Key Takeaways
- Epic Community Connect lets smaller healthcare organizations share a larger health system’s Epic environment, reducing costs and simplifying data exchange.
- Security in Community Connect is a shared responsibility, with participating organizations responsible for their own connected systems and processes.
- Payment data often moves outside the Epic environment, creating security risks that expand PCI scope and lead to complex compliance and audit requirements.
- PCI-validated P2PE, tokenization, and semi-integrated payment architectures help keep cardholder data out of Epic-connected systems and limit PCI scope.

For hospitals and clinics that work together, sharing electronic health records (EHRs) through Epic Community Connect can reduce costs and support better care coordination. However, these arrangements can also introduce new security and compliance challenges when payment data is involved.
A key concern is PCI scope – the systems, people, and processes subject to Payment Card Industry Data Security Standard (PCI DSS) requirements when cardholder data is present. As PCI scope expands, security obligations increase and compliance becomes more burdensome. The good news is that, with the right approach, healthcare organizations can reduce payment risk and contain PCI scope while still benefiting from the interconnected nature of Epic Community Connect environments.
What Is Epic Community Connect?
Epic Community Connect is a sharing model that lets smaller health organizations use Epic by connecting to a larger health system that already has an Epic EHR platform.
How the Community Connect Model Works
Within the Community Connect model, the larger organization, or host, owns and operates the Epic infrastructure, while the smaller affiliated organizations – known as recipients – plug in to use the platform for their clinical and operational workflows.
Why Health Systems Use Community Connect
For the smaller, affiliated healthcare organizations, plugging into the larger system’s EHR reduces the expense and complexity of implementing and maintaining their own. It also gives them access to enterprise-grade EHR capabilities that might otherwise be difficult to afford.
The model also centralizes upgrades and much operational governance, making them easier to manage across participating organizations. In addition, because organizations operate within the same EHR environment, they can securely share patient records and other data more easily to improve care coordination and workflows.
The Shared Responsibility Model in Epic Community Connect
Because Epic Community Connect is a shared model, the host and recipients must secure their part of the environment to reduce risk.
What Epic and the Host System Secure
While Epic provides the software, the host health system is usually responsible for operating and securing the EHR environment and managing access to shared clinical data.
What Hospitals and Affiliates Are Responsible For
Organizations that connect to the host are responsible for their own operational and administrative processes, such as managing payment workflows and integrations. They are also responsible for any data that is stored, shared, or processed through local systems and workflows outside of the core Epic environment.
Why Responsibility Gaps Create Risk
Responsibility gaps can emerge in Community Connect environments because security, compliance, and risk management are shared across multiple organizations. Each party plays a role in protecting the environment, but not all have the same level of visibility or control. When participating organizations have different security practices or approaches to managing risk, those gaps can expose the network.
Where Payment Data Creates Risk in Epic Community Connect
Payment Data Is Not Fully Secured by Epic
Controls protecting data within Epic’s environment don’t automatically extend to patient payments that pass through systems outside of Epic’s environment, such as third-party payment processors, portals, devices, gateways, and integrations. Each of these external touchpoints must be secured independently.
The PHI + PAN Intersection
Healthcare organizations frequently handle both protected health information (PHI) and payment card data, or primary account numbers (PANs), during the same patient interactions. A single compromise can mean not only payment fraud but also privacy violations and regulatory exposure.
How PCI Scope Expands in Shared Environments
In Community Connect environments, payment data often moves across multiple systems and organizations. As more systems interact with cardholder data, more of the environment can fall within PCI scope, increasing compliance requirements and security risk.
Common Security Risks in Epic Community Connect Environments
Front Desk and In-Workflow Payments
If cardholder data enters Epic-connected systems during payment workflows, the scope of PCI compliance can expand to include those systems and processes.
Call Centers and Payment Capture
When call center agents handle payment information directly, organizations must secure both the people and systems that interact with, record, or store cardholder data.
Patient Portal and Online Payments
Web-based payments that flow through the Epic environment increase healthcare’s payment attack surface.
Stored Payment Methods and Recurring Billing
Long-term storage of cardholder data can expand compliance and breach risk to storage systems and additional workflows far beyond the initial payment transaction.
Distributed Affiliates and Satellite Clinics
Different payment systems and processes across affiliated organizations can create gaps in security controls and governance across the network.
Governance Challenges in Community Connect Models
Community Connect centralizes many aspects of EHR management, but participating organizations still retain some important governance responsibilities.
Shared System, Shared Responsibility
While affiliates operate within a host-managed Epic environment, they remain responsible for securing the payment systems and processes they control.
Shared Infrastructure, Distributed Risk
A security gap in one organization’s payment processes or controls can introduce risk that affects all connected organizations.
Why Governance Must Extend Beyond Epic
Epic helps govern clinical workflows, but payment data often moves through systems and processes outside the EHR, requiring consistent oversight across the organization.
How to Reduce Payment Risk in Epic Community Connect
Reducing payment risk in Community Connect environments starts with limiting cardholder data across the network.
Keep Cardholder Data Out of Epic-Connected Systems
Prevent raw PAN from entering EHR-connected systems altogether so fewer systems need to be protected and included in PCI compliance efforts.
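One way to verify that raw PAN has not leaked into free-text fields of EHR-connected systems is to scan exported text for Luhn-valid card numbers. The following is an added example, not code from Bluefin or Epic; the record layout and field names (`call_note`, `billing_comment`) are constructed for illustration, and the card numbers are public test values.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most non-card digit runs (not all)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str):
    """Return (start, end, masked) for each Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Report only the last four digits so the finding is not itself PAN.
            hits.append((m.start(), m.end(), "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def redact(text: str) -> str:
    """Replace each detected PAN with its masked form."""
    for start, end, masked in reversed(find_pans(text)):
        text = text[:start] + masked + text[end:]
    return text

def scan_records(records):
    """Return (record_id, field, masked) for every hit in any string field."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field != "id" and isinstance(value, str):
                findings += [(rec["id"], field, m) for _, _, m in find_pans(value)]
    return findings

# Constructed sample export; card numbers are public test values.
SAMPLE = [
    {"id": "R1", "call_note": "Pt paid copay by phone, card 4111 1111 1111 1111, receipt emailed"},
    {"id": "R2", "billing_comment": "Guarantor account 1234567890123456, balance due"},
    {"id": "R3", "call_note": "Card on file 5555-5555-5555-4444, set up monthly plan"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE):
        print(finding)
    print(redact(SAMPLE[0]["call_note"]))
```

Because roughly one in ten random digit strings passes the Luhn check, treat hits as candidates for review rather than confirmed cardholder data.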
Separate Payments from Epic Workflows
Handle payment processing independently from clinical systems whenever possible to reduce the risk of payment data entering the clinical environment.
Avoid Storing Raw Card Data
Instead of storing raw cardholder data, store secure substitutes that support recurring payments and other payment workflows.
Standardize Payment Security Across Affiliates
Use a consistent approach to payment security so all entities are protected to the same standard, which simplifies compliance.
Why PCI Scope Containment Matters in Community Connect
The more systems and organizations that handle cardholder data, the more systems and entities fall under PCI scope. This can significantly increase compliance obligations and make audits more complex, particularly across multiple affiliated organizations. By limiting where payment data lives or moves, healthcare organizations can keep more systems out of scope and make PCI compliance easier to manage and demonstrate.
How Bluefin Secures Epic Community Connect Payment Workflows
Bluefin helps healthcare organizations contain payment data to reduce PCI scope and simplify compliance across the network.
PCI-Validated P2PE Prevents PAN from Entering Epic
Point-to-point encryption (P2PE) converts card information into unreadable data as soon as a payment is made so sensitive payment data never enters Epic-connected environments in a usable form. With a PCI-validated P2PE solution, the encryption technology and processes have been independently assessed against standards established by the PCI Security Standards Council, dramatically simplifying compliance.
Semi-Integrated Architecture Keeps Payments Decoupled
A semi-integrated payment architecture allows Epic and payment processing systems to work together without passing cardholder data through the EHR itself. Staff can still accept and manage payments within their normal workflows, but the sensitive payment data is handled separately to reduce risk and limit PCI scope.
Tokenization Reduces Stored Payment Risk
Tokenization replaces payment card data with a randomly generated substitute value, called a token, that can be stored and used in its place. This helps reduce PCI scope in hospitals by supporting recurring billing and other payment workflows without retaining sensitive cardholder data. Vaultless tokenization further reduces risk by eliminating the need to store card data in a centralized token vault, removing another potential target for attackers.
Reduced PCI Scope Across the Entire Network
Together, PCI-validated P2PE, semi-integration, and vaultless tokenization help limit the number of systems and organizations that handle cardholder data, keeping more of the network out of PCI scope.
Secure Epic Community Connect Payment Workflows with Bluefin
Epic Community Connect improves interoperability and access, but payment workflows that span Epic-connected and third-party systems can create additional security and PCI compliance concerns. Bluefin’s PCI-validated P2PE, tokenization, and HSA/FSA solutions for Epic users are designed to keep sensitive cardholder data out of Epic-connected systems whenever possible, providing a hassle-free payment experience for staff and patients while reducing risk and PCI scope.
Secure your Epic Community Connect payment workflows today with Bluefin.
Epic Community Connect FAQs
What does Epic Community Connect enable?
Epic Community Connect allows hospitals, clinics, and physician groups to access Epic by connecting to a larger health system that already operates the platform.
Who is responsible for security in Community Connect?
Security is a shared responsibility, with Epic, the host health system, and connected organizations each responsible for securing the systems, workflows, and data under their control.
Does Epic secure payment data?
Epic helps secure the EHR environment, but payment data often moves through separate payment systems, devices, portals, and workflows that require their own security controls.
How does PCI scope expand in shared EHR environments?
PCI scope expands when cardholder data enters additional systems or workflows unrelated to payment, bringing them under PCI compliance requirements.
How can hospitals reduce risk in Community Connect models?
Hospitals can limit where payment data is stored and transmitted using technologies such as PCI-validated P2PE, vaultless tokenization, and semi-integrated payment architectures.






