What to Do When a Vendor Wants to Change Your BAA
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 6 min read
Key Takeaways
- ✓ Vendor BAA redlines are normal — do not be surprised when a vendor proposes changes
- ✓ Some modifications are acceptable; others are red flags indicating the vendor doesn't understand HIPAA
- ✓ Never execute a BAA missing required HIPAA elements just to close a deal quickly
- ✓ If a vendor refuses to include basic breach notification or subcontractor BAA obligations, walk away
Why Vendors Redline Your BAA
When you send a vendor your HIPAA BAA, their legal or operations team will often return it with proposed changes. This is a normal part of contracting — every vendor's legal team has positions on certain terms. Common reasons vendors request changes:
- Liability exposure: Your BAA may have uncapped indemnification or liability provisions that their legal team will almost always push back on
- Operational incompatibility: A breach notification window of 48 hours may be genuinely impractical for a vendor to meet operationally
- Different BAA standard: The vendor has their own standard BAA they prefer and wants to substitute it
- HIPAA uncertainty: The vendor is not sure which provisions apply to their role and proposes changes out of caution (or ignorance)
- Scope limitations: The vendor wants to limit the BAA to specific services or data types they actually handle
Acceptable BAA Modifications
The following types of changes are generally reasonable and can often be accepted without significant concern:
| Type of Change | Why It's Generally Acceptable |
|---|---|
| Adjusting defined terms to match their service agreement | Administrative harmonization; does not change substance |
| Modifying governing law or jurisdiction | Reasonable business position; usually not a HIPAA compliance issue |
| Updating notice addresses and contact information | Administrative; no substance change |
| Extending the breach notification window from 5 days to 15-30 days after discovery | Operationally reasonable, provided it still leaves you time to meet your own outer deadline of no later than 60 days after discovery (45 CFR §164.404). Bear in mind that the vendor's own deadline under §164.410 is also 60 days, and that discovery by a vendor acting as your agent is imputed to you, so a long vendor window can consume most of your clock |
| Capping liability to a reasonable multiplier of annual contract value | Standard commercial position; acceptable if cap is proportionate to risk |
| Narrowing the scope of PHI covered to match their actual service | Appropriate if the vendor genuinely doesn't handle all PHI categories in your BAA |
| Adding mutual (reciprocal) obligations | Reasonable; balance of obligation is fair |
Red-Flag Redlines That Should Concern You
The following vendor changes should raise immediate concern and require careful evaluation before acceptance:
Deletion of breach notification requirement
If a vendor strikes the entire breach notification obligation or proposes language like "vendor will notify covered entity at its discretion", treat it as a major red flag. A BAA must require the business associate to report any use or disclosure not provided for by the contract, including breaches of unsecured PHI as required by 45 CFR §164.410 (45 CFR §164.504(e)(2)(ii)(C)), and under the Security Rule to report security incidents it becomes aware of (§164.314(a)(2)(i)(C)). A BAA without that obligation is not a valid BAA.
Removal of subcontractor BAA requirement
Vendors sometimes push back on the requirement to execute BAAs with their own subcontractors. This is non-negotiable under HIPAA: the business associate must ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions and conditions that apply to the business associate (45 CFR §164.502(e)(1)(ii), §164.504(e)(2)(ii)(D)). If a vendor wants to delete this provision, they either do not understand HIPAA or are trying to avoid a compliance obligation they cannot meet.
Deletion of PHI return/destruction at contract end
Striking the PHI return/destruction clause is common among vendors who want to retain data after the relationship ends. Under HIPAA, the BAA must require the vendor to return or destroy all PHI at termination of the contract if feasible; where return or destruction is infeasible, the vendor must extend the BAA's protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible (45 CFR §164.504(e)(2)(ii)(J)). Accept language that allows a defined retention period for legal or regulatory reasons, with the BAA's protections continuing to apply, but not indefinite retention without a stated purpose.
