Data and security on Epic
Our new electronic health record system
Epic is the name of our new electronic health record system for patients. Epic has replaced multiple different systems, allowing us to securely store and access all the information about your care in one place.
Epic will make your experience as a patient with us smoother, safer and more convenient. Staff will be able to access your information quickly and more easily, and patients will also be able to see information about their own health record using MyChart, our new app and website for patients and carers.
While Epic is a company based in the United States, the systems and applications Epic owns and operates are fully compliant with UK laws relating to privacy.
Protecting your data
We take great care to ensure that health information is kept private and secure.
- Epic does not store patient data or Protected Health Information (PHI).
- Epic does not sell or provide patient data to third parties.
- Epic collects non-identifying data such as the mobile device ID, carrier, OS version and connection type (wi-fi vs mobile) for the purposes of troubleshooting errors and developing improvements to the MyChart app.
Compliance with UK regulations
Under the UK General Data Protection Regulations (GDPR) 2021 and Data Protection Act 2018 we are required to keep your health records secure and confidential. We require all our partner organisations to apply the same strict security to your records as we do, and we make sure that those restrictions are in place before sharing any information. We only share your information in strict accordance with the law.
MyChart is owned and operated by Epic and is fully compliant with UK laws relating to privacy. Names and email addresses will be treated with the same care and privacy given to health records and will never be sold or leased by MyChart, Epic, Guy’s and St Thomas’ NHS Foundation Trust, or King’s College Hospital NHS Foundation Trust.
Security on MyChart, our patient app
MyChart uses the latest encryption technology, passwords and two-step authentication to keep your information safe. We always recommend using a personal email address to sign up to MyChart and avoiding shared email addresses. Keep your login details safe and do not share them.
If you do not agree to the mobile app agreement, you can choose to use the web version of MyChart, which is hosted by Guy’s and St Thomas’ NHS Foundation Trust, and not Epic.
Our commitment to cyber security
Both Guy’s and St Thomas’ and Epic take cyber security very seriously and guard against attacks and threats in a number of ways. Most breaches can be prevented by simple steps, like making sure all users use strong passwords and deploying software updates automatically.
We also employ robust IT processes, such as using the Data Security and Protection Toolkit (DSPT) as a self-assessment against National Standards, and have strong procedures in place to detect and eliminate malware within our systems.
Data sharing and confidentiality
The launch of Epic means that your health record will be accessible by health and care staff at Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust.
Your health record will be stored securely and will only be accessed when needed, and to support your care. Your personal information will remain secure and will not be used inappropriately.
Limiting access
If you do not want your health record to be accessible to both trusts, you can contact the Data Protection Officer. Write to:
Address: Information governance, St Thomas' Hospital, Westminster Bridge Road, London SE1 7EH
Email: [email protected]
Please include:
- which hospital you receive care at (for example, St Thomas' Hospital)
- your hospital number, also known as your NHS number
- confirmation that you understand the implications of your request to limit access to your health record
If you decide to limit access, this will prevent staff from seeing clinical activity displayed on your record. Demographic information (names, address, and date of birth) will still be available to view. The only exception to limiting access to your record is if there is a clinical need to view your health record, for instance if you require emergency care at one of our hospitals.
Please note that limiting access across our two organisations will not prevent sharing of your health record to the London Care Record, which already shares patient data with other health and care organisations across London.
Read more about managing your data.