Epic Systems Corporation - Web-Based Services Privacy Policy

Effective Date: June 6, 2012

General

Epic takes very seriously its obligation to protect the confidentiality of, and to limit the uses and disclosure of, your Personal Information. This Privacy Policy lets you know:

  • what information we collect about you when you register for and use the Services and how that information is used;
  • what additional information you can provide and organize to take advantage of the Services;
  • the limited ways in which we use the additional information you provide;
  • the ways in which we protect the security of your information;
  • the ways in which you control the sharing of your information with others, and the very limited circumstances in which we might ever disclose your information to others without a direction from you to do so;
  • what happens to your information when you choose to close an account;
  • ways in which you can further protect your information;
  • how this privacy policy can change and its scope.

Capitalized terms used in this Privacy Policy have the meanings set forth in the Definitions section found at the end of the policy. This Privacy Policy does not apply to Non-personal Information.

Personal Information we collect and how it is used

When you register to create a Service Account, you must provide certain Personal Information including your name, your date of birth, and a valid email address. You also will select a username and password for the Service Account, and provide other information (such as answers to security questions and a security phrase). We use the information you provide to confirm your eligibility to establish a Service Account, to protect against unauthorized access to the Service Account you create, and to communicate with you regarding the Services. For example, when we send you email, we will include the security phrase that you provided; if you receive an email purporting to be from MyChartCentral that does not contain the security phrase you set on your Service Account, you should not trust that the email was sent by MyChartCentral.

For MyChartCentral Service Accounts, you also will need to provide the username and password you use for each MyChart Account that you wish to have linked to your MyChartCentral Account. Please note we do not store or retain any of your MyChart Account usernames or passwords on Epic Servers. Instead, we use that information to create secure credentialing mechanisms to ensure accurate future system identification between MyChartCentral and your MyChart Account provider organizations’ web sites in connection with your use of the Services.

We also collect and record certain information from your browser each time you connect to our Service Portal, such as your IP address, browser type and language, date, time and duration of your connection, and the actions that you perform. That information becomes part of our Audit Files, which we use only in connection with providing, monitoring or improving the performance of the Services, and in offering any technical support or assistance you might request in connection with your use of the Services.

We also store some information in cookies (small text files) that are created on your computer. The information stored there is retrieved when you connect to our Service Portal and used to improve or simplify your user experience on subsequent visits. Most web browsers allow you to decline cookies, and if you’ve chosen to do so then some features or conveniences otherwise available when using the Services will not work for you.

Other Personal Information you can provide to take advantage of the Services

If you’ve established a Lucy Service Account, you can enter, upload and transfer from other locations a wide variety of other Personal Information to your account for storage, maintenance, editing, organization and sharing with others as you direct. That Personal Information might include health records available to you through MyChart accounts, other health information that you want to organize or share as part of your personal health record, as well as documents, X-rays, other electronic images, and data from various medical monitoring devices such as blood pressure or blood glucose monitors.

We will make good faith efforts to provide you access to your Personal Information through the Service Portal. The Services allow you to delete or correct inaccuracies in your Personal Information that is stored on the Production Servers.

How we use the Personal Information you provide and store in your Service Accounts

Epic will not use, sell, rent, lease or disclose any of your Personal Information for the purpose of allowing third parties to advertise to you or otherwise attempt to sell you products or services or solicit you for business of any kind.

We use your Personal Information in several ways:

  • To provide the Services to you;
  • To provide assistance or technical support in connection with your use of the Services;
  • To audit, monitor, improve and further develop the Services.

We also reserve the right to use your Personal Information to investigate possible violations of the Terms of Service that govern your use of the Services, to protect Epic’s property and rights, to investigate potential fraud or security issues, and to communicate with you regarding the Services or your use of the Services.

How we protect the security of your Personal Information

Epic employs a wide variety of administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of your Personal Information.

For example, only Epic employees who have a need, such as those assigned to operate and provide support for the Services, are provided electronic access to the Epic Servers on which your Personal Information is stored. Those Epic Servers are kept in secure locations, and physical access to them is highly controlled and tracked.

