
BAA template walkthrough for MSPs

Clause by clause through a Business Associate Agreement, with what to negotiate and what to refuse.

A Business Associate Agreement is not a standard vendor contract with a HIPAA section added. It is a legally required instrument that establishes your obligations as a Business Associate under 45 CFR §164.504(e). The core purpose is to ensure that PHI shared with you by a covered entity is subject to the same privacy and security protections the covered entity is required to maintain. If you are providing IT services to any HIPAA-covered entity, this document must be signed before you access any PHI — not during onboarding, not afterward.

The required provisions in every BAA are non-negotiable because they are mandated by HHS regulation. These include: specifying the permitted and required uses of PHI, requiring you to implement appropriate safeguards, requiring you to report breaches and security incidents, requiring you to make PHI available to the covered entity's patients on request, and requiring you to return or destroy PHI at the end of the agreement. A BAA that omits any of these provisions is legally deficient regardless of what the parties intended.

The 'permitted uses' section defines what you can do with PHI you encounter during service delivery. The standard language permits you to use PHI only as necessary to perform services under your MSA. Do not agree to broader permitted uses than necessary — every additional permitted use expands your liability exposure. Specifically, do not agree to use PHI for your own operations, marketing, or training purposes.

The safeguard requirements section should reference the HIPAA Security Rule's administrative, physical, and technical safeguard categories. A well-drafted BAA requires you to implement safeguards 'in accordance with the HIPAA Security Rule' rather than specifying particular controls. This is correct — specific control requirements belong in your security policy, not the BAA. If a client's BAA requires specific technologies or vendors, push back: you cannot guarantee that a specific vendor's product is available or appropriate for all future circumstances.

What to negotiate: breach notification timelines, indemnification scope, and subcontractor obligations. The regulation requires 'without unreasonable delay and no later than 60 days' for breach notification from BA to covered entity. Some client BAAs demand notification within 24 or 48 hours — this is overly aggressive and may not be achievable if you discover a breach on a Friday evening. Push for 72 hours as the notification floor with daily updates after that. Indemnification clauses should be mutual and capped at the value of the agreement.

What to refuse: unlimited liability provisions, requirements to maintain client-specific insurance policies beyond what you already carry, provisions that make you responsible for PHI access by the covered entity's own staff, and data residency requirements that conflict with your tool stack. If a client insists on provisions you cannot meet operationally, it is better to decline the engagement than to sign a BAA you know you cannot comply with.