting are:

• post-operative telemonitoring, which allows patients who have just had surgery to be remotely monitored at home using linked electronic equipment (medical professionals can track a patient’s progress towards recovery, identify any issues that may arise, and provide advice even if the patient is not at the hospital); and
• digital medicine and mobile applications – patients can now obtain individualised medical advice, access their own health information, and receive prescription reminders from their mobile devices, thanks to the development of mobile apps, which facilitate home healthcare and encourage people to take an active role in their own medical treatment.

It is possible to incur civil liability due to adverse healthcare outcomes; this responsibility could fall on the healthcare professional, the hospital and/or the manufacturer of a health device. All these responsibilities are based on the damages caused to the victim, who may seek compensation from the party responsible for such damages. 

Moreover, healthcare professionals, hospitals and developers can be held liable for infringement of the General Health Law and its regulations; in this case, all of them could face administrative sanctions (such as fines), the healthcare professional could be disbarred, and the developer could face the cancellation of its marketing authorisation, among other things, such as product seizures, service bans and facility closures.

The main risk identified for the cloud computing environment is that security may be violated through cyberattacks, which could lead to data loss or breaches in confidentiality, resulting in the infringement of data protection laws.

On the other hand, the key risks assessed for the on-premises and local computing environment are non-authorised access (which could lead to data leaking or even identity theft) and service interruption (which can result from a cyberattack intended to slow or even shut down these services). 

Most cybersecurity risks may be addressed in the contracts or agreements between third parties and healthcare institutions, in which the liability for each of the parties is clearly outlined and specific performance standards (including emergency response, remedial actions, access to audits, etc) are agreed upon. In terms of data protection laws, the party in charge of collecting the personal data will be the one responsible before the authority. Thereafter, indemnifications may be adopted in the contract in case of any economic sanctions.

It is relevant to note that, in the past 12 months, there have been several drafts of bills of law that have tried to regulate cybersecurity (with a relevant impact on digital health), but none of these drafts of bills were transformed into actual regulation.

None of the initiatives reviewed by the authors regarding digital health matters have addressed specific regulations for the internet of things (IoT). Nowadays, congressmen are focusing on general provisions that may allow the regulation of digital health and digital medicine without entering into a further analysis (such as, the IoT).

However, according to the Mexican Official Standard NOM-241-SSA1-2021, Good Manufacturing Practices for medical devices (which became effective on 21 June 2023), software may be classified as a medical device if it is used for one or more medical purposes, operates on general computer platforms and is used by itself or together with other products.

As mentioned above, although there is no clear legislation in Mexico on the IoT, regulators are (slowly) starting to craft regulations regarding digital technology focused on health matters, which may eventually evolve into regulating the IoT.

The Mexican Official Standard NOM-241-SSA1-2021, Good Manufacturing Practices for medical devices, which became effective on 21 June 2023, is the first legal provision in Mexico to regulate software as a medical device. As a result, software is considered a medical device if it meets the following criteria:

• it is used for one or more medical purposes;
• it has as its main feature that it does not need to be part of the hardware of the medical device to fulfil the intended medical purpose;
• it can run on general computing platforms; and
• it can be used alone or together with other products (such as a module or other medical devices).

Note, however, that software that runs only on a specific physical medical device is exempt from this classification and will not require registration to be marketed within Mexican territory.

Based on the General Health Law and its regulations, the production, sale and distribution of medical devices require marketing authorisation issued by Cofepris. However, it is important to mention that, to date there is no specific regulation regarding the procedure for obtaining the marketing authorisation for software as a medical device, which, in practice, makes it impossible to obtain such authorisation. 

AI and machine learning do not have separate regulation in Mexico; however, since both of them could be defined as software as a medical device, they could be considered as such if the above-mentioned criteria are met. 

Whether software meets the above-mentioned criteria is relevant from different perspectives. For example, considering that a medical device can only be sold in specific establishments (ie, pharmacies), the product can only be promoted, exclusively, to healthcare professionals, technovigilance reports have to be submitted once a year to Cofepris, and the marketing authorisation is subject to renewal.

