Open.epic & Epic USCDI on FHIR Privacy Policy

Effective Date: June 30, 2020

Overview

This open.epic and Epic USCDI on FHIR Privacy Policy (“Privacy Policy”) is designed to inform you about how Epic Systems Corporation (“Epic”) collects and uses information you provide when you create a user account with open.epic or Epic USCDI on FHIR (“User Account”) or otherwise use the website of either service. Epic may update this Privacy Policy or other privacy notices established for other Epic websites at any time, and future updates to the Privacy Policy will be effective as soon as they are posted on this page. If you are interested, you should check back from time to time and make sure that you have reviewed the most current version of this Privacy Policy. Open.epic and Epic USCDI on FHIR are collectively referred to herein as the “Services.”

Open.epic

Epic created open.epic to provide an open and public platform that shows you the wide variety of integration options we offer to connect with your systems. In order to provide you with access to open.epic, Epic may collect and use your personal information as described in this Privacy Policy.

Epic USCDI on FHIR

Epic created Epic USCDI on FHIR to provide access to and use of certain USCDI FHIR APIs as well as services that are intended to enhance developers’ abilities to use the APIs so they can more efficiently develop, test, and support interoperable software. At uscdi.epic.com, developers may access documentation on Epic's implementation of OAuth 2.0 and the FHIR APIs that access certain data elements in the U.S. Core Data for Interoperability (USCDI) data standard. On the website, developers may also acquire client IDs for their applications and test their applications in a sandbox. In order to provide you with access to Epic USCDI on FHIR, Epic may collect and use your personal information as described in this Privacy Policy.

Information You Provide to the Services

Information That You Give Us

We collect your personal information in order to set up a User Account, and you send this information to Epic when you request your account. Specifically, Epic may collect the following information:

  • Name;
  • Phone number;
  • Business legal name, email, address, incorporated state or country, and website URL;
  • A security question and corresponding answer to assist with account information retrieval and password resets; and
  • Information about the application you plan to submit to either of the Services.

Additionally, you have the option of contacting Epic about via the open.epic email address (open@epic.com), the Epic USCDI on FHIR email address (uscdi@epic.com), other Epic email addresses, phone, mail, or other methods, and we may keep a record of your communication to help answer or resolve the matter you contacted us about. You can decide how much additional information you want to share with us in those cases.

You may also log into the Services using your credentials for Epic’s UserWeb, if applicable. If you log into the Services with your UserWeb credentials, your contact information from the UserWeb will automatically be added to your User Account. Please review the UserWeb Privacy Policy for more information related to the UserWeb and UserWeb-Connected Sites.

Our Website and Servers, Your Use of Browsers

When you communicate with us or access the Services through a browser, application, or other client, our servers automatically collect and record information. In most cases, this information is generated by various tracking technologies, such as “cookies,” “flash LSOs,” “web beacons” or “clear GIFs.” You can read more about how we use cookies below.

Your browser or device may tell us:

  • Your browser type;
  • Language preference;
  • The Internet Protocol (IP) address (which may tell us generally where you are located); and
  • The type of device or system you used.

Your browser may also tell us information such as:

  • The time and date of your request;
  • The page that led you to the Services; and
  • The search terms you typed into a search engine that led you to the Services, if applicable.

Cookies

Like many websites, we use cookies to recognize you and collect information about your access to and use of Our Website. Cookies are small data files that are placed on your computer when you visit a website. Cookies are widely used by many website owners to make their websites work, operate more efficiently, and collect information. We use cookies to help operate the Services, and we specifically use Google Analytics cookies. Our use of the Google Analytics cookie enables us to collect certain data about your visits to the Services, including:

  • Your IP address;
  • The pages of our site that you visit;
  • The time and date of your visit;
  • The time you spend on certain pages on our websites; and
  • Various other statistics.

You have the right to decide whether to accept or reject certain cookies. You can exercise your cookie rights by adjusting cookie usage in your browser settings. You may also prevent the Google Analytics cookie from being placed in your browser by clicking “Decline” on the cookie banner at the top of this webpage, and you may change your decision by deleting cookies via your browser settings. Google’s ability to share and use your information collected via Google Analytics is restricted by the commitments made in the Google Analytics Terms of Service and the Google Privacy Policy.

Do-Not-Track

Some web browsers and operating systems include a Do-Not-Track (DNT) setting that you can activate to signal your preference not to have information about your online activities monitored. There is currently no uniform standard for recognizing and implementing DNT signals. As a result, the Services do not respond to DNT signals. If a standard for recognizing DNT signals is adopted in the future and we follow that standard, we will inform you about our approach in an update to this Privacy Policy.

How Do We Use Your Information?

The information that you provide us, whether through the creation of a User Account or in other ways as you use the Services, will be processed by Epic for as long as you are enrolled in the Services and after you cease using the Services. In addition to using your information to provide you access to the Services, we will use your information for purposes such as:

  • Creating and managing your User Account;
  • Providing you access to the Services;
  • Contacting you to resolve any technical difficulty, if needed;
  • Providing your contact information to Epic customers that use or are interested in your application;
  • Processing and storing your data for Epic’s internal tracking metrics; and
  • Improving the Services.

For users of the Services based in Europe, Epic has a legitimate interest in processing your data in order to allow you to use the Services.

Who Has Access to Your Information?

When you provide your information directly to Epic via the Services, your information will be accessed by Epic staff, and your contact information may be made available to Epic’s customers. The Epic staff that will regularly access your information is limited to those that provide technical or operational support for the Services, those that develop the Services, and Epic’s information technology and operations teams.

How Long Does Epic Keep Your Information?

Epic will retain your information for as long as it makes use of such information as a part of your continued use of the Services and to carry out Epic’s legitimate business or legal purposes. By creating your User Account, you agree to allow us to retain your information in accordance with this policy.

If you are a data subject as defined by the General Data Protection Regulation, (EU) 2016/679, you have a number of rights and can do any of the following by contacting Epic at EUPrivacyInquiries@epic.com:

  • Request a copy your data Epic has received about you;
  • Request that Epic changes incorrect or incomplete data we have about you;
  • Request that Epic delete or stop processing your data; and
  • Express any concerns or objections you have about Epic’s use of your data.

Please note that if you contact us to assist you, for your safety and ours, we may need to authenticate your identity before fulfilling your request.

How We Protect Your Information

We use a combination of process, technology, and physical security controls to help protect your information from unauthorized access, use, or disclosure, but remember that no method of transmission over the Internet, or method of storage, is 100% secure.

When we collect your information through operation of the Services, that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a closed lock icon at the top or bottom of your web browser, or looking for "https" at the beginning of the URL address of the web page. Employees or partners of Epic who have access to your personal information in connection with providing the Services are required to keep the information confidential and are not permitted to use your information for any purpose other than carrying out the services they are performing. However, despite our efforts, no security controls are 100% effective, and we cannot completely ensure or warrant the security of your information.

Links to Other Sites

The Services may contain links to other websites beyond the control of Epic. Epic is not responsible for the content or privacy practices of those websites. We encourage you to be aware when you leave Epic’s websites and to read the privacy statements of any other website that collects your information.

Your California Privacy Rights

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit our CCPA privacy notice for California residents.

Contact Epic

If you have questions or concerns about this privacy policy, please contact us at PrivacyInquiries@epic.com. When you contact us please include the website or reason that led you to contact us.

If you need to contact Epic’s Data Protection Officer or EU Representative as defined by the General Data Protection Regulation, (EU) 2016/679, please email EUPrivacyInquiries@epic.com or call +1 608-271-9000.