Healthcare EHR + Microsoft Integration: Epic, Oracle Health, MEDITECH, NextGen + Microsoft 365 + Power BI + Fabric + Copilot

Epic remains the dominant electronic health record vendor in academic medical centers and large integrated delivery networks. The Hyperdrive web client has replaced Hyperspace as the production user interface. Caboodle is the enterprise data warehouse layer; Clarity is the relational reporting database. App Orchard and Epic on FHIR APIs are the sanctioned external integration surfaces, and Cosmos is the de-identified multi-organization research dataset. Storm is the Epic-side grounding surface for Microsoft Copilot.

Oracle Health is the post-acquisition brand for Cerner Millennium, HealtheLife, and HealtheIntent. Millennium is the clinical electronic health record. HealtheLife is the patient portal. HealtheIntent is the population-health analytics platform. Oracle Code is the code-set governance surface for terminology, value sets, and clinical content. Oracle is publicly committed to running the Millennium back-end on Oracle Cloud Infrastructure (OCI) with progressive AI feature parity through 2026 and beyond.

MEDITECH serves community hospitals, regional health systems, and a sizeable international footprint. The platform spans the modern Expanse web client, the older Magic and Client/Server (6.x) generations still running in many community hospitals, and the MEDITECH-supported business intelligence connector layer used for analytics and FHIR-based interoperability.

NextGen Healthcare serves ambulatory specialty practices, federally qualified health centers, behavioral health organizations, and a significant share of the multi-specialty ambulatory market. The product line covers NextGen Enterprise (electronic health record + practice management) and NextGen Office (cloud-native ambulatory). FHIR APIs are the sanctioned integration surface for downstream analytics and Microsoft platform integration.

The most common EHR-to-Microsoft integration pattern in the field today. The clinical data warehouse — Epic Caboodle, Cerner DataLake, MEDITECH Data Repository, or the NextGen FHIR resource set — is mirrored, read-only, into a Microsoft Fabric Lakehouse following a bronze, silver, gold medallion architecture. Microsoft Purview enforces sensitivity labels at the OneLake storage layer and propagates them to every Power BI dataset, every Copilot grounding surface, and every downstream Microsoft 365 surface. This pattern is HIPAA-compatible, audit-ready, and CMS-acceptable when the BAA scope and sub-processor chain are documented end-to-end.

When the operational use case requires near-real-time clinical data — emergency department throughput, operating room turnover, bed occupancy, infusion-chair utilization, length-of-stay alerts — the batch mirror in Pattern A is too slow. Pattern B streams FHIR resource updates from the EHR FHIR endpoint into Microsoft Fabric event streams, lands the stream in a Fabric KQL or Eventhouse database, and surfaces it to Power BI in real-time. The same Purview sensitivity-label and Sentinel audit-log discipline applies — the cadence changes, the regulatory control plane does not.

Microsoft 365 Copilot is the most-requested AI surface in healthcare enterprises today, and it is also the easiest surface on which to accidentally leak protected health information. The EPC pattern is conservative by design. Copilot is never grounded directly on identified clinical records. Copilot is grounded on a curated, de-identified gold-layer extract that lives behind a Microsoft Purview sensitivity label. Sensitivity labels are enforced at the OneLake storage layer, at the Power BI dataset layer, at the SharePoint document-library layer, and at the Copilot prompt-context layer. Re-identification risk is documented and signed by the responsible Information System Security Officer before the surface goes to general availability.

A bidirectional pattern. The physician portal lives in SharePoint Online as a Communication Site, integrated into Microsoft 365 with Entra ID single sign-on and Conditional Access. The portal carries clinical reference content, departmental policy, on-call schedules, and contextual links into the production electronic health record using context-aware launch — Epic Hyperdrive, Oracle Health Millennium, MEDITECH Expanse, or NextGen Enterprise opens at the right patient record and the right encounter. The reverse direction is supported through EHR-hosted SmartLinks or context-passing launches back into SharePoint pages. The pattern keeps clinical data inside the regulated electronic health record while keeping reference content, policy, and collaboration inside Microsoft 365.

