HM Digital logo DIGITAL

Updated · May 2026 · Post-deadline edition

CEZIH for Private Practices in Croatia: What To Do After the May 2026 Deadline

A guide for private practices, polyclinics, and private hospitals that are late connecting to CEZIH after 1 May 2026.

Goal: 14 days from "we haven't even started" to production data exchange with CEZIH.

The deadline for private healthcare institutions to begin data exchange with the Central Health Information System (CEZIH) passed on 1 May 2026. This guide explains what the obligation actually means, what penalties apply to non-compliant practices, and the fastest path to compliance for clinics that are not yet connected.

Fastest path to compliance Read the FAQ

In 60 seconds

  • The deadline to begin data exchange with CEZIH expired in early May 2026 — for both non-contractual providers and contractual providers (for the services they deliver privately).
  • Fines up to €13,200 per breach, under the Health Data and Information Act (NN 14/2019, Articles 28 and 36) — and personal liability for practice owners.
  • Required exchange: ambulatory exam reports, specialist findings, hospital discharge letters.
  • Fastest path to compliance: a cloud solution. No installation, no server, no waiting on IT.
  • First steps if not yet connected: obtain a healthcare institution code from HZZO (a prerequisite) and a qualified certificate (Certilia/AKD) — run these two in parallel.

If you're in one of these situations, this guide is for you

The guide is written for 4 typical situations. If you recognize yourself, the next steps below are concrete.

Opening a new private practice

Run these in parallel: Ministry of Health decision → HZZO institution code → qualified certificate → choosing CEZIH-certified software. A cloud solution shortens the technical part to days.

I have legacy software without CEZIH integration

Legacy software without CEZIH does not meet the legal obligation. You need to switch to a certified solution — fastest via the cloud option, which requires no new on-site equipment.

Non-contractual private provider without an HZZO code

A healthcare institution code (the "Dodjela šifre neugovorni" form) is a prerequisite. File the request immediately — send it to sifriranje.neugovorni@hzzo.hr along with the Ministry of Health decision.

Polyclinic or practice on multiple locations

You need a single software that supports multiple locations and one certificate per signer. A cloud solution lets you work and sign from any location once the session is established.

What changed in early May 2026

Per the official CEZIH notice (12 March 2026), all healthcare providers without an HZZO contract were required to begin data exchange via CEZIH by the start of May 2026 at the latest. At the same time, providers that already exchange data via CEZIH for their HZZO-contract services were required to begin exchange for the services they deliver privately — within the same deadline.

Practices that have not yet established secure data exchange are no longer in the "preparation phase" — as of May 2026 they are exposed to misdemeanor proceedings. Note: certification of software solutions for this purpose (especially for non-contractual providers) was still in progress as of March 2026 — we recommend checking the current list of certified solutions on cezih.hr before choosing software.

Who is covered

  • Non-contractual providers (private practices, polyclinics, and hospitals without an HZZO contract) — must begin CEZIH data exchange
  • Contractual providers (those already using CEZIH for HZZO services) — must also begin exchange for services they deliver privately
  • All specialties — family medicine, dentistry, specialists, diagnostics, private hospitals
  • All sizes — from solo practices to multi-location polyclinics

CEZIH non-compliance penalties

The legal basis is the Health Data and Information Act (NN 14/2019). Article 28 establishes the obligation to integrate with CEZIH; Article 36 sets the penalties for non-compliance.

up to €13,200 per established breach

under Article 36 of the Health Data and Information Act (NN 14/2019) — read the act on Narodne novine (Croatian).

Sanctions also apply personally to practice owners — not only to the legal entity.

Practical consequences for a practice

  • Monetary fine in misdemeanor proceedings
  • Risk of additional HZZO inspections (controls of healthcare delivery)
  • Possible difficulties when renewing HZZO contracts
  • Reputational risk with patients who expect a modern, connected healthcare system

Math: a single €13,200 fine equals 22 years of using a modern cloud CEZIH solution at €49/month. Technical compliance is consistently cheaper than non-compliance.

What exactly must be exchanged with CEZIH

Under the law and implementing regulations, private healthcare institutions must share three core categories of documents through CEZIH: Detailed technical guidance is published in the official CEZIH onboarding PDF.

Ambulatory reports

Reports from outpatient examinations at private healthcare facilities, with conclusions and recommendations.

