Thinking About Epic Cosmos? What to Ask Before You Plug In

  • Writer: Jessica Zeff
  • Jan 30
  • 3 min read
[Illustration: a checklist and pause icon on one side, a disconnected data network on the other, representing governance review, risk assessment, and decision-making before connecting to Epic Cosmos and sharing de-identified clinical data.]

Epic’s Cosmos is a powerful tool, bringing together real-world clinical data from participating health systems to enable large-scale research, pattern recognition, and potentially life-saving insights. But for compliance professionals? It raises important questions about privacy, transparency, and patient trust.


If your organization is considering Cosmos—or already live—there are a few critical compliance considerations to keep front and center.


What Is Cosmos?

Cosmos is Epic's collaborative data network—a national, de-identified data set built from clinical records contributed by Epic customers. It’s designed to support research, comparative effectiveness studies, and population health.


Participating organizations contribute data from their Epic systems, and in return, can query Cosmos to identify trends, patterns, and outliers across tens of millions of patients.


Opting Out: What Are Organizations Doing?

One of the biggest questions that comes up in Cosmos implementation is patient choice.


Even if the data sent to Cosmos is de-identified, many organizations are choosing to be transparent and even provide an opt-out mechanism.


Here’s what I’m hearing from the field:


  • Some organizations add an opt-out question to their patient intake forms or patient portal


  • Others build a flag in Epic to exclude a patient’s data if they’ve expressed concerns


  • A few rely entirely on the argument that “this is de-identified data, therefore no patient choice is needed”


Regardless of the legal necessity, consider the ethical and reputational implications of not allowing an opt-out. Patients who find out their data is being used—albeit de-identified—for research without their knowledge may feel blindsided. Trust is hard to win and easy to lose.


Patient Privacy Notices: Time for a Rewrite?

If you’re participating in Cosmos, your Notice of Privacy Practices (NPP) and other patient-facing communications may need to change.


Questions to consider:


  • Does your NPP explain that de-identified data may be used for research?


  • Have you updated your privacy web page or intake scripts to address Cosmos participation?


  • Do your clinicians and front desk staff know how to answer patient questions about Cosmos?


Pros and Cons of Joining Cosmos

Let’s be honest—there’s a lot to love about Cosmos. But from a compliance standpoint, it’s not all smooth sailing.


Pros

  • Data is de-identified according to HIPAA Safe Harbor or Expert Determination

  • No PHI is shared, so HIPAA authorization is not required

  • Enables large-scale research that can benefit patients and clinicians

  • Epic provides filtering of sensitive data (e.g., HIV, substance use)


Cons

  • De-identification doesn’t eliminate all risk—especially re-identification in small populations

  • Patients may still feel exposed if they’re unaware their data is included

  • Your organization remains responsible for validating de-identification methods

  • Participating requires ongoing risk assessment and training investment


Risk Assessment

If your organization is considering Cosmos, build time and resources for a thoughtful risk assessment. Here's what to include:


  1. Data Mapping: What data elements are being sent? Are identifiers fully removed or masked?


  2. De-identification Validation: Do you trust Epic’s methodology? Do you need internal review or expert determination?


  3. State Law Review: Does your state impose stricter rules than HIPAA?


  4. Opt-Out Policy: Will you offer it? If so, how will it be operationalized?


  5. Transparency Strategy: How will you update your privacy notices, consent forms, and website?


  6. Training Plan: Who needs to understand Cosmos—from IT to front desk—and how will you keep them up to date?


A Thought to End On

Epic Cosmos is an incredible tool. But even tools built “for good” come with obligations. Compliance isn’t about saying “no”—it’s about asking the right questions.


Does our use of Cosmos reflect our values, our privacy commitments, and our legal obligations?


If the answer is yes—and if your processes, notices, and people are ready—then Cosmos can be a powerful asset in your mission to improve patient care.


Do you have questions about this blog? Please contact jessicazeff@simplycomplianceconsulting.com.
