Infrastructure · Updated July 3, 2026

Azure Resource Tagging Strategy

Tags: azure, tagging, governance, epic, compliance, cost-management

Comprehensive tagging strategy for Epic on Azure deployments ensuring governance, compliance, and operational excellence.


Overview

Azure resource tagging provides the foundation for healthcare infrastructure governance, enabling precise cost allocation, compliance tracking, and operational management across Epic clinical systems.

Strategic Benefits

  • Financial Accountability: Precise cost allocation to clinical departments and Epic environments
  • Compliance Auditing: HIPAA and SOX audit trail validation through consistent tagging
  • Operational Excellence: Automated resource lifecycle management and incident response
  • Epic Environment Management: Clear identification of production vs. training systems

Tagging Classification

Tag Categories

| Category | Scope | Purpose | Governance Level |
|---|---|---|---|
| Standard Tags | All Resource Groups | Organizational governance and compliance | Mandatory |
| VM Level Tags | Virtual Machines and related resources | Operational management and Epic integration | Required for compute |
| Application Tags | Epic-specific resources | Clinical workflow and Epic certification | Epic environments only |

๐Ÿท๏ธ Standard Tags (Required on All Resource Groups)

Organizational Governance

| Tag Name | Description | Allowed Values | Example |
|---|---|---|---|
| aide-id | AIDE ID for service catalog | aide_0077877, aide_0085665, aide_0085666, aide_0088164 | aide_0085665 (Epic West) |
| itsm-assignment-group | ServiceNow assignment group | EPIC NATIONAL INSTANCE – SPT, USS_Virtual_Workspace | EPIC NATIONAL INSTANCE – SPT |
| Division | Optum Health division identifier | Optum Health | Optum Health |
| Product | Healthcare product classification | Epic EMR | Epic EMR |
| gl-code | General ledger financial tracking. Auto-resolved by workload × environment. | 44770-01530-USASS800-XXXXXX (80 codes, see resource-tags.md) | 44770-01530-USASS800-169950 (epic/dev) |

aide-id validation pattern: ^(aide_\d+|uhgwm_[a-z]+)$

Environment and Classification

| Tag Name | Description | Allowed Values | Healthcare Impact |
|---|---|---|---|
| environment | Environment tier classification | dev, qa, int, stg, tst, prf, uat, dmo, prd | Clinical vs. training system identification |
| DataClassification | Data sensitivity classification (Azure Policy tag, distinct from data-classification operational tag) | PHI, NONPHI | HIPAA compliance and access control |
| DR | Disaster recovery designation | Yes, No | Business continuity planning |
| service-tier | Service level classification | p1, p2, p3 | SLA and support escalation |
| platform-managed | Platform team management | true, false | Support responsibility |
| workspace | Workspace identifier for deployment | Lowercase alphanumeric with hyphens. Validation: ^[a-z0-9][a-z0-9-]*[a-z0-9]$ | Deployment source identification |
| workload | Workload type for GL code mapping | epic, citrix, connectivity, network, storage, monitoring, security, shared | Cost allocation and GL code resolution |
| region | Azure region for deployment | centralus, eastus, westus3, etc. | Geographic location tracking |
| data-classification | Data classification level (module-level operational tag) | public, internal, confidential, restricted | Operational data sensitivity classification |
| backup-required | Whether backup is required | true, false | Backup policy management |
| managed-by | Management tool used | terraform | Operational metadata |
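
The rules in the two Standard Tags tables can be checked before deployment, for example against the tag map in a Terraform plan. The following Python check is an added example, not part of the original page or the project's tooling; the `REQUIRED` subset and the sample tag maps are assumptions made for illustration.

```python
import re

# Rules transcribed from the Standard Tags tables above; only tags whose
# pattern or allowed values the page states in full are checked.
PATTERNS = {
    "aide-id": re.compile(r"^(aide_\d+|uhgwm_[a-z]+)$"),
    "workspace": re.compile(r"^[a-z0-9][a-z0-9-]*[a-z0-9]$"),
}
ALLOWED = {
    "environment": {"dev", "qa", "int", "stg", "tst", "prf", "uat", "dmo", "prd"},
    "DataClassification": {"PHI", "NONPHI"},
    "DR": {"Yes", "No"},
    "service-tier": {"p1", "p2", "p3"},
    "platform-managed": {"true", "false"},
    "data-classification": {"public", "internal", "confidential", "restricted"},
    "backup-required": {"true", "false"},
    "managed-by": {"terraform"},
}
# Assumption: the mandatory subset this check insists on being present.
REQUIRED = ("aide-id", "environment", "DataClassification", "DR", "service-tier")


def validate_tags(tags):
    """Return sorted violation messages for one resource group's tag map."""
    tags = tags or {}  # an untagged resource has null tags, not an empty map
    problems = [f"missing required tag '{n}'" for n in REQUIRED if n not in tags]
    for name, value in tags.items():
        value = str(value)
        # fullmatch: with match(), '$' would accept a trailing newline.
        if name in PATTERNS and not PATTERNS[name].fullmatch(value):
            problems.append(f"'{name}' fails its pattern: {value!r}")
        elif name in ALLOWED and value not in ALLOWED[name]:
            problems.append(f"'{name}' has a value outside its list: {value!r}")
    return sorted(problems)


# Constructed inputs: GOOD reuses values from this page's examples; the other
# two each break one rule.
GOOD = {"aide-id": "aide_0085665", "environment": "prd", "DR": "Yes",
        "DataClassification": "PHI", "service-tier": "p1",
        "workspace": "ohemr-epic-pro-001", "data-classification": "restricted"}
SWAPPED = dict(GOOD, **{"DataClassification": "restricted"})
NEWLINE = dict(GOOD, **{"aide-id": "aide_0085665\n"})
```

`SWAPPED` shows the mix-up the table warns about: a value from the operational `data-classification` list placed in the Azure Policy `DataClassification` tag is reported as a violation.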

๐Ÿ–ฅ๏ธ VM Level Tags (Required for Virtual Machines)

Epic Application Identification

| Tag Name | Description | Allowed Values | Clinical Purpose |
|---|---|---|---|
| solution-name | High-level solution category | epic-app, epic-stamp, epic-cogito, epic-shared-infrastructure | Epic component grouping |
| epic-app | Specific Epic application | arr, bca, bcaweb, hyperspace, mychart, sts, welcomeweb, sharedinfra | Clinical workflow identification |
| epic-stamp | Epic environment designation | production, alternate-production, build, training, read-only, shared-infrastructure | Clinical vs. training separation |
| Component | Infrastructure component type | Epic ODB, Epic ECSA, Cogito, Citrix Netscaler | Technical role identification |
| ComponentVersion | Version tracking | Marketplace versions or version 1 | Legacy - remove. Covered by tagging.tf |

Operational Management

| Tag Name | Description | Purpose | Example |
|---|---|---|---|
| tech-owner | Technical owner team | Epic integration accountability | [email protected] |
| account-owner | Business owner team | Clinical department accountability | [email protected] |
| PatchSchedule | Update management classification. Enforced by Azure Policy with 50+ allowed values. | Clinical impact-based maintenance | Examples: ALL_DO_NOT_PATCH, ZWW0D6H02, ZEPCDWS102AM |
| dr-tier | Disaster recovery tier | RTO/RPO classification | active, standby, restoration |

Deployment Tracking

| Tag Name | Description | Purpose | Example |
|---|---|---|---|
| workspace-id | Terraform workspace identifier | Deployment source tracking | ohemr-epic-pro-001 |
| working-directory | Repository working directory | Change management | westepicpro/cogitowestus3 |
| source-code-repo | Source code repository | Audit trail and change tracking | Link to GitHub repo |
| risk-record | Associated risk records | Compliance and risk management | Comma-separated risk IDs |

๐Ÿฅ Healthcare-Specific Tagging Examples

Epic Production Environment

# Epic Hyperspace Production VDA
tags = {
  # Standard organizational tags
  aide-id               = "aide_0085665"
  itsm-assignment-group = "EPIC NATIONAL INSTANCE – SPT"
  Division              = "Optum Health"
  Product               = "Epic EMR"
  environment           = "prd"
  gl-code               = "44770-01530-USASS800-169953"
  service-tier          = "p1"
  platform-managed      = "true"

  # Healthcare compliance
  DataClassification    = "PHI"
  DR                    = "Yes"

  # Epic-specific identification
  solution-name         = "epic-app"
  epic-app              = "hyperspace"
  epic-stamp            = "production"
  Component             = "Epic VDA"
  ComponentVersion      = "version-2024.1"

  # Operational management
  tech-owner            = "[email protected]"
  account-owner         = "[email protected]"
  PatchSchedule         = "Critical"
  dr-tier               = "active"

  # Deployment tracking
  workspace-id          = "ohemr-epic-pro-001"
  working-directory     = "westepicpro/hyperspacewestus3"
  source-code-repo      = "https://github.com/optum-tech-compute/ohemr-epic-pro-001"
}

Epic Training Environment

# Epic Training System
tags = {
  # Standard tags with training designation
  environment           = "tst"
  DataClassification    = "NONPHI"
  DR                    = "No"
  service-tier          = "p2"

  # Epic training identification
  epic-app              = "hyperspace"
  epic-stamp            = "training"
  Component             = "Epic Training VDA"

  # Training-specific management
  tech-owner            = "[email protected]"
  account-owner         = "[email protected]"
  PatchSchedule         = "Standard"
  dr-tier               = "restoration"
}

Citrix Infrastructure Supporting Epic

# Citrix NetScaler for Epic Access
tags = {
  # Infrastructure support tags
  solution-name         = "epic-shared-infrastructure"
  Component             = "Citrix Netscaler"
  ComponentVersion      = "13.1-48.47"

  # Epic dependency tracking
  epic-app              = "sharedinfra" # allowed epic-app value for shared infrastructure
  epic-stamp            = "production"

  # High availability classification
  service-tier          = "p1"
  dr-tier               = "active"
  PatchSchedule         = "Critical"
}

Implementation Guidelines

Terraform Tag Implementation

Global Tag Variables:

# terraform/variables.tf
variable "global_tags" {
  description = "Global tags applied to all resources"
  type        = map(string)
  default = {
    aide-id               = "aide_0085665"
    itsm-assignment-group = "EPIC NATIONAL INSTANCE – SPT"
    Division              = "Optum Health"
    Product               = "Epic EMR"
    platform-managed      = "true"
    gl-code               = "44770-01530-USASS800-169950"
  }
}

variable "environment_tags" {
  description = "Environment-specific tags"
  type        = map(string)
}

variable "epic_tags" {
  description = "Epic application-specific tags"
  type        = map(string)
}

Resource Group Tagging:

# Resource group with required standard tags
resource "azurerm_resource_group" "epic_app" {
  name     = "rg-epic-app-prod-westus3"
  location = "West US 3"

  tags = merge(
    var.global_tags,
    var.environment_tags,
    {
      environment        = "prd"
      DataClassification = "PHI"
      DR                 = "Yes"
      service-tier       = "p1"
    }
  )
}

Azure Policy Enforcement

Tag Inheritance Policy:

{
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Compute/virtualMachines"
    },
    "then": {
      "effect": "modify",
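      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [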
          {
            "operation": "addOrReplace",
            "field": "tags['environment']",
            "value": "[resourceGroup().tags['environment']]"
          },
          {
            "operation": "addOrReplace",
            "field": "tags['DataClassification']",
            "value": "[resourceGroup().tags['DataClassification']]"
          }
        ]
      }
    }
  }
}
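
Because `addOrReplace` overwrites a tag that already exists on the VM, a VM tagged `PHI` inside a resource group tagged `NONPHI` would have its classification replaced by this policy. The following Python preview is an added example, not part of the original page; it lists what the policy would change and flags such downgrades, using a constructed inventory with made-up names and assuming that groups lacking a tag are skipped.

```python
# Tags the page's modify policy copies from the resource group onto each VM.
INHERITED = ("environment", "DataClassification")
VM_TYPE = "microsoft.compute/virtualmachines"


def preview_inheritance(resource_groups, resources):
    """List (vm, tag, current, after) for every tag addOrReplace would change."""
    # Resource group names are case-insensitive in Azure, so index by lower().
    rg_tags = {rg["name"].lower(): rg.get("tags") or {} for rg in resource_groups}
    changes = []
    for res in resources:
        if res["type"].lower() != VM_TYPE:
            continue  # the policy rule only matches virtual machines
        parent = rg_tags.get(res["resourceGroup"].lower(), {})
        current = res.get("tags") or {}
        for tag in INHERITED:
            if tag not in parent:
                continue  # assumption: skip groups that lack the tag entirely
            if current.get(tag) != parent[tag]:
                changes.append((res["name"], tag, current.get(tag), parent[tag]))
    return changes


def downgrades(changes):
    """Changes that would replace a PHI classification with a weaker one."""
    return [c for c in changes
            if c[1] == "DataClassification" and c[2] == "PHI" and c[3] != "PHI"]


# Constructed inventory (names are made up), shaped like `az group list` and
# `az resource list` JSON output.
GROUPS = [
    {"name": "rg-epic-app-prod-westus3",
     "tags": {"environment": "prd", "DataClassification": "PHI"}},
    {"name": "rg-epic-train-westus3",
     "tags": {"environment": "tst", "DataClassification": "NONPHI"}},
]
RESOURCES = [
    {"name": "vm-hsp-01", "type": "Microsoft.Compute/virtualMachines",
     "resourceGroup": "RG-EPIC-APP-PROD-WESTUS3", "tags": None},
    {"name": "vm-trn-01", "type": "Microsoft.Compute/virtualMachines",
     "resourceGroup": "rg-epic-train-westus3",
     "tags": {"environment": "tst", "DataClassification": "PHI"}},
    {"name": "st-trn-01", "type": "Microsoft.Storage/storageAccounts",
     "resourceGroup": "rg-epic-train-westus3", "tags": {}},
]
```

Any row returned by `downgrades` is worth reviewing before the policy is assigned: either the VM is mis-tagged or it sits in the wrong resource group.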

Cost Management & Reporting

Epic Department Cost Allocation

| Department | Filter Tags | Cost Center | Epic Environment |
|---|---|---|---|
| Cardiology | epic-app=arr + account-owner=cardiology* | CC-CARDIOLOGY-001 | Production |
| Emergency | epic-app=hyperspace + account-owner=emergency* | CC-EMERGENCY-002 | Production + Training |
| Pharmacy | epic-app=sts + account-owner=pharmacy* | CC-PHARMACY-003 | Production |
| IT Training | epic-stamp=training | CC-TRAINING-004 | Training only |

Automated Cost Reporting

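# PowerShell script for Epic cost allocation
# Assumes an authenticated Az session (Connect-AzAccount)
$SubscriptionId = (Get-AzContext).Subscription.Id

$CostQuery = @{
    Type = "Usage"
    Timeframe = "MonthToDate"
    Dataset = @{
        Granularity = "Daily"
        Aggregation = @{
            totalCost = @{
                name = "Cost"
                function = "Sum"
            }
        }
        Grouping = @(
            @{
                # The Query API groups by "TagKey" or "Dimension"
                type = "TagKey"
                name = "epic-app"
            },
            @{
                type = "TagKey"
                name = "environment"
            }
        )
    }
}

# Generate Epic cost allocation report
# -Path takes the ARM-relative path and needs an api-version; -Uri would require the full URL
$EpicCosts = Invoke-AzRestMethod -Path "/subscriptions/$SubscriptionId/providers/Microsoft.CostManagement/query?api-version=2023-03-01" -Method POST -Payload ($CostQuery | ConvertTo-Json -Depth 10)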

๐Ÿ” Compliance Validation

HIPAA Audit Support

PHI Data Classification Validation:

# Azure CLI query for PHI resource audit
az resource list \
  --tag DataClassification=PHI \
  --query "[].{Name:name, ResourceGroup:resourceGroup, Type:type, Location:location, Tags:tags}" \
  --output table

Epic Environment Verification:

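# Verify Epic production resources are properly classified:
# lists production PHI resources that are NOT tagged DR=Yes (expect no rows)
# az resource list accepts a single --tag filter, so epic-stamp is matched in the JMESPath query
az resource list \
  --tag DataClassification=PHI \
  --query "[?tags.\"epic-stamp\" == 'production' && tags.DR != 'Yes']" \
  --output table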

SOX Financial Controls

GL Code Compliance Check:

# Verify all resources have required financial tags
$Resources = Get-AzResource | Where-Object {
    # Untagged resources have $null Tags; report them as missing both tags
    -not $_.Tags -or
    -not $_.Tags.ContainsKey("gl-code") -or
    -not $_.Tags.ContainsKey("account-owner")
}

if ($Resources) {
    Write-Warning "Resources missing required financial tags:"
    $Resources | Select-Object Name, ResourceGroupName, ResourceType | Format-Table
}

Troubleshooting Guide

Common Tagging Issues

Problem: Resource deployment blocked due to missing required tags

Diagnosis: Azure Policy enforcement blocking non-compliant resources

Resolution:

  1. Review required tag list for resource type
  2. Update Terraform configuration with missing tags
  3. Ensure tag inheritance from resource group

Problem: Epic cost allocation reporting inaccurate

Diagnosis: Inconsistent or missing Epic-specific tags

Resolution:

  1. Audit all Epic resources for required tags (epic-app, epic-stamp)
  2. Update missing tags through Terraform or Azure CLI
  3. Re-run cost allocation reports

Problem: HIPAA audit findings related to resource classification

Diagnosis: Inconsistent DataClassification tagging

Resolution:

  1. Identify all resources handling PHI data
  2. Apply DataClassification=PHI tag
  3. Verify DR=Yes for all PHI resources


Support & Contacts

Tagging Governance

| Domain | Contact | Responsibility |
|---|---|---|
| Epic Tags | [email protected] | Epic application and environment tags |
| Financial Tags | [email protected] | GL codes and cost allocation |
| Compliance Tags | [email protected] | HIPAA and SOX tag validation |
| Technical Tags | [email protected] | Operational and deployment tags |


๐Ÿท๏ธ Tagging Excellence: Comprehensive resource tagging enables precise governance, cost allocation, and compliance validation for Epic healthcare infrastructure.