Epic Software is a leading platform in healthcare interoperability, exchanging over 8.4 billion patient records annually and supporting 2,343 live apps. It’s built on HL7 FHIR standards, offering free public documentation, sandboxes, and self-service tools for developers. With its federated model, each healthcare organization manages its own instance, requiring individual connections for app integration. Here’s how you can create a secure, HIPAA-compliant medical app using Epic Software:
- Set Up Your Developer Account: Register for free at open.epic.com to access resources and sandboxes. For marketplace distribution, request a Vendor Services account.
- Learn FHIR Standards: Epic relies on FHIR R4 for data exchange. Use SMART on FHIR with OAuth 2.0 for secure integration.
- Plan Data and APIs: Map your app’s features to specific FHIR resources, like Patient, Condition, or Observation, and define workflows.
- Integrate APIs: Connect directly to each healthcare organization’s Epic instance. Use production endpoints and follow best practices for token management and data handling.
- Ensure Compliance: Follow HIPAA guidelines with encryption, access controls, and audit logging. Consider TEFCA IAS for broader data access.
Epic’s ecosystem supports billions of transactions annually, making it a powerful foundation for building medical apps. With the right tools and careful planning, you can create a secure, patient-centric application. Adalo simplifies deployment by letting you build once and launch as a PWA or native app for iOS and Android.
Quickly Build SMART-on-FHIR Patient App That Connects to Epic
sbb-itb-d4116c7
What You Need Before You Start
Before diving into development, you’ll need to gather some key prerequisites. Epic operates on a federated connection model, meaning there’s no central server. Instead, each healthcare organization manages its own Epic instance. This setup allows developers to access public documentation and self-service sandboxes without prior agreements or approvals. However, it also means you’ll need to connect individually with multiple healthcare organizations rather than relying on a single Epic endpoint. Planning for these multiple connections is essential.
Another critical step is defining your data sharing design. You’ll need to decide what types of data your app will handle - such as RxNorm codes for medications or dosage details - and whether your app will read, write, or do both. Additionally, think through what will trigger your app’s workflows, whether it’s an event like a patient discharge or an on-demand launch. These decisions will guide your development process and help you determine which APIs to register.
Setting Up Your Epic App Orchard Account
Once you’ve outlined your development plan, the next step is setting up your Epic App Orchard account. Start by registering for a free Epic on FHIR account at open.epic.com. This gives you access to testing sandboxes, documentation, and tools for client registration. If you plan to sell apps through Epic’s marketplace, you’ll need to request a Vendor Services account (formerly App Orchard). Simply click "I’m Interested" on the portal and wait for the registration email. As of early 2026, App Orchard hosts around 790 apps, with 344 new entries added since 2024.
After registration, you’ll receive a Client ID through self-service tools at open.epic.com. This ID specifies the data scopes your app can access. You’ll need both production and non-production identifiers, and you’ll have to list the exact APIs your app will use. Including only the necessary APIs helps healthcare organizations evaluate your app’s security and licensing requirements.
Epic offers three sandbox environments for testing: R4, STU3, and DSTU2. The R4 sandbox, found at https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/, is the current standard. You can use the "Try It" feature within API specifications to test no-code API calls against sample patient data. This hands-on approach helps you understand data flow before committing to your development strategy.
Learning FHIR Standards and APIs
Epic relies on FHIR R4 (Fast Healthcare Interoperability Resources), a standardized format for exchanging healthcare data. With over 1,160 FHIR R4 production endpoints across healthcare organizations, understanding this standard is crucial. Think of FHIR as a universal language that allows different systems to communicate seamlessly.
Your app should use SMART on FHIR with OAuth 2.0 for authentication and authorization. This approach is ideal for user-interactive apps, enabling them to integrate directly into Epic’s interface for a smooth experience. Additionally, your app must align with U.S. Core Data for Interoperability (USCDI) standards to meet federal guidelines.
Since access tokens are short-lived, you’ll need to implement automated refresh mechanisms to maintain uninterrupted access, especially if your app is cloud-based. Avoid performing runtime queries for endpoint data on open.epic; instead, download this information weekly and host it on your infrastructure to ensure stability.
Meeting Healthcare Regulations
Handling healthcare data comes with serious responsibilities. Your app must prioritize privacy, security, and data integrity. Compliance with HIPAA is mandatory, requiring encryption, access controls, and audit logging throughout your app’s design.
