
IT for Swiss Medical Practices and Clinics: EPR, Data Protection and Secure Patient Data in 2026

In 2026, Swiss medical practices and clinics face clear legal obligations: EPR connection, revised data protection law compliance, and secure IT infrastructure. What this concretely means – and how small medical practices can implement requirements efficiently.

Elia Kuratli

Solution Engineer

5 min read

TL;DR: In 2026 the Electronic Patient Record (EPR) is a legal obligation for Swiss hospitals, nursing homes and birthing centres, and the obligation is being extended step by step to outpatient providers such as medical practices. At the same time, the revised Federal Data Protection Act (revFDPA) tightens the IT security and accountability requirements for anyone processing health data. This article shows what concretely needs to be done – from the technical infrastructure to choosing the right IT service provider.

What is the EPR – and who is affected by the connection requirement?

The Electronic Patient Record (EPR) is a legally anchored digital file in which patients can securely store their health data and share it with healthcare professionals. The legal basis is the Federal Act on the Electronic Patient Record (EPRA).

The connection requirement applies in Switzerland in a tiered manner:

  1. Inpatient facilities – hospitals have been required to connect since 2020, nursing homes and birthing centres since 2022
  2. Outpatient service providers (medical practices, pharmacies, home care services) – since 2022, newly licensed physicians must connect in order to bill under compulsory health insurance; the pending comprehensive revision of the EPRA is intended to extend the obligation to all outpatient providers, so existing practices should plan for connection by 2026
  3. Small practices and solo practices already licensed before 2022 – connection is still voluntary, but increasingly recommended for compliance and competitive reasons

ℹ️ The concrete implementation requirement for outpatient practices depends on cantonal regulations. Cantons such as Zurich, Bern and Geneva actively drive digitalisation and have launched their own support programmes.


What IT requirements does the EPR place on medical practices?

For compliant EPR connection, a medical practice needs more than just a software licence. The technical and organisational requirements are substantial:

Technical minimum requirements

  • EPR-compatible primary system (e.g. practice management software such as Auris, Tomedo or Axonlab solutions) – check with the vendor that the installed version is actually certified for the EPR interface, not just "EPR-ready" on the roadmap
  • Stable Internet connection with sufficient bandwidth (min. 50 Mbit/s recommended) and, ideally, a second line or mobile fallback so that record access does not depend on a single provider
  • A certified electronic identity for every healthcare professional who accesses the EPR, issued by a certified identity provider (e.g. HIN, SwissID); it provides the required two-factor authentication (2FA) – a password alone is not sufficient
  • Connection to a certified community organisation (e.g. Cara in Western Switzerland, eHealth Aargau); note that the EPR Playground is a test environment for integration testing, not a productive community
  • Encrypted data transmission according to the current state of the art (TLS 1.2 at minimum, TLS 1.3 preferred; older protocol versions disabled)

Organisational requirements

  • Training of staff in the use of the EPR
  • Documented access rights and role concepts
  • Update the privacy statement on the practice website
  • Notification obligation for data breaches in accordance with the revFDPA: a breach that is likely to result in a high risk to the affected persons must be reported to the FDPIC as soon as possible (the revFDPA sets no fixed 72-hour deadline; that figure comes from the EU GDPR), so the practice needs a documented incident process that can produce a report within days, not weeks

⚠️ If a medical practice processes personal health data and intentionally violates the revFDPA (for example by ignoring information, security or notification duties), the responsible individuals risk fines of up to CHF 250,000; in contrast to the GDPR, the revFDPA sanctions natural persons, so the practice owner is personally exposed. Data protection is not just a formality, but a matter of leadership responsibility.


How does the revFDPA protect patient data in practice?

The revised Federal Data Protection Act (revFDPA), in force since September 2023, has tightened requirements for all organisations – particularly for those processing especially sensitive data such as health information.

For health IT SMEs, this concretely means:

  • Privacy by design: IT systems must be designed in compliance with data protection, not merely adapted retrospectively
  • Records of processing activities: the revFDPA exempts companies with fewer than 250 employees only if they do not process sensitive personal data on a large scale; because every medical practice processes health data, it should maintain the records regardless of its size
  • Data processing agreements: Every cloud provider or IT service provider must be contractually obligated (Data Processing Agreement, DPA)
  • Data minimisation: Collect and store only necessary data

💡 Tip: Preferably choose IT service providers and cloud solutions with server location in Switzerland. This considerably simplifies compliance and builds trust with patients. Check the fine print, though: a Swiss data centre helps little if the provider's subcontractors or support staff abroad can access the data, so the DPA should name every subprocessor and state where administrative access comes from.


What does a compliant EPR IT infrastructure cost for a medical practice?