Specialist findings

Findings from specialist consultations, diagnostic procedures, and other medical interventions in a standardized format.

Hospital discharge letters

Discharge letters following hospitalization or day-care treatment in private hospitals.

Why the exchange is mandated

The goal is to keep all of a patient's findings and treatments in one place — reducing the risk of errors, duplicated treatments, or duplicated tests, and critically supporting emergency care when a patient is treated by a doctor other than their primary physician.

Concrete examples by document type

Document type Concrete examples
Ambulatory reports Report after a family physician visit; systematic exam report; GP report after initial workup
Specialist findings MRI / CT / ultrasound findings; blood test results; specialist consultations (cardiologist, dermatologist, orthopedist, ophthalmologist, …)
Discharge letters Discharge letter after hospitalization; day-hospital report after a procedure

What is CEZIH (and who runs it)

CEZIH (the Central Health Information System of the Republic of Croatia) is the central IT system that connects healthcare providers, the Croatian Health Insurance Fund (HZZO), and other stakeholders in healthcare. The system is operated by HZZO; the regulatory framework is set by the Ministry of Health.

CEZIH is the channel for issuing and exchanging ePrescriptions, eReferrals, eFindings, and other medical documentation. The system has been operating in public healthcare for over a decade — per Black Book Research (2026), more than 15 million eReferrals and over 60 million prescriptions and findings are issued through CEZIH each year.

Official CEZIH website

CEZIH modules for private practices: ePrescription, eReferral, eFinding

A private practice typically uses three core CEZIH modules. Modern medical software integrates all of them in a single interface — no switching between portals.

ePrescription

Electronic prescription issuance directly from the medical software. The patient picks up the prescription at any pharmacy using their OIB or e-ID — no paper copy needed.

eReferral

Electronic referral for specialist consultations, diagnostics, or hospitalization. The referral is submitted to CEZIH and immediately visible to the receiving facility.

eFinding

Submission of test and specialist findings to CEZIH, where they are immediately accessible to the patient and to other treating physicians (with appropriate authorizations).

Authentication and signing: AKD card + Certilia

HZZO still requires a strict technical setup for CEZIH data exchange: a Windows computer, an AKD smart card with a reader, VPN access, and the software vendor's local agent. In other words, at least one machine in the practice must satisfy all of these requirements to establish a CEZIH session.

What is required to access CEZIH

  • A Windows computer (at least one in the practice)
  • An AKD smart card + a reader connected to that computer
  • VPN access into the HZZO network
  • The software vendor's local agent (the component that bridges the application and CEZIH protocols)

Two signing modes once the session is established

AKD smart card

Classic card-based signing in the reader. Each CEZIH action (ePrescription, eReferral, eFinding) is signed directly with the card.

Certilia (mobile / remote signing)

Once the session is established on the office computer (card + reader + VPN + agent are running), you can sign CEZIH actions via the Certilia mobile app — without physically touching the card for every signature. Useful when you are in another room of the practice, at another location, or working from home.

Our software supports both modes: card-based signing and Certilia mobile remote signing. Pick whichever fits the situation.

Common login issues

  • The system does not recognize the card — most often caused by outdated middleware or an improperly connected reader.
  • VPN is not active — without VPN there is no access, regardless of the card.
  • The local agent is not running — verify the service is started on the office computer.
  • Expired certificate — qualified certificates have a limited validity period and must be renewed before they expire.
  • Wrong PIN — multiple incorrect attempts can lock the card.

How to connect to CEZIH without your own server (cloud vs local)

CEZIH data exchange technically still requires an office Windows computer with a card, reader, VPN, and the software vendor's local agent — regardless of whether the application itself is "cloud" or "local". The cloud-vs-local choice is not about bypassing that setup; it is about where your data lives, how the application is updated, and how you reach the system from devices other than the main office computer.

Legacy software (no CEZIH) vs CEZIH-certified cloud

A quick at-a-glance view — what you gain by switching from outdated software without CEZIH integration to a certified cloud solution.

What you gain Legacy software (no CEZIH) CEZIH-certified cloud software
Legal CEZIH compliance
No on-premise server
Automatic CEZIH protocol updates
Onboarding in days (not weeks)
Work and sign from another device (laptop / phone) between patients
Eliminates the up-to-€13,200 fine risk

Important: both cloud and local solutions require one Windows computer in the practice with card, reader, VPN, and agent — that is an HZZO requirement, not a software limitation. Cloud removes the on-prem server and opens up additional devices for work once the session is established. See our cloud CEZIH software.

