MyChartCentral & Lucy Privacy Policy

Effective Date: July 1, 2020


MyChartCentral is a free service provided by Epic Systems Corporation (“Epic”) that allows you to access multiple patient access and service accounts that you’ve created at healthcare organizations where you receive medical care (your “MyChart Accounts”). By linking your MyChart Accounts to MyChartCentral, you can sign in just once to MyChartCentral to see consolidated information from all of your linked accounts. MyChartCentral also helps you receive notifications from each of your linked accounts, including updates about new lab results and new messages from your healthcare providers.

Lucy is another free service provided by Epic that allows you to create and maintain your own personal health record, in which you can record and store information about your health, such as allergies, immunization records, and lists of medications you are currently taking or have taken. If you have a MyChart Account through your healthcare organization, then you have the option of quickly and conveniently downloading certain information from that MyChart Account into your Lucy personal health record.

In order to provide you with access to MyChartCentral and Lucy (the “Services”) and the ability to use the Services, Epic may collect and process your personal information as described in this MyChartCentral & Lucy Privacy Policy (“Privacy Policy”). This Privacy Policy is designed to inform you about how Epic collects and uses information you provide when you create an account with MyChartCentral and Lucy (“Service Account”), visit the Epic-owned web sites through which Epic provides the Services (“Service Portal”), and use the Services. Epic may update this Privacy Policy, or other privacy notices established for other Epic websites, at any time, and future updates to the Privacy Policy will be effective as soon as they are published. If you are interested, you should check back from time to time and make sure that you have reviewed the most current version of this Privacy Policy.

Information You Provide to MyChartCentral and Lucy

Information That You Give to Us

When you create a Service Account, you are asked to provide certain personal information, including your name, date of birth, and a valid email address. You will select a username and password for the Service Account and provide other information (such as answers to security questions and a security phrase). We use the information you provide to us to confirm your eligibility for a Service Account, to protect against unauthorized access to your Service Account, to provide the Services to you, to communicate with you, and to provide assistance or technical support in connection with your use of the Services. For example, when we send you emails, we will include the security phrase that you provided. Note that if you receive an email purporting to be from MyChartCentral that does not contain the security phrase you set on your Service Account, you should not trust that the email was sent by MyChartCentral.

Additionally, you will need to provide the username and password you use for each MyChart Account that you wish to link to your Services Account. We do not store or retain any of your MyChart Account usernames or passwords. We use the information you provide to securely link your MyChart Accounts to MyChartCentral and to provide the Services to you.

Other Information you can provide to take advantage of the Services

You can use Lucy to enter, upload, and transfer a wide variety of other personal information from other locations to your Service Account for storage, maintenance, editing, organizing, and sharing with others as you choose. That personal information might include health information from your non-Epic healthcare providers that you want to organize or share as part of your personal health record as well as X-rays, other electronic images, healthcare documents, and information from medical monitoring devices (such as blood pressure or blood glucose monitors).

Our Website and Servers, Your Use of Browsers

We also collect and record certain information from your browser each time you connect to our Service Portal, such as:

  • IP address;
  • Browser type;
  • Preferred language;
  • The date, time, and duration of your connection; and
  • The actions that you perform while on the Service Portal.
We use this information in order to provide the Services, monitor the performance of the Services, and offer any technical support or assistance you might request in connection with your use of the Services or our websites.


Some web browsers and operating systems include a Do-Not-Track (DNT) setting that you can activate to signal your preference not to have information about your online activities monitored. There is currently no uniform standard for recognizing and implementing DNT signals. As a result, the Services do not respond to DNT signals. If a standard for recognizing DNT signals is adopted in the future and we follow that standard, we will inform you about our approach in an update to this Privacy Policy.


We use cookies to collect information about access to and use of the Services and the Service Portal. The Service Portal plants a session cookie in your browser that logs data in order to maintain your logged in state, track which Service Portal content you view, and analyze and improve the usage of the Service Portal and the Services. Our collection of this information may include:

  • Your IP address;
  • The pages of our site that you visit;
  • The time and date of your visit;
  • The time you spend on certain pages on our site; and
  • Various other statistics.
You may adjust cookie usage in your browser settings. Adjusting your cookie settings may prevent you from accessing the Service Portal and/or utilizing the functionality of the Services.

How Do We Use Your Information?

The information that you provide us when you use the Services is retained and processed for as long as you use the Services and after you cease using the Services, as described in this Privacy Policy. We will use your information for purposes such as:

  • To provide the Services to you;
  • To communicate with you;
  • To provide assistance or technical support in connection with your use of the Services;
  • To audit, monitor, and further develop the Services; and
  • To investigate violations of the MyChartCentral & Lucy Terms of Service and protect Epic.
By creating a Service Account, you consent to our use of your information in accordance with this Privacy Policy.

Epic will not sell or license any information that it may collect from you from using the Services.

Who Has Access to Your Information?

