1 Digital Health and Health Care IT
1.1 What is the general definition of "digital health" in your jurisdiction?
Mexican legislation has not specifically defined "digital health". However, the Federal Commission for the Protection against Sanitary Risks (COFEPRIS) and other private and public entities are already addressing the matter in various aspects (i.e. regulation, guidelines, analysis, forums, and others).
1.2 What are the key emerging technologies in this area?
Many areas of health technology are rapidly developing in Mexico, such as: mobile apps; robots; 3D printing; telemedicine; machine learning; genome research; and drones and healthcare.
In relation to the above, most recent advances in digital health in Mexico have been mainly applied to three diseases: ischaemic heart disease, breast cancer and diabetes. For example, with advances in the genetic analysis of diabetes, Mexican doctors and scientists may be able to predict which students within a student population are likely to develop diabetes, and therefore intercept with preventative measures that will save many costs in the future.
1.3 What are the core legal issues in health care IT?
As a type of medical device aimed to be used by healthcare practitioners and patients, healthcare IT has safety, quality and effectiveness implications. This is currently regulated by COFEPRIS, which grants marketing authorisations to products that are safe and effective.
Data protection is another important issue in the field of healthcare IT. IT often involves the collection and/or transfer of data, and healthcare IT could involve the collection and transfer of sensitive data. The mechanisms of data protection in Mexico are discussed further below.
It is advisable that entities offering healthcare IT are aware of professional liability issues, and that they check whether their professional liability insurance covers things that go wrong when providing healthcare IT services, including providing services that require a medical licence or administering medical care.
2.1 What are the core health care regulatory schemes?
Although developing, the field of digital health is still relatively new in Mexico and its application in real-life settings is still limited. There are no specific healthcare regulatory schemes for digital health; the field is instead being covered by schemes which regulate medicinal products and medical devices, namely:
- the General Health Law (in Spanish, "Ley General de Salud");
- the Health Law Regulations over Healthcare Products (in Spanish, "Reglamento de Insumos para la Salud");
- Official Mexican Standards (NOMs), particularly the NOM-241-SSA1-2012 setting good manufacturing practices for medical devices and NOM-137-SSA1-2008 for the Labelling of Medical Devices;
- the Mexican Pharmacopoeia;
- COFEPRIS' Rules listing healthcare products that do not require a marketing authorisation due to low risks on human health (published in December 2014).
COFEPRIS may already be addressing the need for regulations for mobile medical applications, especially for those that present health risks.
2.2 What other regulatory schemes apply to digital health and health care IT?
Since digital health and healthcare IT implies health information management across computerised systems and the secure exchange of information between consumers, providers, payers and others, it is necessary to keep in mind the compliance with data protection laws in Mexico, as well as regulations dealing with e-commerce and electronic payments.
2.3 What regulatory schemes apply to consumer devices in particular?
Consumer devices require marketing authorisations from COFEPRIS in order to be marketed in Mexico. Marketing authorisation requirements, for medical devices in particular, depend on the level of risk involved in their use, according to a threefold classification system:
- Class I: products that are well-known in medical practice and for which safety and efficacy have been proven. They are not usually introduced into a patient's body.
- Class II: products that are well-known in medical practice but may have material or strength modifications. If introduced, they remain in a patient's body for less than 30 days.
- Class III: products either recently accepted in medical practice or that remain in a patient's body for more than 30 days.
The Mexican Pharmacopoeia provides manufacturers with specific rules and examples as guidance to classify medical devices.
Furthermore, COFEPRIS published a list of medical devices in 2014, which specifies which devices do not require regulatory approval in order to be marketed and sold in Mexico. Such products are usually those that are low risk to a patient's health.
In addition, since consumer devices are also collecting and transferring personal information to various parties, it is also necessary that they comply with data protection laws in Mexico, as well as with regulations dealing with e-commerce and electronic payments.
2.4 What are the principal regulatory authorities? What is the scope of their respective jurisdictions?
The Mexican authority responsible for enforcing the regulatory framework is COFEPRIS. COFEPRIS analyses all medical devices, and if applicable, software that enables them to work.
Additionally, the National Center of Health Technology Excellence was created in order to develop guidelines to evaluate health technologies and clinical practices and manage medical equipment and telemedicine.
