Electronic patient record (EPR)

Consultancy and support for certification in accordance with the relevant legal requirements (EPDG, EPDV, EPDV-EDI).

We know the tasks and requirements that the introduction of the EPR brings for (parent) communities, i.e. hospitals and nursing homes organised as a community. They want a specialist at their side and answers to the important questions about operational security, compliant hosting, documentation obligations, authentication, data protection and data security.

We support you in fulfilling the legal requirements for the mandatory certification, so that you are permitted to operate and offer the electronic patient record and patients can open a patient record with you.


Short explanation of the EPDG (Federal Act on the Electronic Patient Record)

The Federal Act on the Electronic Patient Record (EPDG) regulates the framework conditions for the introduction and dissemination of the electronic patient record (EPR) and came into force on 15 April 2017. All hospitals must be organised in accordance with the EPDG by 2020, and all nursing homes by 2022.

It regulates the prerequisites for processing the data of the electronic patient record and defines measures to support the introduction, dissemination and ongoing development of the electronic patient record.

The law describes and defines the EPR as an instrument intended to

  • strengthen the quality of medical treatment
  • improve treatment processes
  • increase patient safety
  • increase the efficiency of the health care system
  • promote the health literacy of patients

For this purpose, the EPDG regulates organisational, technical and security-relevant aspects:

  • the opening of an EPR
  • the access rights of health professionals
  • access to medical documents in medical emergency situations
  • the identification of patients and health professionals in the EPR
  • the establishment of so-called "communities" and "parent communities"
  • financial support from the federal government


According to Art. 10 EPDG, these are the tasks of the communities and parent communities:

Communities must ensure that:

  • data are made accessible via the electronic patient record;
  • every processing of data is logged.

Parent communities must in addition:

  • manage consents and revocations;
  • give patients the option to
    a. assign and adjust access rights for health professionals,
    b. access their data,
    c. enter their own data in the electronic patient record;
  • store the log data for ten years.


The role of the communities and the parent communities

In the following, we focus on the certification of communities and parent communities and show how Swiss Infosec AG can support and accompany these organisations on their way there.


Certification is mandatory, not an option

From the entry into force of the EPDG (15 April 2017), hospitals and nursing homes have three and five years respectively to join a certified community or a parent community.

In the meantime, it is becoming apparent that a corresponding ordinance could also make it compulsory for doctors' practices to join a parent community: according to a proposal submitted by the National Council's Committee for Social Security and Health in August 2018, joining a certified parent community would become a prerequisite for doctors to be admitted to practise under the basic insurance scheme.

Communities and parent communities are extensively audited and certified (Appendix 2 to the EPDV-EDI: Technical and organisational certification requirements for communities and parent communities) and thereby demonstrate that they meet the strict requirements of the EPDG, e.g. with regard to data protection and data security. Together they form the so-called "EPR trust space". Certified communities and parent communities are then re-audited on a regular basis.


The Federal Office of Public Health has summarised the most important information regarding the certification of communities and parent communities in a guide.


Certification: There is much to do

The requirements and tasks that the authorities set out for (parent) communities in laws and ordinances overlap in many respects with the requirements placed on organisations seeking ISO 27001 certification.

For example, you as a (parent) community need to

  • document the processes within your own organisation (including interfaces within and outside the organisation, documented with the corresponding agreements) and
  • provide the infrastructure required under the EPDG, EPDV and EPDV-EDI (e.g. access portals).

Chapter 3 of the Ordinance on the Electronic Patient Record (EPDV, SR 816.11) describes in detail the tasks and obligations of communities and parent communities. The following keywords indicate the focal points, i.e. the security topics with the most weight, that (parent) communities must address. The list is not exhaustive:

  • Object identifiers (OID) and management
  • Data storage and transmission
  • Confidentiality levels
  • Access rights, access portals
  • Data protection and data security
  • Patient information
  • Consent, revocation, deletion

Compliant data protection and effective data security: we have the recipe for it - and so do the professionals, by the way

Data protection and data security are of utmost importance in the highly sensitive health sector. This makes it all the more important for you as a (parent) community to know that you have a partner at your side who has made a name for itself in these disciplines: Swiss Infosec AG. We have the extensive experience and highly trained specialists that are essential for a trusting cooperation.

Swiss Infosec AG's certification support and advice: Prevention is better than cure

We, your certification specialists,

  • see ourselves as a coach and sparring partner who supports you in all technical, organisational and also legal matters related to the EPR and helps you move forward;
  • advise you on preparing for EPR certification;
  • carry out site assessments (health check, gap analysis);
  • develop guidelines (risk analysis, risk treatment plan, document control, instructions, e.g. for users and administrators, for classification, improvement process, security incident management);
  • train and sensitise your employees in the run-up to certification (e-learning, classroom training);
  • provide you with flexible and practice-oriented support during and, if desired, after certification.


Certification needs preparation and experienced specialists - just like an operation

The path to certification is paved with many challenges. The requirements are complex and numerous, as are the tasks and preparations. To ensure that the chosen path does not end in a dead end, it is advisable to have experienced certification specialists accompany and support you.


Reto Steinmann
Head of Consulting


