Epic Website Privacy Policy for Website Visitors & Job Seekers
Last Updated: May 8, 2023
Overview
Epic Systems Corporation (“Epic”) builds software and tools with the patient at the heart.
This Privacy Policy describes how we collect and use your information when you visit the websites listed below (“Our Websites”):
epic.com
careers.epic.com (our “Careers Site”)
cosmos.epic.com
link.epic.com
mychart.org
shareeverywhere.epic.com
uwcs.epic.com
We may update this policy at any time, and future updates are effective as soon as they are published. If you are interested, you should check back from time to time and make sure that you have reviewed the most current version of this policy.
Information You Provide to Our Websites
Information You Give Us
You may contact us through the methods listed on Our Website. If you contact us, we may keep a record of the communication to help answer or resolve the matter you contacted us about. You can decide how much information you want to share with us in those cases.
Our Website and Servers, Your Use of Browsers
When you use Our Websites, our servers may automatically collect and record information. In most cases, this information is generated by technologies, such as “cookies,” “flash LSOs,” “web beacons” or “clear GIFs.” You can read more about how we use cookies below.
Your browser or device may tell us your:
Browser type
Language preference
Internet Protocol (IP) address (which may tell us generally where you are located)
Type of device or system you used
Your browser may also tell us:
The time and date of your request
The page that led you to Our Website
What you typed into a search engine that led you to Our Website, if applicable
Cookies
We use strictly necessary cookies on Our Websites to perform the critical site function of keeping website visitors on the same server they initially connected to when they first navigated to one of our websites (i.e., for load balancing). We do not use third-party cookies on Our Websites.
Do-Not-Track
Some web browsers and operating systems include a Do-Not-Track (DNT) setting that you can activate to signal your preference not to have information about your online activities monitored. There is currently no uniform standard for recognizing and implementing DNT signals. As a result, Our Websites do not respond to DNT signals. If a standard for recognizing DNT signals is adopted in the future and we follow that standard, we will inform you about our approach in an update to this Privacy Policy.
Information You Provide to Our Careers Site
We use our Careers Site to help facilitate our recruitment process. When you contact us through our Careers Site about career opportunities at Epic, we may ask you for certain information so we can evaluate you as a candidate and meet certain legal obligations. The information you provide directly to our Careers Site as part of the application process is collected with your consent, and is collected in addition to the information you provide through Our Websites (as listed above) and may include:
Demographic information, including race, gender, veteran status, and disability status
Contact information
Details of your qualifications, skills, experience, and education
Information about your employment history and salary
Whether you have a disability for which we can make reasonable accommodations during the recruitment process
Information about your legal status to perform the position for which you apply in the region where the position is based
How Do We Collect Your Information?
During the recruitment process, you may provide information to us in the following ways:
The application form on the Careers Site
Your resume or CV (if you submit one with your application)
Tests or other forms of assessments administered during the recruitment process
Copies of transcripts or other documentation submitted by you during the course of your application
Information collected from third parties, including previous employers and educational institutions
How Do We Use Your Information?
The information that you provide to us during the recruitment process is retained and processed as we evaluate you for a position. We may use this information for purposes such as:
Evaluating your candidacy for a position at Epic
Contacting you during our recruitment process
Processing your employment if Epic offers you a position
Processing and storing your data for internal tracking metrics
Processing your data in order to meet certain legal or regulatory obligations
Improving the Careers Site
In addition to processing your data with your consent, Epic has a legitimate interest in processing your data to manage our recruitment process and assess whether you are a viable candidate for a career at Epic. All applicants, regardless of location, may opt out of any future contacts from Epic at any time.
Who Has Access to Your Information?
When you provide your information to Epic as part of the recruitment process, your information may be shared with Epic staff and certain third party service providers working with Epic, such as Avature Recruiting Solutions. Epic staff includes members of the human resources and recruitment teams, interviewers involved in the recruitment process, staff in the business area to which you are applying, and information technology (IT) staff. Other third party service providers or contractors may also have access to your information if we reach out to references or conduct background checks.
How Long Does Epic Keep Your Information?
