MyChart is governed by HIPAA, but that doesn't prevent extensive data sharing within Epic's Care Everywhere network. Your records may be accessed by any health system in the Epic network for treatment purposes, and de-identified data feeds research and analytics. The scale of Epic's network makes this one of the largest health data sharing arrangements in existence.
| Data Type | Collected | Shared | Sold |
|---|---|---|---|
| Medical Records | Yes (complete) | Epic Network | No (HIPAA protected) |
| Diagnoses & Conditions | Yes | Care Everywhere | De-identified to research |
| Prescription History | Yes | Pharmacies, Insurers | De-identified to pharma |
| Lab Results | Yes | Treating Providers | De-identified to research |
| Portal Usage | Yes | Health System Analytics | No |
Epic's Care Everywhere connects over 250 million patient records across thousands of health systems. Your data can be accessed by any provider in this network, creating one of the largest de facto health information exchanges.
HIPAA's de-identification standard allows significant data sharing for research. Medical records are notoriously difficult to truly anonymize—conditions, demographics, and treatment patterns can identify individuals.
Health systems regularly contribute de-identified MyChart data to research databases, clinical studies, and Epic's own research initiatives. Consent is typically buried in health system terms.
MyChart allows connections to third-party health apps via Apple Health and other integrations. Once data leaves MyChart, it may no longer have HIPAA protection.
Unlike consumer health apps, MyChart data is protected by HIPAA, which restricts certain commercial uses and requires security safeguards.
HIPAA gives you strong rights to access and download your own records. MyChart generally makes this easier than paper-based systems.
Understanding the Epic ecosystem: