Medical secrecy and AI in Switzerland: obligations, risks and best practices

20 April 2026 · Clinovus AI Team

Art. 321 of the Swiss Criminal Code is one of the oldest and strictest professional secrecy provisions in Europe. For physicians, it is far more than a legal obligation — it is the foundation of the trust relationship with patients. The rise of medical AI raises unprecedented questions about its practical application.

What Art. 321 SCC says: the foundations

Art. 321 SCC protects all information that a physician acquires in the course of their professional activities — not just diagnosis or treatment, but also personal data, family and professional circumstances, and any other fact disclosed during a consultation.[1]

Violating Art. 321 SCC is an offence prosecuted on complaint, punishable by a custodial sentence or fine. Administrative sanctions (MedPA) and nFADP violations (fine up to CHF 250,000) may also apply.[1]

Triple protection of medical data

[Figure: The 3 layers of medical data protection in Switzerland. Layers surrounding patient data: Art. 321 SCC (medical secrecy, criminal law); nFADP (data protection, administrative law); MedPA art. 40 (professional duty, ethics). Consequences shown: violation of Art. 321 SCC, custodial sentence; violation of nFADP art. 62, fine CHF 250,000; violation of MedPA, revocation of medical licence.]
Triple protection of medical data: criminal law, data protection and professional ethics

AI and medical secrecy: the key questions

Is an AI provider an auxiliary under the law?

The concept of auxiliary is central. Under Art. 321 SCC and legal doctrine, an auxiliary is any person collaborating professionally with the physician who is thereby in a position to acquire knowledge of confidential facts.[2]

A Swiss AI provider bound by a data processing agreement including a confidentiality obligation meets this criterion. Recent legal doctrine (Gillieron, HESAV 2025) clarifies, however, that a foreign provider — even if partially hosted in Switzerland — is not considered an auxiliary in the Swiss legal sense if the parent company is foreign. In this case, data transmission constitutes a violation of professional secrecy.

Is audio recording of a consultation lawful?

Compliant data flow with AI

[Figure: Data flow during a compliant AI-assisted consultation. Steps: Consultation (audio recording) → AI processing (transcription + structuring) → Medical note (validation by physician) → Patient record (encrypted storage, Infomaniak, Switzerland). Labels: Swiss servers; no transfer; Art. 321 SCC respected.]
Compliant flow: data processed in Switzerland, validated by physician, stored encrypted

The 5 conditions for compliant AI use

| Condition | Legal basis | Practical check |
|---|---|---|
| Informed patient consent | Art. 321 SCC, Art. 6 nFADP | Privacy notice + verbal explanation |
| Explicit consent for audio | Art. 321 SCC, Art. 6(7) nFADP | Verbal or written before recording |
| Data processing agreement | Art. 9 nFADP | Signed document with AI provider |
| Swiss or adequate hosting | Art. 16 nFADP, Art. 321 SCC | Parent company not subject to CLOUD Act |
| Mandatory medical validation | Art. 21 nFADP, MedPA art. 40 | Physician validates every document before clinical use |

See also our article on nFADP and medical AI in Switzerland for detailed coverage of the concrete obligations under the new data protection law.

Frequently asked questions

Does recording a consultation with AI violate medical secrecy?

No, provided three conditions are met: the patient has been informed and has consented (explicitly for audio recording), the recording remains within the medical sphere (processing by a qualified auxiliary or a contractually bound processor), and data is not transferred to third parties without a legal basis.

Is an AI provider an auxiliary under Art. 321 SCC?

Yes, if the provider is established in Switzerland and bound by a data processing agreement including a confidentiality obligation. A foreign provider is not considered an auxiliary in the Swiss legal sense — which creates a risk of violating professional secrecy if data passes through its servers.

Does medical secrecy apply after the patient's death?

Yes. The duty of secrecy persists even after the patient's death. The physician may only disclose information about a deceased patient with authorisation from the competent cantonal authority or where the law provides a specific exception.

What penalties apply for violating medical secrecy?

Violating Art. 321 SCC is an offence prosecuted on complaint. The penalty can be a custodial sentence or a fine. This is compounded by a possible nFADP violation (fine up to CHF 250,000) and a MedPA violation (revocation of medical licence). Liability is personal — the physician is exposed, not just the software provider.

Sources and references

  1. Swiss Criminal Code, art. 321 (professional secrecy). SR 311.0. fedlex.admin.ch
  2. FMH / SAMS (2024). Practical guide — Professional secrecy. leitfaden.samw.fmh.ch
  3. Swiss Confederation. nFADP, SR 235.1, art. 5(c), art. 9, art. 62. fedlex.admin.ch
  4. Federal Act on Health Professions (MedPA), art. 40(f). SR 811.11. fedlex.admin.ch
  5. FDPIC (2023). The current data protection law applies directly to AI. edoeb.admin.ch
  6. Gillieron Ph. (HESAV, 2025). Professional secrecy and health data outsourcing.
Disclaimer: this article is for informational purposes only and does not constitute legal advice. For specific situations, please consult a lawyer specialising in Swiss medical law.