Epic will retain your information for as long as it makes use of such information as a part of the recruitment process and for other permitted purposes. If your application for employment is successful, information gathered during the recruitment process will be added to your human resources file and may be retained throughout your employment with Epic.
How We Protect Your Personal Information
We use a combination of process, technology and physical security controls to protect the privacy, security, integrity, and availability of your personal information.
When you submit your information through Our Websites, that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a closed lock icon at the top or bottom of your web browser, or looking for “https” at the beginning of the URL address of the web page.
We maintain internal policies and processes that limit access to your information to our staff and contractors who need to know the information to perform their jobs and develop or improve our websites, products, and services.
Links to Other Sites
Our Websites contain links to other sites and may contain embedded media hosted by third parties, such as YouTube videos. Epic is not responsible for the content or privacy practices of other sites. We encourage you to be aware when you leave our site or engage with media hosted by third parties and to read the privacy statements of any other site that collects your information.
If you use Share Everywhere
Share Everywhere allows patients to share a one-time, web-based view of their health record from their healthcare organization with anyone they choose, and the individual viewing the record can use Share Everywhere to add documentation to a patient’s electronic health record. In addition to your use of our Share Everywhere website being subject to this policy, your use of Share Everywhere is also subject to the terms of use and privacy policy of the participating healthcare organization. Please contact the participating healthcare organization for more information.
Your Privacy Rights
GDPR and UK GDPR Privacy Questions
If you need to contact our Data Protection Officer or EU Representative, please email EUPrivacyInquiries@epic.com or call +1 608-271-9000.
If you are a Data Subject as defined by GDPR and you have questions related to personal data held by a healthcare organization that uses Epic software, you should reach out to your healthcare organization for requests related to that personal data. If you have questions related to your personal data held by Epic (for example, if you have applied for a job via our Careers Site), you can exercise your rights by contacting Epic at EUPrivacyInquiries@epic.com.
If you have questions about your medical information in an account with a healthcare organization using Epic’s software, please reach out to your healthcare organization using the contact information in their privacy policy.
If you have any questions about this policy, contact us at +1 608-271-9000 or at PrivacyInquiries@epic.com.
Carequality Information Handling Practices Statement
Epic is a member of Carequality, an initiative of The Sequoia Project. Epic makes functionality available to its customers to enable them to exchange data with other healthcare organizations using the Carequality Framework. Epic does not handle information transmitted in the course of its customers’ use of Carequality.
Epic Mobile Application Privacy Policy for Patients
Our mobile applications for patients, including MyChart for iOS and Android, connect to servers and systems operated and maintained by healthcare organizations that use Epic – to provide patients with secure, mobile access to health information in those servers and systems.
We refer to our mobile applications for patients as “mobile apps” in this policy.
This Privacy Policy
This policy describes how we collect and use your information when you use our mobile apps.
We may update this policy at any time, and future updates are effective as soon as they are published. Your use of any of our mobile apps is also subject to the applicable End User License Agreement. If you use our mobile apps, you agree to the applicable End User License Agreement and consent to the use of your information as described in this policy.
Your Personal Information
The Limited Ways We Use Your Information
We do not sell or license your information. These are the limited ways we interact with your information in connection with our mobile apps:
When you choose to add a profile photo to our mobile apps, you may select an existing photo on your device or take a new photo using the camera app on your device. If you select an existing photo on your device, we store a copy of your chosen photo in app-private storage on your device. If you use the camera app on your device to take a new photo, the photo you take is first saved to your camera app and then also saved to app-private storage on your device. If you remove the photo from your profile or delete our mobile apps, the copy of the photo is deleted from the app-private storage, but the photo saved to your camera app remains available in your camera app until you choose to delete it. If you already have a photo stored in your profile through your healthcare organization – we do not interact with that photo in any way.
When you choose to use Apple’s HealthKit or Google Fit, we create encrypted identifiers to identify recipients of your Apple HealthKit or Google Fit data and store them on your device in app-private storage. If you choose to stop using Apple HealthKit or Google Fit or delete our mobile apps, the identifiers are deleted.
