A new report from the Department of Homeland Security’s Office of Inspector General (OIG) says that the U.S. Coast Guard holds plenty of personally identifiable health information in its servers but lacks a strong approach to dealing with privacy issues.
The report grew from a DHS audit that focused on practices and procedures for protecting the data of Coast Guard employees and on the service’s compliance with the Health Insurance Portability and Accountability Act (HIPAA).
The DHS’s major complaints include poor communication among Coast Guard privacy officials, lack of instructions to staff members for handling health data, lack of contingency planning in case of a breach, and poor physical protection for health data.
The Coast Guard contracted with Epic to build a new EHR system in 2010, raising the question of whether Epic’s patient records system is part of the problem addressed by the OIG.
Epic says definitely no, and indeed the report does not identify Epic as having done anything wrong.
“The fine print of the report’s audit section says the following: ‘Of the authorized IT systems containing privacy data, USCG has only two IT systems that contain PHI. These are the CHCS and MMLD,’” the report reads. “Both of these are legacy systems, not Epic,” Kiesau says.
The new Epic system isn’t live yet, Epic points out.
This is a very important distinction for Epic. The Wisconsin-based company — the nation’s largest EHR provider — is a front runner in the bidding to build a new $11 billion EHR system for the Department of Defense. The system will eventually contain medical records of members of all branches of the service, and replace the military’s current EHR, which has been widely criticized. Effective health data privacy controls will, of course, be a selection criterion.
The new EHR system is supposed to enable information sharing between the Department of Defense, the Department of Veterans Affairs, and private-sector healthcare providers that contract to take care of service personnel.