Epic EHR and SAFe Agile: How Health Systems Run Epic Programs Inside PI Planning and ART Delivery
Most healthcare organizations that run Epic programs inside SAFe structures do so with a fundamental mismatch between how SAFe was designed to work and how Epic implementations actually deliver. The Epic module build cycle, the compliance requirements that govern every Epic configuration change, and the vendor-driven upgrade calendar do not map cleanly onto a generic 12-week PI. This article covers how large health systems structure Epic programs inside SAFe, what SAFe concepts translate well to Epic delivery and which do not, what analysts and product owners working on Epic ART teams must understand to be effective, and the adaptations that make the combination work in practice.
- Why Large Health Systems Use SAFe for Epic Programs
- How Epic ART Teams Are Structured
- PI Planning for Epic: What Works and What Requires Adaptation
- Translating Epic Work into SAFe Features and Stories
- Managing Cross-Team Dependencies in Epic ART Delivery
- HIPAA and Compliance Work Inside a SAFe Structure
- What Analysts and Product Owners Do on Epic ART Teams
- Measuring ART Performance for Epic Programs
- Common Failures When Applying SAFe to Epic Programs
- Downloads
Why Large Health Systems Use SAFe for Epic Programs
Large health systems that operate multiple Epic modules across multiple facilities face a coordination problem that small-team agile methods cannot solve. A 14-module Epic implementation involving 180 analysts, dozens of clinical super-users, IT security, compliance, integration teams, and external vendors cannot run in a single product backlog with a single product owner. SAFe (Scaled Agile Framework) provides the coordination layer that aligns multiple teams working on the same Epic program toward shared Program Increment objectives.
SAFe’s ART (Agile Release Train) model is particularly relevant for Epic because it is built around the concept of a persistent cross-functional team structure that delivers value in Program Increments (PIs) of 8-12 weeks. An Epic implementation or a post-go-live optimization program delivers on a defined timeline with defined module milestones – a natural fit for PI-based planning. The alternative – running 14 separate module teams with no coordination layer – produces the dependency conflicts, integration failures, and conflicting release schedules that derail Epic programs.
SAFe for Epic is not a clean off-the-shelf application. The Epic delivery cycle has characteristics that require deliberate adaptation of the standard SAFe model. Understanding which SAFe practices translate directly and which require modification is the prerequisite for running an effective Epic ART. The broader Epic implementation context where SAFe is applied is covered in the Epic EHR Learning Hub.
How Epic ART Teams Are Structured
A well-structured Epic ART organizes teams around clinical and operational domains rather than around Epic module names. A module-centric structure (one team per Epic module) produces silos that make cross-module feature delivery difficult. A domain-centric structure groups modules by the clinical or operational capability they support – inpatient clinical (ClinDoc, Willow, Orders, Beaker), ambulatory clinical (Ambulatory, MyChart, CPOE), revenue cycle (Resolute, Prelude, Claims), and infrastructure (Bridges, Security, Cogito). This grouping aligns with how clinical stakeholders think about the system and makes feature ownership cleaner.
Core ART Roles for Epic Programs
Team Size and Composition for Epic Agile Teams
SAFe recommends team sizes of 5-11 members. Epic teams that follow this guidance tend to organize with: 3-5 build analysts who own specific Epic module configurations, 1 QA analyst who owns testing methodology and test execution (ISTQB-aligned practices apply here), 1 product owner who manages the team backlog and acceptance criteria, 1 integration analyst who handles interface and Bridges work, and 1 super-user or clinical SME who serves as the team’s clinical context reference. This composition keeps the team small enough to be agile while covering the range of skills that Epic build requires.
A common mistake is composing Epic agile teams entirely of build analysts with no dedicated QA presence. Epic build work generates configuration artifacts that must be tested before they reach production. Without a QA analyst on the team, testing becomes an afterthought that is compressed at the end of each sprint when the team runs out of build time – exactly the pattern that SAFe’s built-in quality practices are designed to prevent.
PI Planning for Epic: What Works and What Requires Adaptation
SAFe PI Planning is a 2-day event where all ART teams plan their work for the next 12 weeks. For standard software product teams, PI planning produces team iteration plans and a set of PI objectives. For Epic programs, the same event produces these outputs – but the planning inputs and constraints are different in ways that the RTE and product managers must understand and prepare for.
