Contact us
cancel
Contact us
Previous search terms

    Electronic Patient Records and Certifications

    Digital and technological transformation in the healthcare industry.

    Patient data available in digital form anytime, anywhere – from a certified platform.

    In the past three years, certain processes have been completely digitalized, such as patient onboarding, healthcare professional onboarding (HCP), identification and authentication of the citizen or patient to obtain an electronic ID.

    The Federal Act on the Electronic Patient Record (EPRA) aims to strengthen the quality of medical treatment, improve treatment processes, increase patient safety and the efficiency of the healthcare system, and promote patients' health literacy. University hospitals, private hospitals, regional hospitals, rehabilitation clinics, psychiatric clinics, nursing and retirement homes, doctors' offices, laboratories and radiology departments, outpatient care and maternity clinics are obliged to join or establish a (parent) healthcare network.

    The EPRA establishes the legal requirements under which the medical data contained in the electronic patient record can be processed.

    Each (parent) healthcare network must guarantee the minimum technical and organizational requirements derived from this with its EPR software platform providers and have its affiliated healthcare facilities certified. KPMG certifies all parent healthcare networks and all healthcare facilities within Switzerland. 

    Matthias Bossardt
    Matthias Bossardt

    Partner, Head of Cyber & Digital Risk Consulting

    KPMG Switzerland

    Reto Grubenmann
    Reto Grubenmann

    Director, Head of Certification & Attestation

    KPMG Switzerland

    Stakeholder groups

    Parent and community networks including EPR software platform providers

    The chart shows that many parent and community networks (including EPR software platform providers) are part of the stakeholder groups. Along with the aforementioned medical service providers, administrative groups such as cantonal health departments, the FOPH and support companies, to name but a few, are also part of this.

    Electronic Patient Dossier Stakeholder Groups

    Risks in the area of e-patient records

    • Inadequate security measures for information and communication systems
    • Loss of sensitive patient data
    • Unauthorized access to data
    • Inadequate business processes or transactions, inadequate protection of processed information
    • Cyber attacks (unauthorized access to core systems)
    • Failure / inadequacy of management systems and structures
    • Software misconfigurations
    • Loss of particularly sensitive patient data
    • Data theft at hospitals and IT support companies

    Our approach to certification audits

    Conformity/ GAP assessment

    Ahead of the certification audit, KPMG conducts a pre-audit assessment with selected audit objectives to help you prepare for certification and identify any gaps and risks.

     

    Certification audit in accordance with EPRO (FDHA) TOZ Annex 2

    KPMG audits the EPR in accordance with the minimum administrative and technical requirements (e.g. ToD, TOE). This audit results in EPRO certification by KPMG and an official "federal confirmation" as well as certification by the Federal Office of Public Health (FOPH).

    Re-audits

    Re-audits are carried out in Year 2 and Year 3 to maintain compliance with the requirements of the EPRO (FDHA) TOZ Annex 2.

    Electronic Patient Dossier Approach Certification Body

    Analysis of specialist topics

    The chart illustrates the various specialist topics that are subject to analysis in a certification audit in accordance with the implementing provisions of the EPRO (FDHA) TOZ Annex 2.

    The specialist topics can be divided into the following areas:

    • Organization, legislation, processes
    • IT, operation and maintenance
    • Software configuration
    • Security protection in the ICT server infrastructure 
    Electronic Patient Dossier Analysis Specialist Topics

    Certification services

    EPRO (FDHA) TOZ Annex 2

    Electronic patient records, technical and organizational certification requirements for parent / community networks.

    EPRO (FDHA) IdP Annex 8
    Establishment of Identity Providers (IdP) for healthcare professionals (HCP) and for patients for the issuing of means of identification used in the field of electronic health records. 

    Meet customer requirements, ensure government regulations and standards, and protect your organization with our certification services.

    Read more
    EIDAS document signature certification

    Cyber & Digital Risk consulting

    KPMG can rely on proven specialists who perform audits in ICT and software testing, engineering and compliance and have detailed knowledge of the specific requirements of the EPRA.

    In addition, KPMG has a wealth of knowledge gained in various software engineering and healthcare projects.

    Helping you respond fast and safeguard business continuity as you deliver value in our digital world.

    Read more
    Cyber & digital risk consulting

    Contact our experts for more information

    Matthias Bossardt
    Matthias Bossardt

    Partner, Head of Cyber & Digital Risk Consulting

    KPMG Switzerland

    Reto Grubenmann
    Reto Grubenmann

    Director, Head of Certification & Attestation

    KPMG Switzerland

    Advising healthcare organizations

    KPMG specializes in healthcare topics. Learn more about our services & read our latest publications.
    Read more