Until a few years ago, the clinical record was kept exclusively in physical format. With technological advances, however, various health institutions in Mexico have moved toward the electronic clinical record, adopting information and communication technologies (ICT) to facilitate the organization of clinical information and to provide health care of higher quality that is more focused on the patient. Although the electronic clinical record is presented as an invaluable instrument for advances in the health sector, it also raises new questions, not only from the medical but also from the legal point of view, concerning its ownership, access to the personal information it contains, and the protection of sensitive patient data. The situation is sometimes complex because of the large amount of information the sector generates and the different hypotheses regarding its access and protection.

Introduction: In this article, after referring to the impact that ICTs have had in the field of health, we analyze the minimum content that the legislation on the subject provides for the correct integration of the clinical record. This leads us to pose the challenges that the transition toward the electronic clinical record in the public health sector generates for access to and protection of the patient's personal data, taking into account that any processing of personal data must be subject to the regime of principles, duties and rights in the matter of personal data protection, except in the cases provided for in the applicable laws.

Method: The method used is analytical: decomposition of the elements and observation of the causes, nature and effects of the implementation of the legal framework that regulates the electronic clinical record in Mexico.
In particular, the analysis takes as its points of reference the General Law of Protection of Personal Data in Possession of Obligatory Subjects (LGPDPPSO), which establishes the bases, principles and procedures to guarantee everyone's right to the protection of their personal data held by obligated subjects; and NOM-004-SSA3-2012, of the clinical record, which establishes the mandatory scientific, ethical, technological, and administrative criteria for the preparation, integration, use, management, filing, conservation, ownership, and confidentiality of the clinical record.

Results: The right of access to the clinical record is essential so that patients have the tools to decide in the most appropriate way about their health, but also so that the institutions that are part of the National Health System, as those responsible for the processing and protection of the patient's personal information, provide more appropriate and higher-quality medical care and prevent data from being dispersed. In this sense, the clinical record guarantees the exercise not only of patients' right to health, but also of the protection of their personal data processed by the medical and administrative personnel who work in a health institution. Its proper integration, in accordance with the legislation that regulates it and, in particular, with NOM-004-SSA3-2012, of the clinical record, therefore benefits both the patient and the service provider in any medical institution.

Discussion or Conclusion: The proactive action of the institutions that are part of the National Health System must contribute to providing certainty and security within a strict framework of data governance, in accordance with the following recommendations: a) Establish an adequate governance structure regarding the protection of personal data of patients.
This means assigning the areas and personnel responsible for the protection of patient information, and the responsibilities and procedures of each one; b) Maintain a database inventory that allows the personal data of patients to be classified by type, differentiating between personal data in general and data of a sensitive nature, and generating, where appropriate, dissociation procedures through which personal data cannot be associated with the data subject or allow, because of their structure, content or degree of disaggregation, the data subject's identification; c) Establish a personal data protection policy within health institutions, in accordance with the current and applicable legal framework for protection; d) Continuously train the staff of health institutions in data protection, with specific content for the medical and administrative staff involved; e) Implement technical, physical and administrative security measures to guarantee the confidentiality, integrity and availability of the patient's personal data; and f) Make privacy notices available to patients that are consistent with the data protection policy and the current and applicable legal framework. [ABSTRACT FROM AUTHOR]