1 Digital Health

1.1 What is the general definition of "digital health" in your jurisdiction?

Mexican legislation has not specifically defined "digital health". However, the Federal Commission for the Protection against Sanitary Risks (COFEPRIS) and other private and public entities are already addressing the matter in various aspects (i.e. regulation, guidelines, analysis, forums, etc.).

Nevertheless, a definition generally accepted in Mexico – although in constant evolution – is that digital health is a concept that incorporates Information and Communication Technologies, into sanitary assistance products, services and processes, as well as into organisations and institutions that may improve the health of individuals.

1.2 What are the key emerging digital health technologies in your jurisdiction?

Many areas of digital health technologies are rapidly developing in Mexico, such as: portable and ingestible devices; mobile health apps; artificial intelligence (AI); robot health carers; medicine applied robots; 3D organ printing; blockchain; telemedicine; machine learning; genome research; drones; augmented and virtual reality; and electronic records and big data, among others. As stated above, these technologies are in constant evolution.

In relation to the above, the most recent advances in digital health in Mexico have been mainly applied to three diseases: ischaemic heart disease; breast cancer; and diabetes. For example, with advances in the genetic analysis of diabetes, Mexican doctors and scientists may be able to predict which students within a student population are likely to develop diabetes, and therefore intercept with preventative measures that will save many costs in the future.

1.3 What are the core legal issues in digital health for your jurisdiction?

As a type of medical device aimed to be used by healthcare practitioners and patients, digital health has safety, quality and effectiveness implications. This is currently regulated by COFEPRIS, which grants marketing authorisations to products that are safe and effective.

Data protection is another important issue in the field of digital health. IT often involves the collection and/or transfer of data, and digital health could involve the collection and transfer of sensitive data. As a matter of fact, digital health is becoming more and more intrusive as it evolves, which is in itself a reason why the proper handling of personal information, especially the sensitive information, must be a core concern when dealing with new devices for digital health, thus having to bear in mind the concept of privacy by design. The mechanisms of data protection in Mexico are discussed further below.

It is advisable that entities offering digital health are aware of professional liability issues, and that they check whether their professional liability insurance covers events that may go wrong when providing digital health services, including providing services that require a medical licence or administering medical care.

1.4 What is the digital health market size for your jurisdiction?

The field of digital health is still relatively new in Mexico and its application in real life settings is still limited, however, it is rapidly growing, and the COVID-19 pandemic has certainly increased the rendering of remote health services, especially in the private sector. Additionally, due to the country size, Mexico is one of the most attractive markets in Latin America.

1.5 What are the five largest (by revenue) digital health companies in your jurisdiction?

The five largest digital health companies in Mexico are as follows:

  • Eva.
  • Zenda.
  • Yana.
  • Terapify.
  • Sofía.
  • Fundación Carlos Slim.

Please see the following for more information on the most prominent digital health companies in Mexico: https://wortev. capital/empresas-mexicanas-tecnologia-en-la-salud/.

2 Regulatory

2.1 What are the core healthcare regulatory schemes related to digital health in your jurisdiction?

Although developing, the field of digital health is still relatively new in Mexico and its application in real life settings is still limited. There are no specific healthcare regulatory schemes for digital health; the field is instead being covered by schemes which regulate medicinal products and medical devices, namely:

  • the General Health Law (in Spanish, "Ley General de Salud ");
  • the Health Law Regulations over Healthcare Products (in Spanish, "Reglamento de Insumos para la Salud ");
  • Official Mexican Standards (NOMs), particularly the NOM-241-SSA1-2012 setting good manufacturing practices for medical devices and NOM-137-SSA1-2008 for the Labelling of Medical Devices;
  • the Mexican Pharmacopoeia; and
  • COFEPRIS' Rules listing healthcare products that do not require a marketing authorisation due to low risks on human health (published in December 2014).

COFEPRIS may already be addressing the need for regulations for mobile medical applications, especially for those that present health risks.

2.2 What other core regulatory schemes (e.g., data privacy, anti-kickback, national security, etc.) apply to digital health in your jurisdiction?

Since digital health implies health information management across computerised systems and the secure exchange of information between consumers, providers, payers and other suppliers and vendors, it is necessary to keep in mind the compliance with data protection laws in Mexico, as well as regulations dealing with e-commerce and electronic payments.

