Your EMR Went Out of Business: How to Export, Store, and Transfer Your Patient Data

If your EMR vendor just shut down, your patient records don’t disappear with them — but your access to them might. Acting in the next 48 hours is the difference between a compliant transition and a HIPAA crisis.

  • Export Your Data: Request C-CDA or HL7 before access is cut off
  • Store Securely: HIPAA-compliant storage with a signed BAA
  • Transfer Records: Migrate active patients. Archive the rest.
  • Stay Compliant: HIPAA obligations don’t pause for vendor failures
  • Document Everything: Every step, dated and in writing

Why EMR Vendors Go Out of Business — and What It Means for You

The healthcare IT market is intensely competitive and consolidating. Maintaining ONC certification alone costs vendors hundreds of thousands of dollars annually in testing, auditing, and regulatory compliance. According to ONC data, more than 50 EHR vendors have exited the certified health IT market since 2016, leaving practices scrambling to recover data with little warning.

When your vendor shuts down, several things happen simultaneously:

  • System access may be cut off on a fixed date — often with as little as 30 days’ notice before servers go dark.
  • Support disappears on announcement day — staff who understood the export process are typically laid off immediately.
  • Your data does not automatically transfer anywhere — records in a proprietary database are not portable by default.
  • HIPAA obligations do not pause — you remain the covered entity legally responsible for every patient record.
  • Contract enforcement becomes time-sensitive — data return clauses are only enforceable while the vendor still exists.

  • 50+: EHR vendors exited the ONC-certified market since 2016
  • 6 yrs: Minimum HIPAA retention requirement under 45 CFR §164.530
  • $1.9M: Maximum HIPAA fine per violation category per year
  • 30 days: Typical shutdown notice window before access is cut off

The First 48 Hours: Immediate Steps to Take

1. Document everything immediately. Save every email, notice, and vendor communication. Note exact dates, the announced shutdown date, and any export instructions. These records are your legal foundation if you face an audit later.

2. Send a formal written export request today. Request: (a) a complete export of all patient records, (b) available export formats, (c) a delivery timeline, (d) confirmation the BAA remains in effect through the transition, and (e) a named technical contact for the export process.

3. Alert your HIPAA Privacy Officer and legal counsel. Under 45 CFR §164.530(a), covered entities must designate a Privacy Officer. If you don’t have one, engage a healthcare attorney with HIPAA experience within 24 hours.

4. Begin evaluating new EHR systems immediately. Look specifically for vendors with documented experience migrating data from discontinued systems. Confirm they will sign a BAA before any PHI is shared.

5. Communicate with your staff. Uncertainty leads to workarounds — and workarounds create additional compliance risk during an already vulnerable period.

How to Export Your Data from a Shutting-Down EMR

Scenario A — The Vendor Provides a Self-Service Export

ONC-certified systems are required under 45 CFR §170.315(b)(1) to provide data portability tools. If your vendor offers a self-service export portal, use it immediately. Export all patients, all date ranges, all record types. Cross-reference patient counts to verify completeness. Download to at least two separate storage locations as soon as the export completes.
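Once the export is downloaded to two locations, the copies can be compared byte for byte and the result kept as a dated record. The following is an added example, not part of the original article or any vendor tooling; the file names in `demo()` are constructed sample data.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large exports
                    digest.update(chunk)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest.hexdigest()
    return manifest

def compare_copies(primary, secondary):
    """Report files that are absent from, or differ in, the second copy."""
    a, b = build_manifest(primary), build_manifest(secondary)
    return {
        "generated_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "file_count": len(a),
        "missing_in_secondary": sorted(a.keys() - b.keys()),
        "extra_in_secondary": sorted(b.keys() - a.keys()),
        "mismatched": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
        "manifest": a,  # keep with the transition records as evidence of what was received
    }

def demo():
    """Constructed sample: two copies of a tiny export, one file truncated, one dropped."""
    files = {"p1001.xml": b"<a/>", "p1002.xml": b"<b/>", "billing.csv": b"id\n1\n"}
    with tempfile.TemporaryDirectory() as one, tempfile.TemporaryDirectory() as two:
        for name, body in files.items():
            for root in (one, two):
                with open(os.path.join(root, name), "wb") as fh:
                    fh.write(body)
        with open(os.path.join(two, "p1002.xml"), "wb") as fh:
            fh.write(b"<b")  # simulates a transfer that was cut short
        os.remove(os.path.join(two, "billing.csv"))
        return compare_copies(one, two)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest contains file names and digests only, so it can be stored with the transition paperwork without adding another copy of PHI, provided the file names themselves do not embed patient identifiers.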

Scenario B — You Must Request a Manual Export

Submit a formal written request specifying: all patient demographics, clinical notes, medication histories, lab results, imaging references, and billing records. Request delivery via encrypted SFTP or secure cloud share. Specify C-CDA or HL7 as your preferred formats.

Scenario C — The Vendor Is Unresponsive or Already Closed

Contact the parent company, acquiring entity, or bankruptcy trustee. Engage a healthcare IT data recovery firm. Review your contract for data return clauses. Cite ONC information-blocking regulations — violations carry penalties up to $1 million per incident. Document every attempt exhaustively.

What Data Formats to Request and Why They Matter

Format | Best For | EHR Import Support | Long-Term Readability
C-CDA | Structured clinical summaries | ✓ High — most modern EHRs | ✓ Excellent — open HL7 standard
HL7 FHIR | Modern API-based exchange | ✓ High — current federal standard | ✓ Excellent
PDF/A | Document archiving | ⚠ Low — not machine-readable | ✓ Excellent — ISO archival standard
CSV / Excel | Demographics, billing data | ⚠ Medium — structure-dependent | ✓ Good — universally readable
Proprietary Format | Native system backup only | ✗ None — vendor-specific only | ✗ Poor — requires vendor software

Where to Store Exported Records: HIPAA-Compliant Options

Under HIPAA’s Security Rule (45 CFR §164.312), all PHI must be encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Do not store PHI on a personal hard drive, a consumer cloud service, or any unencrypted local device.

Option 1 — Import Into Your New EHR (Preferred)

Records are searchable in your active system, historical context is preserved at the point of care, and your new vendor’s BAA covers the storage. Not all records may import cleanly — scanned documents and unstructured notes often require supplemental handling.

Option 2 — Dedicated Healthcare Archive Platform

Purpose-built healthcare archiving platforms provide HIPAA-compliant long-term storage with encrypted storage, role-based access controls, audit logging, and on-demand retrieval. This is the preferred option for large volumes of legacy records from a discontinued vendor.

Option 3 — HIPAA-Eligible Cloud Storage

AWS, Microsoft Azure, and Google Cloud offer HIPAA-eligible storage and will sign BAAs. This requires deliberate configuration — encryption, access controls, and audit logging must be set up explicitly. Generic cloud storage out of the box is not HIPAA compliant.

Every storage vendor must provide before you send any PHI:

  • A signed Business Associate Agreement (BAA) — required under 45 CFR §164.308(b)
  • Encryption at rest (AES-256) and in transit (TLS 1.2 or higher)
  • Role-based access controls limiting PHI access to authorized personnel only
  • Comprehensive audit logging of every access event
  • Ability to retrieve specific records within a defined and documented timeframe

How to Transfer Data to a New EHR System

Step 1: Validate the export before migrating. Cross-reference patient counts between the export and your known patient panel. Spot-check 20–30 individual records for completeness — demographics, visit history, medication lists, and clinical notes must all be present.

Step 2: Engage your new EHR vendor’s migration team. Reputable EHR vendors have data migration specialists who regularly handle imports from discontinued systems. Confirm upfront which data elements migrate cleanly and which require manual entry.

Step 3: Prioritize active patients. Migrate records for patients seen in the last 2–3 years first. Archive historical records for inactive patients separately and make them retrievable on demand.

Step 4: Run a parallel period if timing allows. Access archived records alongside your new EHR before fully decommissioning the legacy data source. This lets staff flag record issues while the original data is still available.

Step 5: Document everything. Record the migration date, formats used, migration team, what was migrated versus archived, and the results of all validation checks.
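The patient-count cross-check from Scenario A and the completeness check in Step 1 can be run over every document in a C-CDA export instead of a 20–30 record sample. The following is an added example, not code from the original article or from any EHR vendor; the MRN authority OID, the choice of four required sections, and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for files of unknown origin, parse with defusedxml instead

NS = {"h": "urn:hl7-org:v3"}
MRN_ROOT = "2.16.840.1.113883.19.5"  # assumption: HL7 example OID standing in for the practice's MRN authority
REQUIRED = {"10160-0": "medications", "11450-4": "problems",
            "48765-2": "allergies", "30954-2": "results"}  # LOINC section codes

def inspect_ccda(xml_text):
    """Return (MRN or None, required sections that are absent or hold no entries)."""
    root = ET.fromstring(xml_text)
    mrn = next((i.get("extension")
                for i in root.findall("h:recordTarget/h:patientRole/h:id", NS)
                if i.get("root") == MRN_ROOT), None)
    populated = set()
    for sec in root.iter("{urn:hl7-org:v3}section"):
        code = sec.find("h:code", NS)
        # nullFlavor="NI" or a section with no <entry> means the data did not come across
        if (code is not None and sec.get("nullFlavor") is None
                and sec.find("h:entry", NS) is not None):
            populated.add(code.get("code"))
    return mrn, sorted(name for c, name in REQUIRED.items() if c not in populated)

def validate_export(docs, panel):
    """docs: {filename: XML text}; panel: set of MRNs from the practice's own patient list."""
    seen, report = {}, {"unusable": [], "incomplete": {}}
    for name, text in sorted(docs.items()):
        try:
            mrn, gaps = inspect_ccda(text)
        except ET.ParseError:
            mrn, gaps = None, []
        if mrn is None:  # truncated file, or no MRN under the expected authority
            report["unusable"].append(name)
            continue
        seen.setdefault(mrn, []).append(name)
        if gaps:
            report["incomplete"][name] = gaps
    found = set(seen)
    report["missing_from_export"] = sorted(panel - found)
    report["not_in_panel"] = sorted(found - panel)
    report["duplicates"] = {m: f for m, f in seen.items() if len(f) > 1}
    return report

def sample_doc(mrn, codes):  # constructed C-CDA skeleton, no real patient data
    secs = "".join(f'<component><section><code code="{c}"/><entry/></section></component>' for c in codes)
    return (f'<ClinicalDocument xmlns="urn:hl7-org:v3"><recordTarget><patientRole><id root="{MRN_ROOT}" '
            f'extension="{mrn}"/></patientRole></recordTarget><component><structuredBody>{secs}'
            f'</structuredBody></component></ClinicalDocument>')
SAMPLE = {"a.xml": sample_doc("1001", REQUIRED), "b.xml": sample_doc("1002", ["10160-0", "11450-4"]),
          "c.xml": "<ClinicalDocument"}  # c.xml is deliberately truncated
```

Calling `validate_export(SAMPLE, {"1001", "1002", "1003"})` reports patient 1003 as missing from the export, `b.xml` as lacking allergies and results, and `c.xml` as unusable; the returned report can be saved with the Step 5 documentation.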

HIPAA and State Retention Requirements You Cannot Ignore

HIPAA’s Privacy Rule (45 CFR §164.530(j)) requires covered entities to retain documentation of their policies and procedures for at least 6 years. Most states have separate clinical record retention laws that exceed that federal floor — and the stricter rule always applies.

State | Adult Records | Minor Records | Notes
New Jersey | 10 years | Until age 23 | One of the stricter state requirements
New York | 6 years | 3 years after majority | Hospital records: 6 years from discharge
California | 7 years | 3 years after majority | Whichever date is later applies
Florida | 5 years | 7 years or until age 18 | Obstetrical records: 7 years
Texas | 10 years | Until age 21 | From the date of last treatment
Illinois | 10 years | Until age 22 | From the date of last treatment
Pennsylvania | 7 years | Until age 20 | From date of last professional service

Do You Need to Notify Patients?

If your data is safely exported and transferred: A routine transition of records from one secure system to another generally does not trigger HIPAA’s Breach Notification Rule (45 CFR §§164.400–414). Proactive patient communication is best practice but not legally required.

If data is lost or improperly accessed: This triggers notification to affected individuals within 60 days, notification to HHS, and — if the breach affects 500 or more individuals in a state — media notification. Maximum penalty: $1.9 million per violation category per calendar year.

If you are uncertain: Conduct a documented risk assessment under 45 CFR §164.402 before making any notification decision. This is a legal analysis — perform it with qualified professionals.

What Changed in 2026: New Rules Affecting EMR Data Portability

ONC HTI-1 Final Rule (effective January 2024) expanded information-blocking prohibitions and strengthened data portability requirements. Certified EHR vendors who obstruct or delay data export now face penalties up to $1 million per information-blocking violation. If a vendor refuses to export your records, cite this regulation explicitly in all written communications.

TEFCA, fully operational in 2024, established a national framework for health information exchange. Practices connected to a Qualified Health Information Network (QHIN) have additional pathways for accessing and transferring patient data when a primary system becomes unavailable — including during vendor shutdowns.

CMS Interoperability and Prior Authorization Final Rule (2024) expanded patient data access rights and required payers to maintain records accessible via FHIR APIs — meaning payer-held records may supplement data lost in an EMR shutdown.