By 2025, Epic recommends utilizing TEFCA Individual Access Services (IAS), a national framework for secure, patient-authorized data exchange. TEFCA expands your app’s capabilities, allowing it to retrieve records from multiple health systems through a single trusted connection. In 2025 alone, over 500 patient-authorized health apps connected to Epic’s network.
If your app writes data back to Epic - such as lab results or orders - you’ll need to ensure accuracy and associate the data with the correct patient to avoid safety risks. Writing data requires stricter validation and safety checks compared to reading data. Epic provides detailed guidelines on security, privacy, and scalability to help you build a secure and reliable app. Following these measures will set the foundation for a robust and compliant application.
How to Build a Medical App with Epic Software
5-Step Process to Build a Medical App with Epic Software
Now that you’re familiar with the prerequisites, let’s dive into the process of building a medical app using Epic software. This process builds on your work with Epic App Orchard and your understanding of FHIR standards. Developing a medical app with Epic involves five main steps - from setting up your account to deploying the app. Each phase requires careful attention to technical details and compliance with regulations.
Step 1: Create Your Epic Developer Account
Start by setting up your Epic developer account. Head over to https://open.epic.com to register for a free account. This will give you access to FHIR resources, sandboxes, and documentation. Once you’ve registered, verify your email to complete the process. If you’re part of an organization, additional approvals might be required.
After verification, log in using either a Vendor Services account or a UserWeb account if you’re an Epic community member. The next step is registering your product to get a Client ID. This ID determines the scope of data your app can access. You’ll receive identifiers for both production and sandbox environments during registration.
"Using Open.Epic's standards-based tech, developers can use public documentation, sandbox, self-service tools to register apps, connect to customer systems, and go live – all without needing Epic's involvement." – Epic
When registering your Client ID, only include the APIs your app will use in production. This keeps security and privacy reviews straightforward. The R4 environment (https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/) is the current standard. Use the "Try It" feature on API specification pages to test no-code calls with sample patient data.
Step 2: Connect App Features to FHIR Resources
Before diving into API integration, map your app’s features to specific FHIR resources. Start by identifying the types of data your app needs (like medications) and the specific elements within them (such as dosage details or RxNorm codes). Next, determine whether your app will read data, write data, or handle both.
Think about when data exchange should occur. Will it happen when a clinician places an order, on a schedule, or when the app launches? For scheduling features, use resources like Appointment, Schedule, and Slot. For clinical records, rely on Condition (diagnoses), AllergyIntolerance, and Immunization. Diagnostics can be handled using ServiceRequest for orders and Observation or DiagnosticReport for results. For demographic and insurance data, use Patient and Coverage resources.
Consult Epic’s technical specifications and Data Sharing Playbooks to confirm that each resource supports the interactions your app needs, such as Read, Search, Create, or Update. Proper planning here will save you time and effort later.
Step 3: Integrate Epic FHIR APIs
Once you’ve mapped your app’s features, it’s time to integrate the necessary APIs. Epic uses a federated connection model, meaning you’ll connect directly to each healthcare organization’s Epic instance rather than a central endpoint. Your app must implement SMART on FHIR with OAuth 2.0, supporting EHR launch, standalone launch, and backend services. For mobile apps, use the Authorization Code flow with PKCE (Proof Key for Code Exchange) for added security.
To manage endpoints, avoid querying open.epic.com at runtime. Instead, download and host endpoint data weekly. Use the "User-access Brands Bundle" for production endpoints, which complies with SMART App Launch standards and includes branding and facility identifiers.
Pagination is key to efficient data handling - stick to a default page size of 20 to 50 resources for faster loading. Use date range filters to limit payloads and request only the minimal data scope your app needs to pass security reviews. Robust token management is also crucial for handling clock skew and token expiration.
Stick to standard coding systems like UCUM for units, SNOMED CT for diagnoses, and RxNorm for medications. Since patient records may not always include every field (like structured allergies or dosage details), design your app to handle missing data gracefully. Use the OperationOutcome resource to parse errors and provide user-friendly messages.
Step 4: Build and Test Your App
With APIs integrated, shift your focus to building the app’s user interface and backend logic. Design a UI that aligns seamlessly with healthcare workflows. Include provenance data, such as the source system and last updated date, to ensure users trust the data’s origin.
Epic’s Launchpad tool can help you simulate launching your app from within an Epic EHR session. Test your app in the R4 sandbox with sample patient data. Organize your data into canonical fields, optional fields, and extensions to account for the variability in clinical records.
For better performance, implement server-side sorting when possible, or create stable client-side alternatives. Test edge cases, like patients with no allergy records or incomplete medication histories, to ensure your app performs well in real-world scenarios.