The Role of Cofepris

The authority with jurisdiction over software as a medical device is Cofepris and it is in charge of validating the quality, safety and efficacy of the software. Among its powers, it can impose sanitary measures such as prohibition to sell the software, and issuing fines to the distributor and manufacturer. Additionally, the owner of the marketing authorisation must be aware and comply with the Data Privacy Law, which establishes an obligation to present a data privacy notice to communicate the uses of the data collected by the software. Moreover, health data is considered sensitive personal data and therefore, it cannot be transmitted to a third party without the approval of the owner of the data. 

Companies outside the care industry must comply with specific requirements such as an operation notice and must designate sanitary responsibility if they wish to register their software as a medical device; conversely, companies that keep their software outside of the definition of a medical device have to be careful with regard to the intended uses and claims of the product to avoid any sanctions from Cofepris. 

Mexico has seen rapid expansion in the use of telehealth. Telemedicine has made possible the creation of “virtual hospitals”, which are places where patients may get medical treatment online by using numerous forms of communication technology and information systems. These virtual hospitals have made it possible for patients located in remote regions to get specialist medical treatment, by providing access to medical professionals.

The advent of telehealth has made it possible to provide medical care to patients who are located at a distance from the provider. This has proved to be particularly helpful in circumstances that make it difficult or expensive to physically attend to the patient. Telehealth allows medical experts to make diagnoses, monitor patients, provide medical advice and issue prescriptions without the need for patients to physically attend the clinic.

Patients can now get their first medical treatment in a more expeditious manner thanks to the advent of telehealth, which has made it possible to utilise virtual consultations as a gateway to medical care. Patients may have remote medical consultations with healthcare experts, without having to travel to a clinic, by using communication software or video-conferencing technology. This has been shown to be particularly helpful in situations involving regular consultations, follow-up consultations with patients with chronic diseases, and early medical assistance.

Regarding cross-border telehealth, it is worth considering the requirements of having a professional licence to practise medicine in different jurisdictions. Patients from various states, provinces or even countries can receive medical assistance through telehealth. However, compliance with the specific regulations and legal requirements of each jurisdiction is required. This includes procuring the essential licences and authorisations to practise medicine in the location where the patient resides, as well as complying with the privacy and data protection laws in each jurisdiction.

During the COVID-19 pandemic, the federal government declared a state of emergency, which implied that the government was allowed to purchase any health device or any other material that could help in the pandemic without the need to follow the procurement process; several emergency authorisations for vaccines and medicines were granted. Furthermore, the importation of health devices without marketing authorisation was allowed in order to face the COVID-19 emergency. 

Online platforms are regulated in a general manner; there are no specific provisions with regard to digital medicine or digital health.

Public Health Sector

Reimbursement is not managed in the same way in Mexico as it is in Europe or other countries. In Mexico, with respect to patients affiliated to social security, health services, including medicines and some medical devices, are prepaid through social security contributions made by workers and employers on a monthly basis (such mechanism is similar to an insurance scheme, but managed by the government either through IMSS or ISSSTE – the national health system for government employees). For patients without social security, the health services, including medicines and medical devices, are free but limited to those treatments and medicines defined by the government (such services are funded by the government and the states through public budgetary resources). 

Despite the above, public health institutions have several digital health and digital medicines programmes for their patients.

Private Health Sector

In the private sector, the reimbursement from the insurance company will depend on the terms and conditions of the applicable patient’s insurance policy. Therefore, there is no general rule.

The main regulatory issue regarding the internet of medical things is that, at this time, there are no specific provisions that apply to goods or services that are digitally delivered in the health sector (including digital assistants and the internet of medical things). However, indirect regulation applies in general terms to the digital technologies applied to health-related matters. 

