What to Do When a Vendor Won't Sign a HIPAA BAA
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ A vendor refusing a BAA is a HIPAA dead-end — you cannot share PHI with them
- ✓ Escalate: most refusals come from frontline support, not legal/compliance teams
- ✓ Try presenting your own BAA template — vendors often prefer to sign something ready-to-go
- ✓ If they truly won't sign, you must stop sharing PHI with them — no workarounds
- ✓ Document the refusal and your response in your compliance records
It happens more often than you'd expect: a healthcare organization reaches out to a vendor about HIPAA compliance, and the vendor's response ranges from confusion ("what's a BAA?") to flat refusal ("we don't sign those"). Here's the practical playbook for handling it.
Why Vendors Refuse BAAs
Understanding why a vendor is refusing helps you figure out the right response:
They don't know what a BAA is
Smaller vendors — local IT companies, independent consultants, niche software tools — often haven't encountered HIPAA before. They're not refusing out of bad faith; they genuinely don't know what a BAA is or why it's required. In these cases, education and providing a ready-to-sign template often resolves the issue quickly.
They don't believe they're a business associate
Some vendors argue they never "see" PHI, so they don't need a BAA. This is sometimes correct (a courier who delivers sealed envelopes may not need one) but often wrong (an IT company with remote system access absolutely does). If the vendor's argument is that they're not a business associate, evaluate the argument carefully, and if their systems can access PHI, even if their staff don't routinely view it, don't accept that argument without analysis.
Legal or liability concerns
Some vendors — particularly small ones without in-house counsel — are reluctant to sign contracts that acknowledge liability for PHI breaches. This is understandable but not acceptable if they're going to handle PHI. The HIPAA BAA itself doesn't create liability; the underlying law already does.
Policy refusal
Some large consumer-facing platforms (personal Gmail, consumer Dropbox, standard Zoom) simply don't offer BAAs as a matter of policy. This is a clear signal: use the business/enterprise version of the product or use a different tool.
Step-by-Step: What to Do
Step 1: Escalate beyond front-line support
If you receive a BAA refusal from a customer support rep or account manager, escalate. Request to speak with the vendor's legal counsel, compliance officer, or privacy team. Many "we don't sign BAAs" responses from front-line support are actually "our support rep doesn't know how to handle this request." Enterprise and mid-market vendors almost always have BAA processes — you just need to reach the right person.
Step 2: Present your own BAA template
Many vendors who say they "don't have a BAA" will sign one if you provide it. Generate a standard, reasonable BAA and send it to the vendor with a brief cover note explaining that this is required for your organization to continue using their service. A short, clear BAA is less threatening than asking them to draft their own.
Frame it as: "We need this on file for our HIPAA compliance program. It's a standard agreement — here's a clean template. Happy to answer any questions."
Step 3: Negotiate the terms
If the vendor has legal concerns about specific provisions, there is room to negotiate within HIPAA's requirements. Mandatory provisions cannot be removed, but you can discuss:
- Indemnification scope and liability caps
- Specific breach notification timelines within the 60-day maximum
- Permitted subprocessors
- PHI return vs. destruction at termination
Do not negotiate away mandatory provisions — they are legally required. If a vendor insists on removing required clauses, the remaining document is not a valid BAA.
Step 4: If they still refuse — stop sharing PHI
If the vendor refuses to sign any BAA, your options are:
- Restructure your use — can you use the vendor in a way that never involves PHI? Some tools can be used for non-clinical functions with complete data segregation. This requires a careful architecture review, not a hopeful assumption.
- Replace the vendor — find a comparable vendor who will sign a BAA. For most vendor categories, HIPAA-compliant alternatives exist.
- Stop using the vendor for PHI functions immediately — if you're currently sharing PHI with them, discontinue it now and do not resume until a BAA is in place.
Document Everything
Whether the outcome is a signed BAA, a negotiated agreement, or vendor discontinuation, document your process:
- Record the date you first requested the BAA
- Save copies of all communications about the BAA request
- Note the vendor's response and reasoning
- Document your decision and the date PHI sharing was stopped (if applicable)
This documentation demonstrates good-faith compliance efforts if your organization is ever investigated by OCR. "We tried to get a BAA and were refused, then discontinued PHI sharing on [date]" is a very different story from "we never thought about it."
The Bottom Line
There is no HIPAA exception for vendors who won't cooperate. If a vendor handles PHI and refuses a BAA, you are operating outside of HIPAA compliance for every day you continue sharing PHI with them. The enforcement risk is real — the OCR has cited missing BAAs in investigations triggered by entirely unrelated complaints.
Escalate, educate, and provide your own template first. If that fails, replace the vendor or restructure your use. Don't rationalize continued PHI sharing with a non-BAA vendor as acceptable risk.