The fastest compliance path for unprepared practices

If your practice is not yet connected, here is the order of steps that, in practice, takes 1–2 weeks — assuming the administrative work is not delayed. Steps 1 and 2 (HZZO administration and qualified certificate issuance) are the slowest, so run them in parallel.

  1. 1
    Week 1

    Obtain a healthcare institution code from HZZO

    A healthcare institution code (šifra zdravstvene ustanove) is a prerequisite for CEZIH connection for non-contractual providers. Fill out the "Dodjela šifre neugovorni" form, sign it (digitally) and stamp it with the authorized representative's seal, then submit the request — with the Ministry of Health decision (rješenje Ministarstva zdravstva) attached — by email to sifriranje.neugovorni@hzzo.hr.

  2. 2
    Week 1

    Obtain Certilia / AKD credentials

    If you do not yet have them, start the qualified electronic certificate issuance process with AKD or Certilia. This is often the slowest administrative step — run it in parallel with step 1.

  3. 3
    Week 1

    Choose CEZIH-certified (or in-certification) software

    Check the list of certified solutions on cezih.hr — that list is actively being expanded for non-contractual providers. Cloud solutions have an advantage because they remove installation and on-premise server requirements.

  4. 4
    Week 2

    Onboarding and software configuration

    The vendor configures the practice, users, code lists, and templates. With cloud solutions this typically takes 1–2 days.

  5. 5
    Week 2

    Test and production exchange + training

    Verification that ePrescriptions, eReferrals, and eFindings are correctly delivered to CEZIH; switch to production exchange and a short team training session (1–2 hours).

Need urgent compliance? See our cloud CEZIH software

Want us to handle the technical side for you?

VPN, certificates, AKD card, CEZIH module — we take care of the whole process. Cloud onboarding takes days, not weeks.

Request a free consultation See the cloud CEZIH software

How to choose CEZIH software: 7 criteria

If you are choosing under deadline pressure, these criteria protect you both from fines and from a poor long-term decision. Check the list of certified solutions on the official CEZIH website.

1

CEZIH certification (or in-process)

The software must appear on the official list of CEZIH-certified solutions on cezih.hr. The list is actively being expanded for non-contractual providers (per cezih.hr in March 2026) — verify the latest status before signing.

2

Cloud (no on-premise server)

No installation, no physical server, no dependency on a local computer. Updates roll out automatically.

3

Onboarding speed

Ask explicitly: "How long from contract signature to production?" Target — days, not weeks.

4

Specialization for your practice type

Dentistry, family medicine, physiatry — templates and workflows must match your specialty.

5

Pricing fit for a practice (not a hospital)

Subscriptions of ~€49–€199 per month should be enough for a solo practice or smaller polyclinic. Hospital systems are not appropriate.

6

No long-term lock-in

Monthly cancellable, no multi-year contracts. Freedom to switch if the solution is not a fit.

7

Croatian-language support

Phone and email support in Croatian, with hands-on knowledge of CEZIH and the local regulatory framework.

Questions to ask the vendor before signing

  • How long from contract signature to production data exchange with CEZIH?
  • How are existing data migrated from my current software?
  • What is the support level and SLA — phone, email, response time?
  • Is there contractual lock-in or an exit clause? Monthly cancellable?
  • Can I export my data in a standardized format if I ever cancel?

