What to Do When a Vendor Won't Sign a HIPAA BAA
By BAA Generator Research Team · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ A vendor refusing a BAA is a HIPAA dead-end — you cannot share PHI with them
- ✓ Escalate: most refusals come from frontline support, not legal/compliance teams
- ✓ Try presenting your own BAA template — vendors often prefer to sign something ready-to-go
- ✓ If they truly won't sign, you must stop sharing PHI with them — no workarounds
- ✓ Document the refusal and your response in your compliance records
It happens more often than you'd expect: a healthcare organization reaches out to a vendor about HIPAA compliance, and the vendor's response ranges from confusion ("what's a BAA?") to flat refusal ("we don't sign those"). Here's the practical playbook for handling it.
Why Vendors Refuse BAAs
Understanding why a vendor is refusing helps you figure out the right response:
They don't know what a BAA is
Smaller vendors — local IT companies, independent consultants, niche software tools — often haven't encountered HIPAA before. They're not refusing out of bad faith; they genuinely don't know what a BAA is or why it's required. In these cases, education and providing a ready-to-sign template often resolves the issue quickly.
They don't believe they're a business associate
Some vendors argue they never "see" PHI, so they don't need a BAA. This is sometimes correct (a courier who delivers sealed envelopes may not need one) but often wrong (an IT company with remote system access absolutely does). If the vendor's argument is that they're not a business associate, evaluate the argument carefully — but if their systems can access PHI, don't accept that argument without analysis.
Legal or liability concerns
Some vendors — particularly small ones without in-house counsel — are reluctant to sign contracts that acknowledge liability for PHI breaches. This is understandable but not acceptable if they're going to handle PHI. The HIPAA BAA itself doesn't create liability; the underlying law already does.
Policy refusal
Some large consumer-facing platforms (personal Gmail, consumer Dropbox, standard Zoom) simply don't offer BAAs as a matter of policy. This is a clear signal: use the business/enterprise version of the product or use a different tool.
Step-by-Step: What to Do
Step 1: Escalate beyond front-line support
If you receive a BAA refusal from a customer support rep or account manager, escalate. Request to speak with the vendor's legal counsel, compliance officer, or privacy team. Many "we don't sign BAAs" responses from front-line support are actually "our support rep doesn't know how to handle this request." Enterprise and mid-market vendors almost always have BAA processes — you just need to reach the right person.
Step 2: Present your own BAA template
Many vendors who say they "don't have a BAA" will sign one if you provide it. Generate a standard, reasonable BAA and send it to the vendor with a brief cover note explaining that this is required for your organization to continue using their service. A short, clear BAA is less threatening than asking them to draft their own.
Frame it as: "We need this on file for our HIPAA compliance program. It's a standard agreement — here's a clean template. Happy to answer any questions."
Step 3: Negotiate the terms
If the vendor has legal concerns about specific provisions, there is room to negotiate within HIPAA's requirements. Mandatory provisions cannot be removed, but you can discuss:
- Indemnification scope and liability caps
- Specific breach notification timelines within the 60-day maximum
- Permitted subprocessors
- PHI return vs. destruction at termination
Do not negotiate away mandatory provisions — they are legally required. If a vendor insists on removing required clauses, the remaining document is not a valid BAA.
Step 4: If they still refuse — stop sharing PHI
If the vendor refuses to sign any BAA, your options are:
- Restructure your use — can you use the vendor in a way that never involves PHI? Some tools can be used for non-clinical functions with complete data segregation. This requires a careful architecture review, not a hopeful assumption.
- Replace the vendor — find a comparable vendor who will sign a BAA. For most vendor categories, HIPAA-compliant alternatives exist.
- Stop using the vendor for PHI functions immediately — if you're currently sharing PHI with them, that must stop until a BAA is in place. Immediate discontinuation is required.
Document Everything
Whether the outcome is a signed BAA, a negotiated agreement, or vendor discontinuation, document your process:
- Record the date you first requested the BAA
- Save copies of all communications about the BAA request
- Note the vendor's response and reasoning
- Document your decision and the date PHI sharing was stopped (if applicable)
This documentation demonstrates good-faith compliance efforts if your organization is ever investigated by the OCR. "We tried to get a BAA and were refused, then discontinued PHI sharing on [date]" is a very different story than "we never thought about it."
The Bottom Line
There is no HIPAA exception for vendors who won't cooperate. If a vendor handles PHI and refuses a BAA, you are operating outside of HIPAA compliance for every day you continue sharing PHI with them. The enforcement risk is real — the OCR has cited missing BAAs in investigations triggered by entirely unrelated complaints.
Escalate, educate, and provide your own template first. If that fails, replace the vendor or restructure your use. Don't rationalize continued PHI sharing with a non-BAA vendor as acceptable risk.
Generate a compliant BAA in 5 minutes
HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word
No subscription · PDF + Word · Free watermarked preview