AI Vendor BAA Evaluation Checklist

A signed BAA is the beginning, not the end. 12 clauses your AI vendors’ contracts may be missing.

Privacy Officers, healthcare attorneys, IT security managers, and procurement teams at covered entities and business associates evaluating AI vendors for healthcare deployments.

Most AI vendor BAAs are standard templates that were not written to address AI-specific risks — model training on PHI, complex subprocessor chains, AI-generated outputs containing PHI, and the question of who is liable when an AI tool makes a clinical error. A BAA can be signed and still leave the covered entity exposed.

A two-section checklist: six core HIPAA BAA requirements (with AI-specific annotations) and six AI-specific clauses not found in standard BAAs, including the AI model training prohibition, named subprocessor disclosure, data residency, AI output PHI handling, model accuracy liability, and audit rights. Plus a security documentation section and a quick decision framework.