open.epic App registration is available to you to submit FHIR API-based patient-facing Apps for use at healthcare organizations using Epic (referred to as “Community Members”). Community Members are third-party beneficiaries under these Terms and Conditions. Apps submitted to open.epic will be able to connect to U.S.-based Community Members that are using either EpicCare Ambulatory Base (or EHR Suite) or EpicCare Inpatient Base (or EHR Suite) and the Epic 2015 or later release and have chosen to enable APIs for this purpose. Apps that use any other APIs, have other users such as providers, or are developed for a particular Community Member will follow a different process and different terms may apply. You may use open.epic documentation of Epic’s support of FHIR APIs (referred to as the “Materials”) to develop Apps and submit them to open.epic as long as you follow these rules
- You agree to indemnify, hold harmless and defend Epic, its subsidiaries, and Community Members and their affiliates, and all of the employees, officers, directors, contractors and other personnel of any of them from and against any claim arising out of or relating to, directly or indirectly, you, any of your Apps, or any use of any of your Apps.
- Epic will issue a unique client identifier for each App you submit to keep track of which Apps use Epic’s FHIR APIs. Epic or a Community Member might need to suspend or revoke an App’s client identifier if there are issues, concerns, or things are otherwise not going well with one of your Apps. If this happens, your App will not be able to communicate with Community Member systems until the concern is resolved and the suspended client identifier is restored. Contact Epic or the Community Member in question to work on resolving the problem that led to the App’s client identifier being suspended. Because it is possible that your app will be suspended, you will clearly inform users of your app that it might not always be available to them and that they should not rely on it in an emergency.
- Direct access to Epic’s software is not required to develop or test your products. Testing can be done via the open.epic sandbox, or by working with a Community Member to test against a particular system. Your receipt of the Materials does not give you permission to access Epic’s software, and does not give you permission to access a Community Member’s Epic system. Your access to Epic’s software can only be granted by Epic.
- You and Apps you submit on open.epic must follow the open.epic FHIR App Development Guidelines, including documenting compliance to the ONC Certification Criteria. For reference, here is Epic's ONC Health IT Certification (for Meaningful Use) information including pricing and limitations.
As an App developer, you are obligated to be familiar with principles for responsible healthcare App development and usage. As part of those responsibilities, you and Apps you submit to open.epic must follow all of the below guidelines. If you or your Apps fail to follow these guidelines or misbehave in any other way, Epic or Community Members may take action on your App, including notifying users of your App’s non-compliance, or suspending your App until the issue can be resolved. If you have reason to suspect your App is not following the guidelines or is misbehaving and would like Epic to suspend use of your App until the issue is resolved, you can contact us.
- Transparency. Your pricing and marketing materials must be clear and consistent. You and your App must provide to users and Community Members understandable financial and licensing terms that will apply to the use of your Apps(k)(1). All information you provide about yourself and your products must be accurate and truthful.
- Safety. Your App must be designed and implemented to not put patients or your users at risk of harm(g)(3). You may not use the Materials for any activities that could lead to death, personal injury, or damage to property. Your application must adhere to usability standards, specifically safety-enhanced design(g)(3) and accessibility-centered design(g)(5)
- Security. Your App must not pose a direct risk or otherwise increase the risk of a security breach in any system it connects to. Data exchange between your App and Epic’s APIs and between your App and any other third-party system must be secured with industry standard encryption while in transit(d)(9), and use authentication and authorization protocols(d)(1). Your App must secure all data on an end-user’s device(d)(7) (d)(8), and enforce inactivity time-outs(d)(5). You and your App must not introduce any code of a destructive nature into any system you or your App connect to. Your App’s client identifier is given to you for your use only for a single App. You agree to keep your App’s client identifier confidential, and will not disclose it to any third party, or use it for any other purpose. Epic will provide a log of the activity of your App at connected Community Member locations for their review.
- Sharing. You may not share the data collected by your App with any third party without the explicit consent of the user of the App and the patient whose data is being shared, and without notifying the Community Member where the data originated. When sharing data, document what was shared, when, with whom, and for what purpose, and provide your users access to that documentation upon request(d)(3) (d)(11). Your App must provide the means for a user to export, transfer, or remove his or her data from application(b)(6).
- Reliability.Your App must be properly tested and must be stable, predictable, and not negatively impact clinical operations or patient safety for users or Community Members. Development of your App must be documented and managed in a Quality Management System (QMS)(g)(4) and complaints and defects reported about your App must be managed in a complaint tracking system(n). If you identify a patient-safety, security, data breach, or privacy issue with one of your Apps, you must follow your documented complaint process to notify all users(n), and proactively contact Epic to disable your App’s usage at Community Member sites until you resolve the issue.
- Efficiency. Your App is not permitted to generate excessive load on a user’s systems or a Community Member’s systems, or to cause other systems to behave inaccurately or unexpectedly.
- Data Integrity. You and Your Apps must not corrupt or otherwise cause material inconsistencies in any data used by your Apps(d)(2).
- Reciprocity. You will provide FHIR API-based Access(g)(7) (g)(8) (g)(9) to any data you and your App collect or derive to your users on the same terms as provided in these Development Guidelines.
Required ONC Certification Criteria
To ensure minimum standards for safe and effective healthcare software, you and your Apps must meet the below list of ONC certification criteria.
For each App you submit, you must provide one of the following for Epic, Community Members, and users to review:
- Public documentation that your App has been certified to the below specified ONC criteria.
- Public documentation of equivalent functionality in lieu of formal certification.
- Public documentation describing why specific criteria aren’t applicable for your App.
Epic or Community Members may review documentation supplied by you at any time to ensure you meet these criteria. If documentation you supply is missing or inaccurate, Epic or Community Members may take action on your App, including notifying users of your App’s non-compliance, or suspending your App until the issue can be resolved.
Additional Proposed Suspension Criteria
In the future, ONC certification intends to also determine whether HIT modules are:
- Contributing to a patient’s health information being unsecured and unprotected in violation of applicable law;
- increasing medical errors;
- decreasing the detection, prevention, and management of chronic diseases;
- worsening the identification and response to public health threats and emergencies; leading to inappropriate care;
- worsening health care outcomes;
- or undermining a more effective marketplace, greater competition, greater systems analysis, and increased consumer choice.
You will want to be mindful of these goals as you develop your App.