NOM-024-SSA3-2012 · Self-Assessment

Is your Mexico operation already in violation of federal law?

Under Mexican federal law, any facility with 300+ employees must operate an in-house medical clinic — generating sensitive health data every day. This assessment reveals whether that data is being handled in compliance with NOM-024-SSA3-2012 and LFPDPPP.

12 questions · Yes / No · Based on official NOM-024 provisions · Results in under 5 minutes
How to answer: Base your answers on what you know about your Mexico operations specifically — not corporate-level policies. Each "No" represents a documented compliance gap under NOM-024-SSA3-2012 or LFPDPPP. This document is generated locally. No data is sent to any server. This assessment runs entirely in your browser.
01
Unalterable Records
NOM-024 §6.3.4 · §6.6.2 · §5.9
Are clinical records permanently protected against modification or deletion once they have been created?
02
Audit Log
NOM-024 §3.42 · §3.54 · §6.6.1
Does your system maintain a chronological log of every action performed on clinical records, identifying who made each change and when?
03
Role-Based Access Control
NOM-024 §6.6.4 · §3.18
Does your system restrict access to clinical information based on user roles, ensuring that each user — physician, nurse, or administrative staff — can only access what their responsibilities require?
04
Clinical Data Segregation
NOM-024 §6.6.4 · §3.18 · §5.3 · §3.16
Are technical controls in place to prevent HR personnel from accessing employees' clinical diagnoses, prescriptions, or individual medical records?
05
Information Security Management System (ISMS)
NOM-024 §6.6.1 · §3.46
Do you have a formal Information Security Management System (ISMS) with documented risk assessments, defined procedures, and assigned responsibilities for protecting employees' clinical data?
06
Encryption at Rest and in Transit
NOM-024 §3.12 · §6.6.5
Is employees' clinical data encrypted both at rest and in transit, so that it remains inaccessible to any unauthorized party?
07
Individual User Authentication
NOM-024 §6.6.3 · §3.36
Does each user access clinical records using unique, non-transferable credentials, with no shared accounts or open access permitted?
08
Non-Repudiation and Clinical Traceability
NOM-024 §6.6.2 · §3.54 · §3.45
Can you legally demonstrate, through an unalterable digital record, the identity of the medical professional who issued each prescription, diagnosis, or clinical authorization?
09
Record Availability and Retrievability
NOM-024 §5.6 · §3.17 · §3.31
Can your organization produce the complete clinical record of any current or former employee upon request by a regulatory authority?
10
Standardized Medical Coding
NOM-024 §6.4.2 · Appendix A
Does your organization record diagnoses and procedures using standardized medical coding systems, such as the International Classification of Diseases (ICD), rather than free text or proprietary internal codes?
11
Health Data Processing Consent
NOM-024 §6.6.6 · LFPDPPP
Do you have a formal, documented process for obtaining explicit employee consent prior to collecting or processing their health data?
12
Health Data Privacy Notice
NOM-024 §5.4 · §5.5 · LFPDPPP
Does your company's Privacy Notice in Mexico explicitly address the collection, storage, and intended purpose of employee health data?
Talk to a Specialist
Share your results and get a personalized compliance review from Sherpa's team.