Costs vary depending on practice size, existing infrastructure and chosen provider. A rough guide:

| Component | One-time costs (CHF) | Annual costs (CHF) |
|---|---|---|
| EPR-compatible practice software (licence) | 1,500 – 5,000 | 800 – 2,500 |
| Connection to community organisation | 500 – 2,000 | 300 – 800 |
| IT security setup (firewall, VPN, 2FA) | 2,000 – 8,000 | 500 – 1,500 |
| Managed IT support / IT service provider | – | 3,000 – 12,000 |
| Data protection consulting / revFDPA audit | 1,500 – 4,000 | 500 – 1,500 |
| Total (estimate, solo practice) | 5,500 – 19,000 | 5,100 – 18,300 |

📊 According to an estimate by the Federal Office of Public Health (FOPH), over 1.5 million EPRs will be opened in Switzerland by the end of 2026. Practices that connect early benefit from efficiency gains and stronger patient trust.


What IT security measures are indispensable for medical practices in 2026?

Health data is among the most sensitive categories of personal data and a sought-after target for cybercriminals, because it cannot be "reset" like a password and lends itself to extortion. The number of ransomware attacks on healthcare facilities in Switzerland has risen since 2022.

IT security checklist for medical practices

  • Current endpoint protection on all devices (including tablets and reception computers), with alerts going to someone who actually reads them
  • Regular, automated backups – separated from the main network (3-2-1 backup rule), with at least one offline or immutable copy that ransomware on the practice network cannot reach, and a restore test at least once a year
  • Segmented WLAN – strictly separate guest WLAN and patient devices from the practice network; medical devices that cannot be patched belong in their own segment
  • Patch management – consistently keep operating systems, practice software, browsers and network devices (firewall, router) up to date
  • Staff training on phishing and social engineering (at least 1× per year), since most ransomware incidents start with a clicked attachment or a stolen password
  • Emergency plan (Business Continuity Plan) in case of cyberattack: how are patients treated and contacted when the practice software is unavailable, who is called, and where are the backups and their passwords kept

⚠️ Windows 10 reached end of support on 14 October 2025; without Microsoft's paid Extended Security Updates, such systems receive no more security patches. Anyone still working on end-of-life systems in 2026 actively endangers practice operations and violates the data protection due diligence obligations of the revFDPA.


How do you find the right IT service provider for a medical practice in Switzerland?

Not every IT provider knows the specific requirements of the Swiss healthcare system. When selecting, look for the following criteria:

  1. Experience in the healthcare sector – references from other medical practices or clinics
  2. Knowledge of EPRA and revFDPA – the provider must be able to actively support the legal framework
  3. Local presence – short response times for on-site support are crucial in daily practice
  4. ISO 27001 certification or comparable evidence of information security
  5. Clear Data Processing Agreement (DPA) – without it, no data transfer to third parties

💡 On it-provider.ch you will find a curated selection of certified IT service providers in your region – filtered by sector experience, canton and service area. Ideal for medical practices looking to quickly find the right partner.


Frequently Asked Questions

Is the EPR mandatory for all Swiss medical practices in 2026?

Not yet for all. The connection requirement applies to inpatient facilities and, since 2022, to newly licensed outpatient physicians; for practices licensed earlier, the extension is under way and several cantons actively communicate incentives and deadlines. Voluntary early connection is recommended for compliance and competitive reasons.

What happens if there is a data breach in a medical practice?

Under the revFDPA, a breach that is likely to result in a high risk to the affected persons must be reported to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible; the law sets no fixed 72-hour deadline (that is a GDPR rule), but waiting weeks is not defensible. Affected patients must be informed if this is necessary for their protection or if the FDPIC requests it. For intentional violations, the responsible individuals face fines of up to CHF 250,000.

Can a medical practice store patient data in the cloud?

Yes, under certain conditions. The cloud provider must be contractually obligated (Data Processing Agreement, DPA) to ensure appropriate data protection; the server location should preferably be in Switzerland or in a country the Federal Council recognises as providing adequate protection (such as the EU/EEA states), and for any other country additional safeguards such as standard contractual clauses are required. Data must be encrypted during storage and transmission, and the practice should know who at the provider can access the keys and the running systems.

How long does it take to implement EPR connection?

Depending on the starting situation and IT service provider, complete connection takes between 4 and 12 weeks. This includes software configuration, connection to the community organisation, staff training and testing. Early planning is advisable.

Where can I find suitable IT service providers with experience in health IT?

On it-provider.ch, medical practices and clinics can specifically search for IT providers with health IT experience – including regional filtering, customer reviews and service profiles. This saves time in evaluation and increases accuracy when choosing a partner.
