Compliance Health

NOM-024-SSA3 and the Electronic Health Record: What Your CIO Needs to Know in 2026.

NOM-024-SSA3-2010 remains the “north star” for electronic health records in Mexico. But the EHR is no longer viewed as an internal project isolated from the HIS—it is part of a broader conversation about interoperability, retention, traceability, and privacy. What are the current requirements, what operational controls can a B2B document stack actually support, and what does integration with third parties entail?

Every so often, a technology provider emerges promising a “complete solution for NOM-024-SSA3.” The reality is more nuanced: no single B2B product—not even the most expensive HIS on the market or the most sophisticated ECM—can, on its own, cover all the components required by the standard. NOM-024 is a regulatory framework that spans multiple technical domains simultaneously. What does exist are layers that cover specific components, and a well-designed stack integrates several of them.

This post is not an exhaustive guide to the regulation. It is an honest analysis of which operational controls a B2B document stack (document management, intelligent capture, print management) can support without false claims —and where integration with an HIS, an authorized PSC, or the hospital’s own infrastructure is necessary.

What Is NOM-024-SSA3? (A Brief Overview)

NOM-024-SSA3-2010 — "Electronic Health Record Information Systems. Health Information Exchange"—is the official Mexican standard that regulates clinical information systems in the public and private health sectors. Its primary objective is to ensure the interoperability and integrity of the electronic health record (EHR) among different health care providers, hospital information systems (HIS), laboratories, pharmacies, and other components of the ecosystem.

The standard establishes requirements in several areas: record structure, unambiguous patient identification, clinical semantics (classifications, ICD codes), security (access control, integrity, confidentiality), interoperability (HL7 and CDA exchange formats), and retention and preservation. It covers both the system that generates the data and the system that receives and archives it.

NOM-024-SSA3 coexists with other standards and laws that a hospital’s CIO must coordinate: the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), NOM-035-SSA3 on ECE operating criteria, CONAMED guidelines, and—if the institution treats foreign patients or exchanges data with international systems—equivalencies with HIPAA, GDPR, or LGPD.

Components Required by NOM-024 for the ECE

Without claiming to be exhaustive, the seven sections required by the regulation for the electronic medical record are:

  1. Unambiguous patient identification. Each patient must have a unique institutional identifier, linked to their CURP when applicable, and traceable across care episodes and services.
  2. Documented clinical structure. Episodes, notes, orders, lab results, images, prescriptions—each with required metadata and controlled semantics.
  3. Record integrity. Mechanisms to ensure that written data is not silently altered. Versioning, audit trails, and timestamps for critical events.
  4. Granular access control. Each professional should only be able to view information permitted by their role and relationship with the patient. Access logs are retained.
  5. Confidentiality. Encryption in transit and at rest. Emergency procedures (break-the-glass) with auditable justification.
  6. Interoperability. The ability to exchange clinical information with other institutions in standardized formats (HL7 v2/v3, CDA).
  7. Retention. Medical records must be retained for the period specified by applicable law and made available upon authorized request.

Each block has its own level of complexity and its own "technical owner" within a hospital's architecture. None of them can be "bought in a single box."

What Does a B2B Document Stack Actually Support?

A document management stack like DOQSOFT’s (Docuo + Chronoscan + Gespage) does not replace the HIS. The HIS is the transactional clinical system—that’s where patient episodes, orders, and ICD codes reside—and it must remain so. What a document management stack provides is the layer surrounding the HIS: the digitization of legacy paper records, the repository for documents associated with the medical record that the HIS does not natively handle, and the protection of PHI that is physically printed.

Specifically:

Clinical Digitization Layer (Chronoscan)

Chronoscan enables the capture of legacy clinical documents using OCR + AI. Hospitals that have been dealing with decades of paper—medical records, nursing notes, test results—need to digitize this archive in order to integrate it into the ECE. Chronoscan processes documents without requiring specific templates, extracts metadata (page number, patient, date, document type), and delivers them indexed.

This partially covers Block 2 (documented clinical structure) for documents that already exist in paper form. It does not cover the native creation of clinical notes—that is handled by the HIS.

Document Repository Layer (Docuo)

Docuo is an ECM with granular RBAC, an immutable audit log, configurable retention, and AES-256 + TLS 1.3 encryption. It serves as a repository for documents associated with patient records that the HIS does not natively handle: signed consent forms, administrative forms, clinical attachments, admission and discharge documents, and copies of identification.

