Bloomberg Law

Big Tech Unleashes Vaccine Passports as Privacy Questions Loom

April 19, 2021, 9:31 AM

Fans of the NBA’s Brooklyn Nets are flashing more than game tickets these days when entering Barclays Center.

They’re also required to show a recent negative Covid-19 test, a vaccination card, or their Excelsior Pass—New York’s first-in-the-nation “vaccine passport,” which uses QR codes on a smartphone to prove test results or vaccination against the disease.

The IBM-created Excelsior Pass, which debuted last month, is among a growing number of apps that could help Americans safely return to sporting events, theaters, restaurants, and flights.

But they’re also raising privacy concerns.

“It’s very important when we reopen communities and economies that there’s a level of trust in organizations such as the state of New York and IBM,” said Eric Piscini, IBM’s global vice president of emerging business networks who is leading the project. “We are here to serve communities and we are not just here to push out a piece of technology.”

Privacy fears around the public display of vaccination status threaten to hamper the rollout of a technology that could play a big part in reopening society and stemming the spread of Covid-19. But absent government coordination or regulation—and the Biden administration has been adamant that it won’t get directly involved—it’s left to the private sector to build consumer trust and navigate the laws that dictate how to keep data secure and confidential.

Tech Companies’ Role

The debate comes as the national vaccination effort is well underway. More than 200 million doses have been administered in the U.S., according to the Bloomberg vaccine tracker.

“There are a lot of unanswered questions from a legal perspective,” said Sean Sullivan, a health-care attorney at Alston & Bird LLP in Atlanta. “There’s not the same kind of privacy framework for this sort of thing.”

IBM Corp.'s vaccine passport uses an encrypted digital wallet on a smartphone so users can prove health status without sharing underlying medical or personal information. And blockchain technology obviates the need for a central database, creating instead a “hash” of the data used for verification.

Microsoft Corp. is partnering in the Vaccination Credential Initiative, which is developing an “implementation guide detailing the use of open, interoperable, and privacy-protecting standards,” a company spokesperson said.

The leading standards being floated, based on public-key cryptography and QR codes, are “very secure,” said Mike Joyce, an engagement manager at engineering and innovation firm Theorem LLC. “It provides an opportunity of scale that a piece of paper might not provide.”

State of Play

The federal government’s decision to remove itself from creating digital passports was made to avoid vaccine hesitancy from those “concerned the government will play too heavy-handed of a role in monitoring their vaccinations,” Andy Slavitt, the senior adviser for the White House’s Covid-19 response, said last month.

But health agencies are meeting to hammer out general guidelines for what they’d like to see in private company vaccine passports, which should be free to use, available in multiple languages, and accessible for the tech-averse, Slavitt said.

Overseas, European Union data regulators said plans for digital certificates must preclude access to and use of patient data by governments after the pandemic. The U.K. will test out its own system requiring people to show they are virus-free. And Israel has already launched its version of a vaccine passport called a “Green Pass,” which residents use to enter crowded spaces like concerts or weddings.

The International Air Transport Association is testing its own app that could confirm whether someone has been vaccinated or recently tested negative for Covid-19 before being allowed to board a flight. Virgin Atlantic and Qatar Airways are among the airlines running trials on the IATA pass.

In the U.S., some Republican state leaders are pushing back against requiring portable vaccine records.

Florida Gov. Ron DeSantis signed an executive order April 2 barring companies that get state grants or contracts from requiring patrons to display Covid-19 passports, calling the credentials “completely unacceptable” and expressing concerns about the exchange of private information. In Texas, Gov. Greg Abbott signed a similar order April 5.

DeSantis and Abbott haven’t tried blocking workplace vaccine mandates via executive fiat, a move that would very likely exceed their legal authority. But a handful of state legislatures are considering bills that would do just that, including Florida, Ohio, and Missouri.

Health Law Gap

Privacy and security requirements under the Health Insurance Portability and Accountability Act could make it more difficult for vaccination status to be obtained and shared. But whether vaccine passports fall under HIPAA’s purview depends on how medical information is accessed and whether a health-care provider is involved with the app, said Savera Sandhu, a partner at Newmeyer & Dillion LLP’s Las Vegas office.

HIPAA applies to health-care providers, employers who sponsor health insurance plans, and medical clearinghouses. It also generally applies to business associates such as information technology providers that assist covered entities in carrying out their duties.

App developers may find themselves outside of the HIPAA framework if they don’t work with a hospital and require users to directly upload their own medical information, including vaccination status, Sandhu said.

“They don’t necessarily fall under the health-care provider or associate category,” she said. “Those companies then may not be subject to HIPAA requirements.”

Some companies may opt for that approach—users uploading their own information—while others may glean vaccination status from a health-care provider.

“From a confidence standpoint, it’s important the consumers are in charge of what information they’re giving to the vaccine passport,” said Lauren Groebe, an attorney at Morgan Lewis & Bockius LLP in Chicago who’s focused on health, privacy, and cybersecurity.

Privacy First

App developers and the airlines, restaurants, and the like that use vaccine passports could get wider adoption and cut the risk of data compromise by collecting only necessary information, Sullivan said.

“A smart organization that collects this information would want to develop clear privacy policies and let people know how that information is being handled,” he said. “Some may choose to view passes but not retain or collect that data.”

Health or other personal information should be encrypted within apps and when it’s sent elsewhere, said Alon Kaufman, the Israel-based CEO and co-founder of Duality Technologies. “We need to have security, privacy, and safety built into these tools.”

Like all things digital, vaccine passport apps could theoretically be hacked, which means a single or handful of standards in the U.S. and internationally could help, said Marijus Briedis, chief technology officer at NordVPN in Lithuania.

“If we each have 20 different apps, how are we going to use them?” Briedis said. “Security and privacy concerns are amplified with more apps on your phone, since the area of attack increases exponentially.”

Employer Obligations

Companies generally have the authority to mandate that workers get vaccinated, though they must weigh requests for health-related accommodations under the Americans With Disabilities Act and religious objections under Title VII of the 1964 Civil Rights Act.

Given that legal landscape, the ADA shouldn’t prevent businesses from mandating workers or applicants prove they’ve been inoculated against Covid-19, employment lawyers said.

But the ADA does require employers to keep their workers’ vaccination information confidential. That could stymie the ability to share passport data with third parties, like service providers who may want to assure clients that the workers going to their homes or businesses have gotten their shots.

And getting workers’ consent to disclose their vaccine passports wouldn’t eliminate the threat of ADA liability, as courts could view that as coercive or discriminatory, said Peter Blanck, a Syracuse University law professor who’s written books on disability bias.

No company can guarantee that it has a totally vaccinated workforce due to the ADA and Title VII exceptions, said Karla Grossenbacher, an employment attorney at Seyfarth Shaw LLP. Instead of providing individual vaccine passports, an employer can simply tell a client that their workers are fit for duty and provide its fitness criteria, she said.

Still, legal observers aren’t unanimous on what the ADA requires in the way of companies sharing workers’ vaccine passports.

The Equal Employment Opportunity Commission’s permissive position on employers getting vaccination information suggests that it can be disclosed, said Myra Creighton, a Fisher & Phillips LLP attorney who counsels employers.

“If asking a person whether they’re vaccinated isn’t a disability-related inquiry, then if I tell somebody that, ‘Yes, Joe Smith has been vaccinated,’ it’s not a violation of the ADA,” she said.

To contact the reporters on this story: Jake Holland in Washington; Jacquie Lee in Washington; Robert Iafolla in Washington

To contact the editors responsible for this story: Gregory Henderson; Kibkabe Araya; Alexis Kramer