Covered Entities often share Limited Data Sets (LDS) with private companies that are not themselves Covered Entities, pursuant to a Data Use Agreement (DUA). However, an LDS may be used only for research, public health, or health care operations. Because an LDS is still PHI and still subject to HIPAA, the Covered Entity providing it will want assurance that it is being shared for a permissible purpose. (This requirement is captured in 45 CFR 164.514(e).)
If the private company is performing a function on behalf of a Covered Entity, a Business Associate Agreement (BAA) is needed in addition to the DUA. Since the advent of the HITECH Act, Business Associates are directly liable for protecting PHI (although Business Associates are not required to comply with every aspect of HIPAA). If the private company is a Business Associate, it is hopefully aware of this legal obligation and is following HIPAA appropriately.