How to Negotiate a Business Associate Agreement
What small clinics should review before signing a vendor's standard BAA — the required elements, common risk terms, when to involve counsel, and when the vendor's form is acceptable as-is.
Short answer
Most clinics sign vendor BAAs without reading them carefully. That is usually harmless for low-risk relationships but can create serious compliance exposure with major vendors — particularly around breach notification timelines, subprocessor disclosure, and what happens to PHI at termination.
When a vendor sends a BAA for signature, the typical small clinic response is to forward it to whoever manages vendor paperwork and sign it without reading it carefully. For many low-PHI-volume relationships, the difference between this approach and a proper review is small. For major vendor relationships — EHR, billing clearinghouse, cloud infrastructure, transcription services — that gap creates real exposure.
Required elements: the baseline check
Before analyzing any commercial terms, confirm that the BAA contains the contract provisions required by 45 CFR § 164.504(e)(2). A BAA missing a required provision does not satisfy the HIPAA contract requirement, regardless of how it is labeled. The table below covers the six provisions most often found deficient in vendor paper; the regulation also requires the business associate to make PHI available for individual access, amendment and accounting of disclosures, to make its internal practices, books and records available to HHS, and to authorize termination of the contract by the covered entity for a material violation.
| Required element | Common failure mode |
|---|---|
| Permitted uses and disclosures | Overly broad authorization (“all purposes related to providing services”) without specific use cases |
| Prohibition on unauthorized use | Missing or incorporated by reference to a separate document the clinic does not have |
| Safeguard requirement | Vague (“industry standard practices”) with no specificity |
| Breach and violation reporting | Timeline not specified, or notification conditioned on vendor’s own investigation completion |
| Subcontractor flow-down | Missing or watered down in agreements predating the 2013 Omnibus Rule, which made subcontractors business associates in their own right and requires the vendor to have a written BAA with each subcontractor that handles PHI, not merely a promise to “ensure” the same restrictions |
| Return or destruction at termination | Describes only one option (typically return) without addressing destruction or infeasibility carve-out |
HHS publishes sample business associate agreement provisions on hhs.gov that represent a compliant baseline. Compare any agreement you receive against that baseline, provision by provision, before reviewing the commercial terms.
Five clauses that create clinic risk
1. Breach notification timeline
HIPAA requires a covered entity to notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovering a breach. Media notice is required on the same timeline for breaches affecting more than 500 residents of a state or jurisdiction; HHS must be notified at the same time as individuals for breaches of 500 or more, and through an annual log for smaller breaches. The clock starts when the covered entity, your clinic, discovers the breach. When the business associate is an independent contractor rather than your agent, your discovery is triggered when the business associate notifies you. Note the caveat: if the vendor acts as your agent under federal common law of agency, its knowledge is imputed to you and your 60 days run from the vendor’s discovery, not from its notice.
This creates a timing dependency. If your billing vendor’s BAA says they have 60 days from their own discovery to notify you, and then you have 60 days from your discovery to notify individuals, a notification may reach patients close to 120 days after the vendor first discovered the problem. That violates the spirit of the Breach Notification Rule, and if the vendor turns out to be your agent it is an outright violation, because your own deadline will already have passed.
What to look for: The notification timeline clause, and how it defines “discovery.” HIPAA’s standard is “without unreasonable delay,” with 60 calendar days as the outer bound. Many vendor BAAs specify 30, 45, or 60 days from vendor discovery; the shorter the better. Watch for language that starts the vendor’s clock only when its internal investigation concludes or when it has confirmed that a reportable breach occurred, which effectively removes the deadline.
What to request: Notification within 15 days of the vendor’s discovery that a breach or potential breach has occurred, even if the investigation is not yet complete. You need preliminary notice to begin your own response, not a fully packaged incident report. Ask that the notice include what 45 CFR § 164.410(c) already requires: the identity of each affected individual to the extent known, and any other information you need to prepare your own notifications, supplied promptly as it becomes available.
Note: The vendor’s obligation under 45 CFR § 164.410 is to notify the covered entity “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.” However, a vendor BAA may impose a stricter timeline, and many clinics negotiate for one.
2. Subprocessor notice
Most cloud-based vendors pass data through third-party infrastructure providers, analytics platforms, monitoring tools, and support systems. Under the HIPAA rules, the business associate is required to have a BAA with its own subcontractors who handle PHI, but the rules do not require the business associate to notify the covered entity every time they add a new subprocessor.
A vendor may add a subprocessor — say, an AI document processing service — that materially changes how PHI is handled, without any notice to the clinic. The vendor’s BAA with the clinic may not have anticipated this use, and the clinic has no visibility into the change.
What to look for: Whether the BAA allows the vendor to add subprocessors without notice, or whether there is a notice or consent requirement for material changes to the subprocessor chain.