If a product (eg, hospital beds, wearables, implantables, etc) will help in medical care for the purpose of diagnosing, preventing, treating, rehabilitating or following up on pathologies, as well as for caring for and promoting health, it will be considered a health device and applicable provisions must be met in this regard (eg, having an operation notice, and securing marketing authorisation and importation permits, among others).

In general terms, 5G networks can provide additional benefits to telehealth, the IoT and medical treatments, such as faster data transfer rates both up/downstream and less latency, providing a more responsive user experience. Greater connectivity, allowing multiple devices to be linked simultaneously while increasing device support capacity, ensures less congestion across the network, resulting in far greater reliability/stability of the connection itself. 

However, the 5G network implies a relevant investment in infrastructure (mainly hardware) to obtain the benefits of the network. Additionally, the gap between urban and rural areas could increase considerably. The Mexican health system infrastructure is obsolete; therefore, it is likely that the medical devices that are currently in use may not support the 5G network. Moreover, for digital medicine, it is necessary that both patients and healthcare providers use the same network, otherwise the speed of transmission will be driven by the slower of the two networks.

Contracts between health institutions and 5G providers should clearly define expected parameters around performance, availability, quality of service covering all backup solutions, redundancy and robust measures regarding security; mainly with respect to patient confidentiality.

According to the Federal Law for the Protection of Personal Data Held by Private Parties, the level of protection afforded to health-related data in Mexico is greater than that given to any other type of personal data; this is because health-related data is considered sensitive personal data, which means that misuse of the information could result in discrimination or constitute a severe threat to the data proprietor. As a general rule, all processing of personal information requires the owner’s written consent.

In addition, databases containing sensitive personal data can only be kept when their legitimate and specific purposes are justified by the responsible party, consistent with the latter’s activities or purposes, and reasonable efforts must be made to limit the processing period to the bare minimum. However, anonymised health data is excluded from the scope of data protection laws, as such data cannot lead to the identification of individuals.

Violation of Data Protection Laws

Depending on the nature of the data, the intentionality of the action or omission constituting the violation, and the financial standing of the data controller, a violation of data protection laws can result in significant fines. In addition, violations of regulations pertaining to sensitive personal data (eg, health data) may result in sanctions and penalties. When attributable to the data controller, breaching the security of databases, premises, computer programs and equipment is considered a criminal offence punishable by up to three to five years in prison, or twice as long if the breach involves unlawful treatment of sensitive personal data.

Regulation of the Collection and Use of Health Data

From the regulatory point of view, the collection and use of health data are highly regulated, for instance, patients must grant their consent for their health data to be collected, and informed consent must express the use of the data. Informed consent must comply with specific requirements that are set down in the regulation of clinical trials. Moreover, the information on the health records belongs to the patient, and access to it is restricted to their healthcare provider. 

Wearables and other devices, that collect personal health information but are not considered medical devices, do not have to comply with the health regulation for data collection, since the goal of collecting that information is out of the scope of the health law. Nevertheless, they have to comply with data privacy regulations and, therefore, a privacy notice must be in place for users to accept the collection and use of their data.   

It is strongly suggested that any processing of raw health data be preceded by a privacy notice in Spanish that complies with data protection laws and describes the purpose of the processing in detail; this can be reviewed by INAI. As the health authority has powers to review the collection of health data, it is important to obtain informed consent for the collection of health data for medical purposes. 

However, since anonymised data cannot identify a subject, it does not fall within the range of data protection laws. Hence, its use, disclosure and all other relevant activities related thereto comprise a business decision.

Despite the overlap of these regulations, they are aligned in the sense that personal health data is relevant for the patient/owner, and therefore higher restrictions must be in place to guarantee the proper treatment of the data. Nevertheless, it is important to comply with both regulations.

AI used within the healthcare sector should always be augmented intelligence, since human knowledge and decisions will always prevail. However, AI is a very effective tool for healthcare professionals to use to obtain information related to diseases and their treatment, or even to use to manage clinical records (as long as the personal information is shared in compliance with the applicable legal provisions).