When you provide your personal information directly to Epic via the Service Portal, your information may be shared with and accessible to Epic staff, including with staff who provide technical support for the Services. In addition, Epic may at times engage other companies or individuals to perform certain activities on our behalf and related to our provision of the Services, such as assistance in correcting hardware problems, off-site storage of information for disaster recovery, web site hosting, or technical assistance regarding operating systems, web browsers, or other non-Epic software with which the Services might interact. Epic will provide such third parties access to your personal information (i) when such access is intended to accomplish the activity for which we have engaged the third party; and (ii) when the third party has agreed to use the information for activity for which they’ve been engaged and protect the confidentiality and security of the information.

The Services allow you to grant access to your information to third parties, such as hospitals, healthcare providers, and others, as you see fit.

We will make good faith efforts to provide you access to your personal information through the Service Portal, including through features available to you on the Service Portal. While the Services allow you to delete documents that you have pulled, pushed, or uploaded into Lucy, you are not able to correct or delete inaccuracies in your MyChart Accounts in the Service Portal. To make such corrections or deletions, you should work directly with the healthcare organizations through which you have MyChart Accounts.

How We Protect Your Information

Epic employs a wide variety of administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your personal information. When you provide your information to us, it is encrypted and transmitted in a secure way. You can verify this by looking for a closed lock icon at the top or bottom of your web browser or looking for “https” at the beginning of the URL address of the web page if you navigated to the Service Portal from a web browser. We have internal policies and processes directed towards limiting access to your information to those members of the Epic team and others who need to know such information to perform their jobs and develop or improve our websites, products, and services. Please remember that no method of transmission over the Internet or method of storage can keep your data 100% secure against unauthorized access, use, or disclosure.

Please note, however, that when the Services re-direct you to web sites operated by other organizations (such as a healthcare organization at which you have an active MyChart Account), you no longer are connected to our Service Portal. At that point, the nature of your connection is governed and controlled by the technology adopted and put into place by the organization operating the other website.

How you control the sharing of your personal information and the limited circumstances in which we may disclose it to others

The Services allow you to transfer your personal information to and from your Service Account. You control those transfers through the features provided within the Services. For instance, you can authorize healthcare providers at the organizations where you have MyChart Accounts to pull designated portions of your personal information from your Service Account for inclusion in your electronic medical record at those organizations. Only those provider organizations that you authorize will be able to initiate such transfers, and they will be able to transfer only the personal information from your Service Account that you choose to make available to them. To enable this functionality, the Services make the fact that you are a Service Account holder known to those organizations where you have linked MyChart Accounts.

You also will be able to download your personal information to your local computer or portable storage devices or send such personal information to other entities. All such transfers of your personal information will be solely in your control, as directed by you through your use of the Services.

Please note that Epic cannot control and is not responsible for the privacy and security of your personal information once it has left Epic’s servers in accordance with your requests and directives when using the Services. We cannot retrieve that information after you have shared it, and we cannot control or restrict the use of personal information by other organizations. For example, if you designate within your Service Account that portions of your personal information are not to be shared, you have restricted only the transfer of the personal information via the Services. Those restrictions are not extended to organizations to which you have sent that information or organizations from which your Service Account has received that information, such as a healthcare organization where you have a MyChart Account. How such organizations treat your personal information is determined by their privacy practices.

There are very few instances in which your personal information ever will be disclosed by us other than as directed by you through your use of the Services. We may disclose your personal information to:

  • Comply with any applicable law, legal process served on us, or request of a law enforcement or government regulatory agency;
  • Protect the personal safety or health of the public or users of the Services; and
  • Protect our rights and property and address fraud or security breaches.
How Long Does Epic Keep Your Information?

Epic will retain your information for as long as you have a Service Account. By creating a Service Account, you agree to allow us to retain your information in accordance with this Privacy Policy.

You can choose to close a Service Account at any time. If you choose to do so, we will offer you the opportunity to have us retain your personal information and Service Account information for a 90-day grace period during which you can easily re-activate the account. If you do not opt for the grace period, we will deactivate your Service Account and delete all your personal information from Epic’s servers. If you do opt for the grace period, then the deletion of your personal information from Epic’s servers will occur after the grace period. Please note that closing a Service Account affects only your personal information that is stored on Epic’s servers. It does not affect, alter, or delete any personal information that is stored or maintained on other systems, such as those of your healthcare providers or the organizations at which you have MyChart Accounts.

Your personal information may persist in Epic’s servers’ backup files and in our activity logs for periods of time based upon government agency and private organization guidelines and recommendations that pertain to analogous categories of data and information. Our backup files and activity logs are never stored on computers connected to the Internet and the data in such files is not readily or easily accessible.

Ways in which you can further protect your personal information

You should be careful with your personal information, and there are steps you can take to prevent unauthorized access to or disclosure of the information in your Service Account. For example, never share your username and password with anybody, immediately change your password if you believe any unauthorized access to your Service Account has occurred, and install appropriate security products on the computers from which you access your Service Account.

Your California Privacy Rights

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit our CCPA privacy notice for California residents.

Contact Epic

If you have questions or concerns about MyChartCentral, Lucy, or this Privacy Policy, please contact Epic at Help@MyChartCentral.com. In any correspondence, please include the website or reason that led you to contact us.