How to Review a HIPAA Business Associate Agreement a Vendor Sent You
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 7 min read
Key Takeaways
- ✓ Always review 7 key provisions before signing any vendor BAA
- ✓ Most critical: permitted uses, breach notification timeline (push for ≤30 days), and PHI return/destruction
- ✓ A vendor's BAA is a starting point — you can and should negotiate problematic terms
- ✓ A 90-day breach notification window is a red flag; HIPAA's own deadline for covered-entity notification is 60 days, and that clock runs against you
Why You Should Always Review a Vendor BAA Before Signing
When a vendor sends you their standard HIPAA BAA, it is tempting to sign quickly — you want to move forward with the vendor relationship, and having "a BAA in place" feels like the compliance box is checked.
But vendor BAAs are written by the vendor's legal team to protect the vendor, not you. Standard vendor BAAs frequently contain terms that:
- Allow the vendor to use your PHI for their own purposes (training AI models, analytics, product improvement)
- Set breach notification windows as long as 90 days — leaving you scrambling to meet your own HIPAA reporting deadlines
- Limit the vendor's liability to a few thousand dollars — even if their breach costs you millions
- Fail to require the vendor to disclose new subcontractors that receive your PHI
- Have no obligation to return or destroy PHI when the contract ends
A signed BAA that contains these terms is worse than no BAA in one respect: it gives you false confidence that you are protected when you are not.
7 Things to Check in Any Vendor BAA
1. Permitted uses and disclosures
The BAA must specify what the vendor is allowed to do with your PHI — and nothing more. Permitted uses should be limited to providing the contracted service. Watch for: language allowing the vendor to use PHI for their own product improvement, analytics, AI model training, or marketing without your explicit consent. This is common in SaaS vendor BAAs and should be struck.
2. Minimum necessary access
The vendor should commit to accessing only the minimum PHI necessary to perform the service. Broad access rights without restrictions (e.g., "access to all PHI in the covered entity's systems") should be narrowed. The minimum necessary standard is a core HIPAA principle that should be reflected in the BAA.
3. Breach notification timeline
HIPAA requires a covered entity to notify affected individuals and HHS within 60 days of discovering a breach. But that 60-day clock starts when the covered entity discovers it — not when the vendor tells you. If the vendor's BAA says they have 60 days to notify you, you could have zero days left to meet your reporting obligations. Push for: vendor notification within 5–30 days of the vendor discovering a breach.
4. Subcontractor disclosure and flow-down BAAs
Vendors rarely process data entirely in-house — they use cloud providers, analytics vendors, support tools, and other subcontractors. The BAA should require the vendor to: (a) disclose all current subcontractors that receive PHI, (b) execute BAAs with each subcontractor, and (c) notify you before adding new subcontractors so you can object. Lack of subcontractor transparency is a common gap.
5. Return or destruction of PHI at termination
When your agreement with the vendor ends, what happens to your PHI? The BAA must specify that the vendor will either return all PHI to you or securely destroy it within a defined timeframe. Watch for: language that allows the vendor to retain PHI indefinitely "as required by law" without specifying what law or when retention ends. This provision is frequently missing from boilerplate vendor BAAs.
6. Support for patient rights
HIPAA grants patients rights to access their records, request amendments, and receive an accounting of disclosures. When a vendor holds PHI, they must cooperate with you to honor these patient rights. The BAA should obligate the vendor to: provide access to PHI upon request, support amendment requests, and maintain records of disclosures for accounting purposes.
7. Liability cap and indemnification
If a vendor breach results in a HIPAA violation and OCR penalty, who bears the cost? Many vendor BAAs cap liability at the total fees paid in the prior 12 months — which might be a few thousand dollars for a SaaS tool that caused a breach exposing hundreds of thousands of patient records. Evaluate whether the liability cap is commensurate with the risk the vendor carries. Also check whether the vendor indemnifies you for penalties arising from their breach of the BAA.
Red Flags in a Vendor BAA
Beyond the 7 provisions above, watch for these specific red flags:
- AI/ML training carve-outs: Some SaaS vendors include language allowing use of PHI to "improve services," which is code for training AI models on your patient data.
- Broad "de-identification" rights: Vendor claims the right to de-identify PHI and use it freely. De-identification must meet HIPAA's Expert Determination or Safe Harbor method — not the vendor's own definition.
- No termination for cause: A BAA should allow you to terminate immediately if the vendor breaches the agreement. If termination requires lengthy notice periods, you lose the ability to act quickly when a vendor violates their HIPAA obligations.
- Jurisdiction and governing law: If the vendor specifies a jurisdiction that makes enforcement impractical, this can limit your practical remedies.
When to Push Back on a Vendor's Terms
You should push back whenever a vendor BAA:
- Sets a breach notification window longer than 30 days
- Allows PHI use beyond providing the contracted service
- Has no PHI return/destruction clause at contract end
- Caps liability at less than 1x annual contract value for a high-PHI service
- Does not require subcontractor BAAs or disclosure
Approach the negotiation professionally: identify the specific provisions you want changed, explain the HIPAA regulatory basis for your request, and propose specific replacement language. Most vendors with a genuine commitment to HIPAA compliance will accept reasonable modifications.
What a HIPAA BAA Must Include (Required Elements)
| Required Element | HIPAA Regulation | What to Look For |
|---|---|---|
| Permitted uses and disclosures | 45 CFR §164.504(e)(2)(i) | Specific list of permitted purposes |
| Prohibition on unauthorized use | 45 CFR §164.504(e)(2)(ii)(A) | Vendor cannot use PHI except as permitted |
| Appropriate safeguards | 45 CFR §164.504(e)(2)(ii)(B) | Vendor must implement security safeguards |
| Reporting of security incidents | 45 CFR §164.504(e)(2)(ii)(C) | Must report breaches and security incidents |
| Subcontractor requirements | 45 CFR §164.504(e)(2)(ii)(D) | Subcontractors must also have BAAs |
| Access to PHI | 45 CFR §164.504(e)(2)(ii)(E) | Support patient right of access |
| Amendment of PHI | 45 CFR §164.504(e)(2)(ii)(F) | Support patient right to amendment |
| Accounting of disclosures | 45 CFR §164.504(e)(2)(ii)(G) | Track disclosures for patient requests |
| Return or destruction of PHI | 45 CFR §164.504(e)(2)(ii)(J) | PHI returned or destroyed at contract end |
Frequently Asked Questions
What should a HIPAA BAA include?
A HIPAA BAA must include: permitted uses and disclosures of PHI, safeguard requirements, reporting of security incidents and breaches, obligations regarding subcontractors, support for individual patient rights (access, amendment, accounting of disclosures), return or destruction of PHI at contract end, and termination provisions if the vendor breaches the agreement.
Can I modify a vendor's BAA?
Yes — a vendor's standard BAA is a starting point for negotiation. You can propose redlines to their document. Common modifications include shortening the breach notification window, strengthening subcontractor disclosure, and adjusting the liability cap. The vendor may or may not agree to all changes, but it is always worth requesting modifications to problematic terms.
What if the vendor's BAA has a 90-day breach notification window?
A 90-day window is a red flag. HIPAA's deadline for covered-entity notification is 60 days, but you need vendor notification well before that — ideally within 5–30 days — so you have time to investigate, assess breach status, and meet your own HIPAA reporting obligations to HHS and affected individuals. Push back on any window longer than 30 days.
Does the vendor want YOU to provide the BAA instead?
Some vendors prefer to sign the covered entity's BAA rather than provide their own. Generate a clean, HIPAA-compliant BAA in minutes.