One of the most relevant risks of electronic medical records is that they may be subject to misuse of personal sensitive data or cybersecurity attacks. 

In Mexico, regulation has still not defined the optimal standard for securing businesses against cyber-threats. As part of an overarching legal framework for safeguarding individual data protection concerns, those serving as controllers or processors must develop a reasonable network defence and must routinely perform vulnerability assessments regarding technical infrastructure.

Currently, some initiatives are being discussed in the Mexican Congress regarding AI, such as the draft of the Law for the Ethical Regulation of Artificial Intelligence and Robotics (Ley para la Regulación Ética de la Inteligencia Artificial y la Robótica) which was introduced for discussion in congress in May 2023, and the draft of the amendment to the General Health Law to ensure data protection in AI systems in healthcare, which was introduced for discussion in congress in July 2023. However, as this is a complex (and somewhat unexplored) topic and Mexican representatives tend to be extremely cautious and risk-averse when discussing and analysing such projects, this has resulted in the country lacking, to date, appropriate regulation around AI.

As digital healthcare technologies are still not regulated under the Mexican legal framework, healthcare companies using digital health technologies are currently facing the same issues as non-healthcare companies (which mainly relate to compliance with the provisions provided in the personal data protection laws and in the consumer protection law).

Telehealth

In order for telemedicine to be implemented within a healthcare institution, a platform allowing doctors and patients to communicate with each another in real time through digital channels is required. To do this, secure systems for video-conferencing, data transfer and the maintenance of electronic medical records need to be developed. In addition, in order for there to be equal access to telemedicine services throughout Mexican territory, there must be a consistent, high-speed connection across the country. This is particularly important in the more rural regions.

Machine Learning

To harness the potential of machine learning in the healthcare industry, information technology systems that can gather, store, and evaluate enormous amounts of clinical data are required. This implies having cloud storage infrastructures and scalable database systems, in addition to the development of machine learning algorithms that are appropriate for the analysis of clinical data. In addition, stringent security and privacy precautions need to be taken in order to comply with the applicable provisions of data protection laws.

The IoT

To integrate the IoT, an IT infrastructure is required that can enable the connection and interchange of data between medical and computer systems, operated by networks that are both trustworthy and safe. Interoperability standards need to be developed, making it possible for devices to be seamlessly integrated into healthcare settings. In addition, security and privacy standards need to be devised to safeguard the information that is produced and to ensure compliance with data protection laws.

Data Transmission

Together with the IT infrastructure referred to in the first paragraph, increasing the reach of broadband internet and embracing new technologies like fibre optics will allow safer and more dependable data transmission, with additional security measures in place, such as data encryption and authentication. 

There have not been any proposed regulations in addition to those that are already in force; therefore, in terms of data protection laws, data controllers are responsible for conforming to legal principles and obligations, such as implementing appropriate security measures to protect data from loss, theft and unauthorised use or access.

In Mexico it is possible to obtain patent protection for an invention, regardless of the field of technology, if it complies with the following: 

• it is novel; 
• it is the consequence of inventive activity; and
• it could be the subject of industrial application.

Databases, algorithms, software and any technology reflected in writing are not patentable in Mexico. Nevertheless, the Federal Copyright Law provides protection for databases, algorithms, software and any technology reflected in writing, which basically states that copyright protection begins once the work is fixed on a material platform (regardless of its merit, purpose or mode of expression). However, in order to exercise a copyright action before a third party, the work must be registered before the National Institute of Copyright.

A trade secret is information about an industrial or commercial application that the person exercising legal control keeps confidential, which means obtaining or maintaining a competitive or economic advantage over third parties in the performance of economic activities, and for which, adopted means or systems to preserve its confidentiality and restricted access exist.

The type of protection, whether it is a patent, copyright or trade secret, will depend on the invention per se and a case-by-case analysis. 

