Epic Security Recommendations Using the Integrated Workgroup Security Model

Insights 01
Sep 24, 2014

Epic Security Recommendations Using the Integrated Workgroup Security Model

Sandy Pierson 1 scaled e1623784559137 300x300 1

Written by Sandy Pierson

Category: EHR - Security

Having the greatest Epic system in the world won’t provide value if users are unable to access it properly and efficiently. The following recommendations will help smooth the process of working in Epic’s Security module.

Summary of Model
Each module (Orders, Clinical Documentation, etc.) should have at least one team member as primary security workgroup member and usually a secondary team member. These individuals are responsible for the security specific to their set of users. The Security team is built to work together to create templates that cross over into more than one module; for example, a nurse who will be using Clinical Documentation and Orders modules.

The integrated workgroup Team Lead should act as mentor and help build the security for each team. It is his/her responsibility to ensure the team integrates the security templates the integrated workgroup members build across job functions and security doesn’t overlap.


1) The Security Team Lead should be someone who knows Epic Security well and is able to mentor the integrated work group team members.

2) The integrated work group members are usually only trained in their respective modules. It is very helpful at the beginning of the project to have them go through the Security online training and obtain an Epic Security proficiency certificate.

3) Epic’s Model Security templates may give too much access to functions users’ shouldn’t have. Be sure end users only have access to information required to do their job.

4) When copying model templates/security classes, make sure the security team members remove “model” from the name so site specific templates are easily identified. Start documenting immediately in the notes of templates what they are for and revised differences over model templates. It is especially important to document on sub-templates so those responsible for provisioning know when to apply sub-templates to users. A good format is to have the following in sub-templates notes:
Application Owner:
Created by:
What the sub-template does:
What templates the sub-template is usually applied to:
Security sign off:

5) Team members tend to work in silos instead of working together for the security items that cross over. This causes duplicate security classes and templates to be generated. It is important to hold weekly meetings where problems can be discussed and resolved, training conducted, and security builders can discuss crossover items. The Team Lead should ensure disparate teams are working together on Security build.

6) Start working early in the implementation with Human Resources on the list of employees who will need access to Epic. Where possible, use standard items (department code/job code) to assign Epic security. Find a source to identify contract workers who will need access, for instance, temporary coders and float nurses.

7) Most institutions require all users go to module-specific training even if they have worked on Epic at a different institution. It is imperative that the Security Lead establish a process with the training department so it is known when a user completes training and what Epic Security should be assigned.

8) The Team Lead is responsible for working with Compliance to ensure security is compliant with all federal, state, and site-specific regulations and policies. This includes audits and reports to verify compliance. It’s important to start this relationship at the beginning of the implementation.

9) Ensure Security build performed by Epic employees is well-communicated to hospital Security team members to ensure knowledge transfer and long term success.