Own Your Stack

Telehealth Data Portability: Can You Actually Take Your Patients With You?

Can you export your patient data when you leave a telehealth platform? Here's what to demand in your contract — and how to make portability a non-issue from day one.

The neolife editorial desk·Published Jun 18, 2026·Updated Jul 4, 2026·9 min read

Quick answer

Yes — but only if your contract says so before you sign. Most telehealth platforms give you some export capability, but formats vary, and PHI handling creates compliance wrinkles. The safest approach: own the system of record yourself from day one, so leaving any vendor is a config change, not a data-hostage negotiation.

Key takeaways

  • Most telehealth platforms hold your patient records on infrastructure they control — you are a tenant, not an owner.
  • Data portability clauses are rarely included by default. You have to demand them before you sign.
  • HIPAA permits patients to request their records, but it does not obligate your vendor to export your entire database in a usable format.
  • The safest portability strategy is architectural: be the system of record yourself so no vendor holds your data hostage.
  • Check for four contract terms before signing: export format, export timeline, deletion confirmation, and BAA continuity post-termination.
  • Clinic breadth matters — build on TRT, HRT, hair, ED, skin, peptides and weight management, not a single category that can disappear overnight.

Can I export and keep my patient data if I leave a telehealth platform? Yes — but only if your contract says so before you sign. Most telehealth platforms give you some export capability, but formats vary, and PHI handling creates compliance wrinkles. The safest approach: own the system of record yourself from day one, so leaving any vendor is a config change, not a data-hostage negotiation.

You built the brand, ran the ads, earned the patient relationships. Then you signed a platform agreement and handed all of it to someone else's database. If that ever becomes a problem — a pricing change, a feature that disappears, a policy shift — you will find out exactly what your data portability rights are worth.

Most operators find out too late.


Why data portability is a telehealth-specific problem

Every B2B SaaS company locks in customers to some degree. Telehealth is different for three reasons.

First, the stakes are clinical. Patient records are not just business data. They include protected health information (PHI) governed by HIPAA. Moving that data — or just accessing it — triggers compliance obligations that do not apply when you are migrating your Shopify product catalog or your email list.

Second, the data is deeply entangled. A patient's record in a telehealth platform typically spans: intake form responses, provider consultation notes, prescription history, lab results, order history, and payment records. These live in different database tables, sometimes different systems entirely. "Exporting your data" is not a single action — it is a multi-system extraction problem.

Third, the market is young and consolidating. The platforms that exist today will not all exist in five years. Some will be acquired. Some will pivot. Some will raise prices by 40% and you will have no leverage because your patient data is sitting in their database.

This is not hypothetical. The GLP-1 compounding cliff — where FDA enforcement changes wiped out entire product lines almost overnight — showed how fast the ground can shift in DTC Rx. Operators who had diversified across TRT, HRT, hair, ED, tretinoin, LDN, peptides, and oral weight-management categories weathered it better than those who had built their entire clinic on a single category. The same logic applies to infrastructure: concentration risk is real.


What "your data" actually means inside a platform

Before you can extract anything, you need to know what exists and where.

In a typical telehealth-in-a-box platform, your data lives across roughly four categories:

  • Patient demographics — name, DOB, contact info, shipping address. Usually the easiest to export; often available as a CSV from the admin panel.
  • Clinical records — intake forms, provider notes, consultation transcripts, prescription history. Governed by HIPAA. Export format and availability vary significantly by platform. Some will give you HL7 FHIR or CCD/CDA files; others offer PDFs only, which are human-readable but not machine-importable.
  • Order history — what was prescribed, when, the pharmacy it went to, fulfillment status. Typically lives in an order management system, sometimes separate from the EHR layer. Format is often proprietary.
  • Provider records — which licensed provider approved which order. Critical for compliance; you need this if you are ever audited.

What you almost never own outright: the database itself. You are a tenant. The platform controls the schema, the backup, and the access controls. What you can extract is determined by what they have chosen to make exportable — which is usually whatever serves their interests, not yours.


What HIPAA actually says about portability (and what it does not say)

This is where operators get tripped up.