Step 5: Deploy Your App
Before deployment, confirm your app meets all compliance requirements outlined during the planning phase. If you intend to distribute your app through Epic’s marketplace, you’ll need a Vendor Services account. This costs $1,900 annually and grants access to private APIs, expanded testing tools, and dedicated support.
Prepare for submission by documenting your app’s API scopes, security protocols, and data-handling practices. These materials will be reviewed by healthcare organizations before approving your app for integration.
For internal use within a single healthcare organization, collaborate with their IT team to configure access and conduct production-level testing. After launch, monitor your app’s performance by tracking API response times, error rates, and user feedback. With Epic supporting 219 billion annual web service transactions and over 2,300 live apps, you’ll be joining a thriving ecosystem.
Keeping Your App Secure and Compliant
Security and compliance are the cornerstones of any reliable medical app. Once your app is live, safeguarding patient data and adhering to regulations should be a continuous effort. Consider this: as of February 2024, healthcare organizations in the U.S. paid over $137 million in penalties for HIPAA violations. Additionally, between January and September 2024, there were 491 major data breaches in U.S. healthcare, each involving over 500 compromised records. Clearly, maintaining security and compliance after deployment is not optional - it’s essential. Here's how to design a secure system, meet HIPAA and GDPR requirements, and ensure ongoing protection for your app.
Designing a Secure Data System
The backbone of any secure app lies in its backend architecture. For starters, store Protected Health Information (PHI) in a separate database from general app data. This not only strengthens your security perimeter but also reduces encryption overhead. Encrypt all data - whether stored or in transit - and establish secure connections to each organization’s Epic instance.
To enhance access control, implement multi-factor authentication (MFA) using options like biometrics or two-factor authentication. Add automatic session timeouts and avoid caching or transmitting PHI through mobile devices or notifications. Assign unique user IDs to log every action involving PHI, creating a tamper-proof audit trail.
"OAuth 2.0 is the preferred method of security for apps in which Epic users interact with data."
– Epic Systems Corporation
Token management is another critical aspect. Use a backend component to exchange authorization codes and securely store refresh tokens. Sensitive endpoints should never be exposed directly to client-side browsers. Also, limit permissions to the minimum necessary. For instance, request patient/Observation.read instead of broader access to reduce your app’s vulnerability and simplify security reviews.
Meeting HIPAA and GDPR Requirements
Beyond securing data, your app must comply with regulations like HIPAA and GDPR. For HIPAA, this involves a mix of administrative, technical, and physical safeguards. Administratively, appoint a privacy officer, provide regular workforce training, and maintain clear, written privacy policies. Technically, encryption, MFA, and digital signatures are key to preventing unauthorized data access or tampering.
If your app works with third-party vendors handling PHI, ensure you have Business Associate Agreements (BAAs) in place. Apps acting as Business Associates for healthcare providers must also execute BAAs with Epic customers.
For patient-facing apps, Epic requires a detailed questionnaire covering funding sources, data-sharing practices with third parties, and whether users can delete their records. This information is shared with patients during the "Allow Access" phase in MyChart, and patients can manage or revoke access via the "Manage My Linked Apps and Devices" page.
Establish a breach notification protocol to comply with HIPAA rules. Notify affected individuals within 60 days of discovering a breach. If more than 500 individuals are affected, report it immediately to the Department of Health and Human Services (HHS) and issue a public notification. In 2023 alone, over 540 organizations reported health data breaches, impacting more than 112 million individuals.
Maintaining and Updating Your App
Security isn’t a one-and-done deal - it’s an ongoing process. Conduct annual security audits and penetration tests, especially after major updates. Costs for third-party audits typically range from $1,000 to $5,000 for smaller assessments. Stay up-to-date with Epic’s technical specifications, including updates to FHIR versions, and adjust your app accordingly.
Aligning with the Trusted Exchange Framework and Common Agreement (TEFCA) is also crucial for secure, large-scale data sharing. By 2025, over 500 patient-authorized health apps had successfully connected to the Epic community using modern FHIR APIs and OAuth 2.0. Regularly monitor API response times, error rates, and user feedback to catch potential security issues early.
"As between you and Epic, you are solely responsible for your products and services... and for all liability and consequences (e.g., privacy breaches and security vulnerabilities) that arise from or relate to the use of your products."