A patient-facing pattern. The patient portal — Epic MyChart, Oracle Health HealtheLife, MEDITECH Patient and Consumer Health Portal, NextGen Patient Portal — federates patient identity through Microsoft Entra External ID (formerly Entra B2C). The hospital owns the identity layer, the patient owns the identity object, and the consumer-facing identity provider chain is governed by the hospital security baseline. Multi-factor authentication, social-identity sign-in, account recovery, and privacy notice are all controlled in Entra External ID. The pattern collapses the proliferation of disconnected patient portals across an integrated delivery network into one consumer identity surface, which is the precondition for any meaningful patient-facing AI service.

• Microsoft Entra ID single sign-on into the EHR clinician surface with Conditional Access policies tied to device compliance, named locations, and risk-based MFA
• Privileged Identity Management (PIM) for every administrative role in the EHR-to-Microsoft data path, with just-in-time elevation and approval workflow
• Microsoft Entra External ID for the patient-facing identity layer, with HIPAA-aligned account-recovery and MFA policy

• Microsoft Purview sensitivity-label taxonomy specific to the regulated boundary — PHI, de-identified clinical, business-confidential, public
• Sensitivity labels applied at the OneLake storage layer and propagated automatically to every downstream Power BI dataset, SharePoint library, and Copilot grounding surface
• Row-level security inherited from the EHR security matrix where the EHR matrix is the named source of truth

• OneLake access logs, Power BI activity logs, Fabric eventhouse logs, and Purview audit logs piped into Microsoft Sentinel with seven-year retention by default
• Immutable audit-log storage on the Sentinel back-end with named retention policy and named legal-hold workflow
• Quarterly audit-log review evidence package signed by the responsible Information System Security Officer

• Named BAA scope covering Microsoft Fabric, Microsoft 365, Microsoft Purview, Microsoft Sentinel, Microsoft Entra External ID, and any EHR vendor sub-processor in the data flow
• Sub-processor disclosure addendum signed at the start of every engagement and refreshed at every architecture change
• Microsoft HIPAA BAA on file as the foundational document, with EPC Group acting as the downstream Business Associate to the Covered Entity

• Where 42 CFR Part 2 substance-use disorder records are in scope, an additional segregation layer is applied at the Fabric silver layer with a separate sensitivity-label family and a separate access-approval workflow
• State-specific privacy frameworks — California CMIA, Texas HB 300, New York SHIELD Act, Washington My Health My Data Act — are mapped to the Purview taxonomy at engagement kick-off, not retrofitted at go-live
• Cross-border data-residency constraints (Canadian PHIPA, EU GDPR Article 9 health data) are addressed through Fabric capacity placement and tenant-region pinning

Every audit log in the EHR-to-Microsoft data path — OneLake access logs, Power BI activity logs, Fabric eventhouse logs, Purview audit logs, Sentinel detection logs — is retained for seven years by default, indexed by user, action, resource, and timestamp, and held under immutable storage. Retention shorter than seven years is documented as a named exception signed by the responsible Information System Security Officer.

The administrator who provisions the Fabric workspace is not the administrator who approves the BAA scope, who is not the administrator who runs the quarterly audit-log review. Privileged Identity Management enforces the boundary, and the named role separation is reviewed annually at the audit-readiness assessment.

For any clinical use case where a delay in access would cause patient harm, a documented break-glass procedure overrides the Conditional Access baseline. Every break-glass invocation is logged, alerted in real time to Sentinel, and reviewed within 24 hours by the responsible clinical informatics officer and the responsible Information System Security Officer.

The named incident response playbook covers the seven HIPAA breach-notification timelines (60 days to affected individuals, 60 days to the HHS Secretary, contemporaneous to media for breaches over 500 individuals in a state), the named role responsibilities (privacy officer, security officer, communications, general counsel), and the named evidence package — Sentinel detection log, Purview audit log, EHR access log — that supports the breach risk assessment.

For Joint Commission accreditation, CMS Conditions of Participation, and CMS Promoting Interoperability requirements, the audit-readiness package documents the EHR-to-Microsoft data path end-to-end — BAA scope, sub-processor list, sensitivity-label taxonomy, log-retention policy, segregation of duties, break-glass procedure, and incident response playbook — in one signed binder that the surveyor can read in the order the surveyor needs it.