2.3 What regulatory schemes apply to consumer healthcare devices or software in particular?

Consumer devices require marketing authorisations from COFEPRIS in order to be marketed in Mexico. Marketing authorisation requirements, for medical devices in particular, depend on the level of risk involved in their use, according to a threefold classification system:

  • Class I: products that are well known in medical practice and for which safety and efficacy have been proven. They are not usually introduced into a patient's body.
  • Class II: products that are well known in medical practice but may have material or strength modifications. If introduced, they remain in a patient's body for less than 30 days.
  • Class III: products either recently accepted in medical practice or that remain in a patient's body for more than 30 days.

The Mexican Pharmacopoeia provides manufacturers with specific rules and examples as guidance to classify medical devices.

Furthermore, COFEPRIS published a list of medical devices in 2014, which specifies which devices do not require regulatory approval in order to be marketed and sold in Mexico. Such products are usually those that are low risk to a patient's health.

In Mexico there is no specific regulation concerning the sanitary approval of algorithms, apps, software, etc. that could be used as healthcare tools. So far, in practice, COFEPRIS reviews these products on a case-by-case basis. In general, these digital products are not considered medical devices as in most cases they do not have direct contact with the human body.

In addition, since consumer devices or technologies are also collecting and transferring personal information to various parties, it is also necessary that they comply with data protection laws in Mexico, as well as with regulations dealing with e-commerce and electronic payments.

2.4 What are the principal regulatory authorities charged with enforcing the regulatory schemes? What is the scope of their respective jurisdictions?

The Mexican authority responsible for enforcing the regulatory framework is COFEPRIS. COFEPRIS analyses all medical devices, and if applicable, software that enables them to work.

Additionally, the National Center of Health Technology Excellence was created in order to develop guidelines to evaluate health technologies and clinical practices and manage medical equipment and telemedicine.

The National Institute of Transparency, Access to Information and Personal Data Protection (INAI) is the Data Privacy Authority (DPA) in Mexico. Its main purpose is the disclosure of governmental activities, budgets and overall public information, as well as the protection of personal data and the individuals' right to privacy. INAI has the authority to conduct investigations, review and sanction data protection controllers and processors, and authorise, oversee and revoke certifying entities

processors, and authorise, oversee and revoke certifying entities. The Ministry of Economy is responsible for informing and educating about the obligations for the protection of personal data between national and international corporations with commercial activities in the Mexican territory. Among other responsibilities, it must issue the relevant guidelines for the content and scope of the Privacy Notice in cooperation with the INAI.

The Federal Bureau for Consumer's Protection (PROFECO) monitors the compliance of the applicable provisions concerning information and advertising which could also be applicable to digital health. Additionally, PROFECO observes that "information or advertising of goods, products or services that are disseminated by any means or form must be truthful, verifiable, clear and free of texts, dialogues, sounds, images, trademarks, appellations of origin and other descriptions that lead or may lead to misleading, confusing, deceptive or abusive information".

At the beginning of 2021 PROFECO launched two initiatives in order to improve the self-regulation of e-commerce activities, which have boomed in Mexico as a consequence of the COVID-19 pandemic. The first one is the creation of a Code of Ethics for the regulation of e-commerce activities, and the second one if the grant of a digital trust seal, for those suppliers of online services who adhere to PROFECO's code of ethics, or who create a code of ethics that complies with PROFECO's guidelines, thus warranting a secure rendering of services for Mexican consumers.

2.5 What are the key areas of enforcement when it comes to digital health?

COFEPRIS can initiate ex officio legal proceedings to sanction non-compliance. Ultimately, these legal proceedings can result in the revocation of the marketing authorisation. COFEPRIS is also entitled to implement measures on behalf of public health, such as the seizure of products and ordering partial or total suspension of activities, services or adverts. Under certain conditions, COFEPRIS has statutory authority to revoke any manufacturing approval or impose sanctions, ranging from a fine of up to 16,000 times the minimum wage to closure of the establishment.

The imposition of administrative sanctions does not exclude civil and criminal liability. Administrative infringements can incur penalties ranging from a fine of up to 20,000 UMAS (Unit of Measure for Sanctions) to final closure of the establishment. Repeated infringement is also considered to be a criminal offence.

To read the full article click here

Originally Published by ICLG

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.