Healthcare organisations face a paradox: they operate under some of the most stringent data protection regulations in the world, yet their software procurement processes are frequently among the least disciplined. HIPAA compliance requirements, EHR vendor relationships, and the proliferation of cloud-based clinical tools have created a licensing environment where costs compound year on year — often without corresponding value. The good news is that every major healthcare software contract is negotiable, provided you know what to ask for. This guide explains the key licensing considerations unique to healthcare and how to use them as leverage.
HIPAA BAA Requirements and What They Mean for Cloud Contracts
Any cloud software vendor that processes, stores, or transmits protected health information (PHI) on behalf of your organisation is a Business Associate under HIPAA. That means they must sign a Business Associate Agreement (BAA) before any PHI touches their systems. In practice, most major cloud vendors offer standard BAAs — but the terms of those agreements vary enormously and directly affect your negotiating position.
What a BAA Should Cover
A well-drafted BAA will specify the vendor's permitted uses and disclosures of PHI, its obligations for sub-processors (subcontractors), breach notification timelines (the HIPAA Breach Notification Rule allows a business associate up to 60 calendar days after discovery to notify you, so push for a much shorter contractual deadline), data return or deletion commitments on contract termination, and your audit rights. Many vendors, including Microsoft, Salesforce, and ServiceNow, offer BAAs as part of their enterprise agreements, but those templates are written to protect the vendor, not you.
Common weaknesses in vendor-standard BAAs include sub-processor clauses that permit downstream PHI sharing without naming the subcontractors or giving you notice of changes, 30-to-60 day data deletion clauses with no verification mechanism (which is why they are rarely enforced), and breach notification language that carves out exceptions for "minor" incidents. Before signing any cloud software agreement that will process PHI, have legal review the BAA against your HIPAA risk register, not just the commercial terms. See our related guide on enterprise AI governance contracts for how these risks extend to AI-powered tools.
BAA Status as a Negotiation Tool
Refusing to sign a non-standard BAA is a legitimate reason to delay a renewal or require contract concessions. If a vendor cannot provide a BAA that meets your requirements, you cannot lawfully disclose PHI to them, which eliminates a significant portion of their proposed use cases. Use this fact to require price reductions for any modules you cannot deploy because of BAA limitations, and to exclude those modules from true-up calculations entirely.
EHR and EMR Licensing: Epic, Cerner/Oracle Health, and the Lock-In Dynamic
Electronic Health Record systems represent the largest and most complex software licensing commitment most healthcare organisations will make. Epic and Cerner (now Oracle Health after Oracle's 2022 acquisition) dominate the market across NHS Trusts, integrated delivery networks, and large private hospital groups. Both operate on pricing models designed to maximise switching costs and annual uplift.
Epic Licensing: Module Sprawl and FTE-Based Pricing
Epic licences individual modules (Ambulatory, Inpatient, Radiology, Pharmacy, MyChart, and dozens more) against a base fee tied to your organisation's size, typically measured in clinical FTEs or number of beds. Annual maintenance runs at approximately 18–22% of the original licence value, so a £3M licence fee creates a £540,000–£660,000 annual cost floor before any upgrades or new modules.
The most common over-spend occurs when organisations license modules during the implementation phase that they never fully deploy. Epic's contract structure makes it difficult to remove modules post-implementation, since Epic will argue that the module is part of the integrated suite, but unused modules can frequently be excluded from maintenance calculations at renewal if you document non-deployment formally. Redress has secured credits of 12–19% on Epic renewals by systematically auditing module activation rates against contractual commitments. Our healthcare advisory team can support the same approach for your organisation.
Oracle Health (Cerner): Subscription Transition and Millennium Licensing
Following Oracle's acquisition, Cerner's licensing model is in active transition from perpetual Millennium licences to Oracle Cloud Infrastructure (OCI)-hosted subscription arrangements. Organisations on legacy Millennium perpetual deals have significant leverage: Oracle wants migration to OCI-based contracts, which generate recurring cloud revenue. That urgency creates negotiating room.
Key negotiating points for Oracle Health customers include: freezing legacy maintenance rates as a condition of any migration commitment; requiring Oracle to carry the migration cost as part of the commercial package; and building in contractual price caps on OCI consumption, since usage-based billing scales with clinical activity. Oracle's licensing complexity, particularly its processor-based metrics and its partitioning policy for virtualised environments such as VMware, makes independent advisory essential before any migration decision. Our Oracle licensing whitepaper covers the technical risks in detail.