Frequently asked questions

What if my practice is not yet connected to CEZIH?
You are not alone — a significant share of private practices is in the same position. The fastest path to compliance is a CEZIH-certified cloud solution that requires no installation or on-premise server. Before that, obtain a healthcare institution code from HZZO (a prerequisite for connection) and a qualified signing certificate. Software onboarding with modern cloud solutions takes a few days.
Do I need a special code from HZZO before connecting to CEZIH?
Yes. Per the CEZIH notice (12 March 2026), non-contractual healthcare providers (those without an HZZO contract) must obtain a healthcare institution code (šifra zdravstvene ustanove) from HZZO as a prerequisite for CEZIH connection. The request is filed via the "Dodjela šifre neugovorni" form, signed (digitally) and stamped, and submitted to sifriranje.neugovorni@hzzo.hr — with the Ministry of Health decision (rješenje Ministarstva zdravstva) attached.
Will HZZO inspectors definitely fine me?
Inspections and misdemeanor proceedings are not triggered automatically, but a legal basis has existed since 1 May 2026. The longer you remain non-compliant, the higher the probability of an inspection — especially if patients or other institutions report the absence of data exchange.
How large is the fine, exactly?
Under Article 36 of the Health Data and Information Act (NN 14/2019), fines go up to €13,200 per established breach for the legal entity. Sanctions also apply personally to the practice owner.
Can I keep operating privately without CEZIH if I have no HZZO contract?
No. The obligation to connect to CEZIH does not depend on whether you have an HZZO contract. The exchange of ambulatory reports, specialist findings, and discharge letters is mandated for all healthcare providers.
What if I use legacy software without CEZIH integration?
Legacy software without CEZIH integration does not meet the legal obligation — regardless of whether it has worked for you so far. Switching to a CEZIH-certified solution is required. Cloud solutions ease migration because no new on-site equipment is needed.
How long does the full onboarding take?
With CEZIH-certified cloud software, only a few business days can pass from contract signature to production data exchange — assuming you already have a Certilia / AKD certificate. If you are still obtaining the certificate, add 1–2 weeks for that step.
What is the difference between CEZIH-certified and CEZIH-compatible software?
"Certified" means the solution has passed an official readiness review and appears on the list of approved software solutions on cezih.hr. "Compatible" is a marketing term with no legal weight. Legal compliance requires certified software.
Do I need a smart card reader and VPN?
Yes. For CEZIH data exchange, HZZO requires at least one Windows computer in the practice with an AKD card, a reader, VPN access, and the software vendor's local agent. Certilia (mobile remote signing) does not bypass that requirement — it kicks in only after the session has been established. Once it has, every CEZIH action can be signed via the Certilia mobile app, without physically using the card for every signature. Our software supports both signing modes (card + Certilia mobile).
What is sent to CEZIH? Will my data be visible to everyone?
Ambulatory reports, specialist findings, and discharge letters are sent to CEZIH. Access is strictly regulated — other physicians only see documents for patients they are actively treating, and the system maintains audit trails of every access.
Can I cancel a cloud solution if I change my mind?
With quality cloud solutions — yes, on a monthly basis and without penalties. Insist explicitly on "no long-term lock-in" before signing. Your data must remain exportable (in a standardized format) for migration to another vendor.
I work only privately and have no HZZO contract — do I have to join CEZIH?
Yes. Per the CEZIH notice (12 March 2026), the CEZIH obligation also covers non-contractual healthcare providers — those who work exclusively privately, without an HZZO contract. The first step for you is obtaining a healthcare institution code (šifra zdravstvene ustanove) from HZZO — a prerequisite, filed via the "Dodjela šifre neugovorni" form and emailed to sifriranje.neugovorni@hzzo.hr, with the Ministry of Health decision attached. Only after the code is issued can you start the technical CEZIH connection.
I have practices on two locations — do I need two systems or multiple certificates?
You need a single software that supports multiple locations (cloud solutions handle this natively) and one qualified certificate per signing person. Technically, every location where CEZIH exchange happens requires at least one Windows computer with an AKD card, a reader, VPN access, and the local agent. Certilia mobile signing lets you sign from any location once the session has been established.
What if an inspector arrives while I have already signed a vendor contract but I am not yet in production?
Document everything — the vendor contract, the HZZO forms you have submitted, the certificate issuance status, the planned production date. Although a process in progress does not undo the breach itself, misdemeanor proceedings weigh both the degree of negligence and the steps taken toward compliance. The more evidence you have that the process is actively underway, the higher the chance of leniency. The safest strategy is still to avoid an inspection by accelerating production — with cloud solutions, that is days, not weeks.

Next step: compliance in days, not weeks

If you are looking for the fastest path to CEZIH compliance — without installation, without a server, without waiting on IT — see our cloud CEZIH software. It is purpose-built for private practices and polyclinics, with onboarding that takes days, not weeks.

See the cloud CEZIH software Request a free consultation

Sources and further reading

This content is informational and does not constitute legal advice. For specific legal assessments, consult a qualified attorney or the relevant authority.