E-mail

digitalkonform@krm.swiss


CertiHealth™

Certified digitization in the healthcare sector

“ENSURING TRUST IN DIGITAL HEALTH”

There is hardly an industry in which the digitalization of processes is more necessary than in the healthcare sector. The healthcare industry has hundreds of interfaces in its processes, thousands of media breaks and data transitions in a wide variety of forms. Even relatively simple digitization processes, such as paper scanning, can generate significant benefits.

With the move towards digitization and the change in working methods, patient dossiers, for example, are increasingly being digitized. What applies to the transfer of paper documents into electronic form also applies analogously to the recording of speech. File notes and medical notes can now be recorded, interpreted and digitized using specialized applications. Imaging procedures and video recordings must be cataloged and assigned.

Many of these processes are still in their infancy. However, information about patients and particularly sensitive patient data must be especially protected. Handling them is strictly regulated and requires increased controls. The new Data Protection Act, for example, requires a data protection impact assessment to be carried out BEFORE the planned solution is put into operation.

Many things can go wrong, from classic errors during data capture (duplicates, missing pages, incorrect recognition) to incorrect semantic interpretation of the captured data.

In order to ensure that the digitization processes correspond to the current state of the art and are handled properly, we have expanded our testing services to include the testing and certification of such processes and products.

You can find a short presentation in English here.

Case study 1:
Scanning a patient dossier

Most GPs still keep their dossiers in analog or at best hybrid form. It would make sense to digitize the existing files at the latest when handing over the practice. This procedure should be checked for compliance. In principle, the regularity checklist in accordance with the GeBüV is used here, supplemented with the specific requirements arising from data protection and the security requirements of the ePDG. However, as with all health data, it must also be semantically verified, i.e. it must be possible to structure and assign it correctly. This means that either an assignment is made via the semantic standard and/or a medical specialist also checks the content.

Case study 2:
Language transformation

One provider makes it possible to record conversations between doctor and patient using a cell phone. The app is also used to convert and interpret the spoken text. The result is used for documentation and is transferred in text form to the electronic patient record (ePD).

What are the challenges? Speech recognition algorithms normally use artificial intelligence methods. It is therefore important to determine which methods are used and how they are parameterized. In principle, the transformation must be traceable. This also means that the “Human in the Loop” (HITL) must be a mandatory control instance at least at the beginning of such a process. At the same time, it must be checked that only the really necessary data is recorded and stored. Such a procedure places high demands on the implementation as well as on the necessary control system.

Healthcare: Body of knowledge and test catalog

 

In Switzerland, there is still no digitization standard for the healthcare sector. CertiHealth™ therefore offers providers and users a reliable and solid standard for the compliance of digitization in the healthcare sector.

In Switzerland, the Business Records Ordinance is the basic standard for the digitization of data and for ensuring its integrity and security. The basic principles laid down therein can also be applied to health data without further ado. Consequently, the audit catalog is based on these principles. In addition, there are specific requirements that can be derived from national and international laws and standards. Interestingly, Switzerland has no legal requirements for these processes. For this reason, we have supplemented our best practice catalog with controls from these sources:

  • ePDG (Electronic Patient Record Act) and its ordinances (ePDV); the focus is on security requirements.
  • Data Protection Act (DSG), in particular the provisions on privacy by design and privacy by default; data protection impact assessment
  • Medical Device Regulation (MepV) and EU standards[1]
  • EU AI Act, in particular for the use of procedures with AI support
  • TR Resiscan (BSI, DE)
  • Semantics (optional): Consideration of ePD standards such as SNOMED CT (optional) or patient-focused procedures such as COBEDIAS®

 

[1] We do not test the medical devices themselves, but their use in a digitalization process, if applicable

INFO

Questions & Answers

How does an audit of health data differ from a traditional audit?

We are dealing with health data. This means that they are considered particularly worthy of protection not only in terms of data protection, but in general. As a result, the requirements for the control systems are generally much higher than would be the case with normal scanning of accounting documents, for example. This has an impact on the design of our body of knowledge, i.e. the applicable audit catalog.

Does krm also test medical devices?

The testing of medical devices used is not part of our process, as their approval is regulated on a country-specific basis and has different life cycles than the process in which they are used. If necessary, we check whether the necessary test certificates are available for the products used. In doing so, we comply with the requirements of Swissmedic.

How do we proceed?

The test procedure is identical to the procedures we have been using for years. You can find a detailed description of the principles and procedure here.

What do you get from us?

Once the certification process has been successfully completed, you will receive a comprehensive report for internal purposes or for submission to third parties. We will also issue a test certificate with an individual seal and a test number, which you can use to promote your product. We also recommend that you publish the application criteria/configuration of the solution publicly.

You have obtained the certification, and now what?

You can advertise the audited process with the seal we have provided. A follow-up audit is always carried out if the procedure changes significantly or if you have to or want to comply with new requirements. We would like to point out that it is your responsibility to report any changes and to initiate the review as early as possible. In the event of significant procedural changes or the replacement of entire technologies, a new audit is mandatory.

You don't need a certificate?

Many users do not require a certificate, but a statement as to whether the planned process complies with the regulatory requirements. This is also possible. In this case, you decide autonomously on any new or subsequent tests.

BLOG

All about certification

Visita Treuhand AG successfully certified

At the beginning of October 2024, krm was able to successfully certify Visita Treuhand AG, Abacus Bronze Partner. Visita Treuhand AG has been supporting companies in the areas of financial and tax management as well as corporate management and monitoring for over 40...

CONTACT NOW

Call: +41 44 888 10 11

or by mail to digitalkonform@krm.swiss