How to Negotiate a HIPAA Business Associate Agreement
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 6 min read
Key Takeaways
- ✓ Many BAA provisions are negotiable — breach timeline, permitted uses scope, subcontractor disclosure, PHI disposition terms
- ✓ HIPAA's 60-day BA breach notification deadline is a maximum, not the target — negotiate for 15–30 days
- ✓ Large vendors (Google, AWS, Salesforce) typically do not accept BAA modifications; smaller vendors often do
- ✓ Use your own BAA form when you are the party providing the agreement — it gives you control over the starting point
Most BAA negotiations start with one party's standard form. If you provide the form, you control the starting point. If the vendor provides the form, you are marking up their document. Either way, knowing which provisions actually matter for compliance — versus which are boilerplate unlikely to be contested — determines how to spend negotiation capital. For background, see what a BAA is required to contain under HIPAA.
Which BAA Provisions Are Negotiable
These provisions are commonly negotiated and vendors have flexibility to accept changes:
| Provision | Default / Common Vendor Language | Negotiation Goal |
|---|---|---|
| Breach notification timeline | 60 days (HIPAA statutory maximum) | 15–30 days to give CE time to manage downstream notifications |
| Permitted uses and disclosures | Broad or vague ("as necessary to provide services") | Specific enumeration of permitted uses tied to your actual use case; prohibition on use for product improvement or AI training without consent |
| Subcontractor disclosure | No notification requirement or catch-all clause | Vendor must notify CE before engaging new subcontractors who will access PHI; CE has right to object |
| PHI return/destruction on termination | Vague or limited to "commercially reasonable efforts" | Specific destruction method (e.g., NIST 800-88), timeline, and certificate of destruction |
| Audit rights | No audit right, or right limited to "with 30 days notice" | Right to audit or review security documentation upon reasonable request |
| Security incident notification scope | Only "reportable breaches" trigger notification | Notification of any security incident involving PHI, even if it turns out to be a non-reportable breach after investigation |
Which Provisions Are Non-Negotiable Under HIPAA
Some BAA elements are mandated by 45 CFR § 164.504(e) — neither party can remove or dilute them:
- The BA may not use or disclose PHI other than as permitted or required by the BAA or as required by law
- The BA must use appropriate safeguards to prevent unauthorized use or disclosure
- The BA must report any use or disclosure not provided for by the BAA to the covered entity
- The BA must ensure its subcontractors who handle PHI agree to the same restrictions and conditions
- The BA must make its internal practices, books, and records available to HHS for compliance determination
- The BA must return or destroy PHI upon termination (or extend protections if infeasible)
If a vendor proposes removing or substantially limiting any of these provisions, that is not a negotiation about preference — it is a request to sign a non-compliant BAA. Do not agree.
The 4 Provisions Worth Fighting For
1. Breach notification timeline: push for 15–30 days
HIPAA requires BA-to-CE breach notification "without unreasonable delay and in no case later than 60 calendar days" after the BA discovers the breach (45 CFR § 164.410). Those 60 days belong to the BA — meaning if you have 60 days to notify individuals yourself, and the BA waits the full 60 days to tell you, you have almost no time to manage your own notification process.
Negotiating for 15–30 day BA notification preserves your operational buffer. Most reasonably sophisticated vendors accept this without significant resistance; it is a reasonable request that does not fundamentally change their operations.
2. Permitted uses scope: limit to your specific use case
Broad permitted use language like "for purposes of providing services" can be interpreted to permit the vendor to use PHI for product development, aggregated analytics, or AI model training. Narrow this to the specific function you are hiring the vendor for. If the vendor wants to use de-identified data for analytics, that should be a separate, explicitly negotiated provision — not buried in a catch-all.
3. Subcontractor disclosure: require pre-notification
HIPAA requires BAs to get sub-BAAs from their subcontractors (45 CFR § 164.308(b)(2)), but it does not require them to disclose subcontractors to the covered entity. Negotiating pre-notification rights — or at minimum, a list of current subcontractors who access PHI — lets you track the full data flow. This is especially valuable for cloud vendors who change infrastructure providers frequently.
4. PHI return/destruction: require specificity and confirmation
Vague termination language ("vendor will make commercially reasonable efforts to delete PHI") leaves you without a HIPAA-defensible record. Negotiate for: specific destruction standard (NIST 800-88 for electronic media), a defined timeline (30–60 days post-termination), and a written certificate of destruction. This matters most if the vendor relationship ever ends in dispute.
Negotiating with Large Vendors (Google, AWS) vs. Smaller Vendors
Large vendors with standardized HIPAA programs — Google Workspace, Google Cloud, AWS, Microsoft Azure, Salesforce, HubSpot Healthcare — typically offer non-negotiable BAA addenda. They will not accept markups to their standard form. Your options:
- Accept the standard BAA if it is substantively compliant (most are, for standard use cases)
- Evaluate the specific gap between their terms and your requirements — if the gap is material, the vendor may not be appropriate for your use case
- Use contractual provisions in your service agreement (not the BAA) to address additional protections if the vendor's terms allow it
Smaller vendors — regional EHR systems, specialty SaaS tools, boutique healthcare IT vendors — generally have more flexibility. They may not have a standard BAA at all, which means providing your own form (generated through a structured tool) gives you full control over the terms from the start. See our guide on what to do when a vendor wants to modify your BAA.
When to Accept a Vendor's Standard BAA Without Changes
Negotiating every BAA fully is not always the right use of time. Accept a vendor's standard BAA without changes when:
- The vendor is a large, well-established company with a documented HIPAA compliance program
- The PHI volume and sensitivity are low (e.g., a scheduling tool that sees appointment times but not diagnoses)
- The standard form contains all required HIPAA BAA elements (verify this against 45 CFR § 164.504(e))
- The vendor relationship is short-term or low-risk
- You have a clear understanding of the permitted uses and they match your actual use case
Accepting the standard form is a documented risk decision — not a compliance failure — as long as the standard form is substantively compliant.
Frequently Asked Questions
Can a BAA be negotiated?
Yes. Many BAA provisions are negotiable, including breach notification timelines, permitted uses scope, subcontractor disclosure requirements, and PHI return/destruction terms. Some provisions are non-negotiable because HIPAA mandates them. Large standardized vendors typically do not accept modifications to their standard BAA; smaller vendors often do.
What is the minimum breach notification timeline in a BAA?
HIPAA sets a 60-day maximum for BA-to-CE breach notification (45 CFR § 164.410). There is no statutory minimum — parties can agree to any shorter timeline. Best practice is 15–30 days, which preserves the covered entity's ability to manage its own downstream notification obligations within HIPAA's timeframes.
Should I accept Google's standard BAA or push for changes?
Google's standard BAA is substantively HIPAA-compliant for standard use cases. Google will not accept custom modifications. For most covered entities using Google Workspace or Google Cloud for standard healthcare operations, accepting Google's standard BAA is reasonable. If your use case has specific requirements Google's form does not address, evaluate whether Google is the right vendor for that use case.