“Quick look?” lands in KT Farley’s inbox with a vendor BAA attached and sales wanting it signed by Friday. Farley, Chief Privacy Officer and Associate General Counsel at the genomics company Helix, knows the trap inside that quick look: a vendor’s standard BAA is the vendor’s template, drafted to protect the vendor, and the PHI at stake belongs to her company.
A business associate agreement review is the legal read of a HIPAA business associate agreement before signing, run against two questions: does it carry every provision the HIPAA Privacy and Security Rules require, and do its risk-allocation terms protect your company. It splits into a compliance floor (the seven provisions HIPAA mandates at 45 CFR 164.504(e), non-optional) and a negotiation layer (breach notification, indemnification, liability caps, audit rights, subcontractor flow-down). The first layer is a checklist. The second is judgment, and it is where the vendor’s template runs one-sided.
For in-house counsel at a covered entity or business associate, this is one of the most repetitive high-stakes tasks on the desk: every vendor that touches PHI needs a BAA, every one arrives on the vendor’s paper, and every one gets read, flagged, and negotiated before the business gets its tool.
Here at GC AI, the legal AI built for in-house counsel by a three-time general counsel, we help healthcare and in-house teams run a vendor’s BAA, and the rest of the paper it travels with, against their own standard positions: the seven required HIPAA provisions, the breach-notification window, the liability carve-out, the subcontractor controls. We flag the one-sided terms and turn a “quick look” into a citation-backed redline in minutes, so the judgment calls are all that is left for you.
What a Business Associate Agreement Review Is
A BAA is the contract HIPAA mandates between a covered entity and a business associate, or between a business associate and a subcontractor, whenever the downstream party creates, receives, maintains, or transmits PHI on the covered entity’s behalf. Without a signed BAA in place, disclosing PHI to that vendor is itself a HIPAA violation.
The review runs against two reference points. The HHS sample BAA provisions and the requirements at 45 CFR 164.504(e) set the compliance floor: a BAA missing any required provision is defective on its face. The negotiation layer is the terms HIPAA leaves to the parties, where the vendor’s template is built to favor the vendor and an in-house lawyer earns the read. A useful BAA review does both in one pass, because the negotiated clause that looks standard is the one that does the real damage: it carries the breach costs the required-provision checklist never touches.
What a BAA Must Contain: The Required Provisions
Every BAA has to carry the provisions HIPAA specifies at 45 CFR 164.504(e). Confirm each one is present before you touch the negotiation terms. The required elements are:
Permitted uses and disclosures of PHI. The BAA must describe what the business associate is allowed to do with PHI and bar any use or disclosure beyond what the contract or law permits.
Appropriate safeguards. The business associate must use safeguards to prevent unauthorized use or disclosure, including the administrative, physical, and technical safeguards the HIPAA Security Rule requires for electronic PHI.
Breach and security incident reporting. The business associate must report any use or disclosure not permitted by the contract, any security incident, and any breach of unsecured PHI.
Subcontractor flow-down. The business associate must require that any subcontractor that handles PHI agrees to the same restrictions and conditions that apply to the business associate itself.
Individual rights support. The BAA must require the business associate to make PHI available for access, amendment, and accounting of disclosures so the covered entity can meet its obligations to individuals.
HHS access. The business associate must make its internal practices, books, and records available to HHS for compliance review.
Return or destruction of PHI at termination. On termination, the business associate must return or destroy all PHI it holds, or extend protections if return or destruction is infeasible.
If any of the seven is missing, the BAA fails the compliance floor and goes back to the vendor before anything else gets discussed. Treat the required-provision pass as binary: present and correct, or back to redlining.
The Clauses In-House Counsel Negotiate
The required provisions get a BAA to legal. The negotiated provisions decide who pays when something goes wrong. These are the clauses where a vendor template runs one-sided and where your review creates leverage:
Breach notification timeline. HIPAA gives a covered entity 60 days from discovery to notify affected individuals, so a BAA that lets the business associate take up to 60 days to tell you leaves zero room to run your own notice process. Push for notice without unreasonable delay and no later than a defined short window, often 5 to 10 business days, with the clock starting at discovery.
