What Your EHR Vendor Covers — and What Your Practice Still Owns Under HIPAA

Q: Does my EHR vendor cover a HIPAA breach, or is my practice still responsible? A: Vendor contracts may restore software, but HIPAA notification, forensics, downtime, and breach response costs stay yours.

In the Twin Cities, small practices often rely on a single MSP or office manager to coordinate vendors, so downtime decisions and breach-response timing get expensive fast.

The Confusing Part

The software screen comes back on. That part feels like the problem is over.

Then the real work starts.

A dental office using Dentrix, Eaglesoft, ChiroTouch, or any other cloud-based system can have the vendor restore access and still be left holding the harder part: figuring out what happened, who has to be told, how long the office will run half-blind, and what it costs to clean up a mess that is now very much the practice’s problem.

If you want the broader frame first, start with Healthcare Practices and Cyber & Modern Operational Risk. This article is the narrow version of that conversation.

What’s really going on

Most vendor contracts are built around the vendor’s platform, not your liability.

That means the vendor may owe you things like:

  • platform uptime commitments
  • technical support
  • restoration of their own hosted environment
  • maybe some limited indemnity if the breach is clearly their fault and clearly inside the contract

That is not the same as covering the practice’s response.

The practice still owns the patient relationship. The practice still owns whether appointments can run, whether charts can be trusted, whether claims can be billed, whether PHI was exposed, and whether a regulator or patient lawyer comes asking questions later.

That is the gap people miss. They hear “the vendor has cyber” and translate it into “we are covered.” Those are not the same sentence.

Where the vendor usually stops

This is the cleanest way to think about it:

  • The vendor covers their system.
    Their obligation is usually tied to the service they sold you.
  • You cover your practice.
    Your obligation is tied to what happened to your patients, your operations, and your legal duties.

If a hosted EHR goes down for a day, the vendor may focus on restoring the environment.

You are the one dealing with:

  • rescheduled patients
  • front-desk chaos
  • payroll for a day that got less done
  • claim submission delays
  • outside IT or forensics brought in to confirm what happened
  • breach counsel telling you whether notice is required
  • the cost of letters, monitoring, and patient communication if it is

That division is pretty common. Not universal, but common enough that it should be your default assumption until the contract proves otherwise.

Where the practice bill starts to stack

This is where the math gets real.

Say a small practice has 1,500 affected patient records. If mailing, address cleanup, call-center help, and credit monitoring average even $8 to $15 per affected person, that is roughly $12,000 to $22,500 before you touch downtime.

Now add the technical side.

Outside forensics and breach counsel can turn a small event into a $15,000 to $40,000 decision in a hurry, depending on how messy the facts are. Then layer in lost production if the office is down or charting is unreliable for two or three business days.

You do not need a giant hospital event to get to a painful number. You just need:

  • enough records
  • enough confusion
  • enough downtime

That is why “the vendor handles that” is not a complete answer.

What people get wrong

The first mistake is focusing only on whether the vendor got hacked.

Phishing is still the more ordinary problem for a small practice. An attacker gets into an inbox, resets access, pivots into a cloud app, and now the event touches billing, scheduling, attachments, and patient data. That is not always the vendor’s breach. It is often your credential problem inside the vendor’s system.

The second mistake is assuming HIPAA cost means only fines.

Sometimes fines do happen. Often the first dollars are much more boring:

  • counsel
  • forensics
  • notification
  • patient communication
  • system cleanup
  • lost production while the office limps along

The third mistake is assuming a property or package policy will quietly take care of the rest. Sometimes there is a cyber endorsement. Sometimes it helps. Sometimes it is a small sublimit with very short legs. That is why Standalone Cyber vs. BOP Cyber Endorsements for Small Healthcare Practices matters.

Simple decision rule

If the vendor agreement talks mostly about restoring software, support response, or service credits, do not treat that as practice-level cyber protection.

Treat it as vendor protection.

Then ask a different question: what policy is paying for your forensics, your counsel, your patient notice, and your downtime?

That question usually tells you very quickly whether there is a real gap.

Next step

Pull the vendor agreement and your cyber coverage summary side by side. The missing piece tends to show itself pretty fast. If you want the policy-structure version, read Standalone Cyber vs. BOP Cyber Endorsements for Small Healthcare Practices next.

Minnesota note: in smaller Twin Cities practices, one outage can tie up the person who handles phones, billing, and vendor coordination all at once. That is part of the loss, even if the software vendor restores the platform by the next day.