"Insight into regulatory framework translated into concrete requirements and control measures"


Compliance Blueprint

Technological developments have a major impact on how patient data is recorded, processed, stored, exchanged and, eventually, deleted. All of these aspects affect the responsible use of patient data. Compliance with the applicable regulatory framework is a necessity in order to gain support for the adoption of new innovations and digital solutions; doing this right boosts the adoption of a digital strategy. The regulatory framework should safeguard the responsible use of digital solutions and the privacy of patients. The Deloitte (legal) experts can assist you with:

  • Providing the regulatory framework, which includes:
    • Accounting for legislation that differs per organization and per digital solution
    • Providing you with a clear and complete overview of related, and sometimes conflicting, regulations
    • Knowledge of both international and national regulations
  • Translating the regulatory framework into actionable requirements for the organization, processes, systems and contracts, while accounting for your current organizational situation
  • Defining a risk control framework to ensure your organization will continue to comply with all requirements, which includes:
    • Security, privacy and compliance ‘by design’, meaning that these aspects are accounted for at the very beginning, avoiding costs and adjustments afterwards
    • A risk-based approach within the context of your organization
    • Embedding the monitoring of controls in the design phase of the process and, by doing so, offering affordable, scalable and real-time compliance

Our expertise is focused on the following areas:


Regulatory framework mostly refers to:

  • NEN 7510: Medical informatics – Information security in healthcare
  • NEN 7512: Medical informatics – Information security in healthcare – Trust basis for data exchange
  • NEN 7513: Medical informatics – Logging – Recording actions on electronic patient records
  • ISO/IEC 27001: Information security management
  • ISO/IEC 27017: Information security controls for cloud services
  • The best practices of OWASP (Open Web Application Security Project)
  • Publications of the National Institute of Standards and Technology (NIST)


Regulatory framework mostly refers to:

  • GDPR (General Data Protection Regulation), supplemented with local privacy legislation, such as:
    • Personal Data Protection Act (Wet bescherming persoonsgegevens)
    • CBP guidelines on the security of personal data
  • Or, for example, foreign privacy legislation, such as:
    • HIPAA (Health Insurance Portability and Accountability Act)
    • Other specific foreign privacy legislation

Medical Devices

Regulatory framework mostly refers to:


There is a great deal of health-care-specific legislation – a selection:

  • “WGBO” – Medical Treatment Contracts Act (Wet op de geneeskundige behandelingsovereenkomst)
  • “Wet BIG” – Individual Health Care Professions Act (Wet beroepen in de individuele gezondheidszorg)
  • “Wkkgz” – Healthcare Quality, Complaints and Disputes Act (Wet kwaliteit, klachten en geschillen zorg)
  • “Wet BSN-z” – Use of Citizen Service Number in Healthcare Act (Wet gebruik burgerservicenummer in de zorg)
  • “Wmo” – Social Support Act (Wet maatschappelijke ondersteuning)
  • “Jw” – Youth Act (Jeugdwet)
  • “Wmg” – Health Care (Market Regulation) Act (Wet marktordening gezondheidszorg)
  • “WMO” – Medical Research (Human Subjects) Act (Wet medisch-wetenschappelijk onderzoek met mensen)
  • “Wet Bopz” – Psychiatric Hospitals (Compulsory Admissions) Act (Wet bijzondere opnemingen in psychiatrische ziekenhuizen)
  • “KWZi” – Care Institutions (Quality) Act (Kwaliteitswet zorginstellingen)
  • “Wtg” – Healthcare Charges Act (Wet tarieven gezondheidszorg)
  • “Zvw” – Healthcare Insurance Act (Zorgverzekeringswet)
  • Electronic Signatures Act (Wet elektronische handtekeningen)
  • Patients’ Rights (Electronic Data Processing) Act (Wet cliëntenrechten bij elektronische verwerking van gegevens)

Intellectual Property

Certain intellectual property laws are gaining relevance in health care due to the growing importance of Big Data, such as:

  • “Aw” – Copyright Act (Auteurswet)
  • “Dw” – Database Act (Databankenwet)


The changing health-care landscape creates new partnerships and business models. These should be examined with regard to:

  • The design of partnerships for tax and legal purposes relating to the use and exchange of patient data
  • VAT aspects for the ‘reuse’ of patient data
  • Using all types of grants and special tax regimes, such as the Innovation Box