Epic Mobile Application Privacy Policy for Patients
Last Updated: February 11, 2025
Overview
Mobile Apps for Patients
Our mobile applications for patients, including MyChart for iOS and Android, connect to servers and systems operated and maintained by healthcare organizations that use Epic, to provide patients with secure, mobile access to health information in those servers and systems.
We refer to our mobile applications for patients as “mobile apps” in this policy.
This Privacy Policy
This policy describes how we collect and use your information when you use our mobile apps.
We may update this policy at any time, and future updates are effective as soon as they are published. Your use of any of our mobile apps is also subject to the applicable End User License Agreement. If you use our mobile apps, you agree to the applicable End User License Agreement and consent to the use of your information as described in this policy.
Your Personal Information
The Limited Ways We Use Your Information
We do not sell or license your information. These are the limited ways we interact with your information in connection with our mobile apps:
- When you choose to add a profile photo to our mobile apps, you may select an existing photo on your device or take a new photo using the camera app on your device. If you select an existing photo on your device or use a camera app on your device to take a new photo, we store a copy of your chosen photo in our mobile app, within app-private storage on your device. Certain camera apps may save a copy of your new photo in locations outside of our mobile app’s app-private storage; you should review the privacy policy for the camera app you use to understand how that app interacts with your photos. Temporary files stored in our mobile app’s app-private storage on your device are regularly deleted and are also deleted if you uninstall our mobile app. If you already have a profile photo stored in your profile through your healthcare organization, we do not interact with that photo in any way.
- When you choose to connect to Google Fit, Health Connect (by Google), or Apple Health, your health and fitness data is securely transmitted and saved in your medical record maintained by your healthcare organization. We do not store any health and fitness data within our mobile apps. Any information required for you to select recipients of your data is encrypted and stored in app-private storage. If you choose to stop sharing your health and fitness data or uninstall our mobile app, the encrypted information is deleted from app-private storage.
- When you choose to view documents from your healthcare organization (such as letters or images) using our mobile apps, to make the files viewable for you we temporarily store copies on your device in app-private storage. The temporary copies are deleted when you close your session on our mobile apps.
- When you choose to include a photo or video in a message you send to your healthcare organization using our mobile apps, you may select an existing photo or video from your device or take a new photo or video using the camera app on your device. If you use the camera app on your device to take a new photo or video, we temporarily store a copy of your photo or video in app-private storage on your device. Certain camera apps may save a copy of your new photo in locations outside of our mobile app’s app-private storage; you should review the privacy policy for the camera app you use to understand how that app interacts with your photos. Temporary files stored in our mobile app’s app-private storage on your device are regularly deleted and are also deleted if you uninstall our mobile app.
- If your healthcare organization offers telehealth visits using our mobile apps, when you join a visit with your provider, we will ask for permission to access your device’s video and audio functionality to make the telehealth visit possible. We do not record or store video or audio data from these visits.
- If your healthcare organization offers automatic appointment arrival and you choose to enable it, we temporarily store identifiers and times for your upcoming appointments in app-private storage to detect when you arrive for an upcoming appointment. If you choose to stop using our mobile apps or you disable automatic appointment arrival, the identifiers are deleted.
- If your healthcare organization offers location-based check in for in-person appointments, or allows you to find healthcare providers near you, you may choose to allow our mobile apps to interact with your location data for those purposes. We do not store your location data.
- If your healthcare organization allows you to notify front desk staff electronically when you arrive for an appointment, you may choose to allow our mobile apps to interact with your Bluetooth data for this purpose. We do not store your Bluetooth data.
- While you use our apps, if you choose to call a phone number displayed within the app, we will ask for permission to access your device’s phone to place a call to the phone number. We do not store your call history or data about the call.
- While you use our apps, we collect non-identifying information so we can provide customer service to you or your healthcare organization and understand how people use our mobile apps so we can improve our products. This information includes the time you began using the app, the healthcare organization you interacted with, any error messages or codes, the model of device used and its operating system, and the version of our mobile app used. If you use Android devices, we also collect your connection type (cellular or WiFi) during an error.
- You may contact us through the methods listed on Our Website. If you contact us, we may keep a record of the communication. You can decide how much information you want to share with us in those cases.
