What a HIPAA BAA must say (and what most vendors hide)
Every pharmacy software vendor claims to be HIPAA compliant. A written, signed BAA is how you find out whether the claim survives contact with a lawyer.
“HIPAA compliant” is a marketing claim. Anyone can put it on a homepage. A signed Business Associate Agreement is a legal contract, and it is the document that determines who is obligated to do what, and who bears the cost, when something goes wrong with patient data.
If you’re evaluating any vendor that will touch patient data — delivery software, pharmacy management systems, SMS platforms, marketing tools — the BAA is the most important five-page document in the whole procurement process. Here’s what has to be in it, what vendors commonly leave out, and what to do when a vendor’s BAA isn’t real.
What a BAA actually is
A Business Associate Agreement is the written contract that HIPAA requires between a Covered Entity (your pharmacy) and any Business Associate (a vendor that creates, receives, maintains, or transmits Protected Health Information on your behalf). The required contract terms are set by 45 C.F.R. § 164.504(e) (Privacy Rule) and mirrored for electronic PHI in § 164.314(a) (Security Rule). The BAA doesn’t make a vendor “HIPAA compliant”; it defines the responsibilities each side has when the vendor handles PHI.
Without a signed BAA, a pharmacy sharing PHI with a vendor is making an impermissible disclosure under the Privacy Rule: § 164.502(e) only permits disclosure to a business associate once the pharmacy has obtained satisfactory assurances in a written contract. That is a compliance problem for the pharmacy, not just the vendor.
The nine provisions HIPAA requires
Every real BAA contains all nine of the following; they track the required elements of § 164.504(e)(2), and HHS publishes sample contract provisions that cover them. If any are missing or watered down, the document may not satisfy HIPAA and it almost certainly doesn’t protect the pharmacy.
- Permitted uses and disclosures. Exactly what the vendor can and cannot do with PHI. Anything not listed is prohibited.
- Prohibition on further use or disclosure. The vendor can’t use or disclose PHI for anything outside the defined purposes, which rules out marketing, resale, and training third-party AI models.
- Required safeguards. Administrative, physical, and technical protections consistent with the Security Rule for electronic PHI, and appropriate safeguards for PHI in any other form. Well-drafted BAAs point to a specific security policy or trust page rather than a bare promise.
- Reporting obligations. The vendor must report any use or disclosure not permitted by the BAA, any Security Incident, and any Breach of unsecured PHI, within a specific timeline. For Breaches, § 164.410 requires notice without unreasonable delay and no later than 60 calendar days after discovery; good vendors commit to much faster.
- Subcontractor flow-down. Any subcontractor that touches PHI must agree in writing to the same restrictions and conditions that bind the vendor. A published subprocessor list, with BAA status for each entry, is the starting point for verifying this.
- Individual rights support. The vendor must help the pharmacy respond to patient requests for access (§ 164.524), amendment (§ 164.526), and an accounting of disclosures (§ 164.528), within specific timelines.
- HHS access. The vendor must make its books and records available to the Secretary of HHS on request, so the pharmacy can demonstrate compliance during an audit.
- Return or destruction on termination. When the contract ends, the vendor returns or destroys all PHI; where that is infeasible, the BAA must extend its protections to the retained PHI and limit further use to the purposes that make return or destruction infeasible. HIPAA does not require a data export, so the BAA should say outright that the pharmacy gets a complete, portable copy on the way out.
- Termination for breach. HIPAA requires that the pharmacy be able to terminate the contract when it determines the vendor has violated a material term of the BAA. Cure periods are a contractual choice, not a HIPAA requirement; a well-drafted BAA gives the vendor a short window to cure and lets the pharmacy terminate immediately where cure is not possible.
Red flags that mean a BAA isn’t real
You don’t have to be a HIPAA lawyer to spot a bad BAA. The patterns repeat.
1. The vendor won’t send one until you’re “close to signing”
A vendor that treats the BAA as a late-stage legal hurdle has probably optimized their sales cycle for closing, not for compliance. Ask for the BAA in the first discovery call. If the answer is “we’ll send it after the demo,” you’ve learned something about how they think.
2. There’s no HIPAA BAA at all — only an MSA that claims to cover it
Some vendors try to fold BAA-type language into the general Master Service Agreement. The required terms can live in an MSA, but only if each of the provisions above is actually present and addressed to PHI; a generic “we’ll comply with applicable laws” clause does not satisfy § 164.504(e).
3. Breach notice is set at the legal maximum
“Without unreasonable delay and in no case later than 60 calendar days after discovery” is the HIPAA ceiling for a Breach of unsecured PHI. Good vendors commit to much faster: 10 days or less for confirmed Breaches, 24 hours for suspected Security Incidents. A vendor that sets breach notice at 60 days is saying you’ll be the last to know.
4. Liability is disclaimed or capped at zero for breaches
Read the Limitation of Liability clause, which usually sits in the MSA rather than the BAA. If the vendor caps all liability at a nominal amount (often $100 or one month’s fees), or disclaims consequential damages entirely, the pharmacy bears the cost of a breach even when the vendor caused it. Indemnification for breach of the BAA and for breach-notification costs should be carved out of the general cap.
5. The vendor owns “aggregated” or “anonymized” versions of your data
Watch for language like “Vendor shall be entitled to store, aggregate, and use any data generated as a result of the performance of Services.” On its face, this permits the vendor to commercially exploit a derivative of your patient data indefinitely, even after termination. HIPAA allows de-identified data to be used freely, but de-identification has a specific meaning under § 164.514(b) (removal of the Safe Harbor identifiers, or a documented expert determination), and “aggregated” is not the same thing. Aggregated data that has not been de-identified by one of those methods is still PHI.
6. No subprocessor list
A vendor that can’t tell you who its subprocessors are can’t show it has BAAs in place with them. Ask for a current list, with BAA status for each entry. A good vendor publishes this openly.
7. The BAA forbids the pharmacy from exporting its own data on termination
HIPAA requires the vendor to return or destroy PHI on termination where feasible; it does not require an export. Good vendors let the pharmacy export everything in a portable format during the contract and for a defined window after. A BAA that bars export, or makes it conditional on “reasonable vendor discretion,” should be a walkaway.
What to do when a vendor stalls
- Ask for the standard form up front. Not a redlined negotiation draft — the template they send to every customer. Any vendor that has been operating for more than a year should have one ready in ten minutes.
- Get the list of subprocessors and their BAA status in writing. If the vendor can’t produce this, assume there are gaps.
- Insist on a breach-notice timeline below the legal cap. 24 hours for suspected incidents, 10 days or fewer for confirmed Breaches, is achievable and standard for vendors that take this seriously.
- Read the liability and indemnification sections in the MSA at the same time as the BAA. The BAA doesn’t have commercial teeth without them.
- If the vendor refuses to negotiate in writing, walk. There are enough options in this category that nobody has to accept a BAA they don’t trust.
How we handle it at ScripRun
We publish our standard BAA at /baa. It’s there before you sign up, before you book a demo, before we know your name. The terms are the same for every customer: 24-hour suspected-incident notice, 10-day confirmed-Breach notice (both faster than the HIPAA cap), a subprocessor list with BAA status that is updated publicly at /security#subprocessors, pharmacy-owned data, a liability framework where breach-notification costs survive the cap.
If your lawyer wants redlines, we read markups. The fastest review cycle, though, is the one where the standard form is already acceptable — which is why we write it for pharmacies to accept, not for sales to negotiate around.