Cybersecurity 2025

MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel

6.3 Cybersecurity in the Healthcare Sector Data protection legislation comes into play, given that sensitive personal data related to individu - als’ health is processed. Also, there are additional regulations contained in official standards, which are mandatory. In this case, a Mexican Official Standard called NOM-004-SSA3-2012 estab - lishes the criteria for the creation, management and conservation of medical records in Mexico. As mentioned in 1.2 Cybersecurity Laws , the primary objective of NOM-004-SSA3-2012 is to ensure the proper documentation, confidential - ity and accessibility of medical information while protecting patients’ rights and improving health - care quality, as follows. • Scope and application – NOM-004- SSA3-2012 applies to all healthcare facilities and professionals in public and private sec - tors. It covers medical records in hospitals, clinics, laboratories, and private practices. • Medical record content – medical records must include personal patient data, medical history, diagnoses, treatment plans, labo - ratory tests, and progress notes. Specific documentation is required for hospitalisation, surgeries, emergency care, and specialised treatments.

• Patient rights and confidentiality – medi - cal records are confidential and can only be accessed by authorised personnel or with patient consent, except in cases required by law. Patients have the right to access their records and request corrections. • Retention and storage – medical records must be kept for at least five years after the last patient interaction. Digital and physical records must follow security and data protec - tion protocols. • Legal and ethical responsibilities – health - care professionals are responsible for accu - rate, complete and timely documentation. Institutions must implement internal poli - cies to ensure compliance with NOM-004- SSA3-2012.

196 CHAMBERS.COM

Powered by