Own Your Stack
Who Owns Your Patient Data on a Telehealth Platform? (Spoiler: Probably Not You)
On most telehealth platforms, your patient data belongs to the vendor — not you. Here's what that means legally, and how to fix it before you're locked in.
Quick answer
In most telehealth businesses, patient data is legally owned by the platform you operate on — not you. The vendor controls the EHR, defines data-return rights in their contract, and can hold records hostage at termination. To own your data, you must be the covered entity with a signed BAA and the system of record for every patient interaction.
Key takeaways
- On most all-in-one telehealth platforms, the vendor is the de facto system of record — your patient data lives in their EHR, and your data rights at termination are defined entirely by their contract terms, not yours.
- A Business Associate Agreement (BAA) does not give you data ownership. It assigns HIPAA liability. Ownership lives in the data-return-on-termination clause — read it before you sign.
- Being a tenant inside a vendor's EHR means patients are their records, not yours. If you leave, you may get a CSV export (or nothing structured at all), not a live system you control.
- The system-of-record decision is highest-leverage at the beginning: switching costs grow every month as more orders, consults, and Rx histories accumulate on the vendor's stack.
- The fix is architectural: route orders through infrastructure you control, keep the EHR or CRM on your side, and sign agreements that guarantee structured data return — before you have a negotiating problem.
On most telehealth platforms, patient data is legally owned by the platform you operate on — not you. The vendor controls the EHR, defines data-return rights in their contract, and can hold records hostage at termination. To own your data, you must be the covered entity with a signed BAA and the system of record for every patient interaction.
Most operators discover this eighteen months in, when they want to switch pharmacy networks, rebrand, or move off a platform that just raised prices 40%. Then they read the termination clause.
The Question Nobody Asks at Signup
When you onboard with Bask Health, OpenLoop, Wheel, SteadyMD, or any of the all-in-one telehealth infrastructure vendors, you are making a data architecture decision. Most operators don't realize this because it's buried inside a vendor relationship that looks like a software purchase.
The question is simple: after you sign, who is the system of record for your patients?
If the answer is "the platform" — and it usually is — you are a tenant. You can read the data, work with the data, and build a business on top of it. But the database belongs to the vendor, the schema belongs to the vendor, and the terms of your exit belong entirely to whatever their standard agreement says about data return.
This is the highest-leverage ownership decision in your business, and the window to get it right closes the day you go live.
What "System of Record" Actually Means
A system of record is the authoritative source of truth for a set of data. In telehealth, that means:
- Patient intake and demographics
- Consultation notes and provider decisions
- Prescriptions written, sent, and filled
- Lab results, photos, and clinical attachments
- Order history and fulfillment status
- Communications between patient and provider
If that system lives inside a vendor's platform, you are renting access to your own business.
The vendor controls the schema. They control the API. They control the retention policy, the backup infrastructure, and the export format. And when the relationship ends — voluntarily or otherwise — they control what you get back and when.
This is not a hypothetical. It is the default state of nearly every all-in-one telehealth platform on the market today.
What a BAA Does (and Doesn't) Do
This is where most operators get confused. They see "Business Associate Agreement" in the vendor contract, they have their lawyer review it, and they come away thinking they've handled the data ownership question. They haven't.
A BAA is a HIPAA-required document. Its job is to:
- Establish that the vendor handles Protected Health Information (PHI) on your behalf
- Define what the vendor is permitted to do with that PHI
- Assign HIPAA liability — who is responsible for a breach, and how
- Set minimum safeguards the vendor must maintain
A BAA does not transfer data ownership. It is a liability instrument, not a property instrument.
Data ownership — specifically, what you get when you leave — is determined by a different clause: the data-return-on-termination provision. This is the one to read, negotiate, and get right before you sign anything.
What Data-Return-on-Termination Clauses Actually Say
Pull your vendor contract and look for language around termination, data export, or data destruction. Here is what you will typically find in the market:
The standard-bad version:
"Following termination, Customer may export data via the platform interface for a period of thirty (30) days. Following such period, Company may delete all Customer data from its systems."
Translation: you get thirty days to pull whatever the platform UI lets you export, in whatever format they support, and then it's gone. If your export is a folder of PDFs and a CSV with no relational structure, that is your migration package.
The negotiated version (what you want):
"Upon termination, Company will provide Customer with a complete structured export of all Customer data in [JSON / HL7 FHIR / CSV with schema documentation] within fifteen (15) business days of termination request, at no additional charge. Company will retain data for ninety (90) days post-export and destroy thereafter with written confirmation."
The difference between these two clauses is the difference between a clean migration and starting your patient records from scratch.
Most operators never negotiate this. The platform's sales team is not going to surface it. And once you have 3,000 patients on the system, your leverage to renegotiate approaches zero.