Regarding the possibility to protect an invention or copyright that has been created by AI, machine learning, or any other type of software, in Mexico this is not possible because the Federal Law for the Protection of Intellectual Property and the Federal Copyright Law establish that the inventor or the creator must be a human being. 

As referred to above, algorithms, databases, software (except those classified as medical devices) and any written technology will be considered a work and will be subject to copyright protection. These works do not require to be registered before the National Institute of Copyright, as the protection commences when the work is fixed on a material platform (regardless of its merit, purpose or mode of expression). 

However, to exercise a copyright before a third party, registration with the copyright authority is recommended, as this will mean that the right is duly recognised. 

Licensing intellectual property rights always requires extra caution and a written agreement plays an essential role in establishing the scope and time of the licence, exclusivity if any, territorial delineation, the obligations and rights of each party, the royalties or compensation that the licensee shall pay to the licensor, and whether the licence will be registered. 

A relevant clause in all licensing agreements is the prosecution of potential infringements, including which party will be responsible for making the decision to initiate the action, and what will happen if the party responsible for making that decision refuses to act and there are material or economic damages to the other party. 

Furthermore, it is relevant to include a transitional period at the beginning and the end of the agreement to continue the commercialisation of the product. It is also important to establish which party will be responsible for obtaining the marketing authorisations from the authorities, if any, and what will happen with those marketing authorisations at the end of the licensing agreement – ie, if they are going to be assigned or not, who will pay for the assignment, and the obligation to collaborate in the assignment of rights. 

The authorship of inventors and authors must be recognised as such in the patent or copyrights registration, regardless of the agreement with the university, inventor or healthcare institution. 

If the inventor/author is an employee of a university or healthcare institution, then the Federal Labour Law applies, which states that employees will be the author of inventions made for their employer, but the employer retains ownership of the inventions and the right to exploit the patents or copyrights. 

However, if the inventor/author is not an employee, but rather an independent service provider, the terms of the intellectual property rights will be those laid down in the service agreement, but the authorship of the invention/copyright must be assigned to a physical person. 

According to the New General Law on Humanities, Sciences, Technologies and Innovation (Ley General en Materia de Humanidades, Ciencias, Tecnologías e Innovación) enacted in May 2023, copyright and industrial property rights over works and inventions derived from processes of humanistic and scientific research, technological development and innovation financed with public resources, must benefit and be reserved for the welfare of the people of Mexico. The foregoing is in the terms of the applicable legislation and intellectual property of which the Mexican state is a part.

Any contractual arrangement superseding statutory rules will be considered null, therefore, it shall be aligned to provisions set forth under the applicable legal framework. It is important to note that the recognition of authorship is compulsory in Mexico, but exploitation and/or economic rights can be subject to contractual arrangements. 

There have been no cases in Mexican courts regarding decisions based on digital health technologies. However, based on the liability theories, healthcare professionals and software developers could be responsible for the following.

Civil Liability

Based on the fact that a healthcare professional is responsible for the decisions made regarding their patient, they could be liable for decisions made using AI, machine learning or software as a medical device. This would be regarded as an extra-contractual (tort) liability – ie, a malpractice case.

Product Liability

If a healthcare professional makes a decision based on using software as a medical device, however, the developer of the software could be liable if the malfunctioning of the software can be proved. This would be regarded as product liability.

Liability of Healthcare Professionals and Software Developers

Healthcare professionals and software developers can also be held liable for infringement of the General Health Law and its regulations. In this case, both parties could face administrative sanctions, such as fines; the healthcare professional could be disbarred; and the software developer could face the cancellation of its marketing authorisation including, among other things, product seizures, service bans and facility closures.

Third-party vendors’ products or services can be held legally responsible by extra-contractual liability (tort) or by contractual responsibility. 

In the case of tort responsibility, it is necessary to prove that the third party was negligent in the care of the product or rendering of the services, and to establish a link between the fault and the damage caused by that conduct. If the responsibility arises from contractual breach, it will depend on the terms of the contract entered into with the third party, in which the liability distribution should be detailed.