When you choose to view documents from your healthcare organization (such as letters or images) using our mobile apps, to make the files viewable for you we temporarily store copies on your device in app-private storage. The temporary copies are deleted when you close your session on our mobile apps.
When you choose to include a photo or video in a message you send to your healthcare organization using our mobile apps, you may select an existing photo or video from your device or take a new photo or video using the camera app on your device. If you use the camera app on your device to take a new photo or video, it will be saved to your camera app. Any photo or video saved to your camera app remains available in your camera app until you choose to delete it.
If your healthcare organization offers telehealth visits using our mobile apps, when you join a visit with your provider, we will ask for permission to access your device’s video and audio functionality to make the telehealth visit possible. We do not record or store video or audio data from these visits.
If your healthcare organization offers automatic appointment arrival and you choose to enable it, we temporarily store identifiers and times for your upcoming appointments in app-private storage to detect when you arrive for an upcoming appointment. If you choose to stop using our mobile apps or you disable automatic appointment arrival, the identifiers are deleted.
If your healthcare organization offers location-based check in for in-person appointments, or allows you to find healthcare providers near you, you may choose to allow our mobile apps to interact with your location data for those purposes. We do not store your location data.
If your healthcare organization allows you to notify front desk staff electronically when you arrive for an appointment, you may choose to allow our mobile apps to interact with your Bluetooth data for this purpose. We do not store your Bluetooth data.
While you use our apps, if you choose to call a phone number displayed within the app, we will ask for permission to access your device’s phone to place a call to the phone number. We do not store your call history or data about the call.
While you use our apps, we collect non-identifying information so we can provide customer service to you or your healthcare organization and understand how people use our mobile apps so we can improve our products. This information includes the time you began using the app, the healthcare organization you interacted with, any error messages or codes, the model of device used and its operating system, and the version of our mobile app used. If you use Android devices, we also collect your connection type (cellular or WiFi) during an error.
You may contact us through the methods listed on Our Website. If you contact us, we may keep a record of the communication. You can decide how much information you want to share with us in those cases.
Your Healthcare Organizations
To use our mobile apps, you must have an account with a healthcare organization using Epic’s software. Because of this, your use of our mobile apps is also subject to your healthcare organization’s privacy policy. Please contact your healthcare organization if you have any questions about their privacy policy.
For Android Users – Required Google Play Disclosures for Certain Health Apps
Google has determined our mobile apps are subject to their COVID-19 apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available to you in the Play store.
Our mobile apps interact with your microphone only if you choose to use your microphone to navigate our mobile apps. Our mobile apps interact with your camera roll only if you choose to add a profile image to a profile in our mobile apps. This information is not used in connection with COVID-19.
Our mobile apps access, collect, use, and share your information (including video, audio, images, files, phone) as stated above in the section titled, “The Limited Ways We Use Your Information.” We also prominently highlight these uses, describe the type of data being accessed, and obtain your consent for these purposes as you use our mobile apps.
Our mobile apps were not created specifically for the COVID-19 pandemic. They existed before the COVID-19 pandemic to allow you to access your health information on file with your healthcare organization. Your healthcare organization may allow you to access COVID-19-related vaccination information, laboratory test results, and documents with illness-related information using our mobile apps. You may choose if or how you want to access, display, or use the information – just like you can make those decisions about health information relating to other conditions, services, tests, or vaccinations.
Your healthcare organization may allow you to use our mobile apps to conduct telehealth appointments with your healthcare providers. Our mobile apps only provide the technical support for those appointments to happen. We do not interact with any health information about you exchanged during any telehealth appointments.
How We Protect Your Personal Information
We use technical controls and safeguards to protect the privacy, security, integrity, and availability of your personal information.
We enable the use of multi-factor authentication for users of our mobile apps by default. Multi-factor authentication is required when you use our mobile apps unless your healthcare organization makes or allows changes to this control.
We use https for secure communication between servers.
When we store data on your mobile device, we store it in app-private storage that cannot be accessed by other apps.
Before data is shared from our mobile apps, we provide in-app notifications so you can choose if you want to share the data.
We disable screen-shot functionality by default for Android devices, and allow Android users to choose if they want to enable the function. We cannot disable this functionality in iOS.
