
# Patient data and the revFADP: what every practice should know in 2026
Since September 2023, the revFADP (the revised Federal Act on Data Protection) more strictly governs the processing of personal data in Switzerland. For a practice, health data is among the most sensitive there is, and the responsibility on the practitioner is real. This guide goes over, without jargon, what the revFADP expects of your practice in concrete terms, what you risk in case of a breach, and the right questions to ask your providers.
## In short
- The practice is the data controller: it is the one that answers, even when the technical cause comes from a provider (the "processor").
- For health data, hosting in Switzerland (or failing that in the EU with safeguards) is the safest and easiest choice to defend.
- Medical confidentiality (art. 321 of the Swiss Criminal Code) adds to the revFADP and extends to your providers: it must be in the contract.
- The revFADP does not demand technical perfection, but proportionate measures, traceability and transparency.
- Remember one thing: you remain responsible for your patients' data, even when you delegate the technical side.
## 1. Data controller or processor: the key distinction
This is the most important point, and the most often misunderstood.
- The practice is the data controller. It decides why and how its patients' data is processed. The legal responsibility falls on it.
- The technical provider is a processor. The host, the software vendor or the website creator act on the practice's behalf, following its instructions.
The consequence is clear: in case of a problem, it is the practice that answers to the patient and to the authority, even when the technical cause comes from a provider. Hence the importance of binding that provider with a clear contract (often called a data processing agreement) that specifies where the data is, how it is secured, and what happens to it at the end of the contract.
## 2. What data are you actually processing?
People think "medical record", but the scope is broader. Here are the main categories a practice handles.
| Type of data | Examples | Sensitivity |
|---|---|---|
| Identity data | Name, address, date of birth, phone | Personal |
| Contact and appointments | Email, slots, visit history | Personal |
| Health data | Diagnoses, treatments, notes, documents | Sensitive (reinforced protection) |
| Administrative data | Insurance, billing | Personal to sensitive |
Health data benefits from reinforced protection under the revFADP. But even a simple appointment diary, which reveals that a given person is seeing a given specialist, is already data to protect seriously.
## 3. Where must the data be hosted?
The revFADP does not in itself forbid hosting abroad, but it requires an adequate level of protection and transparency. In practice, for health data, hosting in Switzerland (or failing that in the European Union with real safeguards) is the safest and easiest choice to defend.
True caution means avoiding solutions where the data ends up with a player subject to non-European data-access laws. For a practice, being able to say "my patients' data never leaves Switzerland" is not a marketing line: it is a solid position if questions arise.
## 4. Medical confidentiality adds to the revFADP
Data protection is not the only framework. Medical confidentiality (art. 321 of the Swiss Criminal Code) also applies. Anyone processing this data on the practice's behalf, including a technical provider, becomes an auxiliary bound by confidentiality. This must be set down in writing in the contract with the provider. A serious processor accepts it without difficulty.
Key point: the revFADP does not demand technical perfection. It demands proportionate measures, traceability and transparency. A practice that knows WHERE its data is, WHO accesses it, and that has backups is already well above average.
## 5. What a practice actually risks
In case of a breach (a stolen laptop, ransomware, a misconfiguration, an email sent to the wrong recipient), the practice has obligations. Beyond the possible penalty, the real risk lies elsewhere: patient trust and the breach of medical confidentiality. A health-data leak is not "fixed" like a blocked bank card. What is exposed stays exposed.
What to do if a breach happens? The right reflexes, in order:
- Contain: cut off access, change passwords, isolate what can be isolated.
- Assess: what data, how many people, what risk to them.
- Notify if necessary: depending on severity, inform the Federal Data Protection and Information Commissioner (FDPIC) as well as the people concerned.
- Document: keep a record of what happened and the measures taken.
Anticipating these steps calmly, before any incident, makes all the difference on the day it happens.
## 6. The right questions to ask your provider
You don't need to be a lawyer or an engineer. You just need to ask the right questions and listen for clear answers:
- Where is my patients' data hosted (country and region)?
- Who has access to it, and how is that access logged?
- Are there automatic backups, and are they regularly tested?
- Is the connection to my management area protected by two-step security?
- What happens to my data if I end the contract (return, deletion)?
- Is medical confidentiality (art. 321 of the Swiss Criminal Code) provided for in the contract?
A provider who answers these six questions clearly protects you. A provider who dodges or buries the answer in jargon should put you on alert.
## Frequently asked questions
### Does the revFADP also apply to a small practice?
Yes. The size of the practice changes nothing about the principle: as soon as you process patient data, you are responsible for protecting it. The measures expected are proportionate, but the obligation exists.
### Am I responsible even if my provider made the mistake?
Towards the patient and the authority, it is the practice that answers as the data controller. Hence the importance of choosing serious providers and binding them by contract. Between you and the provider, the contract can set out each party's responsibilities.
### Can my data be hosted abroad?
It is not forbidden, provided there is an adequate level of protection and transparency. But for health data, hosting in Switzerland remains the easiest choice to defend, and the most reassuring for your patients.
### Do I have to encrypt the data?
Encryption (in transit and at rest) is among the technical measures expected for sensitive data. Ask your provider how it protects the data, without needing to master every technical detail.
### What does "keeping a record of processing activities" mean?
It means documenting what data you process, why, where it is and who accesses it. For a practice, it can stay short and concrete, and it is an excellent way to see your own organisation clearly.
## The bottom line
The revFADP is not a trap, it is a framework. The practice that takes it seriously protects its patients and protects itself. If you remember only one thing: you remain responsible for your patients' data, even when you delegate the technical side. So choose providers able to answer, clearly and without evasion, the questions above.
## Sources
- Federal Data Protection and Information Commissioner (FDPIC) · supervisory authority for the revFADP.
- Federal Act on Data Protection (revFADP, RS 235.1) · official text, in force since 1 September 2023 (Fedlex).
- Swiss Criminal Code, art. 321 (professional confidentiality) · Fedlex.