We use Symantec Secure Sockets Layer (SSL) certificate technology so that you have assurance when using the Services that our Service Portal is genuine and operated by Epic. That technology also allows us to establish a secure, encrypted connection between our Service Portal and the web browser you are using when you connect to the Service Portal. When the secure, encrypted connection exists, the address appearing in your browser’s address bar will begin with https:// (not just http://). If you use a high-security browser, your browser address bar will turn green to indicate your secure connection. For more information about the Symantec services and certificate technology we use, click on the Norton Secured Seal below.


Please note, however, that when the Services re-direct you to web sites operated by other organizations (such as a healthcare organization at which you have an active MyChart account), you no longer are connected to our Service Portal. At that point, the nature of your connection is governed and controlled by the technology adopted and put into place by the organization operating the web site to which you’ve been re-directed.

Other technical safeguards that we employ at Epic to protect your Personal Information include the following:

  • Service Account passwords are stored in an encrypted format.
  • We provide you guidance on how to create secure passwords.
  • The Service Portal can be accessed only when you are using high-security browsers of certain versions (e.g., Internet Explorer version 7.0 or later, or Firefox version 3.1 or later), all of which must be SSL-compatible.
  • All transfers of data between systems made via the Internet in connection with your use of the Services occur in encrypted form using SSL protocol or similar technology that is widely regarded to be secure and reliable.
  • Firewalls and audit trails are used to safeguard your information further.

How you control the sharing of your Personal Information and the limited circumstances in which we may disclose it to others

The Services allow you to transfer your Personal Information to and from your Service Account. You control those transfers through the features provided within the Services. For instance, you can authorize healthcare providers at the organizations where you have MyChart Accounts to pull designated portions of your Personal Information from your Service Account for inclusion in your electronic medical record at those organizations. Only those provider organizations that you authorize will be able to initiate such transfers, and they will be able to transfer only the Personal Information from your Service Accounts that you choose to make available to them. To enable this functionality, the Services make the fact that you are a Lucy Service Account holder known to those organizations where you have linked MyChart Accounts.

You also will be able to download your Personal Information to your local computer or portable storage devices, or to direct that such Personal Information be transmitted to other entities. Again, all such transfers of your Personal Information will be solely in your control, as directed by you through your use of the Services.

Please note that Epic cannot control and is not responsible for the privacy and security of your Personal Information once it has left Epic in accordance with your requests and directives when using the Services. We cannot retrieve that information after you’ve shared it; and we cannot control or restrict the use of Personal Information by other organizations. For instance, designating within your Lucy Service Account that portions of your Personal Information are not to be shared restricts only the transfer of the Personal Information via the Services; it does not extend those restrictions to organizations to which you’ve sent that information or from which your Lucy Account has received it, such as a healthcare organization where you have a MyChart Account. How such organizations treat your Personal Information is determined by their own privacy practices.

There are very few instances in which your Personal Information ever will be disclosed by us other than as directed by you through your use of the Services. We may disclose your Personal Information in the following circumstances:

  • As we in good faith consider necessary for us to comply with any applicable law compelling a disclosure of the information, to comply with legal process served on us, or in response to the request of a law enforcement or government regulatory agency in circumstances that we believe warrant the disclosure;
  • As we in good faith believe is necessary or appropriate in order to protect the personal safety or health of the public or users of the Service;
  • As we in good faith believe is necessary or appropriate to protect and defend our rights and property, including the enforcement of the Terms of Service that govern your use of the Services;
  • As we in good faith believe is necessary to protect against or address fraud or security breaches.

In addition, Epic may at times engage other companies or individuals to perform certain activities on our behalf and related to our provision of the Services, such as assistance in correcting hardware problems, off-site storage of information for disaster recovery, web site hosting, or technical assistance regarding operating systems, web browsers or other non-Epic software with which the Services might interact. Epic will provide such third parties access to your Personal Information only (i) when such access is necessary to accomplish the activity for which we have engaged the third party; and (ii) when the third party is contractually bound to us: (a) to use the information only in connection with accomplishment of the activity for which they’ve been engaged and (b) to provide administrative, physical and technical safeguards to protect the confidentiality and security of the information.

