Vaccine passports will be convenient, but we should keep our privacy top of mind

So many of us are ready to return to some semblance of normal life. We are eager to engage in hobbies and passions we never thought twice about before the COVID-19 pandemic. And with three COVID-19 vaccines approved for emergency use in the United States, we are seeing millions of Americans inoculated against the coronavirus every day. Once the COVID-19 vaccine is available to all, it is possible that Americans will be required or strongly encouraged to receive it before gathering with large groups of people in places like airplanes or stadiums.

How will we prove we have been vaccinated? There has been much talk in recent months about the potential of vaccine passports, which are smartphone apps we can use to show we have received the COVID-19 vaccine and/or recently tested negative for the virus. While most of us are likely willing to download an app that reveals our vaccination status in exchange for a return to something resembling pre-pandemic life, there is still much we should keep in mind. 

My organization, the American Health Information Management Association (AHIMA), works to ensure consumer health data is accurate, private and secure, regardless of if it falls inside or outside the scope of the Health Insurance Portability and Accountability Act (HIPAA). While we support the concept of vaccine passports and know their convenience could be a game-changer, we believe it’s important to keep your privacy and security in mind before you agree to let a third-party smartphone app access your health information records.

Developers who create and manage vaccine passport apps should clearly and conspicuously communicate what information will be collected and maintained and how the data may be processed and disclosed. If you are giving permission for an app to access your health information, make sure it makes its privacy policy available in plain language you can understand.

Any app that you share your health information with should require you to consent to the collection, access, disclosure and storage of your information. It is also prudent to make sure that you can revoke this consent at any time for any reason. If an app does not ask for your consent regarding your own health information and does not allow you to take back that consent, I would be wary of providing it with sensitive information.

In addition, if you consent to allowing an app to access your health information, that doesn’t mean it should access all of your health information — it’s important the app limits its collection of your health information to only what’s necessary. An app that produces vaccine passports shouldn’t need to collect information outside of vaccine records and COVID-19 test results, unless you direct it.

Finally, it’s important that apps that collect health information use privacy and security industry best practices. While it can be difficult for an average consumer to determine if this is the case, we recommend searching the name of an app in a search engine to see if there are any red flags, including whether they sell your information to other parties. Organizations like AHIMA and others in the privacy and security space are ramping up our efforts to provide consumers with the information they need to make informed decisions.

I am by no means throwing cold water on the concept of vaccine passports — I couldn’t be more excited to show my smartphone as I walk into an airport. Still, health information is human information, and it’s important to help educate the public as much as we can to ensure that private health information stays private.

Katherine Lusk, MHSM, RHIA, FAHIMA, is the president and chair of the American Health Information Management Association.