I've posted a link to the exact, specific HIPAA subsection in previous threads; I don't have the time to look for it again. Do a Google on "HIPAA outsourcing" and poke around, you'll find it.
HIPAA specifically and by statute allows "Covered Entities" (e.g., HMOs) to outsource medical records (for example), and the "Covered Entity" is thereafter not liable for privacy or security breaches made by the outsourcing vendor.