ISO 9001 and ISO 27001 in healthcare facilities – how do these certifications translate into points in the National Health Fund (NFZ) tender?

For many medical facilities, a contract with the National Health Fund (NFZ) is the foundation of their operations. Obtaining or retaining such a contract depends not only on the price offered, but also on quality criteria – and this is where ISO certificates play a role that cannot be ignored. In NFZ tenders, holding an ISO 9001 or ISO 27001 certificate literally translates into extra points in the tender process. And every point counts – especially when the bids from several facilities are very similar.

How many points does an ISO certificate award in the NFZ tender?

Pursuant to the Order of the President of the National Health Fund on the determination of bid evaluation criteria (Order No. 3/2014/DSOZ and subsequent updates), healthcare providers may obtain additional points in the category ‘Quality – external assessment – management systems’ for the following certificates:

  • ISO 9001 (quality management system) – 2 points
  • ISO 14001 (environmental management system) or ISO 27001 (information security management system) – 1 point

This means that a facility holding both ISO 9001 and ISO 27001 can accumulate a total of 3 points solely on the basis of certification – without any investment in equipment or medical staff.

For emergency medical services and patient transport, the score is even higher – the ISO 9001 certificate alone is worth as many as 5 points. Spa treatment facilities holding ISO 22000 certification, in turn, can count on an additional 2 points.

Which certifications are worthwhile for which types of healthcare facilities?

The scoring varies depending on the facility’s specialisation. The National Health Fund (NFZ) specifies in its tender tables which certifications are taken into account for specific types of services. For example:

  • Dentistry: bonus points are awarded for ISO 9001 combined with ISO 14001, or for ISO 9001 combined with ISO 27001 – but only for one of these combinations, not both at the same time.
  • Outpatient specialist care: additional points for ISO 9001, with the option to add ISO 27001.
  • Ambulance services: ISO 9001 offers the highest bonus points of all types of facilities.

Before deciding to implement certification, it is worth carefully analysing the specific NFZ tender table for the relevant scope of services. Obtaining all certificates ‘just in case’ is pointless – in many cases, it will yield the same number of points as two certificates selected in line with the facility’s profile.

ISO 27001 – where is it particularly important?

ISO 27001 is identified by the National Health Fund (NFZ) as one of the certificates awarded points, alongside ISO 14001, in the area of quality. In the context of the medical sector, this has additional justification: healthcare facilities process electronic medical records, patients’ personal data (including sensitive data as defined by the GDPR) and use IT systems connected to external registers. This is an environment prone to security incidents.

Implementing ISO 27001 is therefore not merely a matter of ‘scoring points’ – it is a response to real risks that are growing alongside the digitalisation of healthcare. At the same time, this certification provides the facility with strong arguments both in National Health Fund (NFZ) tenders and in discussions with patients and partners.

Combining ISO 9001 and ISO 27001 – implementation efficiency

Good news for organisations considering both certifications: ISO 9001 and ISO 27001 are based on the same normative structure (Harmonised Structure). This means that the systems can be implemented and maintained together – a shared policy, shared internal audits, and a shared management review. The cost and workload involved in an integrated implementation are significantly lower than for two separate projects.

For an organisation that does not yet hold any certification, an integrated ISO 9001 + ISO 27001 implementation is often the most efficient route, both in terms of cost and the time taken to achieve certification.
