SPECIAL CONSIDERATIONS FOR HOW TO APPROACH HANDLING EMPLOYEE HEALTH INFORMATION POST-PANDEMIC
by Michael Hughes, MSJ CIPM
Digital Vaccine Passports are growing in popularity as states and countries around the world explore whether they are a panacea for economic recovery. Political leaders and business owners weigh the options for reopening. Driven by concerns about the economy, industry collapse or business failure, political leaders and business owners are subscribing to the idea of using digital vaccine passports to restart or jump-start economies. They often justify their support by drawing comparisons to the Yellow Fever vaccination card, which is considered a vaccine passport in its own right. This report will examine the comparative relationship between the Yellow Fever vaccination card and digital vaccine passports in order to understand whether the former can reasonably be used to justify the latter.
The central common goal behind vaccine passports is to protect public health and safety by containing the spread of infection. But what differentiates the Yellow Fever vaccine card from digital vaccine passports are their regulation, the documentation methods, the specific group of people who use them, and the types of viral transmission they are meant to deter. Another distinguishing factor is their impact on individuals’ privacy. The nature of the Yellow Fever vaccine card protects travelers’ personal information by default, by virtue of law and existing international agreements. Digital vaccine passports are not yet regulated by a specific law and thus may raise more issues than they settle, offering inconsistent protections for consumers and businesses since no law covers them by name.
Digital vaccine passports for the SARS Coronavirus 2 (SARS-CoV-2) or COVID-19 pandemic are not administered by a central authority. Instead, digital passports are apps developed and maintained by private companies. Their usage is meant to protect public health and safety by qualifying vaccinated individuals, and individuals who have tested negative, for admission into public venues where SARS-CoV-2, a respiratory illness, may be transmitted from person to person by means of aerosol droplets suspended in the air after having been exhaled by an infected person. Unlike digital vaccine passports, the Yellow Fever vaccine card is a physical document-- a yellow card issued by a registered Yellow Fever vaccination center under the authorization of dually regulated federal and state health departments, and the World Health Organization (WHO).1,2 The “yellow card,” as it is colloquially known, is used by international travelers for entry either into or from countries in infected regions where Yellow Fever is contracted through mosquito bites.3 Contrary to popular belief, the yellow card is not required for entry into every country in every infected region.4 Presently, unlike its position on Yellow Fever vaccination cards, the WHO does not recommend using proof of SARS-CoV-2 vaccination as a requirement for entry into any country.5
Not all the private companies developing digital vaccine passports and maintaining databases of medical records documenting testing or vaccination for SARS-CoV-2 are covered entities under HIPAA. Non-covered entities are not required to protect this information as protected health information. Given the nature of digital vaccine passports, even though these non-covered entities are processing medical information, they are more likely to be regulated under the Fair Credit Reporting Act (FCRA) than under HIPAA, since the personal information they process will be used to bear “on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility.” 15 USC § 1681a(d). By contrast, registered Yellow Fever vaccination centers are healthcare providers. The yellow card that they issue following vaccination is a medical record and protected health information under HIPAA because it is created by a health care provider and relates to the present health condition of the individual to whom it was issued, for the intended purpose of identifying that individual.
There is debate around the world regarding digital vaccine passports. Countries are eager to restart their economies after extended periods of quarantine which have kept employees home from work and consumers from shopping. The results of globally stagnant economic activity have forced businesses to shutter, employees to lose wages, and some to lose their savings and their homes. Vaccines have been developed in record time and despite initial hesitation, more and more people are getting vaccinated. Vaccination is slowly winning public confidence, quickly galvanizing faith in reopening and returning to business as usual; though public health experts still advise caution. Dr. Fauci still urges Americans to maintain vigilance as he continues to recommend social distancing, double-masking, and abstaining from gathering in small groups.
As states reopen under differing interpretations of CDC guidelines, they are trying to determine how to balance public health and safety with commerce and trade. Except for public school enrollment purposes, states generally lack the authority to broadly mandate vaccination. Even then, medical and religious exemptions may apply. Consequently, states are trying to figure out how to keep their constituents safe from infection while permitting businesses to operate on the journey towards normalcy. Many believe the solution is a “Vaccine Passport,” an instrument for proving that an individual has tested negative for the coronavirus or been vaccinated, warranting the reasonable likelihood that they will not infect others or become infected by others. Health care providers, tech companies and at least one state have seized on this idea, bringing several digital vaccine passports to market. Carbon Health has Carbon Health Pass. Clear, the tech company known for its subscription-based, TSA-approved identity pre-screening app, will roll out a product upgrade called Health Pass.6 The state of New York, working in partnership with IBM, developed Excelsior Pass, while Israel has launched Green Pass. Maintaining the recommended physical protections has no doubt reduced quality of life and impedes businesses’ ability to compete. Digital passports seem to provide an elegant solution-- the peace of mind consumers are looking for in order to enjoy themselves in public, and the justification business owners need to reopen safely so they can cater to consumers. Digital vaccine passports appear such an obvious solution for reopening during the pandemic that they have drawn comparisons to Yellow Fever vaccination cards. But thoughtful analysis reveals that such comparisons are presumptive and that they fail to consider the full impact digital vaccine passports may have on privacy and commerce.
Digital Passport as a consumer report
Digital vaccination passports like those currently being used to demonstrate proof of vaccination or negative test results for SARS-CoV-2 are meant to be ubiquitous in their practical use, unlike Yellow Fever vaccination cards, which are used primarily for travel. The difference in the scope of use between Yellow Fever vaccination cards and digital vaccine passports further distinguishes the latter as consumer reports rather than protected health information. Digital vaccination passports essentially stand in for the physical CDC vaccination card that people receive after their first dose. Those vaccination cards are considered protected health information under HIPAA because they contain personally identifiable information created by health care providers. 42 USC § 1320d. The vaccination information on the physical card is transferred to a database that pushes the individual’s information to the digital vaccine passport residing on the individual’s smartphone or other smart device when requested. According to Kristin Devoe of Empire State Development, the organization responsible for New York State’s Excelsior Pass, the digital vaccine passport is a digital copy of the vaccine record.7 For that reason, digital vaccine passports may not be protected under HIPAA when the app provider is neither a health care clearinghouse, nor a health care provider, nor a health plan. 42 USC § 1320d-1(a). This is due to the ambiguity of the language in HIPAA, which could be interpreted to mean that “any information” created by one of the covered entities above also includes derivative information such as digital copies. But that conclusion might be nullified by the provisional component that designates the origin of the information. Said differently, does “any protected health information” under HIPAA include derivatives of that information created by non-covered entities?
Based on these provisions, health care companies like Carbon Health would be considered covered entities under HIPAA, and the medical record of vaccination in their digital vaccine passport could be considered protected health information. But tech companies like Clear would not meet the standard as a covered entity under HIPAA. They are neither a healthcare provider nor a health plan. Furthermore, the information in the medical record being copied would have been transposed from the physical copy to the digital vaccination passport by the individual, not the covered entity.8 The only category where Clear might qualify is as a health care clearinghouse. But then, without having received the health information from a covered health care provider or health plan, the processing of the health information may not meet the standard for processing by a clearinghouse as clarified by the U.S. Department of Health and Human Services Office of the Assistant Secretary for Planning and Evaluation.9 That is, since the digital vaccine passport is not being used to process and standardize health information as part of a transaction related to the facilitation of health care, these providers are not subject to health privacy regulations under HIPAA. The same restrictions apply to state-sponsored digital vaccine passports like New York State’s Excelsior Pass. There, the state and its health department may be covered entities, but again, the point of origin for individuals’ health information determines whether that health information is protected by HIPAA, and if not, under what laws it may be protected. Returning to Carbon Health’s digital vaccine passport, based on the analysis so far, even though Carbon Health is a covered health care provider that generally processes health information for qualifying purposes under the law, when it discloses an individual’s health information to a non-covered third party, its disclosure of the information may not be covered under HIPAA.
There appear to be loopholes in health information privacy law which might expose individuals to threats. For all the criticisms around the lack of a comprehensive privacy law at the federal level, this is one example where the sectoral approach demonstrates its effectiveness. Privacy professionals recognize 18 specific pieces of information necessary to comprise protected health information.10 These data are also protected as personally identifying information under other laws; the most relevant among them being the Fair Credit Reporting Act (FCRA). 15 USC § 1681a(d)(1). The intended purpose of digital vaccine passports is to qualify individuals for admission to public venues. Seen together, the types of information which are protected under HIPAA and the purpose that digital vaccine passports are meant to fulfill are consistent with the purpose of a consumer report under FCRA. Here, consumer reports are “...any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility…” 15 USC § 1681a(d); 1681b(a)(2), (a)(3)(F); 1691(a). This means digital vaccine passports are also consumer reports. FCRA makes it clear that medical information may also be considered “any information” by carving out explicit exceptions. 15 USC § 1681a(d)(3), 15 USC § 1681b(g)(3). Said differently, medical information or protected health information is not covered by FCRA because it is already covered under HIPAA-- but it may be covered by FCRA when its disclosure and use fall outside the scope of medical, insurance industry, and state-regulated practices. The significance of this provision can’t be overstated. It reinforces the point under HIPAA that medical records, when processed for the purpose of facilitating commercial transactions unrelated to health care services, are not considered protected health information and are thus covered by FCRA.
Proponents of digital vaccine passports evangelize their benefits to consumers, which, in the context of FCRA, is appropriate because a digital vaccine passport is a consumer report, intended to evaluate consumers’ risk profile. 15 USC § 1681a. But to whom does the consumer pose the risk? This question is a third-rail issue, because it closely resembles the social credit system in China, where the state tracks citizens using biometric information instead of health information per se to influence social behavior and curb dissidence. Skeptics may argue that digital vaccine passports are anti-democratic and anti-free-market; that requiring consumer reports from people for trivial practices like dining out, attending live events, and going to school might be the beginning of policy creep that normalizes the invasion of individuals’ privacy in ways that undermine the Fourth Amendment and other privacy laws. The most memorable example is the invasion of privacy permitted by the USA Patriot Act, under which various programs and laws, including the PRISM information surveillance operation, FISA laws and courts, and others, have already cost the United States its adequacy status with the European Union, C-311/18, ECLI:EU:C:2019:1145; making it harder for businesses to balance compliance with their business interests. Besides privacy, digital vaccine passports raise equal protection and fair trade concerns that affect individuals and businesses respectively. FCRA intends to balance individuals’ right to privacy protection against covered consumer reporting agencies’ right to collect and convey individuals’ personal information through sale or other disclosure. It means to protect consumers by narrowing the effect of choices individuals have made in other areas of their lives that should not necessarily come to bear on their rights of equal access to resources or services in every single category.
Digital vaccine passports, as consumer reports under FCRA, could enable wider business scrutiny of consumers every day, in every consumer category, thereby normalizing the imbalance of power in the consumer-to-business relationship, where businesses could deny services to individual consumers or consumer groups who either have not been tested, tested positive, or have not been vaccinated for SARS-CoV-2. Conversely, businesses not previously considered consumer reporting agencies may find themselves assuming greater accountability, costs and oversight for protecting consumers’ personal information. These businesses, if reliant on, or compelled to use, digital vaccine passports for consumer reporting, may find themselves more exposed to discrimination suits or FTC complaints and expensive consent decrees as the result of making determinations about whom to serve based on sensitive categories of data like medical information.
The adverse and unintended impacts of digital vaccine passports on consumers and businesses accumulate pretty quickly. So-called “vaccine hesitancy” refers to substantial segments of consumers who are declining vaccination. There may be valid reasons among this group for refusing vaccination, such as severe reactions to the vaccine or the unknown risks of complications arising from vaccination and pre-existing underlying conditions.11 When using digital vaccine passports is so ubiquitous that it becomes standard social practice, those in the vulnerable group of consumers who have declined vaccination will probably be required by social convention to use the app and unwillingly disqualify themselves as a result of their vaccination status, unless businesses assume the burden of modifying their operations to equally accommodate unvaccinated people to the same standard as they do vaccinated persons. Brown v. Board of Education, 347 U.S. 483 (1954). Otherwise, businesses using digital vaccine passports in order to determine whom they accommodate expose themselves to federal and state complaints and violations under laws like the Americans with Disabilities Act (ADA) or the Genetic Information Nondiscrimination Act (GINA). The increased legal liability, or the potential therefor, may require a substantial investment in compliance or remediation, which would defeat the very purpose for adopting digital vaccine passports in the first place, which ultimately would have been to make it easier to conduct business and collect a profit during the pandemic. This way, digital vaccine passports could make it harder and more expensive to stay open, especially for smaller businesses that don’t have the resources to sustain compliance programs or defend against claims.
The privacy burden for digital vaccine passport providers, and the increased risk of discrimination liability that subscribing businesses may incur, arise in part due to the consent mechanism under which consumers intentionally share their personal information and reasonably expect that it will be kept safe and free from unauthorized access and usage in ways that may prove injurious. But under a socially standardized regime that requires consumer reporting for routine transactions like dining out, attending concerts and sporting events, attending school, or visiting theme parks, consent will support every transaction. Businesses using legitimately obtained personal information through consumer consent will not easily be able to escape strict scrutiny for using that information when selectively denying “high risk” unvaccinated consumers admission or services while obfuscating their intent. There will be virtually no plausible deniability. When digital vaccine passports are the instrument for evaluating eligibility, the single most qualifying factor is medical status-- namely vaccination or testing status. It follows, then, that a business’s intent, when requiring consumers’ consent to access and evaluate the personal information stored in digital vaccine passports, is to select whom to serve or admit, and whom to exclude. If businesses processed consumers’ personal information without consent for the same purposes, it would be an inappropriate and unauthorized breach of privacy-- an invasion of privacy, subject in some cases to criminal prosecution. But if businesses were not reliant on, or compelled to secure, consent to evaluate consumers’ risk profiles as a bar to service or entry, they could more easily retain the appearance of objectivity when defending against discrimination claims. It stands to reason that since processing consumers’ personal information cannot be separated from the consent mechanism, businesses might be better served by not using consumer reports and avoiding the risks and added burden digital vaccine passports present in order to conduct regular business in the so-called “new normal.”
Yellow Fever vaccination cards are obviously not a consumer report in any context, but comparisons between the Yellow Fever vaccination card and digital vaccine passports still prevail. These comparisons focus only on the narrow similarities between the Yellow Fever vaccination card and digital vaccine passports’ utility as instruments for documenting health status for public safety reasons. Proponents use this comparison to construct an argument along a slippery slope, theorizing that the same reasons why governments monitor the health and wellness of international travelers should apply as the reasons why businesses should have access to monitor the health and wellness of consumers. For the comparison to be valid, it must include a comprehensive analysis of the privacy impact each instrument has on the individual. Digital vaccine passport consumer reporting agencies warrant that users’ personal information is safe by virtue of not being stored on users’ devices. But this does not preclude third-party businesses from storing the information themselves. We will recall that the consent mechanism provides third-party businesses with a legitimate basis to access the personal information via the vaccine passport. So even though the makers of digital vaccine passports have remarked that they would not use the stored information to track consumers, neither they nor the third-party businesses to whom they disclose the information have provided any guarantee that the third-party recipients won’t, which is troubling in light of the loopholes in FCRA and HIPAA which permit them to do so. When we revisit the earlier analysis, we recall that users’ data which would normally be considered protected health information under HIPAA becomes regular personal information when provided in a digital vaccine passport, because its intended purpose is to bear on a consumer’s eligibility for non-medically-related commercial transactions. When medical information has been rendered as personal information based on the intended use, and provided to a third-party business by the consumer upon consent, the personal information may be used by the business for “legitimate business purposes” like customer relationship management.
Yellow Fever vaccination cards permit governments whose countries require them for entry the right to monitor and track travelers and their health under the legitimate basis of public health and safety. Businesses owe a duty of care to protect the public health, but that duty doesn’t impart the unrestricted right to routinely monitor, track and aggregate consumers’ health information with each transaction. Yellow Fever vaccination cards don’t offer total anonymity, but they have a narrow scope of use: they cover a narrow class of individuals and track a narrow subset of actual or probable threats within that class for a narrow period of time. Yellow Fever vaccine cards therefore still appear to offer better privacy protection than digital vaccine passports, since persons possessing the physical yellow card have greater control over who has access to their medical record. Unlike their digital vaccine passport counterpart, travelers who possess the card are themselves the link to the otherwise anonymous personal information. Without the actual person to whom the vaccine record belongs, and without sufficient aggregate data to link the information to a specific individual, the risk of breach is low. Further, because it is a physical document, consent to access the information is easily rescinded or revoked once the yellow card is returned to the traveler. The instantaneous nature of the request for consent, grant of consent, review of the document, and revocation of consent eliminates the need for access by third parties who may not be adequately qualified to collect, maintain, secure, or dispose of the information, further reducing the risk of breach to the traveling individual.
Contrasted with digital vaccine passports, the breach implications are myriad. When we look at all the facets of modern living that consumer reports influence, we start to recognize the moral and ethical complications surrounding their usage. So far this analysis has focused on the consumer and business impact of privacy policy, but looking more closely, we will find that the issue of digital vaccine passports doesn’t just affect commerce in terms of sales; it may also affect commerce in terms of employment. The United States’ Equal Employment Opportunity Commission (EEOC) published guidelines for businesses reopening during the pandemic. The guidelines permit employers to require vaccination and/or testing as a requirement or condition for employment.12 Many have misinterpreted this guidance as having the effect of law authorizing employers to invade individuals’ privacy. The guidance is not law, and it does not have the power or effect of law. It is only the agency’s public advisory during this state of pandemic emergency, informing businesses that within certain parameters, it will neither dictate nor prohibit employers from determining whether to adopt reasonable standards for workplace safety, including SARS-CoV-2 vaccination as a minimum requirement for employment. The EEOC’s guidance survives strict scrutiny because of the public interest in protecting public health and maintaining a competitive economy by driving interstate commerce. But without more substantive clarity, the practical outcomes of this guidance may not align with the agency’s intent to stimulate commerce without punishing businesses.
If employers rely on digital vaccine passports to enforce their vaccination and testing mandates as a condition for employment, candidates and existing employees who have not been vaccinated or tested, or who reject or decline vaccination or testing, may become ineligible to hold employment. Since the EEOC’s guidance is not law, employers are free to implement vaccine and testing mandates or avoid them. Employers are free, for example, to adopt strict policies such as requiring vaccination and testing as part of specific job descriptions, or to take a more relaxed approach and follow the CDC’s loose guidelines for workplace safety, which simply recommend social distancing, wearing masks, and washing hands frequently. For employees who are unable or unwilling to vaccinate or get tested, strict employment requirements for vaccination or testing may weaken their eligibility, forcing them to either get vaccinated or tested, or lose their jobs, without serious consideration of the valid reasons behind why they may have declined vaccination. Despite the EEOC’s guidance on employment practice during the pandemic, it is still enforcing its anti-discrimination employment rules. (Id.) So, just as in the consumer analysis, employers who fail to properly apply the EEOC guidance when using digital vaccine passports to qualify employment risk using the consumer report in a way that could be seen as intentionally discriminating against a protected class. For those employers, added injury may be found among competitors who offer employees less strict employment requirements and reasonable accommodations.
Employers who offer flexible work accommodations rather than qualifying employment subject to vaccination or testing may attract employees from other businesses, further normalizing the new model for work where employees expect more balance and less intrusion from employers. All businesses will eventually have to implement privacy protections; some sooner than others. But when it comes to balancing privacy obligations and satisfying business interests, each business will have to make strategic decisions in order to stay competitive, particularly where their workforce is concerned. Compared to the costs of adopting and maintaining privacy infrastructure and of responding to and defending against discrimination complaints, the costs of implementing reasonable accommodations are more manageable and cost-effective. Acting Director of the EEOC Mindy Weinstein said, “There are often simple and low-cost accommodations that employers can provide to workers with disabilities that do not cause an undue hardship on an employer’s business. By engaging in an interactive communication process with disabled workers, employers can identify such accommodations, accurately assess the ability of the workers to perform their jobs, and enable those workers to continue contributing to our economy. This is not only a smart business practice but the right thing to do.”13 Businesses who can, and who do, invest in reasonable accommodations rather than digital vaccine passports may find that it is a more compelling and competitive strategy for business.
Comparatively, Yellow Fever vaccine cards and digital vaccine passports are not the same. Both share the common intended purpose of protecting the public health by qualifying whom doesn’t present an infection risk, but only the Yellow Fever vaccination card fulfills that function and maintains individuals’ privacy by default because of its physical nature and narrow scope of use. There, governments serve as clearinghouses for processing the medical information on the card. By admitting or denying entry and/or tracking risk-prone travelers, governments who require Yellow Fever vaccination protect public health and warrant to businesses that the travelers are either safe or low-risk. Since travelers’ protected health information is only shared with the government of the country to which they are traveling, businesses in those countries are unaffected by additional regulatory burdens, compliance costs, or the double jeopardy of liability for violations of law or interferences with individual privacy protections. According to Compliance Week, for small and medium sized businesses in the United States-- the businesses most likely impacted by the types of compulsory privacy implements that would probably follow the adoption of digital vaccine passports, the initial costs for privacy compliance range from as low as $50,000 to as high as $2M depending on the industry.14 That’s a substantial investment for businesses trying to stay open after incurring substantial financial losses as a result of the pandemic.
Based on this analysis, comparisons to the Yellow Fever vaccine is faulty premise as a model or a justification for the adoption of digital vaccine passports. There are some obvious examples where proof of SARS Cov2 vaccination or negative test results ought to be required and where their immediate disclosure via digital means is convenient or even prudent. Healthcare workers and first responders seem as the most obvious examples of a narrow class among whom society might require the disclosure of personal information vis-a-vis digital vaccine passports. Qualifying healthcare workers and first responders as a condition of their employment is consistent with the rationale behind Yellow Fever vaccine cards because it concerns a narrow class, in a narrow field, for a narrow purpose. Healthcare workers’ and first responders’ jobs expose them to close proximity with other individuals whom they may infect, or from whom they may contract SARS Cov2. By taking closely scrutinized steps to interfere with healthcare workers’ and first responders’ privacy under a narrow scope, society balances ensuring public health and safety with individual privacy rights, equally satisfying the public interest in both. Another way the example of a narrow approach to digital vaccine passport use would be consistent with Yellow Fever vaccination cards is how the narrow scope reduces the privacy burden and impact on others downstream. But then again, where the concern is protecting user data, in order to best replicate the Yellow Fever vaccination card digitally, perhaps the digital vaccine passports are wholly inappropriate and instead vaccine NFTs would be more effective.
Vaccine NFTs or VNFTs may not cure all the issues that digital vaccine passports raise in terms of equal protections, but they appear to address the privacy issue more effectively. The reason is that NFTs or non-fungible tokens make use of blockchain technology to create unique, authentic files which are recorded on a centralized ledger that is virtually impossible to hack.15 Rather than create a digital copy of an existing physical record for retrieval using a QR Code, as many of the existing digital vaccine passports already do to de-identify the data, NFTs permit healthcare providers, clearinghouses or consumer reporting agencies to authenticate an individual’s status once, then issue a de-identified, unique and authenticated VNFT which individuals could use to certify their vaccination or negative SARS Cov2 test status. Lance Koonce and Sean M. Sullivan of Davis, Wright, Tremaine, LLP write “Because NFTs are not fungible, they can be used to represent other, unique assets that are either online or in the real world.”16 For individuals, using VNFTs virtually eliminates the privacy risk because the VNFT needn’t actually be linked to any personally identifiable information. If the issuing authority is validated by federal and state regulators the same way Yellow Fever vaccination centers are, the medical record can be created by the healthcare provider the way it normally has been. Vaccine recipients can continue to receive a physical vaccine card for their own records, but they may also receive a completely anonymized VNFT to represent and validate their vaccination or negative test status. VNFTs may be presented as tokens for admission in the traditional context, or individuals may provide vaccine NFTs on a timed-release basis, providing access to the token only for so long as the business needs it for review and then self-deleting thereafter. Using a timed-release NFT, even if businesses made unauthorized copies of the VNFT, (1) the individual still retains the original file, (2) the copied files provide a trail for accountability, (3) the original file and the unauthorized copies are anonymized, encrypted and only certify status, and (4) the VNFT self-deletes after it has been viewed.
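The data-minimization property described above (a token that carries only a status, an expiry and an issuer authentication, with no link to the person) can be illustrated without any blockchain at all. The following is an added example written for this page; it is not the author’s design and not an NFT implementation. It assumes a constructed issuer key and uses an HMAC as a stand-in for the issuer’s signature (a real issuer would use an asymmetric signature so that verifiers never hold the issuing key); the field names `tid`, `status` and `exp` are this example’s own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed issuer key for this example only. A real issuing authority would keep
# its key in an HSM and use an asymmetric signature instead of a shared secret.
ISSUER_KEY = secrets.token_bytes(32)

# The only facts the token is allowed to certify; nothing identifying is permitted.
ALLOWED_STATUSES = {"vaccinated", "negative_test"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_status_token(key: bytes, status: str, valid_seconds: int,
                       now: Optional[float] = None) -> str:
    """Issue a de-identified status token.

    The payload holds a random token id (not derived from the person), the certified
    status and an expiry. The issuer MAC lets a business check authenticity without
    learning who the holder is.
    """
    if status not in ALLOWED_STATUSES:
        raise ValueError("unknown status")
    now = time.time() if now is None else now
    payload = {
        "tid": secrets.token_hex(16),     # random, unlinkable to the individual
        "status": status,
        "exp": int(now) + valid_seconds,  # bounds how long any copy remains useful
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def verify_status_token(key: bytes, token: str,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, status_or_reason).

    The MAC is checked before any field is trusted, so a tampered payload is rejected
    before its contents can influence the decision; expiry is checked afterwards.
    """
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    payload = json.loads(body)
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if payload.get("status") not in ALLOWED_STATUSES:
        return False, "unknown status"
    return True, payload["status"]


def token_fields(token: str) -> Set[str]:
    """Every field a verifier, or anyone who copies the token, can see."""
    return set(json.loads(_unb64(token.split(".")[0])).keys())


if __name__ == "__main__":
    tok = issue_status_token(ISSUER_KEY, "vaccinated", valid_seconds=3600)
    print("fields visible to the venue:", sorted(token_fields(tok)))
    print("at the door:", verify_status_token(ISSUER_KEY, tok))
    print("a day later:", verify_status_token(ISSUER_KEY, tok, now=time.time() + 86400))
```

The point a practitioner should take from this is that a token which has been shown to a verifier can always be copied, whatever the storage medium; the protections that actually hold are that the copy contains nothing identifying and that its expiry limits for how long it certifies anything. Self-deletion on the holder’s side does not remove copies already made, so the token’s contents, not its lifetime, are what protect the individual.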
What’s more, none of the covered agencies concerned need to wait for federal or state government agencies to permit the use of VNFTs. Blockchain is already being used in cryptocurrency as tender to conduct transactions. Tesla, the maker of electric vehicles, is accepting Bitcoin as payment for its automobiles. Meanwhile, the digital art market is booming, with NFT artwork selling for multiple millions of dollars.17 International, federal and state privacy laws nearly all contain the same provision requiring data controllers, companies, and all covered entities to take “adequate,” “reasonable” or “sufficient” measures to protect people’s personal information. And while not explicitly dictating how covered entities should protect users’ personal information, these laws do make clear that covered entities must take into consideration the state of the art, and err on the side of doing more rather than less, to ensure what Article 32 (1) GDPR calls “...appropriate technical and organizational measures to ensure a level of security appropriate to the risk…” and what California’s CCPA describes as “...reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure….” Cal. CIV 1798.100 (e). VNFTs demonstrate the ability to exceed those requirements beyond what digital vaccine passports and their purveyors warrant is currently possible. If Yellow Fever vaccination cards are going to be the standard, digital vaccination passports don’t meet the bar and should not be recommended as an instrument for qualifying individuals’ status for admission, especially when the World Health Organization recommends against it and when more effective solutions exist that better reflect the intent behind the Yellow Fever vaccination card model.
Again, VNFTs are not a panacea. They are actual information that fits the definition of “any information” under FCRA that could comprise a consumer report because of the way it bears on a consumer’s eligibility. That means the same equal protection and discrimination liability issues facing individuals and businesses under digital vaccine passports still exist. This analysis underscores the importance of performing the necessary due diligence, including research, conducting privacy impact assessments, and where applicable, seeking guidance from the relevant privacy authority so your company recognizes the full scope of responsibility it stands to assume when either providing digital vaccination passports or VNFTs, or when using them as part of your normal operating procedures in the new normal. This analysis is for academic purposes only and should not be used or construed as legal advice. Please consult with your attorney or resident privacy professional to develop a privacy program that addresses your specific privacy obligations and business interests.
Michael Hughes is an independent intellectual property and privacy policy analyst, IAPP member and principal of PIVOTAL, a firm specializing in strategic marketing for brands in need of disruptive intervention. Contact Michael at [email protected].
__________________________________________
REFERENCES
1 Centers for Disease Control and Prevention. “Frequently Asked Questions about the U.S. Yellow Fever Vaccination Center Registry.” www.cdc.gov. 9 Aug. 2019. https://wwwnc.cdc.gov/travel/page/yellow-fever-registry-faq. Accessed on 17 Apr. 2021.
2 World Health Organization. “International Certificate of Vaccination or Prophylaxis.” www.who.int. 2005. https://www.who.int/ihr/IVC200_06_26.pdf?ua=1. Accessed on 17 Apr. 2021.
3 Centers for Disease Control and Prevention. “Yellow Fever.” www.cdc.gov. 15 Jan. 2019. https://www.cdc.gov/yellowfever/index.html. Accessed on 17 Apr. 2021.
4 Department of Health, Australian Government. “National Guidelines for Yellow Fever Vaccination Centres and Providers.” health.gov.au. 2021.
5 World Health Organization. “Interim Position Paper: Considerations Regarding Proof of COVID-19 Vaccination for International Travelers.” www.who.int. 5 Feb. 2021. https://www.who.int/news-room/articles-detail/interim-position-paper-considerations-regarding-proof-of-covid-19-vaccination-for-international-travellers. Accessed on 16 Apr. 2021.
6 CLEAR. Product Announcement. www.clearme.com. 2021. https://www.clearme.com/vaccine-validation. Accessed on 16 Apr. 2021.
7 Fowler, Geoffrey A. “We Tested the First State ‘Vaccine Passport.’ Here’s What Worked – and Didn’t.” The Washington Post. www.washingtonpost.com. 9 Apr. 2021. https://www.washingtonpost.com/technology/2021/04/08/vaccine-passport-new-york-excelsior-pass/. Accessed on 16 Apr. 2021.
8 Savage, Mark and Savage, Lucia Clara. “Doctors Routinely Share Health Data Electronically Under HIPAA, and Sharing With Patients and Patients’ Third-Party Health Apps is Consistent: Interoperability and Privacy Analysis.” Journal of Medical Internet Research. 22. No 9. 2020. https://www.jmir.org/2020/9/e19818. Accessed on 24 Apr. 2021.
9 Office of The Assistant Secretary of Planning and Evaluation. “Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Health Care Clearinghouse.” U.S. Department of Health and Human Services. https://aspe.hhs.gov. 28 Dec. 2000. https://aspe.hhs.gov/report/standards-privacy-individually-identifiable-health-information-final-privacy-rule-preamble/health-care-clearinghouse. Accessed on 18 Apr. 2021.
10 Alder, Steve. “What is Considered Protected Health Information Under HIPAA?” HIPAA Journal. www.hipaajournal.com. 2 Mar. 2021. https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/. Accessed on 18 Apr. 2021.
11 Centers for Disease Control and Prevention. “Vaccine Considerations for People with Underlying Medical Conditions.” www.cdc.gov. 12 Mar. 2021. https://www.cdc.gov/coronavirus/2019-ncov/vaccines/recommendations/underlying-conditions.html. Accessed on 20 Apr. 2021.
12 U.S. Equal Employment Opportunity Commission. “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.” www.eeoc.gov. 16 Dec. 2020. https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws. Accessed on 23 Apr. 2021.
13 Equal Employment Opportunity Commission. “Lockheed Martin to Pay $115,000 to Settle EEOC Disability / Retaliation Discrimination Lawsuit.” JD Supra. www.jdsupra.com. 26 Oct. 2020. https://www.jdsupra.com/legalnews/lockheed-martin-to-pay-115-000-to-48739/. Accessed on 26 Apr. 2021.
14 McDevitt, Aly. “CCPA Compliance Costs Projected to Reach $55B.” Compliance Week. www.complianceweek.com. 10 Jan. 2020. https://www.complianceweek.com/data-privacy/ccpa-compliance-costs-projected-to-reach-55b/27847.article. Accessed on 22 Apr. 2021.
15 Clark, Mitchell. “NFTs, Explained.” The Verge. www.theverge.com. 11 Mar. 2021. https://www.theverge.com/22310188/nft-explainer-what-is-blockchain-crypto-art-faq. Accessed on 26 Apr. 2021.
16 Koonce, Lance and Sullivan, Sean M. “What You Don't Know About NFTs Could Hurt You: Non-Fungible Tokens and the Truth About Digital Asset Ownership.” Blog. Davis, Wright, Tremaine, LLP. www.dwt.com. 24 Mar. 2021. https://www.dwt.com/insights/2021/03/what-are-non-fungible-tokens. Accessed on 26 Apr. 2021.
17 Chow, Andrew R. “NFTs Are Shaking Up the Art World—But They Could Change So Much More.” TIME. www.time.com. 22 Mar. 2021. https://time.com/5947720/nft-art/. Accessed on 24 Apr. 2021.
Cyber Liability Insurance Program, Cybersecurity Data Privacy Manager, Risk Management Professional committed to B2B B2C trust and resilience through ensuring defensible data security privacy practice.
3 years ago: Thank you for sharing this comprehensive analysis of a serious matter that few have fully thought through.