Success of vaccine passports hinges on data privacy
There are numerous legal and operational questions surrounding vaccine passports.
As COVID-19 vaccines become more widely available, a growing number of corporations and countries have begun to consider requiring vaccine passports—proof of vaccination for “entry.” There are numerous legal and operational questions surrounding vaccine passports, says Janice Suchyta, a partner with McGuireWoods whose practice area encompasses health law, including strategic, regulatory and operational advice to health systems, hospitals, academic medical centers, federally qualified health centers, telehealth and other digital startups.
Related: Digital vaccine passports and the legal risks for employers
“In theory, a vaccine record verification system could quickly and verifiably check a person’s vaccination status,” Suchyta said. “The digital vaccine passport would be accessed using a smartphone application that links the user’s COVID-19 vaccination record to a QR code displayed on the device. The Biden administration has already requested government agencies to ‘assess the feasibility’ of an electronic system that links coronavirus vaccine certifications to other vaccination documents.”
What about privacy?
The digital technologies powering digital vaccine passports raise privacy concerns, Suchyta said.
“First, vaccination programs would require a substantial collection of health data,” she explained. “Broader utilization of such systems would be essential for facilitating the data sharing required to make vaccine passports effective.”
Also, any application must be interoperable, meaning it must work with multiple systems across organizational and technical boundaries, she continued.
“Digital vaccine passports are largely being designed by tech companies and nonprofits, which makes interoperability a challenge,” she explained.
What precautions are being taken?
Whenever health information is connected to an identifiable individual, developers will need to develop safeguards for ensuring the security of that data, Suchyta says.
“These safeguards include collecting only the minimum data necessary to render the application functional, storing data for as little time as possible, promptly deleting data after functional use, and avoiding any undisclosed third-party tracking.”
Vaccine passports also involve technical challenges, including authentication of vaccine status, Suchyta said.
Unlike most countries, the U.S. has no national immunization information system (IIS)—a confidential, secure, population-based digital database that records all vaccine doses, she explained.
“Preventing falsification of vaccine status is vital to vaccine passport integrity,” Suchyta said.
School programs already systematically authenticate and enforce immunization status through standardized forms, she said. Currently companies are developing technologies to securely validate immunization status.
There is also discussion of using blockchain and digital ledger technologies (DLT) for a vaccine verification system framework, Suchyta said. The theory is that digital ledgers cannot be falsified and can reliably prove that a person has been vaccinated.
An electronic health record of a patient’s vaccination would be sent to the vaccine verification DLT in addition to the administering organization’s internal health- care information system or a regional electronic health record (EHR) system, she added.
What else should be done?
According to Suchyta, either a secure smartcard or tamper-proof label could be added to a passport or other ID card which could then be printed and given to the patient as physical proof of vaccination.
A patient with a smartphone who wants a digital vaccine certificate (in addition to the physical certificate), could use a mobile app on the patient’s device, she concluded.
Read more: