Philly Fighting COVID, a private startup company tasked with vaccine distribution for the city, is under investigation. The Philadelphia Department of Public Health has ended its relationship with the startup after allegations that the company's privacy policies allowed for the sale of private information. More details on the alleged vaccine privacy violations are discussed below.
Vaccine Privacy Violations: What Do We Know?
On January 25, the Philadelphia Department of Public Health announced that it had stopped working with Philly Fighting COVID (PFC) due to a change in the company's privacy policies. Philly Fighting COVID changed its nonprofit status and updated its privacy policies to allow for the sale of patient data. PFC also stopped its COVID testing operations without first discussing it with the city.
A spokesperson for the Philadelphia Department of Public Health stated, “For PFC to have made these changes without discussion with the City is extremely troubling. As a result of these concerns, along with PFC’s unexpected stoppage of testing operations, the Health Department has decided to stop providing vaccines to PFC.”
PFC is currently under investigation by the Philadelphia District Attorney for mishandling COVID-19 vaccines and failing to disclose its change in status from a nonprofit organization to a for-profit organization. According to reports, 6,800 patients had received COVID vaccines from PFC before the vaccine privacy violations were publicized.
The Philadelphia District Attorney Larry Krasner said in a statement, “Like many members of the public, I have questions about the methods used by Philly Fighting COVID in collecting personal data from people signing up for vaccine information, and what this company plans to do or might have already done with that personal data, as well as WHYY’s reporting today that suggests the company’s founder might have taken vaccines meant for public distribution into his personal possession.”
However, PFC claims that the allegations of vaccine privacy violations are unfounded, saying they "Never have and never would sell, share, or disseminate any data we collected as it would be in violation of HIPAA rules." The company has also since updated its privacy policies.
Importance of Implementing Policies, Procedures, and Employee Training
Although it is unclear whether or not PFC violated HIPAA by selling patients' protected health information (PHI), its lack of privacy policies at the time of the allegations is concerning. Under HIPAA, PFC is considered a covered entity because it collected PHI and administered healthcare services by providing vaccinations. As such, it is required to comply with HIPAA standards by implementing policies and procedures and providing employee training.
These measures ensure that PHI is adequately protected and not subject to unauthorized use or disclosure, such as the sale of data to third parties. Under HIPAA, an organization's policies and procedures must be documented, and employees must be trained on those policies. Employees must also be trained on HIPAA basics and cybersecurity best practices. When organizations fail to have policies and procedures in place and fail to train employees, they are not HIPAA compliant and are therefore subject to HIPAA audits and fines.