Too often, people in EMR acquisition mode assume that a hosted solution automatically insulates the customer provider from liability for a data breach or unauthorized disclosure of patient information. That assumption is unsettling because it is simply not true.
Health care providers are always responsible to patients for these unfortunate situations and nothing in HIPAA or the HITECH Act shifts that responsibility to the vendor of the hosted software solution. While HITECH does extend compliance requirements and potential penalties to vendors that provide services to providers involving patient information, this does not mean that the provider is not responsible to the patient.
All that gloom aside, it is completely possible to protect the provider organization through indemnification language in the software agreement with the vendor. Consider a situation where the fault (the HIPAA violation) lies with the vendor that hosts the software and controls and possesses the patient data: if no indemnification provision exists, any award for damages in a patient lawsuit would have to be paid by the provider without any contribution from the vendor. Think of indemnification in that light. It basically means that if there is a violation caused in part by the vendor, the vendor will contribute to the payment of damages to the extent it was at fault.
See on www.emrandhipaa.com