Patient data available in digital form anytime, anywhere – from a certified platform.

In the past three years, certain processes have been completely digitalized, such as patient onboarding, healthcare professional onboarding (HCP), identification and authentication of the citizen or patient to obtain an electronic ID.

The Federal Act on the Electronic Patient Record (EPRA) aims to strengthen the quality of medical treatment, improve treatment processes, increase patient safety and the efficiency of the healthcare system, and promote patients' health literacy. University hospitals, private hospitals, regional hospitals, rehabilitation clinics, psychiatric clinics, nursing and retirement homes, doctors' offices, laboratories and radiology departments, outpatient care and maternity clinics are obliged to join or establish a (parent) healthcare network.

The EPRA establishes the legal requirements under which the medical data contained in the electronic patient record can be processed.

Each (parent) healthcare network must guarantee the minimum technical and organizational requirements derived from this with its EPR software platform providers and have its affiliated healthcare facilities certified. KPMG certifies all parent healthcare networks and all healthcare facilities within Switzerland. 

Stakeholder groups

Parent and community networks including EPR software platform providers

The chart shows that many parent and community networks (including EPR software platform providers) are part of the stakeholder groups. Along with the aforementioned medical service providers, administrative groups such as cantonal health departments, the FOPH and support companies, to name but a few, are also part of this.

Graphic: Stakeholder groups

Click on the image to enlarge it

Risks in the area of e-patient records

  • Inadequate security measures for information and communication systems
  • Loss of sensitive patient data
  • Unauthorized access to data
  • Inadequate business processes or transactions, inadequate protection of processed information
  • Cyber attacks (unauthorized access to core systems)
  • Failure / inadequacy of management systems and structures
  • Software misconfigurations
  • Loss of particularly sensitive patient data
  • Data theft at hospitals and IT support companies

Our approach to certification audits

Conformity/ GAP assessment

Ahead of the certification audit, KPMG conducts a pre-audit assessment with selected audit objectives to help you prepare for certification and identify any gaps and risks.


Certification audit in accordance with EPRO (FDHA) TOZ Annex 2

KPMG audits the EPR in accordance with the minimum administrative and technical requirements (e.g. ToD, TOE). This audit results in EPRO certification by KPMG and an official "federal confirmation" as well as certification by the Federal Office of Public Health (FOPH).


Re-audits are carried out in Year 2 and Year 3 to maintain compliance with the requirements of the EPRO (FDHA) TOZ Annex 2.

Graphic: Our approach to certification audits

Click on the image to enlarge it

Analysis of specialist topics

The chart illustrates the various specialist topics that are subject to analysis in a certification audit in accordance with the implementing provisions of the EPRO (FDHA) TOZ Annex 2.

The specialist topics can be divided into the following areas:

  • Organization, legislation, processes
  • IT, operation and maintenance
  • Software configuration
  • Security protection in the ICT server infrastructure 
Graphic: Analysis of specialist topics

Click on the image to enlarge it



Electronic patient records, technical and organizational certification requirements for parent / community networks.


EPRO (FDHA) IdP Annex 8

Establishment of Identity Providers (IdP) for healthcare professionals (HCP) and for patients for the issuing of means of identification used in the field of electronic health records. 


KPMG can rely on proven specialists who perform audits in ICT and software testing, engineering and compliance and have detailed knowledge of the specific requirements of the EPRA.

In addition, KPMG has a wealth of knowledge gained in various software engineering and healthcare projects.