The Philadelphia District Attorney Larry Krasner said in a statement, “Like many members of the public, I have questions about the methods used by Philly Fighting COVID in collecting personal data from people signing up for vaccine information, and what this company plans to do or might have already done with that personal data, as well as WHYY’s reporting today that suggests the company’s founder might have taken vaccines meant for public distribution into his personal possession.”
However, PFC claims that allegations of vaccine privacy violations are unfounded saying they, “Never have and never would sell, share, or disseminate any data we collected as it would be in violation of HIPAA rules.” They have also since updated their privacy policies.
Importance of Implementing Policies, Procedures, and Employee Training
Although it is unclear whether or not PFC violated HIPAA by selling patients’ protected health information (PHI), their lack of privacy policies at the time of allegations is concerning. Under HIPAA, PFC is considered a covered entity since they collected PHI and administered healthcare services by providing vaccinations. As such, they are required to comply with HIPAA standards by implementing policies and procedures and providing employee training.
These measures ensure that PHI is adequately protected and not subject to unauthorized use or disclosure, such as sale of data to third parties. Under HIPAA, an organization’s policies and procedures must be documented and employees must be