What PI Planning Works Well for Epic
PI planning’s dependency identification process is particularly valuable for Epic programs. Cross-module dependencies – where the CPOE team’s order routing configuration depends on the Bridges team’s interface build, which depends on the external lab system’s acceptance testing schedule – are exactly the type of dependency that PI planning’s team board visualization makes visible. Without a structured dependency identification exercise, these inter-team dependencies are managed through informal communication that breaks down under schedule pressure.
The PI objective commitment process also transfers well. Each Epic team defines its PI objectives – the specific outcomes it commits to delivering by the end of the PI – and rates each objective’s confidence level. For Epic build teams, a PI objective might be: “Complete IVT Cycle 2 for the Inpatient Clinical module with zero open Critical defects and Clinical SME sign-off.” This is a meaningful, testable objective with a clear acceptance standard.
What Requires Adaptation
Standard SAFe PI planning assumes that teams can commit to delivering working software at the end of every sprint (typically every 2 weeks). Epic build teams do not always produce “working software” at that cadence – they produce build configurations that are not testable until the test environment is refreshed, interfaces that cannot be validated until a connected system is ready, or clinical workflows that cannot be evaluated until super-users are available for testing. The PI planning template must be adapted to account for these dependencies on external readiness factors that are outside the team’s control.
Epic’s annual upgrade calendar is an external constraint that must be factored into PI planning explicitly. If the annual Epic upgrade falls in PI 3, the PI 3 plan must reserve capacity for Upgrade Companion review, regression testing, and cutover preparation. This is not recoverable in the innovation sprint – it is planned work that requires dedicated team capacity. Epic ART teams that do not reserve this capacity during PI planning will sacrifice PI objectives to upgrade work, which looks like underperformance on PI metrics but is actually a planning failure.
A 6-hospital health system implemented SAFe for their Epic post-go-live optimization program. The ART had four Epic domain teams (Inpatient Clinical, Ambulatory, Revenue Cycle, Infrastructure). During PI 2 planning, each team committed to 5 PI objectives. Three weeks into PI 2, Epic released a notice that a critical security patch required deployment within 30 days. The Infrastructure team was required to deploy and validate the patch – work that had not been anticipated in the PI plan. The Infrastructure team pulled 40% of their capacity from committed PI objectives to complete the mandatory patch deployment. At the PI 2 retrospective, the Infrastructure team’s PI predictability score (completed objectives vs committed objectives) dropped to 60% – which the program management office flagged as an ART performance problem. The issue was not underperformance. It was the absence of a handling rule for mandatory non-PI work. The ART’s working agreement was updated after PI 2 to include: mandatory Epic security patches are classified as ART-level emergencies, handled outside the PI plan, and do not count against the team’s PI predictability score. A capacity buffer of 10% was also added to Infrastructure team sprint plans to absorb mandatory maintenance work that arrives mid-PI.
Translating Epic Work into SAFe Features and Stories
The most common breakdown in SAFe-for-Epic programs is the failure to correctly define Features and Stories at the right level of granularity. Teams either write Features that are too large (a single Feature that encompasses an entire Epic module build) or write Stories that are too technical (a Story for each individual Epic configuration record rather than for the workflow step it enables).
What Makes a Good Epic Feature in SAFe
A SAFe Feature is a deliverable of business value that can be completed within one PI. For Epic programs, a Feature is a clinical or operational capability that a defined user role can perform after the Feature is complete. “Configure Sepsis Order Set” is not a Feature – it is a build task. “Enable hospitalists to place the org’s evidence-based sepsis bundle orders from a single order set within 60 seconds of sepsis identification” is a Feature. It has a who (hospitalists), a what (place sepsis bundle orders), a how good (within 60 seconds), and a why (evidence-based sepsis bundle compliance).
