Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Physicians may need to send health records internationally. Dr. Eduardo Garcia Luna Martinez lends his perspective on Mexico's privacy laws.
Healthcare is no longer local. With the number of Americans working and traveling overseas, especially to neighboring countries, physicians may have to send records or communicate internationally. Dr. Eduardo Garcia Luna Martinez, dean of the School of Health Sciences, Universidad de Monterrey, in Mexico, lends his perspective on Mexico's privacy laws and health information.
Rachel Rose: What are Mexico's laws that are analogous to HIPAA and the sensitivity of protected health information (PHI)?
Eduardo Garcia Luna Martinez: During 2010-2011, Mexico issued legislation to regulate the approach toward personal data by private companies and organizations. It resulted in the creation of the Federal Law for Protection of Personal Data in Possession of Individuals. It is based on the experience of the European and Asia Pacific Economic Cooperation Privacy models. It offers a proper balance between federal regulations and the self-regulatory scheme of the industry. Along with this law, the Mexican norm NOM-024-SSA3-2010 was entered in 2010. It established the technological standards on which the development of products related to electronic medical records should be based. Before 2010, the approach toward the personal data obtained in the healthcare sector was not regulated by specific rules; the exception was the management of the personal data included in clinical records (NOM-168-SSA1-1998). Patients now have four fundamental rights: access, rectification, cancellation, and opposition (ARCO).
RR: What measures are taken when U.S. hospital corporations have a facility in Mexico?
EGLM: Nowadays, corporate hospitals whose main offices are in the United States do have their own systems for medical records that are used in both countries. What these hospitals take into consideration is that these systems have to be both NOM-168 and HIPAA compliant, which pretty much have the same objectives, by safeguarding the private information for medical use. So, it's a big challenge for engineers to develop this type of platform [that is] compatible with both laws.
RR: Do you have any additional insights about the transmission of PHI across international boundaries?
EGLM: The big idea is that in the future, the medical records will be used transcontinentally, not just in both countries, but to provide a global coverage. Wherefore we should implement a more direct, cost-efficient and less time-consuming way of transmitting this information through the global health sector in order to make this easier for both the sender and receiver. Something more like a comprehensive global database of the health system, which you can access via phone or Internet. The best thing about this is most countries already have digital clinical records. We would only need to be able to link them with the other countries and vice versa by the same laws that already exist in HIPAA.