Microsoft 365, Salesforce Health Cloud, and ServiceNow Healthcare
Beyond EHR systems, healthcare organisations increasingly rely on a stack of clinical collaboration and operations platforms — each with its own licensing complexity and renewal risk.
Microsoft 365 for Healthcare: Teams, Copilot, and HIPAA Compliance
Microsoft 365 is nearly ubiquitous in healthcare, and Microsoft has introduced dedicated healthcare capabilities including Teams for clinical communication, Nuance DAX for ambient clinical documentation, and Copilot for Microsoft 365. Each layer adds licensing cost, and each must be confirmed as in scope of Microsoft's BAA (Microsoft lists the covered services in its product terms) and configured accordingly before any PHI is processed through it.
The most common over-spend on Microsoft 365 in healthcare organisations involves licence tier misalignment: clinical staff assigned E5 licences when E3 with targeted add-ons would cover their actual usage at 22–30% lower cost. Microsoft's annual true-up model also creates a ratchet effect: licences added mid-year cannot be reduced during the enrolment term, and at renewal the inflated count becomes the baseline unless you formally contest it. Redress benchmarks show that NHS Trusts typically overspend by £85–£140 per user per year on Microsoft 365 relative to what peer organisations pay for equivalent configurations.
Salesforce Health Cloud: Platform Licensing and Integration Costs
Salesforce Health Cloud builds on the core Salesforce platform to provide patient relationship management, care coordination, and referral management capabilities. Licensing is complex because Health Cloud sits on top of standard Salesforce CRM licences — organisations often pay for both layers without realising the duplication. Integration costs with EHR systems via HL7/FHIR interfaces add further expense that Salesforce routinely underestimates during the sales process.
At renewal, the key leverage point is the existence of EHR-native patient engagement modules (Epic MyChart, Oracle Health Patient Portal) that may duplicate Salesforce Health Cloud functionality. If you can demonstrate functional overlap, you create grounds for either price reduction or module exclusion. See our guide to software licensing in regulated industries for parallel negotiation approaches.
ServiceNow Healthcare and HRSD
ServiceNow's Healthcare and Life Sciences (HCLS) bundle combines ITSM, HRSD, and compliance management for clinical environments. Pricing is per-user across clinical and administrative staff, but the model conflates very different user types: a ward sister with a ServiceNow login for incident reporting should not cost the same as a full ITSM fulfiller. Mapping user types to the appropriate licence tier before renewal is a straightforward exercise that consistently yields 15–22% cost reductions. Our detailed ServiceNow HRSD licensing guide covers this in full.
How to Negotiate Healthcare Software Contracts
Healthcare software vendors know that switching costs are high and procurement processes are slow. Their renewal strategies exploit both facts. The following principles consistently shift outcomes in healthcare organisations' favour.
Document Compliance Risk as Commercial Leverage
Regulatory requirements — HIPAA, NHS Data Security and Protection Toolkit, GDPR — create contractual obligations that run in both directions. If a vendor cannot provide evidence of ISO 27001 certification, DSPT compliance, or adequate sub-processor transparency under GDPR Article 28, you have legitimate grounds to delay signature and require remediation. Vendors who want to close the deal before your financial year-end will move faster on commercial terms to keep the renewal on schedule.
Build Competitive Tension Without a Full Market Exercise
Healthcare organisations frequently assume they cannot run a competitive process for EHR or core clinical systems — replacement timelines are too long and clinical risk too high. But competitive tension does not require a completed tender. Requesting information from alternative providers, engaging a specialist healthcare IT advisory firm, or simply commissioning a business case for migration creates documented competitive pressure. Epic and Oracle Health both offer meaningful discounts when they believe migration is a genuine consideration rather than a negotiating posture.
Tie Renewals to Implementation Milestones
Clinical software implementations routinely slip. If a vendor is six months behind on a module deployment, any maintenance payments for that module during the delay period represent pure over-payment. Build milestone-linked payment schedules into contracts at signature stage, and apply the same logic at renewal: unused capacity from the prior year should translate into reduced Year 2 fees or extended contract terms at no additional cost.
For healthcare organisations looking to take a structured approach to software cost management, our assessment tools provide a baseline spend analysis that identifies the highest-value optimisation opportunities before you enter any renewal negotiation. Book a call with our healthcare advisory team to start the process.