Security & Privacy Policies

Mobile Apps for Patients

Our mobile applications for patients, including MyChart for iOS and Android, connect to servers and systems operated and maintained by healthcare organizations that use Epic – to provide patients with secure, mobile access to health information in those servers and systems.

We refer to our mobile applications for patients as “mobile apps” in this policy.

Epic’s Commitments To You

We do not sell or license your information.

We do not receive or store copies of any health or fitness data that you transmit to your healthcare organizations using our mobile apps.  

This Privacy Policy

This policy describes how we interact with your information when you use our mobile apps.

We may update this policy at any time, and future updates are effective as soon as they are published. Your use of any of our mobile apps is also subject to any applicable End User License Agreement terms and/or other applicable terms of use specified by your healthcare provider.  If you use our mobile apps, you have agreed to the mobile apps’ End User License Agreement terms and/or the other applicable terms of use specified by your healthcare provider and consented to the use of your information as described in this policy.

The Limited Ways Our Mobile Apps Interact With Your Information

These are the limited ways our mobile apps interact with your information on behalf of your healthcare organizations, depending on the features your healthcare organizations enable for your use:

• When you add a profile photo to our mobile apps, you may select an existing photo on your device or take a new photo using the camera app on your device. If you select an existing photo on your device or use a camera app on your device to take a new photo, a temporary copy of your chosen photo is stored in our mobile app via app-private storage on your device. Certain camera apps may save a copy of your new photo in locations outside of our mobile app's app-private storage; you should review the privacy policy for the camera app you use to understand how that app interacts with your photos. Temporary files stored in our mobile app’s app-private storage on your device are regularly deleted and are also deleted if you uninstall our mobile app. If you already have a profile photo stored in your profile through your healthcare organization – our mobile apps do not interact with that photo in any way.
• When you connect our mobile apps to Google Fit, Health Connect (by Google), or Apple Health, your health and fitness data is securely transmitted by our mobile apps and saved in your medical record at your healthcare organization. We do not store any health and fitness data within our mobile apps. Any information required for you to select recipients of your data is encrypted and stored in app-private storage. If you stop sharing your health and fitness data or uninstall our mobile app, the encrypted information is deleted from app-private storage.
• When you view documents from your healthcare organization (such as letters or images) using our mobile apps, to make the files viewable for you temporary copies are stored on your device in app-private storage. The temporary copies are deleted when you close your session on our mobile apps.
• When you include a photo or video in a message you send to your healthcare organization using our mobile apps, you may select an existing photo or video from your device or take a new photo or video using the camera app on your device. If you use the camera app on your device to take new photos or videos, temporary copies are stored on your device in app-private storage.  These temporary files are regularly deleted and are also deleted if you uninstall our mobile apps.
• If your healthcare organization offers telehealth appointments using our mobile apps, when you join a telehealth appointment with your provider, our mobile apps will ask for permission to access your device's video and audio functionality to make the appointment possible. Our mobile apps do not record or store video or audio data from these visits.
• If your healthcare organization offers automatic appointment arrival and you choose to enable it, our mobile apps temporarily store identifiers and times for your upcoming appointments in app-private storage to detect your arrival at an appointment. If you stop using our mobile apps or you disable automatic appointment arrival, the identifiers are deleted.
• If your healthcare organization offers location-based check in for in-person appointments, or allows you to find healthcare providers near you, you may choose to allow our mobile apps to temporarily interact with your device’s location data for those purposes. Our mobile apps do not store or use your location data in any other way.
• If your healthcare organization allows you to notify front desk staff electronically when you arrive for an appointment, you may choose to allow our mobile apps to interact with your Bluetooth data for this purpose. Our mobile apps do not store your Bluetooth data.
• While you use our mobile apps, if you choose to call a phone number displayed within the app, we will ask for permission to access your device’s phone to place a call to the phone number.  Our mobile apps do not store your call history or data about the call. 
• Any temporary files created during the interactions described above are regularly deleted, and are also deleted if you uninstall our mobile apps.
• If you have a MyChart Central account, we store limited personal information on Epic-owned servers in the United States. This information includes your name, date of birth, and the contact information you used to create your account and link it with your MyChart accounts at the healthcare organizations that care for you. This information is used to provide services or functionality for MyChart Central, including: helping you log into your MyChart accounts at your healthcare organizations, MyChart Central password recovery, and MyChart Central user support. You can edit and share MyChart Central account information with the healthcare organizations you have linked to your MyChart Central account. If you need to delete the information used by Epic to create your MyChart Central account, you can do so via the “Account Deactivation” page within MyChart Central. Once you submit an account deactivation request, your account information will be deleted via an automatic deletion process that runs periodically (typically once per day). The deletion only applies to the information used to create your MyChart Central account; for guidance on deleting health data viewable within MyChart, see "Your Healthcare Organizations" below.

Your Healthcare Organizations

To use our mobile apps, you must have an account with a healthcare organization using Epic's software. Because of this, your use of our mobile apps is also subject to each of your healthcare organizations' privacy policies.