What to request: A requirement that the vendor maintain a current subprocessor list and notify the clinic at least 30 days before adding any subprocessor that will handle PHI — with a right for the clinic to object before the change takes effect.
Practical note: Large vendors rarely give a single customer veto power over subprocessor additions. A 30-day notice requirement with a right to terminate if you object is realistic to ask for.
3. Return or destruction at termination
When the clinic terminates a vendor relationship, the vendor retains copies of PHI — in production databases, backups, audit logs, and potentially archived exports. The BAA should specify what happens to all of this PHI after termination.
What to look for: Whether the BAA requires the vendor to destroy or return PHI, on what timeline, in what format, and whether a certificate of destruction is provided. Also look for how long backups are retained — some BAAs require destruction of production data promptly but allow backup retention for an additional period.
What to request:
- Destruction of all PHI within 60–90 days of contract termination
- Certificate of destruction provided to the clinic in writing
- Clear description of the destruction method (secure deletion of electronic PHI consistent with NIST SP 800-88 media sanitization guidance, which HHS cites in its disposal guidance; shredding or pulping for paper)
- Explicit statement that backups will be overwritten within a defined window (typically 90–180 days for standard backup rotation), and that until they are, the BAA’s protections continue to apply to the retained copies and their use is limited to the purpose that makes immediate destruction infeasible, as 45 CFR § 164.504(e)(2)(ii)(J) requires
Common gap: Some vendor BAAs address return but not destruction, or offer destruction “upon request” without specifying a timeline. Ask for the timeline to be explicit, and ask who must make the request; a clinic that forgets to ask should not be left with PHI sitting indefinitely at a former vendor.
4. Right to audit
Some BAAs include a right for the covered entity to audit the business associate’s security controls. Many do not. For major vendors handling significant volumes of PHI, the right to audit — even if rarely exercised — provides leverage and demonstrates a meaningful compliance program.
What to look for: Whether there is any audit right language.
What to request: The right to conduct (or commission) an audit of the vendor’s security controls, with reasonable notice. Vendors typically negotiate this heavily, but many will accept a provision that allows the clinic to review the vendor’s most recent third-party audit report (SOC 2 Type II or HITRUST assessment) in lieu of a direct audit. If you accept that substitute, confirm that the report’s scope actually covers the systems and data centers that will hold your PHI, that the review period is recent, and that any exceptions noted by the auditor have a remediation plan; a report for a different product line or a period two years old gives you little assurance.
5. Indemnification and liability allocation
When a breach is caused by the vendor’s failure to maintain adequate security controls, who bears the cost — notification, credit monitoring, regulatory fines, legal defense?
What to look for: Whether the BAA includes any indemnification clause, and if so, in which direction it runs. Many vendor BAAs include mutual indemnification (each party indemnifies the other for breaches they cause), but some include liability caps that may not be adequate for a significant incident.
What to request: Indemnification by the vendor for breaches caused by the vendor’s failure to maintain the security controls required by the BAA, without a liability cap so low as to be meaningless in a realistic breach scenario.
Practical note: Indemnification terms have real financial consequences, particularly with clearinghouses or cloud storage providers handling tens of thousands of patient records. This is where legal counsel earns its fee.
When to involve HIPAA legal counsel
The decision is proportional to risk:
Involve counsel for:
- Any vendor who will handle more than a few thousand patients’ PHI
- EHR vendors, billing clearinghouses, cloud storage providers
- Any vendor relationship where the BAA contains unusual limitation of liability terms
- Any vendor adding AI processing to the relationship for the first time
- Any situation where the vendor’s BAA is meaningfully inconsistent with your template
Handle administratively for:
- Smaller vendors with limited PHI exposure (scheduling confirmations, answering services with no chart access)
- Vendors who are willing to use your standard BAA template without modification
- Renewals of existing agreements with no material changes
When a large vendor’s BAA is non-negotiable
Many clinic administrators encounter this situation: a major EHR vendor or cloud provider presents a standard BAA and states that its terms are non-negotiable — the same agreement applies to all customers.
This is common and does not automatically disqualify the vendor. The correct response is to conduct the review anyway, accept what is acceptable, document what is not, and make a documented decision about whether the risk is acceptable.
Practically, that means:
- Run the required elements checklist. If elements are missing, that is not a commercial term — it is a legal deficiency. Push back on any missing required element regardless of what the vendor says about negotiability.
- Review the five commercial risk areas above and document your assessment for each.
- Note any terms that fall outside your preferred position. Confirm in writing with the vendor what their position is.
- Make a documented decision: the relationship continues, with identified gaps noted and accepted; or the relationship does not continue.
For most large healthcare vendors, the standard BAA is substantively compliant even if it is not calibrated exactly to your preferences. The documentation of the review — even one that concludes “accepted as presented” — transforms a passive signature into a defensible compliance record.