The National Institute of Transparency, Access to Information and Personal Data Protection (INAI) is the authority responsible for overseeing the Law. Its main purpose is the disclosure of governmental activities, budgets and overall public information, as well as the protection of personal data and the individuals' right to privacy. The INAI has the authority to conduct investigations, review and sanction data protection controllers, and authorise, oversee and revoke certifying entities.
The Ministry of Economy is responsible for informing and educating about the obligations for the protection of personal data between national and international corporations with commercial activities in the Mexican territory. Among other responsibilities, it must issue the relevant guidelines for the content and scope of the Privacy Notice in cooperation with the INAI.
The Federal Consumer Office (PROFECO) monitors the compliance of the applicable provisions concerning information and advertising which could also be applicable to digital health. Additionally, PROFECO observes that "information or advertising of goods, products or services that are disseminated by any means or form must be truthful, verifiable, clear and free of texts, dialogues, sounds, images, trademarks, appellations of origin and other descriptions that lead or may lead to misleading, confusing, deceptive or abusive information".
2.5 What are the key areas of enforcement when it comes to digital health and health care IT?
COFEPRIS can initiate ex officio legal proceedings to sanction non-compliance. Ultimately, these legal proceedings can result in the revocation of the marketing authorisation. COFEPRIS is also entitled to implement measures on behalf of public health, such as the seizure of products and ordering partial or total suspension of activities, services or adverts. Under certain conditions, COFEPRIS has statutory authority to revoke any manufacturing approval or impose sanctions, ranging from a fine of up to 16,000 times the minimum wage to closure of the establishment.
The imposition of administrative sanctions does not exclude civil and criminal liability. Administrative infringements can incur penalties ranging from a fine of up to 20,000 times the minimum wage to final closure of the establishment. Repeated infringement is also considered to be a criminal offence.
COFEPRIS has broad jurisdiction to seize counterfeit or illegal devices. The General Health Law classifies the manufacturing and sale of counterfeit or falsified devices as a crime. In addition, COFEPRIS commonly enters into collaborative agreements with the PGR and the Customs Office in order to investigate and prevent counterfeit and illegal devices from entering the Mexican market.
In accordance to the Federal Law on Protection of Consumers, the Federal Consumer Office can monitor the compliance of the applicable provisions concerning information and advertising which could also be applicable to digital health. This Law provides that "information or advertising of goods, products or services that are disseminated by any means or form must be truthful, verifiable, clear and free of texts, dialogues, sounds, images, trademarks, appellations of origin and other descriptions that lead or may lead to misleading, confusing, deceptive or abusive information". In addition, the provider of goods and services is obliged to comply with the specifications of the goods or services offered.
Since all information dealing with consumer's health is deemed to be sensitive, affected consumers of digital health devices or services may request INAI to initiate an investigative process in case of a data breach, or in case of any other violation to the health information of a data subject. INAI, attending said complaint or ex officio may initiate the investigative process and if it considers that there was any data breach or any other violation to Mexican Data Protection Laws, it may impose administrative sanctions such as fines up to MXN$25,000,000 (approximately USD$1,400,000).
Additionally, there are two activities deemed as felonies related to the wrong use of PI, which are:
- When a data owner authorised to collect, store and use PI with the aim of profiting, causes a security breach in the database containing PI under its custody. This is sanctioned with imprisonment from three months and up to three years.
- To collect, use or store PI, with the aim of profiting, through error or deceit of the data subject, or error or deceit of the person who has to authorise the transfer. This is sanctioned with imprisonment from six months and up to five years.
2.6 What regulations apply to Software as a Medical Device and its approval for clinical use?
There are no specific regulations that apply to Software as a Medical Device and its approval for clinical use. As mentioned above, medical devices, a group under which digital technologies would currently fall, would require a marketing authorisation from COFEPRIS in order to be marketed and sold in Mexico.
So far, the regulations applicable to Software as a Medical Device are those mentioned in the answer to question 2.1. However, COFEPRIS may already be addressing the need for regulation of digital health technologies, especially for those that may present health risks.
To view the full aticle, please click here.
Originally Published by ICLG
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.