HIPAA's right of access — codified in the Privacy Rule at 45 CFR §164.524 — gives patients the right to access and obtain copies of their own health records. It does not give operators a statutory right to export their entire patient database from a platform vendor.

Your rights as an operator are governed by your Business Associate Agreement (BAA) and the terms of your master services agreement. Those are contracts, not regulations — meaning they are negotiable, but only before you sign.

The FTC's Health Breach Notification Rule and state-level digital health privacy laws (California, Texas, Washington, and others are worth checking with your counsel) add additional layers, but none of them straightforwardly require a platform vendor to hand you a complete, structured export of your data on demand.

The practical implication: HIPAA protects patients, not your business continuity. Data portability as an operator right has to be negotiated.

[See our full HIPAA and BAA compliance guide for operators →]


The four contract clauses to demand before you sign

If you are evaluating a telehealth platform, or renegotiating an existing agreement, these are the terms that determine whether you can actually leave.

1. Export format and scope

The clause should specify exactly what data you can export and in what format. Push for:

  • Patient demographics: CSV or JSON
  • Clinical records: HL7 FHIR R4 or CCD/CDA (structured, machine-readable)
  • Order history: CSV or JSON with a defined schema
  • Provider approval records: included in the export, not archived separately

A clause that says "we will provide an export of your data upon request" means nothing without format and scope defined. Confirm what your receiving system — your new platform, your EHR, your pharmacy integration — can actually ingest before you specify a format.

2. Export timeline

Reasonable is 15 to 30 days after a termination notice. Some platforms write in 60 or 90 days. Know this before you give notice — if you are switching platforms and your old vendor has 90 days to deliver your export, your migration timeline just got a lot longer.

3. Post-export deletion confirmation

Your BAA should require the vendor to either return or destroy all PHI after termination, and to provide written confirmation that destruction has occurred, including the method used. Without this, you have PHI sitting on infrastructure you no longer control, with no audit trail.

4. BAA continuity during transition

The BAA needs to remain in force through the export and deletion process — not terminate the moment your contract ends. If the BAA ends before the PHI is gone, you have a potential gap in compliance coverage. Make sure the termination provisions address this explicitly.

These four terms are not exotic. A platform that refuses to negotiate any of them is telling you something about how they view your relationship.


What you can realistically export from major platforms (platform-dependent)

Specific capabilities change, so treat this as directional. Verify with each vendor before you sign or before you give notice.

Platforms built on standard EHR infrastructure (those using HL7-compliant systems underneath) generally have better structured-export options. Clinical records in FHIR format are more common in this category.

Purpose-built telehealth-in-a-box platforms (where the EHR, order management, and pharmacy routing are all proprietary) tend to have more limited export tooling. You may get CSVs for patient demographics and order history, and PDFs for clinical notes. Machine-readable clinical exports are less common and may require a custom data request.

Platforms with Shopify integrations introduce a split: some patient/order data may live in Shopify (which you do own and can export freely) while clinical and prescription data lives on the platform side. Know where each data type actually lives.

The important question to ask any vendor: "Can I run a complete migration to a new system using only what you will give me?" Get the answer in writing, then test it with a sample export before you are locked in.


The architectural answer: be the system of record

Contract clauses reduce lock-in. They do not eliminate it. The reason is structural: as long as your patient data's authoritative copy lives in someone else's infrastructure, you are always negotiating from a weaker position.

The cleanest solution is architectural: become the system of record yourself.

What this means in practice: your infrastructure holds the source of truth for every patient interaction, every order, every provider approval, and every fulfillment event. Vendors — your pharmacy, your prescribing platform, your lab network — connect to you. They are your downstream, not your upstream.

When you are the system of record:

  • Changing pharmacies is a routing change, not a migration
  • Changing fulfillment software is a config change, not a data-extraction project
  • Audits and compliance reviews start from your records, not a vendor's portal
  • You are never in a data-hostage negotiation

[Read more about why being the system of record changes the economics of telehealth operations →]

This is the architectural difference between owning your telehealth business and renting it. The platforms that pitch you "everything in one place" are offering convenience at the cost of control. For operators who are building something durable — across TRT, HRT, hair, ED, skin, peptides, and weight management categories — that trade-off compounds against you over time.

