One main principle among public health measures is to use the least restrictive method necessary to protect the population, or to do the greatest good. From the public health perspective, requiring COVID status credentials (“Credentials”) makes sense because it allows people who present a low risk to others to not be subject to unnecessary restrictions. However, implementation and use of Credentials will require careful consideration of individual privacy concerns, as well as the ethical questions related to access and additional privilege.
In late March, the Biden administration announced that vaccination credentials or “passports” would not be mandated at the federal level and that there would be no centralized universal federal vaccinations database. Instead, the federal government’s role will be to develop standards for such solutions so they are designed to protect people’s privacy and are “simple, free, open source, and accessible both digitally and on paper,” according to White House coronavirus coordinator Jeff Zients.
To date, federal standards for the interoperability, security, or privacy of Credentials have not been published. Despite this fact, smartphone apps are already popping up that allow individuals to upload their COVID-19 test results and vaccination records and generate a digital QR code, which can be scanned to validate a person’s COVID status. A few companies are also developing a “smart card” option that does not require a smartphone.
Despite the lack of federal standards, these digital Credential solutions are already being implemented by health care providers administering the vaccine and by others who are looking to meet “reopening” requirements. This is because, while federal and state governments are not willing to require vaccination, proof of COVID status will otherwise be required in order for people to enter certain places. For example, in California the rules for reopening indoor live events require proof of vaccination or a negative test result from individuals before they are allowed to enter the venue. In New York, some state employees reportedly are required to use the state’s Credential solution, the Excelsior Pass, when returning to work.
While Credentials make sense from a public health perspective, concerns remain. Politicians in multiple states have proposed anti-passport legislation, citing privacy and civil liberty violations created by public and private entities requiring proof of vaccination.
One concern is the lack of comprehensive federal legislation that would protect the information that could be collected from individuals in connection with digital Credentials. While health care providers, health plans, and their contracted technology providers are generally subject to the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations – which impose certain security requirements and limit how health information may be used without a patient’s consent – HIPAA may not always apply to the data involved. For example, a patient could authorize their health care provider to disclose their test results and/or vaccine record to the Credentials vendor, who would then generate and maintain the passport credentials. The customer in this case is the patient, not a health care provider or health plan, which means that HIPAA would not apply.
While HIPAA applicability may seem like a minor distinction, the privacy and security implications can be significant. Under HIPAA, patients may share their health information however they choose, and health care providers and plans are required to send records to third parties upon a patient’s request. The sending of such records does not, in itself, make the third-party recipient subject to HIPAA. Digital Credential vendors and the public and private entities verifying testing/vaccination status thus may bypass HIPAA’s privacy and security requirements.
Businesses that collect COVID status and other consumer information may still be regulated by the Federal Trade Commission (FTC). However, generally speaking, fewer privacy protections apply in this kind of situation, and the applicable security standards are less specific. At the state level, digital Credential vendors may be subject to laws that are similar to, or even more stringent than, HIPAA, but this is not always the case.
As a result, the door is potentially left open for companies to collect substantial amounts of electronic health and other data without the privacy and security protections that exist in a traditional health care environment. Due to the potential value of the data and the fact that the Credentials will be offered for free, some skeptics believe companies will want to monetize the data collected to the fullest extent possible. Additionally, the potential for government agencies to collect data using Credentials and use it for purposes beyond public health (e.g., monitoring and law enforcement) is a legitimate concern. If either of these things happens, there will still be a “cost” to people in using these Credentials, and in the absence of a reasonable alternative people may have little choice but to pay it.
The use of Credentials raises ethical concerns as well. Ultimately, Credentials should be available and accessible to all, via a variety of mechanisms. In practice, the use of Credentials raises the question of equal access and the further divide that could be created in society. Reports indicate that vaccine availability still varies greatly among communities, and that the rate of vaccination among racial minorities and low-income populations remains low. As a result, requiring or allowing use of a Credential becomes a privilege for those who have been vaccinated, which could lead to significant bias against anyone without a Credential. Implementation and use of Credentials also need to account for the subset of the population who are unable to receive a vaccine for medical reasons and those who may object to a vaccine based on religious or philosophical beliefs. Without some form of accounting in the implementation of Credentials, these groups may be unnecessarily penalized.
For the moment, individual users of digital Credentials are trusting the recipients of their data. Private and public entities are left to make tough decisions about the development and use of Credentials from a legal and ethical perspective while trying to anticipate the guidelines that might be articulated by the Biden administration.