The scenario is this: A private health clinic (PHC) signs up online to use a web-based EHR application to create patient charts, schedule patients, provide a patient portal, etc. - classic practice management tasks. The EHR vendor has a BAA with a company which hosts its web application and the encrypted database. My question is, what happens to the PHC's electronically stored ePHI if the PHC's account is cancelled and/or the EHR vendor has exhausted all confirmed methods of contact with the PHC (email, text). Is it possible to have Terms of Service which include destroying the PHC's stored patient data if the PHC is unreachable? Do other laws (ie. state laws about holding onto patient data for a certain number of years) apply to the EHR vendor and their web host company? The EHR vendor can't possibly be required to pay to store the PHC's patient data for 7-10 years or whatever, right?