BAA Negotiations: The Five Clauses Healthcare Buyers Should Never Sign
By the Vizier Editorial Team · April 28, 2026 · 7 min read
BAAs come in two flavors: the boilerplate that protects the vendor, and the one that protects you. Five clauses to refuse before signing anything.
Business Associate Agreements come in two flavors: the boilerplate that protects the vendor, and the variant that genuinely protects you. Five clauses appear in vendor BAAs that healthcare buyers should refuse — or at minimum negotiate before signing. Each one looks innocuous and each one shifts risk in ways that matter under audit.
1. Vague “reasonable security” language
Many vendor BAAs say the vendor will use “reasonable and appropriate” security measures. Reasonable to whom? At minimum, the BAA should reference specific standards: HIPAA Security Rule, SOC 2 Type II, HITRUST or equivalent. Without a named standard, “reasonable” is whatever the vendor's lawyer argued during a deposition.
2. Sub-processor permission without notification
Some BAAs grant the vendor blanket permission to engage sub-processors that handle PHI without notifying the covered entity. This is a real problem: a 2024 sub-processor change at one vendor exposed PHI to a new third party that the customer had never approved.
Demand: a published sub-processor schedule, with advance notice of any additions, and a contractual right to object to a specific sub-processor.
3. Breach notification windows over 60 days
HIPAA requires breach notification to affected individuals within 60 days of discovery. Vendor BAAs sometimes set the vendor-to-customer notification clock at 60 days too, which leaves the covered entity no time to investigate before it must notify patients.
Demand: 24-48 hour vendor-to-customer notification. The 60-day patient notification clock should give the covered entity time to respond.
4. Indemnification carve-outs
Vendor BAAs sometimes cap or carve out vendor indemnification for breaches caused by the vendor's own actions. The financial logic is that vendors don't want unlimited liability. The buyer logic is that a vendor that causes a breach should bear meaningful financial responsibility for the consequences.
Negotiate a meaningful cap — typically 1-3x annual contract value at minimum — and ensure the cap doesn't apply to gross negligence or willful misconduct.
5. Return / destruction language without timelines or audit
On termination, the vendor is supposed to return or destroy PHI. Vendor BAAs often say so without specifying a timeline or providing for verification. The covered entity has no way to confirm what happened to the data.
Demand: a specific timeline (30-60 days), an audit certificate from the vendor confirming destruction, and an obligation to flow the same requirement to sub-processors.
What good looks like
A well-structured BAA includes:
- Named security standards (SOC 2 Type II, HITRUST, or specific Security Rule controls).
- Published sub-processor schedule and change-notification rights.
- 24-48 hour vendor-to-customer breach notification window.
- Meaningful indemnification that doesn't exempt the vendor's own negligence.
- Specific destruction timelines and audit certificates on termination.
Where Vizier sits
Vizier's standard BAA includes all five items above. It is executed in 1 business day for new customers. The BAA template is available for prospect review before contract — we don't hide it. See the security page.
Related: the HIPAA audit framework for what the BAA is meant to protect against.