What happens to your Personal Information when you close a Service Account

You can choose to close a Service Account at any time. If you choose to do so, we will offer you the opportunity to have us retain your Personal Information and Service Account information for a 90-day grace period during which you can easily re-activate the account. If you do not opt for the grace period, we will deactivate your Service Account and delete all your Personal Information from our Production Servers. If you do opt for the grace period then the deletion of your Personal Information from the Production Servers will occur after the passage of the grace period. Please note that closing a Service Account affects only your Personal Information that is stored on Epic Servers. It does not affect, alter or accomplish the deletion of any Personal Information that is stored or maintained on other systems, such as those of your healthcare providers or the organizations at which you have MyChart Accounts.

Your Personal Information may persist in Backup Files for up to a year and in our Audit Files for longer periods of time based upon government agency and private organization guidelines and recommendations that pertain to analogous categories of data and information. Our Backup and Audit Files are never stored on computers connected to the Internet and the data in such files is not readily or even easily accessible. We therefore reserve the right to decline to process requests to provide access to, to delete or to correct inaccurate Personal Information if such requests would be impractical, require disproportionate technical efforts, jeopardize the security of other individuals’ personal information or interfere with Epic’s legal obligations or its legitimate efforts to protect its business interests.

Ways in which you can further protect your Personal Information

You too should be careful with your Personal Information, and there are steps you should take to prevent unauthorized access to or disclosure of the information in your Service Account. For instance:

  • Never share your username and password information with anybody;
  • Do not identify public computers as being private when logging into the Services;
  • Immediately change your password if you believe any unauthorized access to your Service Account has occurred;
  • Always log out of your Service Account when you’ve completed the actions for which you logged in, and never leave a computer on which you’ve logged into your Service Account unattended while it is in an active session;
  • Store any printouts you generate or media onto which you save your Personal Information only in secure locations;
  • Install appropriate security products, such as firewalls, anti-virus and anti-spyware software, and wireless network security products on the computers from which you access your Service Account;
  • Routinely check your computer for spyware and malware.

Changes to this Privacy Policy

We may make changes to this policy from time to time by posting revised versions on the Service Portal.

Questions and concerns

If you have any questions regarding this Privacy Policy or concerns about our use, disclosure or handling of your Personal Information, please contact us by Requesting Help.

Definitions

“Audit Files” refers to files in which logs are made to track the activity occurring on a Service Account, which can be useful in providing support to account holders.

“Backup Files” refers to copies of Epic Servers periodically made and retained for the purpose of being able to restore our systems in the event of an occurrence that would necessitate such restoration.

“Epic” refers to Epic Systems Corporation and all of its controlled affiliates and subsidiaries.

“Epic Servers” means all tangible computer equipment and storage media of any kind owned and controlled by Epic.

“Lucy” refers to the free service Epic provides allowing you to establish, store, maintain and share a personal health record.

“MyChart Account” refers to web-based patient access and services accounts that you hold at healthcare organizations offering such accounts using Epic’s MyChart patient portal software.

“MyChartCentral” refers to the free service Epic provides through which you can access and view alerts from multiple MyChart Accounts through a single portal.

“Non-personal Information” refers to information that cannot reasonably be identified as pertaining to any particular Service Account or reasonably be used to identify any individual person.

“Personal Information” refers to any information that reasonably could be identified as pertaining to you or your Service Accounts or otherwise used to identify you, whether that information is information that we collected about you or that you provided or directed to be transferred into your Service Accounts when using the Services.

“Production Servers” refer to those Epic Servers through which the Services are actively being provided via the Internet and on which Service Account holders’ live, up-to-date information is stored and actively accessed in connection with the provision of the Services, including any real-time copies of such servers that we might maintain and operate for the purpose of providing continuity of service in the event of a disaster at our principal server site.

“Service Accounts” refers to active MyChartCentral and Lucy accounts residing on Epic Servers and accessible via the Internet in which you manage and access the information you enter or transfer into the accounts.

“Service Portal” means the web sites through which Epic provides the Services and for which Epic is the registered owner.

“Terms of Service” means the Epic Systems Corporation Terms of Service for Web-Based Services to which you agree when you establish a Service Account.

“The Services” refers to both MyChartCentral and Lucy services; individually, those services are referred to as either MyChartCentral or Lucy.