This Applicant Privacy Notice (herein referred to as Privacy Notice) applies to personal information collected from applicants for positions with PA Options for Wellness (herein referred to as PAOFW).
Personal Information Collected
Through the application process, PAOFW may collect personal information in a variety of ways. Personal information includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an applicant. Personal information is collected in the following portions of the application process:
Application for Employment
When applying for a position with PAOFW, personal identifiers (name, email address, phone number(s), and/or address(es)) as well as professional and/or employment information (resume/CV, certification(s), qualification(s), employment history, and/or educational history) is collected. This personal information is used to assess a candidate’s application and suitability for the position, for communication purposes, and to comply with federal, state, and/or local laws.
Candidates may also be offered an opportunity to voluntarily self-identify (gender, race, veteran status, and/or disability status). This information is used solely for government reporting purposes and is not required.
Pre-Employment Background Check
Upon extension and acceptance of a conditional offer of employment, a background check will begin. In strict compliance with federal, state, and/or local laws, PAOFW utilizes a third-party vendor, First Choice, to conduct a pre-employment background check and drug-screen. First Choice’s privacy policy may be found by accessing https://firstchoiceresearch.com/privacy-policy/. In doing so, First Choice receives personal identifiers (name, physical address, telephone number, and Social Security number), professional or employment information (employment history and educational history), and/or medical information (drug test results). This information is collected via a secure portal and shared with PAOFW upon completion of the check via a report. The report is utilized by PAOFW to assess a candidate’s application and suitability for the position as well as in compliance with any/all legal requirements.
Employment Eligibility Verification
Upon hire, PAOFW will collect additional personal information to verify employment eligibility. All new hire employees will complete Form I9. As part of the process, PAOFW will collect personal identifiers such as date of birth, Social Security number, and forms of identification per page 3 of Form I9.
General Sharing of Personal Information
PAOFW will share personal information with service providers and other third parties as follows:
To Validate Applicant Information
Subject to federal, state, and/or local laws, PAOFW may utilize external services to collect, process, and/or validate personal information. Candidates may also be offered an opportunity to voluntarily self-identify (gender, race, veteran status, and/or disability status). This information is used solely for government reporting purposes and is not required.
With Service Providers
PAOFW may need share personal information with First Choice, a third-party background check vendor, who supports the application process.
Within PAOFW
PAOFW may share personal information within the Human Resources team for legitimate business purposes relating to an application for employment.
For Legal Purposes
PAOFW may be required to disclose personal information to third parties, such as government/regulatory entities, legal advisors, law enforcement agencies, etc. to protect legal interests and other rights, protect against fraud and/or illegal activities, for risk management purposes, and/or to comply with legal obligations.
During a Corporate Reorganization
Personal information may be shared if PAOFW enters into or intends to enter into, a transaction that alters the business structure, such as a reorganization, merger, acquisition, sale, etc.
Please note, PAOFW does not and will not sell any/all personal information.
For questions on this Privacy Notice, please contact us at compliance@paofw.com.
PHI/PII Confidentiality Policy
PA Options for Wellness, Inc. (“the Company”) is committed to safeguarding the privacy and security of all Protected Health Information (“PHI”) and Personally Identifiable Information (“PII”) collected in the course of providing medical cannabis services and conducting clinical or observational research. This policy describes the categories of information we collect, how we use and protect that information, and the rights available to patients under HIPAA and applicable federal privacy laws.
1. Information We Collect
a) Protected Health Information (PHI)
The Company collects limited categories of PHI necessary to provide pharmacist‑guided medical cannabis care and to support internal clinical research activities. This includes qualifying medical conditions, medical history when voluntarily provided by the patient, medication lists when voluntarily provided, all medical cannabis purchases, past cannabis use history when voluntarily provided, and cannabis product laboratory results (but no patient laboratory results).
b) Personally Identifiable Information (PII)
We also collect certain identifiers necessary for patient verification and compliance with state medical cannabis regulations, including address, date of birth, and state‑issued medical cannabis identification numbers.
2. How We Obtain PHI
The Company primarily receives PHI directly from patients during consultations, onboarding, or follow‑up interactions. We also receive limited information from the Pennsylvania Department of Health (DOH) for the purpose of verifying patient eligibility and accessing the correct patient record. On rare occasions, with patient consent, a pharmacist may contact a healthcare provider and receive relevant clinical information.
3. How We Use PHI
The Company uses PHI solely for purposes permitted under HIPAA and applicable state law. These purposes include providing pharmacist‑guided patient care, developing individualized cannabis regimens, verifying patient identity and eligibility in the DOH system, supporting internal clinical or observational research activities, and improving internal operations and patient services. PHI received from the DOH is used only to access patient records and confirm identity. We do not use PHI for marketing or the sale of information.
4. Disclosures to Third Parties
The Company does not disclose PHI to external research partners, universities, sponsors, or government agencies. Only de‑identified data is shared externally. We do use third‑party vendors who may have access to PHI for purposes of secure data hosting, IT support, or analytics. These vendors operate under Business Associate Agreements (BAAs) where required and/or implement their own safeguards.
5. Substance Use Disorder Information
To the extent any information collected qualifies as substance use disorder (SUD) information under 42 CFR Part 2, the Company complies with heightened confidentiality requirements.
6. Safeguards and Security Measures
The Company maintains administrative, technical, and physical safeguards to protect PHI and PII. These include HIPAA‑compliant environments with BAAs and multi‑factor authentication (MFA), OAuth‑based authentication, firewall protection, and access controls limiting PHI access to authorized personnel only.
7. Breach Notification
The Company maintains a breach response process overseen by its cybersecurity insurance provider. In the event of a suspected or confirmed breach, the incident will be investigated, and notifications will be issued in accordance with HIPAA breach notification rules.
8. Data Retention and Destruction
PHI is retained only as long as necessary to fulfill the purposes described in this policy or as required by law.
9. Patient Rights
Patients may ask to see or get a copy of their health records. They may also ask us to correct their health records if they believe the information is incomplete or inaccurate. In addition, patients may ask us not to use or share certain health information. We will review these requests and respond in accordance with applicable law.
10. Commitment to Compliance
The Company will not use or disclose PHI except as described in this policy or as permitted or required by law. Any future changes to this policy will apply to all PHI maintained by the Company.