Most people hear "federal health IT" and think VA. The VA story is messier than that: a three-year deployment pause just ended in April 2026, with full rollout to Oracle Health targeted for 2031. The Indian Health Service is on the same path. The Defense Health Agency is already there. All three federal health agencies are converging on Oracle Health, not Epic. But Epic still lives in a lot of federally-funded healthcare, and that is where the modernization opportunity is hiding. This is the honest map.

Where Epic actually lives in federally-funded healthcare

The short version: not where most people assume.

The Veterans Health Administration is in the middle of a long, troubled migration from its legacy VistA system to Oracle Health (formerly Cerner Millennium). After a three-year pause, deployments restarted in April 2026 with four Michigan sites (Ann Arbor, Battle Creek, Detroit, Saginaw). About ten VA medical centers are live as of mid-2026, with the full rollout to roughly 170 sites now targeted for 2031. The Defense Health Agency runs MHS Genesis, also Cerner-based, across military healthcare. The Indian Health Service still runs RPMS today, but is replacing it with PATH EHR (Patients At The Heart), built on Oracle Health, with the first pilot at the Lawton Service Unit in Oklahoma scheduled for August 2026. None of those three are Epic shops at the agency level, and all three are converging on the same Oracle Health platform.

What does run on Epic, and is federally funded enough to land inside federal data constraints:

  • Federally qualified health centers (FQHCs) running Epic under HRSA funding
  • Public hospitals carrying large Medicare and Medicaid populations (Cook County Health, Harris Health, NYC Health + Hospitals)
  • Academic medical centers receiving NIH research funding (UCSF, Penn, Hopkins, Michigan, many more)
  • State Medicaid managed-care plans delivered through Epic-backed health systems
  • Public health departments running federally-funded surveillance or research programs
  • Tribal health organizations operating outside RPMS

None of these are "the federal government" the way an agency is. All of them sit in a federal-adjacent compliance layer that commercial-only consulting firms tend to underestimate. The procurement is different. The audit posture is different. The cloud you can put the data on is different. The lineage you have to produce on demand is different.

What modernization means under federal constraints

The technical work is the same shape as commercial. Move Clarity off Oracle. Land Cogito and Caboodle data in a governed lakehouse. Serve dashboards in seconds instead of overnight. Retire fragile multi-stage ETL chains. Document lineage. Hand off to the team.

The constraints are not the same.

Commercial cloud strategy: pick Azure, AWS, or GCP and ship.
Federal-adjacent cloud strategy: pick a FedRAMP-authorized cloud at the data classification you actually have, and document the boundary.

Commercial audit posture: SOC 2 if you are lucky.
Federal-adjacent audit posture: NIST SP 800-171 for any controlled unclassified information (Revision 3 was finalized in May 2024 and adds three new control families; Department of Defense contractors still operate under Revision 2 via DFARS until DoD updates the clause, while civilian agencies may adopt Revision 3 selectively). FISMA Moderate for federal data, plus an Authority to Operate process that does not move quickly.

Commercial data residency: usually does not matter.
Federal-adjacent data residency: US-only, often US government region only, sometimes with FIPS 140-2 validated cryptography in the path.

The technical implementation patterns work. The compliance scaffolding around them is what stretches a six-month engagement into eighteen if the team does not know what they are doing.

The Clarity migration question applies here too

Epic Clarity, the relational reporting database many health systems rely on, has historically run on either Oracle or Microsoft SQL Server. The strategic direction has been toward SQL Server and the Caboodle dimensional warehouse that pairs with it. Health systems still running Clarity on Oracle face the same architectural question their commercial peers do: stay on Oracle, migrate to SQL Server, or skip ahead to a governed cloud lakehouse with Caboodle alongside Clarity. Federally-funded Epic shops face that question too. They face it with a slower clock and a stricter audit posture.

What changes for them: the federal-adjacent procurement cycle is slower. The cloud migration that takes a commercial health system twelve to eighteen months takes a federally-funded one eighteen to thirty months once you account for:

  • Federal cloud authorization paperwork for the chosen platform
  • Authority to Operate renewal under the new boundary
  • Documenting the change to the relevant authorizing official
  • Re-certifying downstream reporting that touches federal data
  • Updating subcontractor agreements for primes who handle any piece of the work

The end-of-decade Oracle deadline is closer than it looks for these organizations. The teams that start scoping in 2026 will land cleanly. The teams that wait will burn 2029 on dual-run pain.

Three things primes keep getting wrong

Commercial-first consulting firms that pick up a federal Epic data engagement and treat it like a commercial one tend to fail in the same three places.

1. Wrong cloud

They pick the platform their firm has the deepest bench on, not the one that holds the data's classification. Six months in, the architecture has to be redone on a FedRAMP-authorized environment because the original choice was not eligible. The client carries the cost of the rework.

2. Underbudgeted compliance documentation

The technical work ships and then the team realizes nobody scoped the System Security Plan, the Privacy Impact Assessment, or the Plan of Action and Milestones the ATO requires. Three more months get added to the engagement. The prime eats the overrun or the client does. Either way the relationship sours.

3. Lineage treated as optional

In commercial work, data lineage is a nice-to-have that often gets cut for time. In federal-adjacent audit posture, lineage is not optional. If you cannot answer "where did this number on this report come from, end to end" in an audit, the report gets thrown out and the work loses its credibility with the agency.

The federal-cloud trap

The most expensive way to discover your cloud is not authorized for the data you are putting on it is six months into the build, when the auditing agency asks for your FedRAMP authorization package and you do not have one. Start with the authorization, then build on it.

Patterns that actually work

A short list of what we see deliver cleanly in this space.

A FedRAMP-authorized lakehouse. The three lakehouse platforms most relevant to Epic-anchored federal-adjacent work now all carry FedRAMP High authorization in specific regions. Microsoft Fabric: FedRAMP High via Azure Commercial (P-ATO from the FedRAMP JAB, December 2024). Databricks: FedRAMP High via AWS GovCloud (PMO authorization, February 2025). Snowflake: FedRAMP High via AWS GovCloud US-West and US-East (December 2023). Pick the one that matches the data classification and authorization boundary of the engagement, not the one your bench is most comfortable with.

Zero-trust data architecture. Service-to-service authentication. Least-privilege access. Encryption at rest and in transit using FIPS-validated algorithms. No shared service accounts. No "the analyst team logs in as one user." Every access tied to a real identity.

Audit-friendly lineage. Every report ties back to its source tables. Every transformation is documented. Every refresh is logged with timestamps and operator identity. The auditor never has to take your word for it because the system can produce the trail.
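
An added example, not code from the original article: one way to let the system itself answer "where did this number come from, end to end". It walks a report back to its source tables and flags undocumented transformations, missing refresh logs, and refreshes with no real operator identity. All node names, document IDs, accounts and log entries are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data; every name below is hypothetical.
REGISTERED_SOURCES = {"clarity.src_encounters", "clarity.src_patients"}
SHARED_ACCOUNTS = {"svc-analytics-shared"}
LINEAGE = {  # node -> direct inputs plus a reference to its transformation doc
    "report.readmissions": {"inputs": ["gold.readmit_30d"], "doc": "DOC-3"},
    "gold.readmit_30d": {"inputs": ["silver.encounters", "silver.patients"], "doc": "DOC-2"},
    "silver.encounters": {"inputs": ["clarity.src_encounters"], "doc": "DOC-1"},
    "silver.patients": {"inputs": ["clarity.src_patients"], "doc": None},
}
REFRESH_LOG = [
    {"node": "silver.encounters", "ts": "2026-05-01T02:00:00+00:00", "operator": "jdoe@example.org"},
    {"node": "silver.patients", "ts": "2026-05-01T02:05:00+00:00", "operator": "svc-analytics-shared"},
    {"node": "gold.readmit_30d", "ts": "2026-05-01T03:00:00+00:00", "operator": ""},
]

def audit_report(report, lineage, sources, refresh_log, shared_accounts):
    """Trace a report to its source tables; return (sources reached, audit gaps)."""
    last = {}  # latest refresh entry per node
    for e in sorted(refresh_log, key=lambda e: datetime.fromisoformat(e["ts"])):
        last[e["node"]] = e
    found, findings, stack, seen = set(), [], [report], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in sources:  # reached a registered source table: chain is anchored
            found.add(node)
            continue
        meta = lineage.get(node)
        if meta is None:  # dead end: the trail cannot be produced for this input
            findings.append((node, "no lineage record and not a registered source"))
            continue
        if not meta.get("doc"):
            findings.append((node, "transformation undocumented"))
        entry = last.get(node)
        if entry is None:
            findings.append((node, "no logged refresh"))
        elif not entry.get("operator"):
            findings.append((node, "refresh has no operator identity"))
        elif entry["operator"] in shared_accounts:
            findings.append((node, "refresh ran under shared account"))
        stack.extend(meta["inputs"])
    return sorted(found), sorted(findings)

if __name__ == "__main__":
    print(audit_report("report.readmissions", LINEAGE, REGISTERED_SOURCES, REFRESH_LOG, SHARED_ACCOUNTS))
```

An empty findings list for every published report is the condition to gate releases on; any entry is a question an auditor would otherwise have to take on trust.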

MFA on everything that touches the data. Not just Epic. The lakehouse. The BI tool. The pipeline orchestration. The cloud admin console. The CI/CD that deploys the pipelines. The whole chain.

Documented control inheritance. When you build on a FedRAMP-authorized cloud, you inherit hundreds of compliance controls from the platform. Document which controls are inherited, where the inheritance boundary sits, and which controls you implement yourself. Do this from day one and the ATO package writes itself.

The opportunity right now

Three trends are converging.

One: the federal health agencies (VA, DHA, IHS) are all moving onto Oracle Health. That means the federally-funded Epic landscape is no longer overlapping with federal-agency Epic work. It is a distinct architectural niche: academic medical centers, FQHCs, public hospitals, state Medicaid health systems, and the academic affiliates that share patients with VA medical centers. A specialty market with its own characteristics.

Two: the underlying Clarity-on-Oracle question is real for any health system that has historically run Clarity that way. Whether the timeline is forced by Epic, the cloud cost of maintaining the on-prem Oracle estate, or the audit pressure of running unsupported infrastructure, the migration is on the horizon. The federally-funded shops have less time to ignore it than commercial ones because their procurement and ATO cycles consume eighteen to thirty months.

Three: federal data security expectations keep tightening. NIST SP 800-171 Revision 3, successive executive orders on federal cybersecurity, CMMC for defense contractors, and continued FedRAMP authorization growth all push the same direction: the cloud you put federal-adjacent healthcare data on has to carry the right authorization, and the audit story has to be airtight.

The primes who can deliver Epic-native data architecture under federal compliance posture will pick up multi-year engagements through 2028 and beyond. The ones who cannot will lose the bids to firms that can. For health systems carrying federal funding, starting the planning now means landing on the new platform with the audit story intact. Waiting means a fire drill where the migration, the auditors, the cloud authorization timeline, and the federal compliance cycle all collide.

The bottom line

The federally-funded Epic landscape is smaller than the commercial one. It is not zero. And as the federal agencies themselves move onto Oracle Health, the federally-funded Epic shops become a distinct niche with its own modernization story.

The teams that move now will build the next generation of federal-adjacent health data infrastructure. The teams that wait will be the ones explaining why the audit failed.