Features must have Acceptance Criteria that confirm the Feature is done. For an Epic Feature, acceptance criteria typically include: the clinical workflow can be completed end-to-end in the test environment by a super-user without analyst assistance, all integration touchpoints are confirmed working, any associated regulatory or compliance requirements are met, and the clinical SME has signed off that the Feature meets the clinical need that drove the request.
| Work Item Type | SAFe Level | Epic Program Example | Acceptance Level | Delivery Window |
|---|---|---|---|---|
| Epic (SAFe) | Portfolio | “Enable HIPAA-compliant electronic prior authorization for all CMS-regulated payers by Q4 2026” | Portfolio leadership + Compliance officer | Multiple PIs |
| Feature | Program (ART) | “Enable prior auth submission to BCBS via FHIR Da Vinci PAS endpoint from Epic CPOE” | Product Manager + Clinical SME | One PI |
| Story | Team | “As a hospitalist, when I place an order requiring PA, the system retrieves coverage requirements from BCBS in real time so I can see PA status before I submit the order” | Product Owner + Super-user demo | One sprint (2 weeks) |
| Task / Enabler | Team | “Configure Epic Interconnect endpoint for BCBS FHIR CRD server URL in preproduction environment” | Build analyst self-verify | Within sprint |
How to Write Epic Stories in User Story Format
The standard SAFe User Story format – “As a [role], I want [capability] so that [benefit]” – transfers directly to Epic build stories with one important adaptation. Epic stories must specify the Epic module and workflow context in the story description, not just the role and capability. A story that says “As a nurse, I want to document medication administration so that the record is complete” is too vague for an Epic team. It does not tell the analyst which Epic module (Willow BCMA), which workflow step (scan and document administration), or what “complete” means in clinical terms.
A correctly written Epic Story looks like: “As an inpatient nurse using Epic Willow BCMA, when I scan a patient wristband and then scan a medication barcode, I want the system to confirm the 5 rights and allow me to document administration in one screen so that bedside documentation takes less than 60 seconds and the eMAR is updated in real time.” This story contains enough specificity for a build analyst to identify the Epic configuration objects, for a QA analyst to write a test case, and for a clinical super-user to validate the result.
Managing Cross-Team Dependencies in Epic ART Delivery
Dependencies in Epic programs are more complex and more consequential than in typical software product development. An Epic interface dependency – where the CPOE team cannot complete lab order routing testing until the Beaker team has configured the receiving lab queue – is not just a scheduling inconvenience. If the Beaker team misses their commitment, the CPOE team cannot demonstrate a working Feature at the end of the PI, and the sprint demo is meaningless.
The System Demo as the Integration Gate
SAFe’s System Demo – a demonstration of integrated working software at the end of each sprint – is the mechanism that makes cross-team dependency management actionable rather than theoretical. For Epic ART teams, the System Demo should demonstrate end-to-end clinical workflows that cross module boundaries, not isolated module-level configurations. A System Demo that shows a lab order placed in CPOE, transmitted through Bridges as an ORM message, received in Beaker, resulted, and returned as an ORU to the provider’s in-basket demonstrates that four teams’ work actually integrates. A System Demo that shows only the CPOE order entry form (because the Bridges and Beaker teams are not ready) is not a System Demo – it is a partial build walkthrough.
Teams on an Epic ART that cannot demonstrate integrated workflows at the System Demo have a dependency problem that must be escalated to the RTE. The RTE’s role is to resolve ART-level impediments – including cross-team dependency failures – before they become PI objective failures. The build defect triage process that supports this inter-team quality gate is described in the Epic Build Defects troubleshooting guide.
Dependency Board Management
The PI planning dependency board – where teams draw dependency arrows between their plans – is often treated as a planning exercise that ends when PI planning ends. For Epic ART teams, the dependency board must be a living artifact reviewed weekly in the ART sync meeting. Epic dependencies change mid-PI when interfaces are delayed, when super-users are unavailable for testing, or when the test environment is not refreshed on schedule. A dependency that was green at PI planning can become a critical blocker by Sprint 4 if nobody is tracking it.
A multi-facility health system was running its Epic post-go-live FHIR integration program on a SAFe ART. During PI 3, the Infrastructure team had a dependency on an external payer (Blue Cross) to activate their FHIR sandbox environment before the Integration team could test the prior authorization API connection. The Blue Cross sandbox activation was expected by Sprint 2 of the PI. It was not activated until Sprint 5. The dependency was on the PI planning board but was not reviewed in the weekly ART sync. The Integration team spent Sprints 2 through 4 building integration configuration that could not be tested. In Sprint 5, when the sandbox was finally activated, a field format mismatch was discovered in the Coverage resource that required 3 days of rework. The PI ended with the FHIR PA Feature incomplete – classified as a PI objective miss. A root cause analysis after the PI identified that the payer sandbox dependency had been raised as a risk by the integration analyst at Sprint 2 review, but there was no escalation protocol for external dependency risks at the ART level. The ART’s working agreement was updated to require that any external dependency not met by its committed date triggers an immediate RTE escalation and a PI objective risk flag.