Indemnification. Vendor templates frequently make indemnification one-directional in the vendor’s favor or stay silent. As the covered entity carrying the regulatory exposure, negotiate indemnification that covers breach-related costs the business associate caused, including notification, credit monitoring, and regulatory penalties. The indemnification clause library shows the market range of these provisions.
Liability cap carve-outs. A general liability cap that swallows data-breach losses is the costliest landmine in a BAA. Carve breach of confidentiality, PHI handling, and data-security obligations out of the cap, or set a separate, higher super-cap for them. See the limitation of liability clause library for standard carve-out language.
Audit and inspection rights. Most vendor templates give you none. Negotiate the right to request the business associate’s security documentation, certifications, or a SOC 2 report, and to audit on reasonable notice after a security incident.
Subcontractor controls. HIPAA requires flow-down, but the template version is often a bare promise. Ask for advance notice of new subcontractors that will handle PHI, the right to a current subcontractor list, and confirmation that flow-down BAAs are executed before any PHI moves downstream.
Cyber insurance. Require the business associate to carry cyber liability and professional liability coverage at a stated minimum, name your company as an additional insured where appropriate, and provide a certificate of insurance on request.
The required provisions make the contract compliant. These six make it fair, and the read that earns its keep is the one that turns a vendor’s protective template into a balanced allocation of breach risk.
Red Flags That Should Stop a Signature
Some terms are reasons to hold the signature until they change. Watch for these in any BAA review:
A breach notification window of 30 days or longer, or notice triggered at “confirmation of a breach” instead of at discovery of a security incident. Both eat the time you need to meet your own 60-day individual-notice deadline.
A liability cap with no data-breach carve-out, or a cap set at the contract’s annual fees. PHI-breach costs run far past one year of a vendor’s fees.
One-directional indemnification that protects the vendor and leaves the covered entity to absorb breach costs it did not cause.
Silence on subcontractors, or language permitting subcontractors with no flow-down BAA requirement. A subcontractor handling PHI without a BAA is a compliance gap that lands on you.
A “security incident” definition narrowed to exclude routine unsuccessful attempts in a way that also excludes reportable events, or a definition that omits the reporting trigger entirely.
No return-or-destruction obligation at termination, which leaves your PHI in a vendor’s system after the relationship ends.
A BAA that conflicts with the underlying services agreement or DPA, where the data terms in the data protection clause annex and the BAA say different things about the same PHI.
Catching these is the difference between a BAA review and a BAA rubber-stamp. When a red flag appears, the move is to flag it, document the ask, and hold the signature, because a defective BAA signed on a Friday deadline is a breach exposure that outlives the deal.
How AI Speeds BAA Review While the Duty Stays With You
The HIPAA duty belongs to your company. A covered entity and a business associate carry the obligation to have compliant BAAs in place and to safeguard PHI, and no platform discharges that duty for you. What a legal AI platform built for in-house teams does is take the mechanical part of contract review off the desk, so the lawyer spends judgment where it matters: the negotiated terms and the red flags.
That is the work Farley runs, the same Chief Privacy Officer we met in the opener. When a partner asked her to draft a response to a HIPAA compliance question that would usually take an hour, she described what changed:
“It’s doubled my productivity. In a startup AGC role I touch everything, and the context shifting can be fatiguing. The tool helps me re-ramp quickly.”
Her team built the workflow around reusable prompts: junior teammates run a standard checklist prompt against an incoming BAA, then bring her the output as the starting point for her review. The repetitive pass, confirming the seven required provisions, surfacing the breach-notification window, flagging a missing liability carve-out, runs the same way every time. That is what GC AI Playbooks, GC AI’s saved contract-review workflows, is built for.
A BAA Playbook carries your required-provision checklist, your breach-notification window, your liability carve-out language, and your subcontractor controls, runs them against each vendor BAA, and returns a redline plus a summary of where the document falls short. The lawyer takes the close calls; the workflow handles the boilerplate. The same encoded standards become the backbone of AI for compliance monitoring, so the positions you negotiate once keep watching every BAA that comes after.
GC AI is built for in-house counsel by CEO and co-founder Cecilia Ziniti, a three-time general counsel (Anki, Bloomtech, Replit).