[See how neolife approaches the system-of-record question for Shopify-native operators →]


Before your next renewal: a practical checklist

If you are currently on a telehealth platform and your agreement is coming up for renewal, work through these before you sign again:

  • Request a sample data export right now — not when you are leaving. Know what format it comes in and whether it is actually importable.
  • Pull your current BAA and read the termination and PHI disposition clauses.
  • Ask your account rep in writing: what is the export timeline upon termination? Get it on record.
  • Map where each data type lives — patient records, clinical notes, order history, provider approvals. If any of it is in a system you do not control, flag it.
  • Confirm your new platform or EHR can ingest the export format your current vendor provides.
  • Talk to your attorney before you rely on any HIPAA interpretation for your specific situation. Verify state-level privacy law applicability with counsel — requirements vary and evolve.

[Get the full dependency audit checklist for telehealth operators →]


The honest summary

Data portability in telehealth is not a product feature. It is a legal and architectural question that most operators do not ask until they want to leave — which is exactly when the leverage has shifted to the platform.

You can reduce risk with contract terms. You can reduce it further by choosing infrastructure that gives you structured, machine-readable exports by default. And you can eliminate it almost entirely by being your own system of record — where the question of "can I take my patients with me" never arises, because they were never anyone else's to hold.

Nothing about this is regulatory speculation. It is basic business architecture. The operators who will own the next decade of DTC telehealth are the ones who treat infrastructure as a strategic asset, not a subscription.


Nothing in this post constitutes legal or medical advice. Data export capabilities, contract terms, and applicable privacy laws vary by platform, state, and circumstance. Verify specifics with qualified legal counsel and your pharmacy partners before making infrastructure decisions.


neolife is fulfillment and operations infrastructure for telehealth operators and DTC Rx brands. Every order ships only after a licensed provider approves it. Your Shopify store stays the storefront; you own the system of record. [Talk to us about how it works →]

Frequently asked questions

Does HIPAA give me the right to export all my patient data from a telehealth platform?

HIPAA's right of access belongs to patients, not operators. It requires covered entities to provide patients with copies of their own records. It does not require your platform vendor to hand over your entire database in a portable, machine-readable format. That right has to be negotiated into your business agreement.

What data formats should I ask for in a portability clause?

Demand structured exports — CSV or JSON for patient demographics and order history, HL7 FHIR or CCD/CDA for clinical records where your pharmacy or EHR needs them. Avoid clauses that only promise a PDF export, which is human-readable but not machine-importable. Always verify what your receiving system can actually ingest before you specify a format.

What happens to my BAA when I terminate a telehealth platform contract?

Your BAA with the platform should survive termination long enough to cover secure deletion or return of PHI. Confirm the vendor will provide written confirmation of deletion or data return, and set a specific timeline — 30 days is typical. Without this, you may have PHI sitting on their infrastructure with no governance.

How long does it typically take to migrate off a telehealth platform?

Timelines vary widely based on record volume and how cooperative the vendor is. Simple CSV exports for a clinic with under 1,000 patients can take days. Full clinical record migrations for larger practices — with pharmacy integrations and order history — routinely take 60 to 90 days (estimated), and that is before accounting for staff retraining.

What is the difference between being a telehealth platform tenant and owning the system of record?

As a tenant, your data lives in infrastructure the platform controls. Export rights depend on their goodwill and contract terms. As the system of record, your infrastructure holds the authoritative copy of every order, patient record, and transaction. Vendors plug into you — not the other way around. Leaving any one vendor is a config change, not a migration project.

This article is operator education, not medical, legal, or tax advice. Telehealth and pharmacy regulation vary by state and product and change frequently. Verify the specifics for your business with qualified counsel and your pharmacy partner.

Keep reading

Get early access.

Join the waitlist — referrals move you up the queue.

No spam. One email when your wave opens.