Institutions Propose Digital Health Passports During the COVID-19 Pandemic

| Spencer R. CarterPhilip M. Nelson

As countries around the world begin administering COVID-19 vaccines, many institutions, both governmental and private, are considering the possibility of requiring proof of COVID-19 status to travel, work, and attend live-audience events. The International Air Transport Association (IATA), is one of many organizations developing a smartphone app that will allow travelers to display their COVID-19 status in airports. In the UK, VST Enterprises Limited has developed a similar app for sports attendance. These “digital health passports” may help society return to normal, but they also raise privacy concerns.

These apps could centralize sensitive personal information, such as health data and vaccination records, increasing value for hackers. Requiring use of the new applications may also violate constitutional freedoms. Vaccination status could become a barrier to fundamental rights such as the right to peaceful assembly and freedom of movement. Private entities such as airlines and other businesses not directly restricted by the U.S. Constitution could create rules that threaten these rights.

The Health Insurance Portability and Accountability Act (HIPAA) sets rules on who can view and receive private health information which may limit private entities’ ability to implement digital health passports. Companies may be faced with a choice between compliance with CDC mandates and risk of HIPAA violations.

It is unclear how consumers will react. On the one hand, digital health passports may allow a technological bridge back to a higher level of social trust in public health norms. However, if U.S. consumers receive the passport idea as coldly as contact tracing apps, companies may quickly drop this initiative. Consumer backlash may increase if mandating digital health passports has a discriminatory effect on disadvantaged populations.

Many unanswered questions remain at this early stage. Would personal data inquiries be limited to COVID-19 status or include other health or non-health related statuses? Would they cease as a country approaches COVID-19 herd immunity? Which entities or governments would have access to this data and for how long?

One thing is clear: COVID-19 is sure to impact data privacy policy, law, and culture in the very near future.