We maintain internal policies and processes that limit access to your information to our staff who need to know the information to perform their jobs.
We maintain internal data retention and deletion policies to help us ensure we only store information about your use of our mobile apps as we describe in this policy.
Each healthcare organization you connect to through our mobile apps also uses safeguards to protect your information. Contact them if you have any questions about their safeguards.
You can take other steps to protect your information:
Do not share the username and password you use with our mobile apps.
Change your password immediately if you believe any unauthorized access has occurred.
Use the security tools on devices you use with our mobile apps.
Do not root or jailbreak devices you use with our mobile apps. Doing so can create security risks by removing your devices’ built-in security measures and exposing sensitive information on your device.
Your Privacy Rights
GDPR and UK GDPR Privacy Questions
If you need to contact our Data Protection Officer or EU Representative, please email EUPrivacyInquiries@epic.com or call +1 608-271-9000. If you are a Data Subject as defined by GDPR, you should reach out to your healthcare organization for requests related to your personal data accessed through our mobile apps.
If you have questions about your medical information in an account with a healthcare organization using Epic’s software, please reach out to your healthcare organization using the contact information in their privacy policy.
If you have any questions about this policy, contact us at +1 608-271-9000 or at PrivacyInquiries@epic.com.
Epic Mobile Application Privacy Policy for Providers
Last Updated: June 18, 2020
Overview
Epic takes very seriously its obligation to protect the confidentiality of your personal information. Epic’s mobile applications for healthcare providers, including Haiku, Canto, Rover, and Limerick, are intended to connect to servers and systems operated and maintained by Epic community members in order to provide you secure, mobile access to those systems.
This Privacy Policy
This Privacy Policy describes how Epic Systems Corporation’s (“Epic”) mobile applications for providers (our “Applications”) use, store, and transmit information and data. Epic may modify this Privacy Policy at any time, effective upon its posting. Your use of our Applications is subject to the applicable Applications’ End User License Agreement.
Your Personal Information
When you use our Applications, Epic does not receive any personal data directly from you or your device. As described below, our Applications connect with systems operated and maintained by a healthcare institution that uses Epic’s software.
Connections to Healthcare Institutions
To use our Applications, you must have an account with a healthcare institution that uses Epic’s software. Your use of our Application with that healthcare institution may be subject to that healthcare institution’s policies and terms. You understand that while connected or attempting to connect to a healthcare institution’s system, the healthcare institution may collect, store, process, maintain, upload, sync, transmit, share, disclose, and use certain data and related information, including but not limited to information or data regarding the characteristics or usage of your device, system and application software, and peripherals, as well as your personal information, location data, and other content.
Please contact your healthcare institution if you have any questions about their policies or terms.
Using Third Party Tools and Features
If you use any third-party tools and features, such as third-party speech-to-text dictation or third-party video, your use of those features is subject to the terms and policies of those third parties. If you have any questions about those terms or policies, you should contact your healthcare institution or the provider of the third-party tool.
How We Protect Your Personal Information
The security of your information and data while using our Applications is very important to us. Our Applications employ a variety of technical safeguards to protect the confidentiality, integrity, and availability of your personal information, including supporting Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificate technology and encryption.
In addition, healthcare providers with whom you connect may use a variety of physical, administrative, and technical measures to protect your personal information.
Your Privacy Rights
Your California Privacy Rights
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit our CCPA privacy notice for California residents or contact your healthcare institution.
Contact Epic
If you have questions about medical information in an account with a healthcare organization using Epic’s software, please reach out to your healthcare organization using the contact information in their privacy policy.
If you have any questions about this Privacy Policy, you may contact Epic at 608-271-9000 or at PrivacyInquiries@epic.com.
If you need to contact Epic’s Data Protection Officer or EU Representative as defined by the General Data Protection Regulation (EU) 2016/679 (“GDPR”), please email EUPrivacyInquiries@epic.com or call +1 608-271-9000. If you are a Data Subject as defined by GDPR, you should reach out to your healthcare organization for requests related to your personal data accessed through our mobile apps.