Not legal advice. This guide is informative and does not constitute legal advice. Consult a licensed attorney in Mexico about your specific situation. (Esta guía es informativa y no constituye asesoría legal. Consulta a tu abogado.)
What is the LFPDPPP?
The Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) is Mexico's federal data protection law for the private sector — the law that governs how businesses and independent professionals, including psychologists and therapists, handle personal data. A brand-new version of the law was published in the Diario Oficial de la Federación on 20 March 2025, abrogating the previous LFPDPPP of 5 July 2010 (Cámara de Diputados, LFPDPPP, 2025; DOF, 20 March 2025). The new law entered into force on 21 March 2025, the day after publication.
If you trained or practiced in the United States, the mental model is simple: where a US therapist thinks "HIPAA," a therapist in Mexico should think "LFPDPPP" — but, as you'll see below, the Mexican law is broader in scope.
Who enforces it now that INAI is gone?
INAI — Mexico's former autonomous data protection authority — was eliminated following a constitutional amendment in November 2024. Under the new LFPDPPP, the enforcement authority for private-sector data protection is the Secretaría Anticorrupción y Buen Gobierno (Ministry of Anti-Corruption and Good Government): the law defines "Secretaría" as that ministry and empowers it to impose sanctions (Chambers, Data Protection & Privacy 2026: Mexico; DLA Piper, Data Protection Laws of the World: Mexico, 2026). If a patient ever files a data protection complaint about your practice, that ministry — not INAI — is where it goes.
Is patient health data "sensitive" under Mexican law?
Yes, expressly. Article 2, fraction VI of the new LFPDPPP lists "estado de salud presente o futuro" — present or future health status — among the categories of datos personales sensibles (sensitive personal data) (Cámara de Diputados, LFPDPPP, Art. 2, 2025). That covers the clinical information a therapist handles every day: diagnoses, session notes, treatment plans, anything describing a patient's mental health. Sensitive data gets the law's strictest treatment.
What consent do therapists need to process clinical data?
For sensitive personal data, the LFPDPPP requires the data subject's express written consent — given through a signature, electronic signature, or another authentication mechanism (Art. 8). The same article prohibits creating databases of sensitive data without a legitimate, concrete justification (Cámara de Diputados, LFPDPPP, Art. 8, 2025; corroborated by DLA Piper, 2026).
There are statutory exceptions (Arts. 9 and 36) — for example, Article 36, fraction II permits transfers of data without consent when necessary for medical prevention or diagnosis, the provision of health care, medical treatment, or the management of health services. But for the routine case — you, a private therapist, opening a clinical file on a new patient — the safe default is a signed consent form before the first session.
Do I need an aviso de privacidad (privacy notice)?
Yes. Every controller — and a therapist who keeps patient files is a controller — must make a privacy notice available to data subjects. Under Article 15, it must contain at minimum: your identity and address; the personal data you process; the purposes of processing (distinguishing those that require consent); the options for limiting use or disclosure; the mechanisms for exercising ARCO rights (access, rectification, cancellation, opposition); and the procedure for communicating changes to the notice. Article 16 allows the notice to be made available in printed, digital, visual, audio, or other formats (Cámara de Diputados, LFPDPPP, Arts. 15–16, 2025).
In practice: a one-page notice on your website or handed to patients at intake, plus a line in your booking flow, covers most solo practices. For an example of a working notice, see Wellbloom's own aviso de privacidad.
How is the LFPDPPP different from HIPAA?
The biggest difference is scope. HIPAA applies only to "covered entities" — health plans, health care clearinghouses, and health care providers (including psychologists), but providers only if they transmit health information electronically in connection with an HHS-standard transaction — and their "business associates"; an entity that does not meet those definitions does not have to comply with the HIPAA Rules (HHS.gov, Covered Entities and Business Associates). The LFPDPPP works the other way around: it covers essentially all private individuals and companies that process personal data, with only two narrow exceptions (credit-reporting companies governed by their own law, and people collecting or storing data exclusively for personal, non-commercial use — Art. 1). A therapist in private practice in Mexico is covered by the LFPDPPP regardless of whether they bill or transmit anything electronically (Cámara de Diputados, LFPDPPP, Arts. 1–2, 2025).
| | LFPDPPP (Mexico) | HIPAA (United States) |
|---|---|---|
| Who must comply | Essentially all private parties processing personal data, with two narrow exceptions (Art. 1) | Only covered entities (health plans, clearinghouses, providers transmitting HHS-standard electronic transactions) and their business associates |
| A solo therapist | Covered, regardless of billing or electronic transmission | A provider that never transmits HHS-standard electronic transactions may fall outside the HIPAA Rules |
| Vendor contracts | No BAA-named instrument; the statute itself regulates transfers and communications of data to third parties (e.g., Art. 36) | Written business associate agreement (BAA) required; business associates directly liable for certain provisions |
| Regulator | Secretaría Anticorrupción y Buen Gobierno (INAI was dissolved) | U.S. Department of Health and Human Services (HIPAA Rules) |
On vendors: under HIPAA, a covered entity that engages a business associate must have a written business associate contract establishing what the business associate may do and requiring it to comply with the HIPAA Rules (HHS.gov). The LFPDPPP has no instrument called a "BAA." Instead, the law itself governs when personal data may be transferred or communicated to third parties — with health-care-specific exceptions such as Article 36, fraction II noted above. So when you evaluate a Mexican software vendor, don't ask "will you sign a BAA?"; read their privacy notice and check what data they actually process.