The Lock-In Math
Here is what the switching cost looks like in practice (estimates, directional):
- Average active patient file in a telehealth business: 40–80 data points across intake, consults, and Rx history
- Average time to manually re-intake a patient from a PDF export: 8–12 minutes
- At 2,000 active patients: 267–400 staff-hours to migrate
- At a contract pharmacy's average labor rate: $35–50/hour burdened
- Migration cost estimate: $9,000–$20,000, not counting the 30–60 days of operational disruption
That is the invisible tax you pay every year you operate on someone else's system of record. It accrues silently until the day you want to leave.
And that is before you factor in the clinical risk. A disorganized migration of Rx histories is not just an operational headache. In a regulated prescribing context, gaps in patient records have real consequences.
The Covered Entity Question
HIPAA distinguishes between covered entities (CE) — healthcare providers, health plans, clearinghouses — and business associates (BA) who handle PHI on their behalf.
Most telehealth platforms are structured as BAs. Your clinic entity is the covered entity. This sounds right, because it means the platform is working for you, not the other way around.
But here's the catch: being the covered entity does not automatically make you the system of record. You can be the CE and still have zero portability if the BA controls the infrastructure and the data is sitting in their database with no structured export path.
The combination you need:
- Your entity is the covered entity
- You have a proper BAA with every vendor who touches PHI
- Your BAA includes a structured data-return clause with a defined format and timeline
- The fulfillment and order layer routes through infrastructure you can independently access
Without all four, you are the covered entity for compliance purposes and a tenant for operational purposes. The liability is yours; the leverage is theirs.
Why This Gets Worse as You Scale
The first 100 patients on a new telehealth platform, switching is annoying. At 500 patients, it is expensive. At 2,000 patients, it becomes a business risk you will defer indefinitely because the disruption cost exceeds the monthly frustration of staying.
Platform vendors know this. The pricing, feature gating, and pharmacy routing decisions that feel arbitrary in month eighteen are not arbitrary. They reflect the leverage that accrues to whoever holds your data.
This is not unique to telehealth. It is the standard SaaS lock-in playbook, applied to a context where the switching friction is elevated by clinical complexity and regulatory requirements. The playbook works better in healthcare than almost anywhere else.
What Owning Your Stack Actually Looks Like
There are two models for telehealth operators who want to be the system of record:
Model 1: Full build. Your technology team builds or licenses every layer — intake, EHR, provider workflow, Rx routing, fulfillment tracking, patient comms. You own the infrastructure. You are unambiguously the system of record.
The cost: 9–18 months of development time (estimated), $300K–$1.2M in upfront engineering (estimated), ongoing compliance overhead. Viable for well-capitalized operators with technical teams. Not the right call for most.
Model 2: Owned-stack with operational overlay. You own the system of record — your EHR, your CRM, your patient data in infrastructure you control — and you use purpose-built operational tools that sit on top of your stack without replacing it.
The overlay handles order routing, pharmacy connectivity, provider workflow, and fulfillment status. But the data flows through your infrastructure, not theirs. When the overlay contract ends, your records stay where they always were: with you.
This is the model that makes sense for operators who need to move in months, not years. See how this compares to the build-vs-buy calculus in our guide to telehealth infrastructure.
The Questions to Ask Before You Sign Anything
If you are evaluating any telehealth platform, EHR, or operational vendor, get written answers to these before you sign:
- Who is the custodian of patient records at the database level?
- What is the exact format and timeline for data return at termination?
- Is there a charge for data export? If so, how is it calculated?
- What happens to data after the export window closes?
- Does the BAA include data-return provisions, or is that in a separate clause?
- Can I access my data via API at any time during the contract, or only at termination?
A vendor who resists answering these questions clearly is telling you something important about what the answer is.
A Note on Provider Approval
Ownership of your data infrastructure does not change one thing: nothing in a compliant telehealth business ships without a licensed provider reviewing and approving it. The system-of-record decision is an operational and legal question. Provider oversight is a clinical and regulatory requirement that sits above it.
Any infrastructure configuration you choose must preserve a clean, auditable record of provider approval for every Rx that moves. That record needs to be in your system of record, not a vendor's black box, precisely because audit requests and compliance reviews arrive without notice.
Key Takeaways
- On most all-in-one telehealth platforms, the vendor is the de facto system of record. Your data rights at termination are defined by their standard contract, not yours.
- A BAA assigns HIPAA liability — it does not transfer data ownership. Read the data-return-on-termination clause.
- Being a tenant inside a vendor's EHR means your records are on their infrastructure. Migration may mean a CSV export and 400 hours of manual re-intake.
- The system-of-record decision is highest-leverage at signing. Switching costs compound every month.
