Yes. Multiple covered health care providers can contract with a third party to perform data aggregation and linkage services on their behalf, as long as the providers enter into a HIPAA-compliant business associate agreement (BAA) with the third party, and so long as the aggregation is for purposes permitted under HIPAA. (Such third parties are considered to be “business associates” (BAs) under HIPAA and have direct compliance obligations with certain aspects of the HIPAA Rules.) In these cases, the participating providers may enter into one, common business associate agreement with the third party.
The BAA then governs the subsequent uses and disclosures that the BA may make with the data. For example, the BA may be authorized by its BAA to share the PHI on behalf of the participating providers with each other or other providers for treatment purposes, including care coordination, or, subject to certain conditions, for health care operations purposes.