Section 164.306(a) requires that “covered entities” must:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits;
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part;
(4) Ensure compliance with this subpart by its workforce.
The strongest argument you have is with respect to your intent, and that no third party gained access to actual PHI by virtue of your action (which is the purpose of HIPAA). From your description, you already had access to the EMR prior to your separation from the sublessor (please correct me if I am wrong on this). Moreover, what you did is not considered marketing in violation of HIPAA. See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketing.html
Please let me know if you have any follow-up questions.