HIPAA and Compliance Work Inside a SAFe Structure
HIPAA compliance requirements do not pause for sprint boundaries. A security template change, a FHIR API access grant, or a clinical documentation configuration that touches PHI must go through the organization’s privacy and security review process regardless of which sprint it falls in. SAFe programs running Epic must integrate compliance review into the Definition of Done rather than treating it as an external gate that is consulted after development is complete.
The Definition of Done for Epic build Stories should include compliance checkpoints explicitly. A Story that involves a security template change must not be marked Done until the privacy officer has reviewed the access grant for HIPAA minimum necessary compliance. A Story that involves a new FHIR API connection must not be marked Done until the BAA status for the connected application has been confirmed. These checks are not optional gates that slow down delivery – they are part of what “done” means for healthcare IT delivery under HIPAA.
Some compliance work does not fit into a Story or Feature at all – it is enabling infrastructure that makes compliant delivery possible. Security architecture review, audit log monitoring program setup, and HIPAA risk assessment updates are examples of work that should be classified as SAFe Enablers and managed in the team backlog alongside functional Stories. Treating compliance work as non-backlogged overhead makes it invisible in planning and allows it to be de-prioritized under schedule pressure – which is how HIPAA gaps accumulate in Epic programs.
What Analysts and Product Owners Do on Epic ART Teams
The analyst role in an Epic SAFe program is more expansive than in a traditional Epic waterfall program – and more demanding. In a waterfall Epic implementation, analysts build to a design document and hand off to testers. In a SAFe program, analysts own Story definition, acceptance criteria, build, and demonstration within the same sprint. The analyst is simultaneously the builder and the first validator of the work they produce.
| Activity | Waterfall Epic Program | SAFe Epic ART Team | Analyst Adjustment Required |
|---|---|---|---|
| Requirements definition | Detailed build specification document, reviewed and approved before build begins | User Stories with acceptance criteria, refined just-in-time each sprint | Write Stories, not specs. Accept that requirements evolve through the PI. |
| Build delivery | Module build completed in a defined build phase; handed off to testing team | Story-level build completed within 2-week sprint; analyst demos to PO | Commit only to sprint-sized work. Raise blockers in daily standup, not at sprint end. |
| Testing | Separate test cycle (IVT, UAT) after full module build is complete | Story-level acceptance testing within the sprint before Done is declared | Test as you build. Do not accumulate untested Stories for a later test sprint. |
| Stakeholder feedback | Clinical review at predefined milestones (design review, UAT sign-off) | Sprint review demo to product owner and super-users every 2 weeks | Bring clinical stakeholders to sprint reviews. Incorporate feedback before next sprint. |
| Impediment handling | Escalated through project manager when they affect the project schedule | Raised in daily standup; resolved by Scrum Master or RTE within same sprint | Surface blockers immediately – not at end of sprint when nothing can be done. |
Product Owners on Epic ART teams must have enough Epic domain knowledge to write meaningful acceptance criteria and to evaluate whether a completed build actually meets the Story’s clinical intent. A product owner who cannot open Epic’s test environment and verify that a build analyst’s completed configuration produces the correct clinical workflow outcome is not able to perform the PO’s core function. For Epic programs, PO roles are often filled by senior analysts or clinical informatics professionals rather than by general Agile practitioners without Epic experience. The BAT vs UAT methodology that the PO uses to verify Epic Stories before marking them Done is described in the BAT vs UAT guide.