What are the penalties for violating the LFPDPPP?
Fines are set in UMA (Unidad de Medida y Actualización), an inflation-indexed unit whose value changes every year. Under Article 59, violations are punishable with fines of 100 to 160,000 UMA for some infractions and 200 to 320,000 UMA for more serious ones, plus an additional 100 to 320,000 UMA for repeated violations — and sanctions can be increased up to twofold when sensitive data (like health data) is involved (Cámara de Diputados, LFPDPPP, Art. 59, 2025). At the UMA daily value current in mid-2026 (MXN 117.31 per DLA Piper, 2026), the 320,000 UMA cap works out to approximately MXN 37–40 million (Chambers, 2026) — before any doubling for sensitive data.
There are also criminal penalties: 3 months to 3 years of prison under Article 62 and 6 months to 5 years under Article 63 — and Article 64 doubles those penalties when sensitive personal data is involved (Cámara de Diputados, LFPDPPP, Arts. 62–64, 2025). For a mental-health professional, whose entire caseload is sensitive data, this is worth taking seriously.
Practical checklist: LFPDPPP basics for a therapy practice
- Publish an aviso de privacidad. Cover the Article 15 minimum content; make it available where you collect data — your website, your intake form, your booking flow (Arts. 15–16).
- Get express written consent before opening a clinical file. A signed form (paper or electronic signature) covering the sensitive data you'll process, before the first session (Art. 8).
- Don't hoard sensitive data. The law prohibits creating databases of sensitive data without a legitimate, concrete justification — collect only what your clinical work requires (Art. 8).
- Map your tools. Know exactly which systems hold clinical data (notes, diagnoses) versus mere contact and scheduling data, and read each vendor's privacy notice. Less clinical data in third-party tools means less exposure.
- Keep clinical records to standard. Record-keeping in Mexico is also shaped by health norms — see our guide to NOM-004 and NOM-024 for psychology practices (in Spanish).
- Know your regulator. Complaints and sanctions now run through the Secretaría Anticorrupción y Buen Gobierno, not INAI.
FAQ: HIPAA and Mexican data protection law
Does HIPAA apply to therapists practicing in Mexico?
No. HIPAA is a United States law that applies only to covered entities — health plans, health care clearinghouses, and providers that transmit health information electronically in connection with HHS-standard transactions — and their business associates. A therapist practicing privately in Mexico is instead covered by the LFPDPPP, Mexico's federal data protection law for private parties.
Is there a Mexican equivalent of a HIPAA business associate agreement (BAA)?
Not under that name. The LFPDPPP itself regulates how personal data may be transferred and communicated to third parties, and Article 36 includes specific exceptions — for example, transfers necessary for medical prevention or diagnosis, the provision of health care, medical treatment, or the management of health services do not require the patient's consent. Instead of expecting a BAA, review each vendor's privacy notice and what data it processes.
Who handles data protection complaints in Mexico now that INAI no longer exists?
The Secretaría Anticorrupción y Buen Gobierno (Ministry of Anti-Corruption and Good Government). The new LFPDPPP names that ministry as the enforcement authority for private-sector data protection and empowers it to impose sanctions.
Where does Wellbloom fit?
Wellbloom is a practice-management web app for independent therapists in Mexico: online scheduling with real-time availability, WhatsApp appointment confirmations (your patient confirms with one tap — Sí or No), WhatsApp reminders and rescheduling, payment tracking, session links for online sessions, and a patient list. It's bilingual (Spanish/English) and runs in the browser — nothing to install. Note that the WhatsApp messages your patients receive are in Spanish by default; if you see English-speaking and Spanish-speaking clients, see our page for bilingual therapists in Mexico.
Relevant to this guide: by design, Wellbloom stores your patients' contact and scheduling data — name, WhatsApp number, appointment dates and status, and whether a session is marked paid. It does not store session notes, diagnoses, or clinical records; your clinical file stays wherever you choose to keep it, under your own consent forms. You can read exactly what data Wellbloom processes, and for what purposes, in our aviso de privacidad. No tool makes you LFPDPPP-compliant by itself — but knowing precisely which data lives where is half the work.
Coming from a US-based platform? See our SimplePractice alternative for Mexico page.
Try Wellbloom for your practice in Mexico
$400 MXN/month flat, no commission. 2-week free trial, no credit card — and 3 months free when you sign up and book a short onboarding call. Questions? Read the FAQ.
This guide is informative and does not constitute legal or tax advice. Consult a licensed attorney or accountant in Mexico. Statutory references are to the LFPDPPP published in the DOF on 20 March 2025. Last updated: June 12, 2026.