ISMS Copilot

ISMS Copilot for Swiss healthcare compliance

Revised FADP health-data duties, the EPDG electronic patient record regime, and ISO 27001 — without putting patient data in chats.

Read this first: ISMS Copilot is for documentation, not patient-data processing

ISMS Copilot does not sign an order-processing agreement for patient data and is not a processor (Auftragsbearbeiter) for besonders schützenswerte Personendaten; health data is sensitive under Art. 5(c) revFADP. Use it to draft your Art. 12 revFADP record of processing, your Art. 22 DPIA methodology, your EPDG-related security documentation and your staff training. Never paste actual patient data into chats: names, AHV numbers, dates of birth, diagnoses, treatment notes or patient-clinician conversations. Describe the process and the controls instead. If you need an AI assistant that processes patient data itself, you need a vendor bound by an order-processing agreement.


The Swiss health compliance stack

  • Treat health data correctly as sensitive personal data under Art. 5(c) revFADP
  • Identify when an Art. 22 revFADP data protection impact assessment is required
  • Work the FDPIC breach-notification duty under Art. 24 revFADP
  • Map EPDG / electronic patient record (EPD) certification and security requirements for affiliated providers
  • Use ISO 27001 as the implementation backbone for EPDG and FADP technical measures
  • Draft the Art. 12 revFADP record of processing activities for health processing

Built for Swiss health compliance leads

revFADP sensitive-data and Art. 22 DPIA walkthrough for health processing

FDPIC Art. 24 breach-notification workflow

EPDG / EPD obligation guidance for hospitals and affiliated outpatient providers

ISO 27001 Annex A control library mapped to EPDG technical and organisational requirements

Art. 12 revFADP record-of-processing templates — no patient data required

Cross-mapping revFADP, EPDG security duties and ISO 27001 into one control set

Swiss health data under the revised FADP + EPDG

Swiss health providers carry two national layers beyond ordinary data protection. First, the revised FADP (revFADP, SR 235.1, in force 1 September 2023): health data is besonders schützenswert under Art. 5(c), extensive processing of sensitive data is one of the explicit Art. 22 DPIA triggers, and a data security breach that is likely to result in a high risk to the data subjects must be notified to the FDPIC under Art. 24. Enforcement bites differently from the GDPR: Arts. 60-64 are criminal provisions, with fines of up to CHF 250,000 imposed on the responsible natural persons rather than administrative fines on the company. Second, the EPDG (Bundesgesetz über das elektronische Patientendossier): hospitals must join a certified EPD community, which brings specific certification, patient- and professional-identity and information-security requirements for the providers in scope. ISO 27001 is the practical backbone that makes the EPDG and FADP technical and organisational measures auditable. ISMS Copilot maps all three into one control set and keeps every analysis documentation-only.


Frequently Asked Questions

Is health data treated differently under the revised FADP?

Yes. Health data is besonders schützenswert (sensitive) under Art. 5(c) revFADP, which raises the bar for legal basis, data security and impact assessment. Extensive or otherwise high-risk health processing typically requires an Art. 22 DPIA, and qualifying breaches must be notified to the FDPIC under Art. 24. ISMS Copilot walks you through these duties; it supports your analysis and does not replace legal advice.

What does the EPDG add on top of the FADP?

The EPDG (electronic patient record act) requires hospitals to affiliate with a certified EPD community and meet specific certification, patient-identity and information-security requirements that go beyond the general FADP. ISMS Copilot helps you map those EPDG technical and organisational requirements onto an ISO 27001 control set so they are auditable.

Can we paste patient data into chats?

No. ISMS Copilot is not bound by an order-processing agreement for sensitive health data under the revFADP, so it must not receive any. Keep patient identifiers (names, AHV numbers, dates of birth), diagnoses and treatment notes out of chats. Describe processes and controls instead; that is what produces the Art. 12 record of processing, the Art. 22 DPIA and the EPDG security documentation you need.
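The "no patient data in chats" rule above (and in the notice at the top of the page) is only enforceable if something checks a prompt before it leaves your network. The following is an added example, not ISMS Copilot code, of one such pre-flight gate: it detects Swiss AHV numbers, which are 13 digits beginning with the country prefix 756 and ending in an EAN-13 check digit, validates the checksum so that unrelated 756-prefixed numbers do not trigger it, redacts every hit and refuses to forward a prompt that contains a checksum-valid number. The function and class names, the placeholder text and the sample prompts are all assumptions of this example; the AHV number used in the test is the publicly documented sample value, not a real person's.

```python
import re
from dataclasses import dataclass

# Swiss AHV/AVS numbers: 13 digits, prefix 756, written as 756.1234.5678.97.
# The pattern tolerates the usual dot or space grouping.
AHV_PATTERN = re.compile(r"\b756[.\s]?\d{4}[.\s]?\d{4}[.\s]?\d{2}\b")
REDACTION = "[AHV-REDACTED]"  # assumed placeholder text


@dataclass(frozen=True)
class Finding:
    raw: str          # text as it appeared in the prompt
    digits: str       # the 13 digits only
    checksum_ok: bool # True if the EAN-13 check digit is valid


def ahv_checksum_ok(digits: str) -> bool:
    """EAN-13 check used by the AHV number: weight the first 12 digits
    1,3,1,3,... from the left; the 13th digit must make the sum a multiple of 10."""
    if len(digits) != 13 or not digits.isdigit() or not digits.startswith("756"):
        return False
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def scan_for_ahv(text: str) -> list[Finding]:
    """Return every AHV-looking token in the text with its checksum verdict."""
    findings = []
    for m in AHV_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        findings.append(Finding(m.group(0), digits, ahv_checksum_ok(digits)))
    return findings


def gate_prompt(text: str) -> tuple[bool, str, list[Finding]]:
    """Pre-flight check before a prompt is sent to a documentation assistant.

    Returns (allowed, redacted_text, findings). Any AHV-looking token is
    redacted; a checksum-valid one additionally blocks the prompt, because
    a valid AHV number is a direct patient identifier under Art. 5(c) revFADP.
    """
    findings = scan_for_ahv(text)
    redacted = AHV_PATTERN.sub(REDACTION, text)
    allowed = not any(f.checksum_ok for f in findings)
    return allowed, redacted, findings


if __name__ == "__main__":
    # Constructed sample prompts: the first describes a process (fine), the
    # second is a pasted patient record (must be stopped).
    process_prompt = "Draft an Art. 12 record entry: triage nurses enter vitals in the EPD within 15 minutes."
    record_prompt = "Patient Muster, AHV 756.9217.0769.85, admitted with suspected pneumonia."
    for prompt in (process_prompt, record_prompt):
        allowed, redacted, findings = gate_prompt(prompt)
        print("ALLOWED " if allowed else "BLOCKED ", redacted, [f.checksum_ok for f in findings])
```

Wire `gate_prompt` in front of whatever sends text to the assistant (a browser extension, a proxy, or the chat client itself) and log the findings, not the raw text. The checksum test keeps the gate from firing on every 13-digit number that happens to start with 756, but a mistyped AHV number with a bad check digit is still redacted; extend `scan_for_ahv` with patterns for your own patient-ID format and for dates of birth in the same way.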

Ready to streamline your compliance work?

Built for speed, accuracy, and audit-ready output.