- The practical fix is an owned-stack model: keep the system of record on your infrastructure, use operational tools that overlay without replacing it, and negotiate structured data return into every vendor contract.
Frequently Asked Questions
Who legally owns patient data in a telehealth business?
The entity that acts as the covered entity under HIPAA and controls the EHR where records are stored. On most all-in-one platforms, database-level control belongs to the vendor. You access data as a tenant; they control it at the infrastructure level. To own it, your entity must be the covered entity and must hold the system of record — not the platform.
What is a Business Associate Agreement (BAA) and does it give me data ownership?
A BAA is a HIPAA-required contract between a covered entity and a vendor that handles protected health information on their behalf. It assigns liability and defines permissible data uses — but it does not transfer ownership. Data ownership at exit is determined by your data-return-on-termination clause, which is a separate provision.
What happens to my patient data if I leave a telehealth platform?
It depends entirely on your contract. Most platforms offer a limited export window (commonly 30–90 days after termination), in formats that may or may not be structured for migration. Some contracts include a data destruction clause: the vendor deletes records after the window closes. Without a structured data-return clause negotiated upfront, a clean migration may not be possible.
What does "system of record" mean for a telehealth operator?
The system of record is the authoritative source of truth for patient interactions — consults, Rx orders, lab results, communications, and fulfillment status. If that system lives inside a vendor's platform, you are a tenant: you can read the data, but the vendor controls the schema, the API, the retention policy, and the exit terms. If your own infrastructure is the system of record, you control all of that.
How do I become the system of record for my telehealth business?
Architecture determines this. At minimum: your entity must be the covered entity under HIPAA; patient intake, consults, and Rx data must flow through infrastructure you control or can export on your own terms; and vendor contracts (pharmacy, EHR, fulfillment) must include structured data-return provisions. Tools that operate as a layer on top of your stack — rather than replacing it — preserve your system-of-record position. See our data portability guide for specifics on what structured export looks like.
Own Your Stack, Own Your Business
The system-of-record question is not a technology question. It is a business ownership question dressed in technical language.
Every patient who comes through your clinic is a relationship you built. Every consult, every Rx decision, every message thread is operational value you created. Whether you retain that value or surrender it to a vendor on exit is determined by decisions you make in month one, in contracts most operators never read closely enough.
Get the architecture right at the start. Negotiate data return before you need it. Use infrastructure that works for you — not instead of you.
neolife connects your Shopify store to your pharmacy without becoming your system of record. Your patient data stays yours — in your stack, under your BAA, on your terms. See how the fulfillment rail works, or talk to someone who has shipped this before.
Nothing in this article constitutes legal or medical advice. Consult qualified legal counsel and your pharmacy partner for guidance specific to your jurisdiction and clinical context.
Frequently asked questions
Who legally owns patient data in a telehealth business?
The entity that acts as the covered entity (or business associate) under HIPAA and controls the EHR where records are stored. On most all-in-one platforms, that entity is the vendor. You access the data as a tenant; they control it at the database level. To own it, your entity must be the covered entity and must hold the system of record — not the platform.
What is a Business Associate Agreement (BAA) and does it give me ownership of patient data?
A BAA is a HIPAA-required contract between a covered entity and a vendor that handles protected health information (PHI) on their behalf. It assigns liability and sets rules for data handling — but it does not transfer ownership. Data ownership is determined by your data-return-on-termination clause, not the BAA itself.
What happens to my patient data if I leave a telehealth platform?
It depends entirely on your contract. Most all-in-one platforms offer a time-limited export window (commonly 30–90 days after termination), often in formats like CSV or PDF that are not interoperable. Some contracts include a data destruction clause, meaning the vendor deletes your records after the window closes. Without a structured data-return clause negotiated upfront, you may not be able to migrate cleanly.
What does 'system of record' mean for a telehealth operator?
The system of record is the authoritative source of truth for patient interactions — consults, Rx orders, lab results, communications, and fulfillment status. If that system lives inside a vendor's platform, you are a tenant: you can read the data, but the vendor controls the schema, the API, the retention policy, and the terms of exit. If your own infrastructure is the system of record, you control all of that.
How do I become the system of record for my telehealth business?
Architectural choices determine this. At minimum: your entity must be the covered entity under HIPAA; patient intake, consults, and Rx data must flow through infrastructure you control or can export on your own terms; and your vendor contracts (pharmacy, EHR, fulfillment) must include structured data-return provisions. Operational tools that sit on top of your stack — rather than replacing it — preserve your system-of-record position.
This article is operator education, not medical, legal, or tax advice. Telehealth and pharmacy regulation vary by state and product and change frequently. Verify the specifics for your business with qualified counsel and your pharmacy partner.