– open.epic Terms of Use
Keep your security measures fresh by updating TLS/SSL certificates and reviewing access logs for suspicious activity. Collect only the PHI necessary for your app’s core functionality. This not only reduces your compliance workload but also limits the damage in case of a breach. Regular updates and audits are key to preserving the integrity and trustworthiness of your medical app.
Conclusion
Creating a secure and compliant app with Epic integration requires careful attention to detail and precise execution. The process starts with obtaining your Client ID from open.epic.com, mapping out data flows using Epic's Playbooks, and connecting FHIR APIs through sandbox testing. Epic's federated model also means working closely with each healthcare organization's IT team to ensure smooth integration.
Protecting user data and meeting compliance standards hinges on implementing OAuth 2.0 and other industry-standard security measures. While the technical aspects of Epic integration can be challenging, tools like robust APIs and the free Sandbox environment make development more manageable. However, the financial investment is substantial, with costs ranging from $1 million to $5 million for data migration and exceeding $10 million for enterprise-level integration. Given that 63% of U.S. adults now use health apps to track their health and receive remote medical advice, the potential rewards for a well-executed application are significant.
Epic's ecosystem is vast, handling 8.40 billion patient records annually and supporting 2,343 live apps as of 2026. In such a critical environment, reliability and compliance are essential. Regular audits, staying updated with FHIR advancements, and closely monitoring API performance are all necessary to keep your app functioning smoothly. Once deployed, continuous monitoring ensures your app remains dependable and responsive over time.
To simplify deployment, consider using Adalo's platform to manage your app as a Progressive Web App or a native application for iOS and Android. With a single build, you can deliver a seamless, production-ready experience to your users.
FAQs
How can I make sure my medical app built with Epic Software complies with HIPAA regulations?
To make your medical app HIPAA-compliant while integrating with Epic Software, start by leveraging Epic’s developer tools, such as FHIR and HL7 v2 APIs. These tools support secure data management through OAuth 2.0 authentication and encrypted connections. You’ll need to register your app through the Open Epic portal and follow their detailed guidelines, including implementing role-based permissions and audit logging, both of which align with HIPAA’s privacy and security standards.
It’s also crucial to put additional safeguards in place. These include encrypting Protected Health Information (PHI) both at rest and during transmission, maintaining thorough audit trails, and enforcing strong authentication protocols. Before deployment, take advantage of Epic’s sandbox environment to rigorously test your app’s functionality and security. Collaborate with healthcare organizations that use Epic to secure the necessary approvals and agreements, including Business Associate Agreements (BAAs), which are mandatory under HIPAA.
To maintain compliance over time, conduct regular risk assessments, provide HIPAA training for your team, and stay informed about regulatory changes. By adhering to both Epic’s guidelines and federal requirements, you can create a secure, compliant app that meets the needs of patients and healthcare providers alike.
How do I integrate FHIR APIs into my medical app using Epic Software?
To connect FHIR APIs to your medical app using Epic Software, the first step is creating a developer account on Epic's FHIR portal. This account gives you access to their sandbox environment and essential development tools. Once registered, you'll need to set up your app to generate a client ID and secret for OAuth 2.0 authentication.
For development, work with the sandbox endpoints that align with the FHIR version you plan to use. Configure OAuth 2.0 to obtain an access token, which your app will include in API requests. This token allows your app to make RESTful API calls (like GET or POST) to interact with key resources such as patients, observations, or medications.
After completing sandbox testing, validate your app's functionality and collaborate with the target Epic customer to gain production access. Throughout this process, make sure your app complies with healthcare regulations, including HIPAA, to ensure data security and privacy.
How do I connect my medical app to multiple healthcare organizations using Epic’s federated model?
To integrate your app with multiple healthcare organizations within Epic's federated model, you'll need to approach each organization as a distinct integration point. This is because every health system runs its own Epic instance and independently manages app access.
Start by registering your app on the Open.Epic portal. This will provide you with a reusable client ID and secret. Next, for each organization you plan to connect with, download its specific endpoint bundle and save the base FHIR URL in your configuration settings. When implementing the OAuth 2.0 SMART on FHIR flow, make sure to use the organization-specific authorization and token URLs. Also, manage access tokens separately for each health system to ensure they remain scoped to individual organizations and can be refreshed independently.
To simplify development, take advantage of Epic's self-service tools and adhere to established standards like FHIR and HL7. Always test your app in a sandbox environment that closely replicates the settings of the target organization before moving to production. Additionally, keep endpoint bundles updated regularly to ensure your app remains compliant and functional. By treating each health system as a unique endpoint and automating updates where possible, you can scale your app efficiently across various organizations.
Related Blog Posts
