Is Epic HIPAA compliant?
Yes. As an EHR vendor that creates, receives, maintains, and transmits PHI on behalf of provider organizations, Epic acts as a business associate and executes a BAA as part of its enterprise contracting.
Key facts
- BAA available: Yes; PHI may be handled only under a signed BAA
- What it takes: Enterprise license agreement (negotiated)
- Official source: Epic Systems official website — https://www.epic.com/ (verified 2026-06)
How to use Epic in a HIPAA-compliant way
- Engage Epic through your organization's enterprise sales/legal contact and request the BAA as part of the master agreement.
- Confirm the BAA enumerates every Epic module and hosting arrangement (self-hosted vs. Epic-hosted/cloud) that touches PHI.
- Have your privacy officer and legal counsel review and execute the BAA before loading production PHI.
- Configure access controls, audit logging, and encryption per Epic's security guidance and your own risk analysis.
- Retain the fully countersigned BAA and re-review it on contract renewal.
Important caveats
- Epic does not publish its BAA publicly; exact terms are negotiated per customer, so confirm details directly with Epic.
- Epic is typically deployed by hospitals and health systems; smaller practices usually access it through a hosting partner, and that partner may be the contracting business associate rather than Epic itself.
- A signed BAA does not make a deployment compliant by itself—compliance depends on configuration and the practice's own administrative, physical, and technical safeguards.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Epic correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Epic.
Frequently asked questions
Does Epic sign a BAA?
Yes. The BAA is executed as part of a negotiated enterprise license agreement, and it must be signed before any PHI is involved.
Is Epic HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Epic offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Epic with PHI?
Epic does not publish its BAA publicly and exact terms are negotiated per customer, so confirm the details directly with Epic: that the BAA covers every Epic module and hosting arrangement (self-hosted or Epic-hosted) that touches PHI, that your privacy officer and legal counsel have reviewed and countersigned it before production PHI is loaded, and that access controls, audit logging, and encryption are configured per Epic's security guidance and your own risk analysis.