A new cross-industry initiative is seeking to establish a standard for digital vaccination records that can be used universally to identify COVID-19 vaccination status for individuals, in a way that can be both secure via encryption and traceable and verifiable for trustworthiness regarding their contents. The so-called “Vaccination Credential Initiative” includes a range of big-name companies from both the healthcare and the tech industry, including Microsoft, Oracle, Salesforce and Epic, as well as the Mayo Clinic, Safe Health, Change Healthcare and the CARIN Alliance to name a few.
The effort is beginning with existing, recognized standards already in use in digital healthcare programs, like the SMART Health Cards specification, which adheres to HL7 FHIR (Fast Healthcare Interoperability Resources) which is a standard created for use in digital health records to make them interoperable between providers. The final product that the initiative aims to establish is an “encrypted digital copy of their immunization credentials to store in a digital wallet of their choice,” with a backup available as a printed QR code that includes W3C-standards verifiable credentials for individuals who don’t own or prefer not to use smartphones.
Vaccination credentials aren’t a new thing — they’ve existed in some form or another since the 1700s. But their use and history is also mired in controversy and accusations of inequity, since this is human beings we’re dealing with. And already with COVID-19, there are efforts underway to make access to certain geographies dependent upon negative COVID-19 test results (though such results don’t actually guarantee that an individual doesn’t actually have COVID-19 or won’t transfer it to others).
A recent initiative by LA County specifically also is already providing digital immunization records to individuals via a partnership with Healthvana, facilitated by Apple’s Wallet technology. But Healthvana’s CEO and founder was explicit in telling me that that isn’t about providing a proof of immunity for use in deterring an individual’s social or geographic access. Instead, it’s about informing and supporting patients for optimal care outcomes.
It sounds like this initiative is much more about using a COVID-19 immunization record as a literal passport of sorts. It’s right in the name of the initiative, for once (“Credential” is pretty explicit). The companies involved also at least seem cognizant of the potential pitfalls of such a program, as MITRE’s chief digital health physician Dr. Brian Anderson said that “we are working to ensure that underserved populations have access to this verification,” and added that “just as COVID-19 does not discriminate based on socio-economic status, we must ensure that convenient access to records crosses the digital divide.”
Other quotes from Oracle and Salesforce, and additional member leaders, confirm that the effort is focused on fostering a reopening of social and economic activity, including “resuming travel,” get[ting] back to public life,” and “get[ting] concerts and sporting events going again.” Safe Health also says that they’ll help facilitate a “privacy-preserving health status verification” solution that is at least in part “blockchain-enabled.”
Given the urgency of solutions that can lead to a safe re-opening, and a way to keep tabs on the massive, global vaccination program that’s already underway, it makes sense that a modern approach would include a digital version of historic vaccination record systems. But such an approach, while it leverages new conveniences and modes made possible by smartphones and the internet, also opens itself up to new potential pitfalls and risks that will no doubt be highly scrutinized, particularly by public interest groups focused on privacy and equitable treatment.