- If you have a MyChart Central account, we store limited personal information on Epic-owned servers in the United States, including the contact information you used to create your account and link it with your healthcare organization MyChart accounts. You can edit and share MyChart Central account information with the healthcare organizations you choose to link to your MyChart Central account.
Your Healthcare Organizations
To use our mobile apps, you must have an account with a healthcare organization using Epic’s software. Because of this, your use of our mobile apps is also subject to your healthcare organization’s privacy policy. Please contact your healthcare organization if you have any questions about their privacy policy.
For Android Users – Required Google Play Disclosures for Certain Health Apps
Google has determined our mobile apps are subject to their COVID-19 apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available to you in the Play store.
- Our mobile apps interact with your microphone only if you choose to use your microphone to navigate our mobile apps. Our mobile apps interact with your camera roll only if you choose to add a profile image to a profile in our mobile apps. This information is not used in connection with COVID-19.
- Our mobile apps access, collect, use, and share your information (including video, audio, images, files, phone) as stated above in the section titled, “The Limited Ways We Use Your Information.” We also prominently highlight these uses, describe the type of data being accessed, and obtain your consent for these purposes as you use our mobile apps.
- Our mobile apps were not created specifically for the COVID-19 pandemic. They existed before the COVID-19 pandemic to allow you to access your health information on file with your healthcare organization. Your healthcare organization may allow you to access COVID-19-related vaccination information, laboratory test results, and documents with illness-related information using our mobile apps. You may choose if or how you want to access, display, or use the information – just like you can make those decisions about health information relating to other conditions, services, tests, or vaccinations.
- Your healthcare organization may allow you to use our mobile apps to conduct telehealth appointments with your healthcare providers. Our mobile apps only provide the technical support for those appointments to happen. We do not interact with any health information about you exchanged during any telehealth appointments.
How We Protect Your Personal Information
We use technical controls and safeguards to protect the privacy, security, integrity, and availability of your personal information.
- We enable the use of multi-factor authentication for users of our mobile apps by default. Multi-factor authentication is required when you use our mobile apps unless your healthcare organization makes or allows changes to this control. If you have a MyChart Central account, multi-factor authentication is always required for that account.
- We use HTTPS for secure communication between servers.
- When we store data on your mobile device, we store it in app-private storage that cannot be accessed by other apps. Files you download or save from our mobile apps may be placed in locations accessible to other apps, such as your files app, with your explicit permission.
- Before data is shared from our mobile apps, we provide in-app notifications so you can choose if you want to share the data.
- We disable screenshot functionality by default for Android devices, and allow Android users to choose if they want to enable the function. We cannot disable this functionality in iOS.
- We maintain internal policies and processes that limit access to your information to our staff who need to know the information to perform their jobs.
- We maintain internal data retention and deletion policies to help us ensure we only store information about your use of our mobile apps as we describe in this policy.
Each healthcare organization you connect to through our mobile apps also uses safeguards to protect your information. Contact them if you have any questions about their safeguards.
You can take other steps to protect your information:
- Do not share the username and password you use with our mobile apps.
- Change your password immediately if you believe any unauthorized access has occurred.
- Use the security tools on devices you use with our mobile apps.
- Do not root or jailbreak devices you use with our mobile apps. Doing so can create security risks by removing your devices’ built-in security measures and exposing sensitive information on your device.
Links to External Websites
Our mobile apps contain links to external websites and may contain embedded media hosted by third parties, such as YouTube videos. Epic is not responsible for the content or privacy practices of external websites. We encourage you to be aware when you leave our mobile apps or engage with media hosted by third parties and to read the privacy statements of any external website that collects your information.
Your Privacy Rights
GDPR and UK GDPR Privacy Questions
If you need to contact our Data Protection Officer or EU Representative, please email EUPrivacyInquiries@epic.com or call +1 608-271-9000. If you are a Data Subject as defined by GDPR, you should reach out to your healthcare organization for requests related to your personal data accessed through our mobile apps.
California Privacy Questions
Please visit our Privacy Notice for California Residents.
Contact Epic
If you have questions about your medical information in an account with a healthcare organization using Epic’s software, please reach out to your healthcare organization using the contact information in their privacy policy.
If you have any questions about this policy, contact us at +1 608-271-9000 or at PrivacyInquiries@epic.com.