Please contact your healthcare organizations if you have any questions about their privacy policies, how they store and retain your health information, and how you can make requests to them about their  disclosure, correction, or deletion of your health information.   

Google has determined our mobile apps are subject to their Health Apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available to you in the Play store.

• Our mobile apps interact with your microphone only if you use your microphone to navigate our mobile apps. Our mobile apps interact with your camera roll only if you add a profile image to a profile in our mobile apps.
• Our mobile apps access, collect, use, and share your information (including video, audio, images, files, phone) as stated above in the section titled, “The Limited Ways Our Mobile Apps Interact With Your Information.” We also prominently highlight these uses, describe the type of data being accessed, and obtain your permission for these purposes as you use our mobile apps.
• Your healthcare organization may allow you to use our mobile apps to conduct telehealth appointments with your healthcare providers. Our mobile apps only provide a technical mechanism for those appointments to occur. Our mobile apps do not interact with any health information about you exchanged during any telehealth appointments.

Non-identifying Information Collected to Provide Customer Service and Support

While you use our mobile apps, we collect the following non-identifying information so we can provide customer service to you or your healthcare organization and understand how people use our mobile apps:

• the time you began using the app
• the name of the healthcare organization you interacted with
• any error messages or codes
• the model of device you used and its operating system
• the version of our mobile app used
• if you use Android devices, your connection type (cellular or Wi-Fi)during any errors

Information Used to Keep Data and Systems Secure

While you use our mobile apps, our servers automatically collect and record the following information:

• Internet Protocol (IP) address (which may tell us generally where you are located)
• Language preference
• Date and time
• Type of device or system you use

Epic has a legitimate interest in collecting, processing, and retaining this data in support of its information security operations to prevent unauthorized access to or misuse of our systems and to prevent cybersecurity incidents.  

Personal Information Collected From You (If You Contact Us)

If you contact us through the methods listed on Our Website, we may keep a record of the communication. You can decide how much information you want to share with us in those cases

In the limited situations where Epic collects or receives your personal information (for example, if you contact us for support), we use technical controls and safeguards to protect the privacy, security, integrity, and availability of your personal information. Our mobile apps also use technical controls and safeguards to help keep your information safe while you use our mobile apps.

Safeguards and Controls Built Into Our Mobile Apps

• Our mobile apps use multi-factor authentication by default. Multi-factor authentication is required when you use our mobile apps unless your healthcare organization makes or allows changes to this control.
• Our mobile apps store data on your mobile device in app-private storage that cannot be accessed by other apps. Files you download or save from our mobile apps may be placed in locations accessible to other apps, such as your files app, only with your explicit permission.
• Our mobile apps use in-app notifications and permission requests to help you make informed decisions about when and how your data is shared with other apps on your device.
• Our mobile apps disable screen-shot functionality by default for Android devices (we cannot disable this functionality in iOS). Android users can enable the function if they want to.
• Our mobile apps use https for secure communication with servers.

Additional Steps We Take At Epic

• At Epic, we maintain internal policies and processes that limit access to the information you send to us to our staff who need to know the information to perform their jobs.
• At Epic, we maintain internal data retention and deletion policies to help us ensure we only store information about your use of our mobile apps as described above in this policy.

Each healthcare organization you connect to through our mobile apps also uses safeguards to protect your information. Contact them if you have any questions about their safeguards.

You can take other steps to protect your information:

• Do not share the username and password you use with our mobile apps.
• Change your password immediately if you believe any unauthorized access has occurred.
• Use the security tools on devices you use with our mobile apps.
• Do not root or jailbreak devices you use with our mobile apps. Doing so can create security risks by removing your devices’ built-in security measures and exposing sensitive information on your device.

Our mobile apps contain links to external websites and may contain embedded media hosted by third parties, such as YouTube videos. Epic is not responsible for the content or privacy practices of external websites. We encourage you to be aware when you leave our mobile apps or engage with media hosted by third parties and to read the privacy statements of any external website that collects your information.

GDPR and UK GDPR Privacy Questions

If you need to contact our Data Protection Officer or EU Representative, please email EUPrivacyInquiries@epic.com or call +1 608-271-9000. If you are a Data Subject as defined by GDPR, you should reach out to your healthcare organization for requests related to your personal data accessed through our mobile apps.

California Privacy Questions

Please visit our Privacy Notice for California Residents .

If you have questions about your medical information in an account with a healthcare organization using Epic’s software, please reach out to your healthcare organization using the contact information in their privacy policy.

If you have any questions about this policy, contact us at +1 608-271-9000 or at PrivacyInquiries@epic.com.

August 12, 2025 Update:

• In the section titled “This Privacy Policy”
  • Added clarification that use of Epic Mobile Applications is governed by this privacy policy, the Mobile Application End User License Agreement (EULA), and relevant terms of use from your healthcare provider
• In the section titled “The Limited Ways Our Mobile Apps Interact With Your Information”
  • Added information specific to MyChart Central users

Report a Potential Security Vulnerability or Concern