Hacker News

Unfortunately, contracts with most medical companies or governments handling HIPAA data disagree.


Actually the HMO I worked for did. Every vendor such as ISPs, colos, and some API suppliers had to sign the CYA agreement. Most of them are aghast when you ask them to sign. Basically they have to take on all of the liabilities. I've never seen it have to be exercised however.


Do you sign business associate agreements with your colo facility, ISP, and landlord? They also are physically capable of accessing your data, even though they are legally or contractually forbidden from doing so.


The orgs that I have worked with draw the line somewhere between colo and ISP: anyone with potential access to unencrypted network traffic or who is operating equipment containing affected data. Usually the lawyers can agree to contractual terms for the landlord without a BAA.

I'm not arguing that it makes sense, just that it happens.



