Many travel advisories around the world are still restricting entry into countries that are in varying stages of their fight against Covid-19, but there is some good news on the horizon. The European Commission has announced it will allow travelers who have received approved vaccines to travel to and move freely within the European Union this summer.
And, according to President Joe Biden in his congressional address, that includes nearly 25% of Americans who were fully vaccinated as of April 25. But news of potential travel corridors raises challenging issues about the use of digital vaccine passports and how to protect users’ privacy.
The International Air Transport Association, which includes nearly 300 airlines as members, is developing an app to allow passengers to share test and vaccination results with area governments. The Biden administration has decided to stay out of the business of creating vaccine passports, but other jurisdictions in the EU are jumping in to have a heavy hand in this area.
Nevertheless, there won’t be a uniform system for how vaccine passports are treated between countries, or even between states. That leaves it to state governments and private sector companies to develop these passports, which will probably lead to a variety of approaches.
No Single U.S. Vaccine Passport Standard Coming
Dr. Anthony Fauci, who is leading the U.S. pandemic response, indicated that the federal government will probably play some role in offering guidelines on potential standardized proof of vaccine credentials. Because there’s no single U.S. vaccine passport standard, each developer of a program will have to weigh unique privacy, societal, and ethical concerns.
And in both the U.S. and Europe, there has been significant resistance to vaccine passports as a concept by those who believe they discriminate against those who choose not to be vaccinated. For example, in Florida and Texas there have been moves to ban requiring proof of vaccination to gain admission to public spaces like sports stadiums, restaurants and movie theaters. Therefore, these passport programs will need to be approached with some delicacy, and privacy issues are going to be at the heart of that.
We already see a few examples of what these programs may look like. New York was the first state to launch a vaccine passport program, which is a free and voluntary platform. It allows consumers to store proof of their vaccination or negative test results on their phones through a secure app. Participating businesses and venues, including Madison Square Garden, can scan those QR codes using a companion app. Because the app uses an encrypted digital wallet on a smartphone to store the information, organizations will be able to verify vaccination status without having to access the individual’s underlying personal data.
HIPAA, FTC Privacy Rules
Vaccine passport programs in the U.S. may implicate both Health Insurance Portability and Accountability Act (HIPAA) and Federal Trade Commission privacy principles and other international privacy rules. Vaccinations in the U.S. are often administered by HIPAA-covered entities, such as hospitals, medical practices, pharmacies, and other health-care providers. As a result, the vaccination records are protected health information (PHI) subject to HIPAA protections.
When a patient requests that the vaccination record be provided to a vaccine passport program, the disclosure of that PHI may be pursuant to a HIPAA authorization signed by the patient or a HIPAA patient access request. However, once the vaccination record is being maintained by the vaccine passport company, it will often be subject to FTC privacy principles rather than HIPAA.
Some vaccine passport programs may be considered personal health records (PHRs) subject to the FTC’s health breach notification rule. Companies offering vaccine passports may also be subject to the consumer privacy rights afforded by the California Consumer Privacy Act and, in 2023, the California Privacy Rights Act and the Virginia Consumer Data Protection Act.
So what does that mean with respect to the EU’s travel announcement? A proposal was published in early April for an EU-wide framework called the EU digital green certificate. More than a dozen countries have been discussing what this vaccine certificate for travel purposes would look like, and what privacy concerns it would trigger under the General Data Protection Regulation (GDPR).
Additionally, the U.K. has indicated it may consider signing up to the digital green certificate as well as utilizing the NHS app to show vaccination status for travel (and other) purposes. The primary purpose of the tool, which would be consumer-driven, would be to facilitate travel and not restrict travel, which is a growing concern of governments that wish to avoid a two-tier system. The certificates, which could be digital or paper, would provide either proof of vaccination, negative Covid-19 test results, or recovery from Covid-19 through antibody tests.
The certificate will need to be blessed by the European Data Protection Board and the data protection supervisor before it’s rolled out by the EU countries (and the U.K., if it chooses to participate). And, in line with GDPR and EU privacy laws, those bodies have already said that they will only allow the collection of necessary data.
With third parties like airlines collecting this vaccine information for international governments, adopting clear privacy rules with defined limits for data collection and storage is key. Since the call for a universal standard across the EU for vaccine passports has so far gone unanswered, travelers should expect to see a patchwork of requirements from different airlines and different countries. But now those regulations will be aimed at encouraging travel, with digital vaccine passports a central feature of every one of those rules.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.