Electronic Patient Records and Certifications

Digital and technological transformation in the healthcare industry.

Patient data available in digital form anytime, anywhere – from a certified platform.

In the past three years, certain processes have been completely digitalized, such as patient onboarding, healthcare professional onboarding (HCP), identification and authentication of the citizen or patient to obtain an electronic ID.

The Federal Act on the Electronic Patient Record (EPRA) aims to strengthen the quality of medical treatment, improve treatment processes, increase patient safety and the efficiency of the healthcare system, and promote patients' health literacy. University hospitals, private hospitals, regional hospitals, rehabilitation clinics, psychiatric clinics, nursing and retirement homes, doctors' offices, laboratories and radiology departments, outpatient care and maternity clinics are obliged to join or establish a (parent) healthcare network.

The EPRA establishes the legal requirements under which the medical data contained in the electronic patient record can be processed.

Each (parent) healthcare network must guarantee the minimum technical and organizational requirements derived from this with its EPR software platform providers and have its affiliated healthcare facilities certified. KPMG certifies all parent healthcare networks and all healthcare facilities within Switzerland.

Matthias Bossardt

Partner, Head of Cyber & Digital Risk Consulting

KPMG Switzerland

Reto P. Grubenmann

Director, Head of Certification & Attestation

KPMG Switzerland

Stakeholder groups

Parent and community networks including EPR software platform providers

The chart shows that many parent and community networks (including EPR software platform providers) are part of the stakeholder groups. Along with the aforementioned medical service providers, administrative groups such as cantonal health departments, the FOPH and support companies, to name but a few, are also part of this.

Electronic Patient Dossier Stakeholder Groups

Risks in the area of e-patient records

  • Inadequate security measures for information and communication systems
  • Loss of sensitive patient data
  • Unauthorized access to data
  • Inadequate business processes or transactions, inadequate protection of processed information
  • Cyber attacks (unauthorized access to core systems)
  • Failure / inadequacy of management systems and structures
  • Software misconfigurations
  • Loss of particularly sensitive patient data
  • Data theft at hospitals and IT support companies

Our approach to certification audits

Conformity / gap assessment

Ahead of the certification audit, KPMG conducts a pre-audit assessment with selected audit objectives to help you prepare for certification and identify any gaps and risks.


Certification audit in accordance with EPRO (FDHA) TOZ Annex 2

KPMG audits the EPR against the minimum administrative and technical requirements (e.g. ToD, TOE). This audit results in EPRO certification by KPMG and an official "federal confirmation", as well as certification by the Federal Office of Public Health (FOPH).

Re-audits

Re-audits are carried out in Year 2 and Year 3 to maintain compliance with the requirements of the EPRO (FDHA) TOZ Annex 2.

Electronic Patient Dossier Approach Certification Body

Analysis of specialist topics

The chart illustrates the various specialist topics that are subject to analysis in a certification audit in accordance with the implementing provisions of the EPRO (FDHA) TOZ Annex 2.

The specialist topics can be divided into the following areas:

  • Organization, legislation, processes
  • IT, operation and maintenance
  • Software configuration
  • Security protection in the ICT server infrastructure

Electronic Patient Dossier Analysis Specialist Topics

Certification Bodies SCESm 0071 and SCESp 0127

EPRO (FDHA) TOZ Annex 2

Electronic patient records, technical and organizational certification requirements for parent / community networks.

EPRO (FDHA) IdP Annex 8

Establishment of Identity Providers (IdP) for healthcare professionals (HCP) and for patients, which issue the means of identification used in the field of electronic health records.

Meet customer requirements, comply with government regulations and standards, and protect your organization with our certification services.

Cyber & Digital Risk consulting

KPMG can rely on proven specialists who perform audits in ICT and software testing, engineering and compliance and have detailed knowledge of the specific requirements of the EPRA.

In addition, KPMG has a wealth of knowledge gained in various software engineering and healthcare projects.

Helping you respond fast and safeguard business continuity as you deliver value in our digital world.

Contact our experts for more information


Advising healthcare organizations

KPMG specializes in healthcare topics. Learn more about our services & read our latest publications.