Broad permitted use language for vendor's own purposes
A vendor proposing to add language permitting them to "use PHI to improve services, train machine learning models, or conduct internal analytics" is seeking to use your patient data for their commercial benefit. HIPAA lets a BAA permit the vendor to use PHI only for its proper management and administration, to carry out its legal responsibilities, and for data aggregation services you have authorized (45 CFR §164.504(e)(2)(i), §164.504(e)(4)); product improvement and model training on identifiable PHI do not fall within those categories. Reject such language unless the proposed use genuinely fits one of them or is covered by valid patient authorizations under §164.508.
Self-serving de-identification carve-out
Language allowing the vendor to de-identify PHI using its own methods (not the HIPAA Expert Determination or Safe Harbor standard) and then use the result freely is a red flag. HIPAA de-identification has specific requirements (45 CFR §164.514(a)-(b)), and only data that meets one of those two standards ceases to be PHI; a vendor-defined standard is not sufficient, and data that is merely "anonymized" by the vendor's own definition remains PHI subject to the BAA. If you do permit de-identification, the BAA should say so expressly, require the §164.514(b) standard, and state what the vendor may do with the de-identified data.
How to Respond to a Vendor's Counter-Proposal
When you receive a vendor's redlined BAA:
- Categorize each redline: Is this administrative (acceptable), commercial (negotiable), or substantive HIPAA provision (needs careful review)?
- Prepare a response document: Accept the acceptable changes, counter-propose on negotiable items, and reject/escalate red-flag changes
- Provide regulatory basis for your position: When rejecting a redline, cite the specific HIPAA regulation that requires the provision (e.g., "45 CFR §164.504(e)(2)(ii)(C) requires the BAA to obligate you to report uses and disclosures not provided for by the contract, including breaches of unsecured PHI; we cannot remove this")
- Offer compromise language: Rather than simply rejecting, propose alternative wording that addresses the vendor's concern while preserving the HIPAA requirement
- Involve legal counsel: For complex redlines involving liability, indemnification, or unusual proposed language, involve your legal or compliance counsel
When to Walk Away
Some vendor positions make a HIPAA-compliant BAA impossible to execute. Walk away from the vendor relationship (for PHI-handling services) if:
- The vendor refuses to include any breach notification obligation
- The vendor refuses to require subcontractor BAAs (a HIPAA requirement), or will not identify the subcontractors who handle PHI so you can assess them (a diligence requirement in most BAAs)
- The vendor insists on language permitting unlimited use of PHI for their own purposes
- The vendor refuses to include any obligation to return or destroy PHI at contract end
- The vendor says they "don't do HIPAA BAAs" but still wants to handle your PHI
Walking away can be difficult, especially when a vendor offers a compelling product. But operating without a valid BAA — or with a deficient BAA missing required elements — exposes your organization to significant HIPAA enforcement risk. The cost of an OCR investigation or civil penalty typically far exceeds the cost of finding a compliant alternative vendor.
Frequently Asked Questions
Can a vendor refuse to sign your BAA?
Yes. Vendors can refuse to sign your BAA and insist on using their own, or refuse any BAA at all. If the vendor will create, receive, maintain, or transmit PHI on your behalf (so that it is a business associate under 45 CFR §160.103) and will not execute any BAA, you cannot use the vendor without violating HIPAA. The narrow exception is a vendor that is not a business associate at all, such as a mere conduit that only transports PHI without storing or accessing it; do not rely on that exception without confirming the vendor's actual role.
What if a vendor strikes key HIPAA provisions from my BAA?
If required elements are struck (breach notification, subcontractor BAAs, PHI return/destruction), the resulting document may not be a valid BAA. Do not execute it. Provide the regulatory basis for why the provision must remain and propose acceptable compromise language. If the vendor refuses, consider whether the relationship is viable.
Is a modified BAA still HIPAA compliant?
Yes. A modified BAA remains HIPAA compliant as long as all required elements of 45 CFR §164.504(e)(2) (and, for electronic PHI, §164.314(a)(2)) are still present. Modifications to optional provisions (liability caps, governing law, style) do not affect compliance. Modifications that remove or hollow out a required element make the BAA non-compliant.
Start with a clean, negotiation-ready BAA template
Use BAA Generator to create a HIPAA-compliant BAA that vendors can redline from a solid, well-structured starting point.
Generate BAA for Free →