Measuring ART Performance for Epic Programs
Standard SAFe ART metrics apply to Epic programs but require healthcare-specific calibration. PI Predictability – the ratio of completed PI objectives to committed PI objectives – is the primary ART-level performance metric. Feature completion rate by sprint tracks whether teams are delivering Features at a sustainable pace. Business Value delivered per PI is the metric that clinical and operational leadership care about most and that connects ART output to health system outcomes.
| SAFe Metric | Standard Definition | Epic Program Adaptation | Target |
|---|---|---|---|
| PI Predictability | % of committed PI objectives completed at PI end | Exclude mandatory patch/upgrade work from denominator when it arrives mid-PI | 80%+ (SAFe standard) |
| Feature Completion Rate | Features completed per PI vs Features planned | Count only Features with clinical SME sign-off – not just technical build complete | 75%+ per PI |
| Business Value Delivered | Sum of business value ratings for completed PI objectives | Rate value in clinical or operational terms: patients affected, time saved, revenue impact | Above committed at PI start |
| Team Velocity | Story points completed per sprint, stabilizing after 3 PIs | Normalize for upgrade sprints – velocity will drop in upgrade PIs by design | Stable or improving trend |
| Defect Escape Rate | Defects found in production vs defects caught in team testing | Track post-release Epic production defects specifically from enhancement releases, not from Epic’s own software | Less than 10% of Stories produce a post-release defect |
The post-go-live optimization program where these ART metrics apply over time is described in the Epic Post-Go-Live Optimization guide. The go-live support phase that the ART’s early PIs support is covered in the Epic EHR Go-Live Support framework.
Common Failures When Applying SAFe to Epic Programs
| Failure Pattern | What Happens | Prevention |
|---|---|---|
| Waterfall in agile clothing | Teams use SAFe ceremonies (PI planning, standups, retrospectives) but still build sequentially. Stories are not testable until all Stories in a Feature are complete. No continuous integration. | Define and enforce Story-level DoD that requires acceptance testing within the sprint. Require System Demo to show integrated workflows at every sprint review. |
| Ignoring Epic’s non-PI constraints | Annual upgrade calendar, mandatory patches, and Epic release windows are not factored into PI planning. Capacity is consumed mid-PI by mandatory work. PI objectives are not met. | Map the Epic vendor calendar to the PI calendar before PI planning begins. Reserve capacity for upgrade work. Define handling rules for mandatory mid-PI work. |
| Features defined at the wrong granularity | Features are too large (entire modules) or too small (individual configuration records). Teams cannot demonstrate working value at sprint reviews. | Apply the “clinically demonstrable in one sprint” test: if the feature can be demo’d as a working clinical workflow in 2 weeks, it is sized correctly. |
| Product owners without Epic domain knowledge | PO cannot write meaningful Epic Story acceptance criteria or validate completed Epic build. “Done” is declared based on build task completion, not clinical workflow validation. | PO roles on Epic ART teams must have Epic module knowledge or a clinical informatics background. Pair a general agile-certified PO with a clinical SME if domain knowledge is insufficient. |
| Compliance work excluded from backlog | HIPAA reviews, security template audits, and audit log monitoring setup are treated as overhead. They accumulate and surface as compliance gaps during audits. | Create SAFe Enablers for compliance work. Include HIPAA review checkpoints in the DoD. Assign compliance items to sprint capacity like any other backlog item. |
| Untracked external dependencies | Payer sandboxes, external lab systems, and Epic’s own service response times are not tracked as dependencies. Teams blocked mid-PI with no escalation protocol. | Add external dependency tracking to weekly ART sync agenda. Define escalation trigger: any external dependency more than 5 business days past its committed date triggers RTE escalation. |
Map the Epic vendor calendar – annual upgrade dates, monthly patch windows, and known Epic service availability constraints – to your PI calendar before PI 1 planning begins, and update it at the start of every PI. Then reserve explicit sprint capacity for mandatory vendor-driven work in each affected PI. This single practice prevents the most common cause of Epic ART PI objective failure: mandatory work that arrives mid-PI and consumes capacity that was committed to PI objectives. The mapping takes less than 2 hours. The PI objective failures it prevents save weeks of rework and rebuild stakeholder confidence faster than any metric improvement.
Authoritative References
- Scaled Agile Framework (SAFe) – ART Structure, PI Planning, Feature and Story Definition, and ART Performance Metrics
- IIBA BABOK v3 – Stakeholder Engagement, Requirements Life Cycle Management, and Solution Evaluation in Agile Contexts