In particular, Amazon's agreement included: A clause that puts all of the burden for securing data on the CE. No terms outlining how the BA would respond to breaches of unsecured PHI. Lack of specification about the BA’s level of access to PHI. A non-disclosure clause.