
Patient data protection: LPD/nLPD 2026 checklist

Published March 29, 2026 · 8 min read

The new Federal Act on Data Protection (nLPD, RS 235.1) came into force on September 1, 2023. For therapists, it considerably strengthens obligations regarding the processing of health data — data classified as «sensitive» by the law.

This guide offers you a clear and actionable checklist, adapted to the reality of a therapy practice in Switzerland.

What changed with the nLPD

Enhanced duty to inform (art. 19 nLPD)

You must proactively inform your patients about the collection and processing of their data. This information must be clear, understandable, and easily accessible.

Register of processing activities (art. 12 nLPD)

Any therapist regularly processing health data should maintain a register listing data categories, purposes, recipients, and security measures.

Breach notification (art. 24 nLPD)

In the event of a data security breach, you must notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible. If the risk to the affected patients is high, they must also be informed.

Criminal sanctions (art. 60-66 nLPD)

The nLPD provides for fines of up to CHF 250,000 for responsible individuals. Sanctions target individuals, not companies.

1. Information and consent

  • Draft a clear and accessible data protection statement
  • Inform each new patient about: data collected, purpose, retention period, their rights
  • Obtain explicit consent for the processing of health data
  • Keep proof of consent (signature, digital timestamp)
  • Provide a procedure for withdrawing consent

2. Data storage and security

  • Encrypt health data at rest (AES-256 recommended)
  • Encrypt communications (encrypted email or secure patient portal)
  • Host data in Switzerland or in a country recognized by the Federal Council
  • Use strong, unique passwords and enable two-factor authentication on every account that can reach patient data
  • Regularly back up data (encrypted backup, off-site)
  • Limit access to data to the strict minimum each person needs for their role (principle of minimization)
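The checklist item "encrypt health data at rest" is easy to state and easy to get wrong. The following Go program is an added example, not Therago's code and not code from the original page: it shows the per-file pattern the page describes (AES-256-GCM, one key per therapist) and why an authenticated mode matters. The patient file identifier is bound as additional authenticated data, so a ciphertext cannot be silently moved to another file, and any modification of the stored blob is rejected on decryption rather than returning corrupted notes. The key source, the file identifier format and the sample record are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes, i.e. AES-256.
const KeySize = 32

// NewTherapistKey returns a fresh random 256-bit key. In a real deployment the
// key would come from a KMS or be derived from the therapist's credential
// (an assumption of this example); it must never be stored next to the files.
func NewTherapistKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM instance and rejects keys of the wrong size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one patient record under the therapist's key.
// fileID is passed as additional authenticated data: it is not encrypted,
// but the GCM tag covers it, so a blob copied into another patient's file
// fails to decrypt. Output layout: nonce || ciphertext || 16-byte GCM tag.
func EncryptRecord(key []byte, fileID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per record; never reuse a nonce under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(fileID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to nonce, ciphertext or
// tag, or a mismatched fileID, makes the tag check fail and returns an error.
func DecryptRecord(key []byte, fileID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(fileID))
}

func main() {
	key, err := NewTherapistKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("patient-0001: session notes 2026-03-01 (constructed sample)")

	blob, err := EncryptRecord(key, "patient-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for a %d-byte record\n", len(blob), len(record))

	// Legitimate read by the same therapist.
	if pt, err := DecryptRecord(key, "patient-0001", blob); err == nil {
		fmt.Println("decrypted:", string(pt))
	}

	// A single flipped byte in storage is detected, not silently accepted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, "patient-0001", tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// The same blob filed under another patient is rejected as well.
	_, err = DecryptRecord(key, "patient-0002", blob)
	fmt.Println("wrong file id rejected:", err != nil)
}
```

Two caveats a practitioner should keep in mind when adopting this pattern. First, GCM with random 96-bit nonces is safe only for a bounded number of records per key (the usual guidance is to rotate well before 2^32 encryptions under one key); a per-therapist key keeps that count small. Second, at-rest encryption protects stored files, not a logged-in session: the lost-laptop case later on this page only benefits if the device was locked or powered off so the key was not sitting in memory.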

3. Patient rights

  • Allow the patient to access their data on request (art. 25 nLPD)
  • Allow correction of inaccurate data
  • Allow deletion (within the limits of legal retention obligations)
  • Respond to requests within 30 days
  • Document each request and your response

4. Processing register

  • List all categories of data collected (identity, health, billing)
  • Document the purpose of each processing activity
  • Indicate recipients (insurers, laboratories, software)
  • Specify retention period
  • Identify security measures in place

5. Subcontractors and transfers

  • Identify all subcontractors processing patient data
  • Verify that each subcontractor offers sufficient guarantees
  • Conclude a subcontracting agreement (art. 9 nLPD) with each provider
  • Verify data location (Switzerland, EU, other)

Data retention periods

Data type      | Minimum period                     | Legal basis
Patient file   | 10 years after last consultation   | Art. 26 LPMéd
Invoices       | 10 years                           | Art. 958f CO
Consents       | Duration of treatment + 10 years   | FDPIC recommendation
Correspondence | 10 years                           | Art. 958f CO

Warning: cantons may provide for longer periods. Geneva, for example, requires 20 years for medical files in certain cases.

Practical cases

A patient requests deletion of their data

You must delete data not subject to a legal retention obligation. The patient file must be kept for 10 years, but you can delete data that is not medically necessary.

You lose your laptop

This is a security breach. If the data was encrypted (full-disk encryption with a strong passphrase, and the device locked or powered off so the key was not in memory), the risk is limited. Otherwise, you must notify the FDPIC and potentially your patients.

Your software stores data abroad

Check that the country is on the Federal Council's list of states with adequate data protection (the EU member states are on it). Otherwise, additional guarantees such as a contractual data protection clause are required. For health data, prefer hosting in Switzerland.

How Therago helps you

Therago was designed with the nLPD at the core of its architecture:

  • Individual AES-256-GCM encryption: each patient file is encrypted with a key unique to the therapist
  • Exclusive hosting in Switzerland: servers in Geneva, ISO 27001 certified
  • Integrated digital consent: automatic collection and archiving of consents
  • Patient rights: access, correction, and data export in a few clicks
  • Encrypted backup: automatic daily backup, encrypted and off-site

Be nLPD compliant without spending hours on it.

