Patient Privacy & Security

Protecting your health and financial data


At Epion Health, we understand that trust is essential to giving and getting care. That’s why we take your data security and protection to heart. 

We hold ourselves accountable to the highest industry standards, so you can have peace of mind knowing that your personal information is kept safe and handled in compliance with applicable requirements. If you have any questions regarding privacy and security, please email privacy@epionhealth.com and we will respond within two business days.

HITRUST Certification

We work with outside experts to ensure we maintain the highest standards and security practices. Epion has earned the CSF certification for information security from HITRUST. This achievement places Epion in an elite group of organizations worldwide and validates our comprehensive, prescriptive and scalable framework to manage risk and data security. Learn more about our HITRUST certification

Privacy & Security 

Epion is held to the same data protection and privacy standards as your provider and is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state standards for keeping your information safe and secure. 

Epion is not a healthcare provider. Under HIPAA, Epion is defined as a “business associate” – a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a healthcare provider (covered entity). Examples of business associate activities include claims processing or administration; data analysis, processing or administration; and billing — to name a few.  

Our mobile check-in platform helps patients check in to an appointment, update their health records and communicate with their healthcare provider or a member of their staff, along with other services and activities such as conducting surveys. If your provider uses Epion, we will collect, receive, maintain, use and disclose protected health information solely as permitted by your healthcare provider and as required or permitted by applicable law, as described here and in our privacy policy. Epion also provides patients with an opportunity to receive personalized information about health-related products and services from third parties that may be of interest to them. These third parties must meet privacy and security requirements to safeguard your confidential information.

Epion Health’s privacy and security procedures include the following: 

  • We do not sell, disclose or use protected health information without express patient authorization or unless permitted or required by law.
  • We comply with all HIPAA requirements, including signing a Business Associate Agreement (BAA) with all our partners.
  • Employee laptops are centrally managed, encrypted and protected with state-of-the-art anti-malware.
  • Employee hard drives are securely erased before being reused or recycled.
  • Portable storage media is generally not allowed and must be encrypted when it is.
  • All patient data is encrypted — whether stored on servers or moving on the network.
  • Epion has documented policies and procedures for managing encryption keys.

Incident Management & Response

Epion Health has incident management and response plans and processes in place in the event of a security breach. This includes notifying affected users when their health or financial data may have been compromised. We test our plans and practice responses across disciplines at least twice a year.

Risk Management

We have a formal risk management process that includes annual risk assessment, testing and mitigation to find and remediate any vulnerabilities that could pose a threat to our platform or data. 

Vendor Management

Epion Health operates a comprehensive vendor management program that includes risk and security assessments. To further ensure all service providers who touch patient data meet our rigorous standards, they are required to sign a Business Associate Agreement. Epion has formal processes for starting and ending our relationships with vendors to ensure patient data is properly transferred and not kept.

Disaster Management & Business Continuity

We have a robust disaster management and recovery plan that supports business continuity. We test our plans and practice responses to scenarios at least twice a year.

Secure Software Development

At Epion, our mission is to provide innovative solutions that improve how healthcare works — without jeopardizing security or compliance. Our platform provides a safe, secure and scalable way to exchange healthcare data. To ensure the highest level of security, we follow strict policies and procedures, including: 

  • Utilizing a standard, agile software development methodology
  • Requiring all changes to be documented, approved and reviewed by at least two engineers
  • Leveraging an extensive suite of automated tests and a robust QA process
  • Restricting access to production environments 

For more information, please see: 

Privacy Policy

Terms of Use