
Patient records can get put in limbo when electronic health record (EHR) vendors go out of business or refuse to transfer records when a physician switches systems.
In an informational paper, “Accessing Electronic Information: Know Your Rights,” the Texas Medical Association has compiled steps physicians can take to maintain access to critical data.
Step one: Know your rights under HIPAA.
The U.S. Department of Health and Human Services confirms it is a violation for an EHR vendor to block access, including terminating access privileges, to protected health information (PHI) that the vendor maintains on behalf of the physician. The HIPAA Privacy Rule also states it is generally impermissible for an EHR vendor to block access during any payment disputes.
Even when an agreement between a physician and vendor is terminated, HIPAA still requires the vendor to maintain the confidentiality and availability of PHI it handled for the physician when it is not feasible to return or destroy all PHI it maintained for the physician.
Step two: Thoroughly review and utilize a business associate agreement (BAA). TMA offers its members a free BAA sample they can use to draft their own agreements.
According to TMA’s Department of Health Information Technology, BAAs are a means of accountability to authorities by outlining the duties of the business associate, in this case an EHR vendor. BAAs describe how both parties will handle, store, and disclose patients’ data; uphold security measures; delegate breach notification; and return or destroy protected health information, all in accordance with the HIPAA Privacy and Security Rule, including specific BAA requirements laid out in the Privacy Rule.
Physicians must provide patients, too, with access to their health information. HHS notes that practices are not in compliance with HIPAA rules if contractual terms in a BAA they’ve entered into prevent patients or the practices themselves from accessing PHI, whether in paper or electronic form.
Additionally, physicians should review all EHR contract obligations with an attorney who specializes in technology contracts before signing, and should document all vendor emails and other correspondence to verify all attempts to resolve any patient data issues.
Step three: When appropriate, physicians can file complaints and reports with these state and federal agencies:
Find additional HIPAA informational papers and tools in TMA’s HIPAA Resource Center. For more information about health information technology, see TMA’s related webpage.
Alisa Pierce
Reporter, Division of Communications and Marketing
(512) 370-1469