ISO 9001 and ISO 27001 in healthcare facilities – how do these certifications translate into points in the National Health Fund (NFZ) tender?

For many medical facilities, a contract with the National Health Fund (NFZ) is the foundation of their operations. Obtaining or retaining such a contract depends not only on the price offered, but also on quality criteria – and this is where ISO certificates play a role that cannot be ignored. In NFZ tenders, holding an ISO 9001 or ISO 27001 certificate literally translates into extra points in the tender process. And every point counts – especially when the bids from several facilities are very similar.

How many points does an ISO certificate award in the NFZ tender?

Pursuant to the Order of the President of the National Health Fund on the determination of bid evaluation criteria (Order No. 3/2014/DSOZ and subsequent updates), healthcare providers may obtain additional points in the category ‘Quality – external assessment – management systems’ for the following certificates:

  • ISO 9001 (quality management system) – 2 points
  • ISO 14001 (environmental management system) or ISO 27001 (information security management system) – 1 point

This means that a facility holding both ISO 9001 and ISO 27001 can accumulate a total of 3 points solely on the basis of certification – without any investment in equipment or medical staff.

For emergency medical services and patient transport, the score is even higher – the ISO 9001 certificate alone is worth as many as 5 points. Spa treatment facilities holding ISO 22000 certification, in turn, can count on an additional 2 points.

Which certifications are worthwhile for which types of healthcare facilities?

The scoring varies depending on the facility’s specialisation. The National Health Fund (NFZ) specifies in its tender tables which certifications are taken into account for specific types of services. For example:

  • Dentistry: bonus points are awarded for ISO 9001 combined with ISO 14001, or for ISO 9001 combined with ISO 27001, but only for one of these combinations, not both at the same time.
  • Outpatient specialist care: additional points for ISO 9001, with the option to add ISO 27001.
  • Ambulance services: ISO 9001 offers the highest bonus points of all types of facilities.

Before deciding to implement certification, it is worth carefully analysing the specific NFZ tender table for the relevant scope of services. Obtaining all certificates ‘just in case’ is pointless – in many cases, it will yield the same number of points as two certificates selected in line with the facility’s profile.

ISO 27001 – where is it particularly important?

The National Health Fund (NFZ) lists ISO 27001, alongside ISO 14001, as one of the certificates that earn points in the quality category. In the context of the medical sector, this has additional justification: healthcare facilities process electronic medical records, patients’ personal data (including sensitive data as defined by the GDPR) and use IT systems connected to external registers. This is an environment prone to security incidents.

Implementing ISO 27001 is therefore not merely a matter of ‘scoring points’ – it is a response to real risks that are growing alongside the digitalisation of healthcare. At the same time, this certification provides the facility with strong arguments both in National Health Fund (NFZ) tenders and in discussions with patients and partners.

Combining ISO 9001 and ISO 27001 – implementation efficiency

Good news for organisations considering both certifications: ISO 9001 and ISO 27001 are based on the same normative structure (Harmonised Structure). This means that the systems can be implemented and maintained together – a shared policy, shared internal audits, and a shared management review. The cost and workload involved in an integrated implementation are significantly lower than for two separate projects.

For an organisation that does not yet hold any certification, an integrated ISO 9001 + ISO 27001 implementation is often the most efficient route, both in terms of cost and the time taken to achieve certification.