This partially covers blocks 4 (granular access control), 5 (confidentiality—encryption, tenant segregation), and 7 (configurable retention by document type). Block 3 (integrity) is supported via an immutable, versioned audit log.

IHP Security Layer on Paper (Gespage + Hardware)

Even though the ECE is electronic, every hospital continues to print PHI every day: progress notes, prescriptions, orders, and records for medical board meetings. Gespage with pull printing (prints are released only when the user authenticates at the device with an RFID badge), an identity watermark on each sheet, and automatic expiration of unreleased print jobs addresses the risk of paper left behind in trays—one of the most common sources of PHI leaks.

This partially addresses Block 5 (operational confidentiality) in the physical domain—a domain that many purely digital ECE projects overlook and where a significant portion of actual incidents occur.

Even though the ECE is electronic, every hospital continues to print PHI every day—and that is where a significant portion of actual incidents occur.

What is outside the scope of the stack and requires integration

There are components required by NOM-024 that a set of documents alone cannot provide. It is important to identify them so as to avoid false expectations:

  1. The clinical HIS (Hospital Information System). Creating notes, recording episodes, generating orders, managing electronic prescriptions—that’s all handled by the HIS. Docuo integrates with the HIS; it does not replace it.
  2. HL7/CDA Interoperability. The formal exchange of clinical information with other institutions requires HL7 v2/v3, CDA, or FHIR connectors. These can be integrated via middleware or interoperability engines—they are not native features of an ECM.
  3. Electronic signature with evidentiary value under NOM-151. When a clinical document requires a signature with a NOM-151-SCFI-2016 timestamp (for example, certain informed consent forms or discharge summaries), Docuo supports native eIDAS electronic signatures (valid in the EU and by reciprocity), but native NOM-151 requires integration with a Certification Service Provider authorized by the Ministry of Economy. We’re upfront about this: we don’t make claims we can’t back up.
  4. Epidemiological surveillance. Mandatory reporting to the federal or state Department of Health is handled through the HIS and SUIVE systems, not through a document repository.
  5. Reliable timestamp. In addition to Docuo’s audit log, certain critical events in the ECE may require a timestamp issued by a PSC. As with NOM-151, this is integrated externally.

A Practical Checklist for a Hospital CIO

If you are planning or auditing your institution’s compliance with NOM-024-SSA3, here are eight specific questions worth answering before the next audit:

  1. What percentage of your active patients' medical records are still on paper? If the answer is "we don't know exactly," that's the first sign that digitization is still needed.
  2. Does your HIS generate documents in the standardized formats that NOM-024 accepts for exchange? HL7 v2 minimum; v3/CDA for formal integration with other institutions.
  3. Is the audit log for your HIS and your document repository truly immutable, or can it be edited with elevated privileges? This is critical in the event of an audit.
  4. How many minutes does it take a licensed physician to find a specific legacy medical record from 5 years ago? If the answer is hours or days, you’ve already written part of the business case.
  5. What retention policy do you have in place for each type of clinical document? The retention period for a progress note is not the same as that for an informed consent form.
  6. Does your hospital print PHI on shared printers without pull printing? If so, you have a data leak risk that isn't addressed in the "digital ECE" narrative.
  7. Who can declare a "break-the-glass " situation, and what evidence is recorded? Emergency situations are where traceability is most critical.
  8. When was your last NOM-024 audit simulation? If the answer is "never" or "more than two years ago," you should schedule the next one on your calendar.

No single B2B product covers all the components required by NOM-024 on its own. What does exist are layers that cover specific components—and a well-designed stack integrates several of them.

Conclusion

NOM-024-SSA3 is not a checklist that is signed once. It is a framework that is integrated into the hospital’s daily operations and affects the HIS, the ECM, print management, interoperability middleware, and the audit room. A robust document management stack addresses specific components—clinical digitization with Chronoscan, a repository with Docuo, and physical PHI security with Gespage—without replacing the HIS or claiming to provide comprehensive coverage.

If you're evaluating vendors that promise "full NOM-024 compliance in a box," the right question to ask is : Which specific modules does your product cover, and which modules require integration with which system? The honest answer to that question distinguishes vendors who understand hospital compliance from those who just throw the term into their sales pitch.

At DOQSOFT, we work with hospitals and clinical networks in Mexico, the U.S., and Latin America. The Health page outlines specific use cases by type of institution, and the individual products—Docuo, Chronoscan, and Gespage—detail exactly what each one does without making generalizations about what they don’t do.