This is not a tool hoping to land its first healthcare customer. More than 1,800 legal teams across 53 countries, including 80-plus public companies, already run their contracts through GC AI, among them legal departments at Hitachi, Columbia Sportswear, Snyk, and Liquid Death, and the NPS sits at 77 as of June 2026. When your security team runs its own review, the answers are there: SOC 2 Type II and SOC 3 certified, GDPR compliant, zero data retention agreements with OpenAI and Anthropic, and AES-256 encryption. We wrote up what to look for in data security for legal AI if your team wants the longer version.
A BAA is rarely the only thing a vendor sends you. The same deal usually arrives with an MSA, a DPA, and an order form, and the same review approach applies to all of them. A vendor agreement review covers the clauses that decide the risk across the whole package, the SaaS agreement playbook does the same for the six clauses that matter most in a SaaS deal, and the DPA often carries the HIPAA BAA as a separate annex.
The duty stays with your team, and the review still needs a lawyer’s judgment, so the win is reclaiming the hours the mechanical read used to cost and spending them on the terms that move breach risk.
See the same checklist run against your own vendor BAAs, on your own paper.
Frequently Asked Questions
What Is a Business Associate Agreement Review?
A business associate agreement review is the legal evaluation of a HIPAA BAA before signing, confirming it carries every provision required at 45 CFR 164.504(e) and negotiating the terms that allocate breach risk, cost, and liability. For in-house counsel, the review has two layers: a compliance-floor checklist of required HIPAA provisions, and a negotiation pass on breach notification, indemnification, liability caps, audit rights, and subcontractor controls.
What Must a HIPAA Business Associate Agreement Contain?
A HIPAA BAA must contain seven required elements under 45 CFR 164.504(e): permitted uses and disclosures of PHI, appropriate safeguards, breach and security-incident reporting, subcontractor flow-down of the same obligations, support for individual rights of access and amendment, availability of records to HHS, and return or destruction of PHI at termination. A BAA missing any of these fails the compliance floor and should go back to the vendor before any negotiation begins.
How Long Does a Business Associate Have to Report a Breach?
A business associate must report a breach of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days from discovery under the HIPAA Breach Notification Rule. Because the covered entity then has its own 60-day clock to notify affected individuals, in-house counsel typically negotiate a much shorter contractual window, often 5 to 10 business days from discovery, so the covered entity has time to run its own notification process.
What Are the Biggest Red Flags in a Vendor BAA?
The biggest red flags in a vendor BAA are a breach notification window of 30 days or longer, a liability cap with no data-breach carve-out, one-directional indemnification favoring the vendor, silence on subcontractor flow-down, and no return-or-destruction obligation at termination. Each one shifts breach cost or compliance exposure onto the covered entity, and each should hold the signature until it is renegotiated.
Do You Need a BAA With Every Vendor?
You need a BAA with every vendor that creates, receives, maintains, or transmits PHI on your behalf, including subcontractors that handle PHI downstream. Vendors that never touch PHI, such as a building’s janitorial service or a vendor on a conduit exception like a courier, generally do not require one, so the threshold question in every review is whether the vendor will access PHI at all.
How Often Should You Review Your Business Associate Agreements?
You should review your business associate agreements at least annually as part of your HIPAA compliance program, and again whenever a vendor begins a new service involving PHI, adds a subcontractor, or a regulatory change creates new BAA requirements. Annual review keeps signed BAAs current with both the vendor relationship and evolving HIPAA guidance, and it surfaces older agreements that predate your current negotiated positions.
Can AI Review a HIPAA Business Associate Agreement?
AI can accelerate the mechanical part of a BAA review by confirming required provisions are present, surfacing the breach-notification window, and flagging missing liability carve-outs against your standard positions, while the lawyer keeps judgment on the negotiated terms. A legal AI platform built for in-house teams, such as GC AI with Playbooks, encodes your required-provision checklist and preferred terms and runs them against each vendor BAA, returning a redline and a summary so counsel reviews the close calls and the workflow handles the boilerplate.
Who Is Responsible for HIPAA Compliance Under a BAA?
The covered entity and the business associate are each directly responsible for HIPAA compliance, and a BAA does not transfer that duty to a software platform. The covered entity must have compliant BAAs in place before disclosing PHI, and the business associate is independently liable under the HITECH Act for its own HIPAA obligations, so the review confirms the contract supports a duty that stays with the company.







