> Palentir has certainly assisted, but the origin of the data collection here was public
Yes, it's surely public information and therefore ought to be subject to the same controls as any other personal health information. It seems moot that it was given to a private company; the issue just shifts to being that the private company (apparently) does not comply with data protection laws, e.g. HIPAA.
PHI collected by private entities that receive no state or federal funding whatsoever is still PHI and has the same PHI protections as data collected by the government directly. "Public information" doesn't play any role here.
Yes, it's surely public information and therefore ought to be subject to the same controls as any other personal health information. It seems moot that it was given to a private company; the issue just shifts to being that the private company (apparently) does not comply with data protection laws, e.g. HIPAA.