They get patients to sign something permitting them to share PHI with other entities like e.g. the lab that runs blood work, not to disclaim liability for leaking it unintentionally.