In a recent tweet, I stated: “Covid-Passports are a violation in your personal privacy and violates the law. aka HIPAA”. The backlash, while moderate, was constant for days.

The inspiration for the tweet came when Governor Cuomo announced that he is implementing a “vaccine passport”. The passport would enable New Yorkers to prove vaccination or history of a negative COVID-19 test. The program, called the “Excelsior Pass,” is an app that is being called “not mandatory” but is being forced upon venues who wish to fully reopen. There has been addition communication and articles stating that the Biden Administration may be considering a similar program for the entire nation.

The “Excelsior Pass” is a product from IBM for contact tracing with covid; IBM insists user data will be kept confidential, as it will use blockchain technology to record and transmit data; I have no reasons to doubt them, but everything is being hacks these days. In addition, the terms of service accompanying the app do not explicitly state how the data is tracked or safeguarded, even less so than standard smartphone applications. This is important to keep in mind because, in the terms of HIPAA, IBM is not a covered entity. I will discuss what a covered entity is here shortly but who is the custodian of the data will be key.

For now, the important take away is that people will soon start carrying an app that entrusts the government with HIPAA-privileged health information and is able to track its users by recording protected health information, tracking individual locations and correlating gatherings in real-time. If you did not carry big brother in your pocket before, they have you now.

It is my plan to outline why I believe our currently privacy laws prohibit the creation of vaccination passports without the consent of the patient. This argument does not apply to those who consent because they have opted out of their privacy by requesting a passport and by using voluntarily using it. There are several other privacy laws I can include here but due to the complexity of this argument, I will keep it focused on HIPAA. It is also a fun exercise since I have a ton of haters out there who say I do not know anything about it. But it is worth noting that I am a cybersecurity and data privacy expert and have had to build secure systems for many types of organization that contained personal health information. While I know absolutely nothing about the medical billing aspects of HIPAA, the privacy and security rules of Title II are what sets the requirements of who can see your health data.  But, more about that later.

Even before we get into the privacy issues and the laws that protect us, I think it is also worth noting that by the time, the program roles out, the community should already have obtained herd immunity. Creating software and making sure it is reliable take months if not years to get right. President Biden has already stated July 4th should be great family holiday to get together because he believes the virus will be at a controllable level. If so, these apps are not needed but the rollout would open the door to possible government abuse. Every law starts out as someone’s great idea. They may even have merit, but good laws are abused all the time. I can provide many.

The app may start out with your covid vaccination but then what is stopping lawmakers from slowly adding to that list. Now you may be carrying your full medical record followed by military, school, or police records. Your entire life may now be captured as a QR code and everyone with a reader can access it. We can talk about phone security in another topic but keeping private information that is accessible with a look or fingerprint has its own set of risks.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a central concern of US organizations that are in any way involved with the creation, access, processing or storage of sensitive confidential health records – electronic protected health information (ePHI). The Security and Privacy Rules are a particular point of focus since violation of those guidelines often leads to federal fines and settlements; those parameters are covered under Title II of HIPAA.

A newer piece of healthcare legislation is the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. The first act is typically discussed in terms of concern with security and privacy of health records, while the second is generally described as increasing the implementation of digital health records and technologies. However, Subtitle D of HITECH is specifically focused on issues of security and privacy of electronic health data; it achieves this end by modifying and elaborating on those parameters within HIPAA. Essentially, if an organization is HITECH-compliant, that means that they are compliant with the most recent HIPAA security and privacy stipulations contained within the 2013 Omnibus Rule.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information. This protection is achieved through implementing appropriate privacy safeguards and by setting limits and conditions around the uses and disclosures of that information that may be made without patient authorization.

An organization’s obligation to meet these requirements under HIPAA may be created from engaging in covered transactions or being a covered entity. Defined by the U.S. Department of Health and Human Services, covered transactions are those involving the transmission of health information electronically in connection with certain administrative and financial transactions (45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R). Similarly, an organization is a covered entity if the organization is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits any health information in electronic form in connection with covered transactions 45 CFR § 160.103.  If you look at the definition of covered transactions, you will not see the transmission of your personal health information or PHI. So, is your private medical data even covered by HIPAA or is it just about transactions in regard to billing? Here is where we get to connect the dots!!!

The Office of Civil Rights (OCR) states on their public website that, “Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.”

Time to look at the Privacy Rule in more detail since it sounds like it is our connection between HIPAA and your private health data that would be exposed on a vaccination passport.

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patient’s rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. 

As a cybersecurity guy, I think it is also fair to mention the Security Rule of HIPPA. HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005.

So, while HIPAA highlights transactions, many people believe that is where it stops. Looking at the HIPAA Privacy and Security Rules (found in Title II), the law clearly outlines the inclusion of PHI.

In case there is still any doubt, the OCR has clearly stated in this document, “The HIPAA Privacy Rule ensures that you have rights over your health information, including the right to get your information, make sure it’s correct, and know who has seen it.”

With all of the hackings of major companies lately, you may be wanting to know what would happen if your HIPAA classified data was ever involved in a breach. HHS has stated that whenever you experience a hack, you must report it to the Secretary of the HHS through this portal. It is important to contact the agency right away when there is ePHI of more than 500 people involved – within 60 days and “without unreasonable delay,” per the agency. When the number of impacted individuals is lower than 500, you can report annually for the previous year – as long as you do so no more than 60 days into the next year (i.e., February 29 or March 1).

A healthcare organization has to send a notice to anyone who was affected by the hack by email (if you have a signed authorization to send these notifications to the person electronically) or first-class mail. When a firm does not have the current contact details for 10 or more people, they need to take alternative means to get the word out by either sending an announcement to the local media (broadcast or print) in areas where the patients or consumers live, or by posting information about the hack on their website homepage within 90 days. A toll-free number should be available and live for at least 90 days, so that affected people can learn basic information about the compromise. If the number of people for which contact information is outdated is lower than 10, the healthcare company can use a different means of alternative contact, such as telephone or another written format.

Finally, the custodians of the data must contact “prominent” media organizations within areas that are home to 500 or more people whose data was exposed. Just the same as the deadline for contacting the HHS for a larger (500+) hack, you have 60 days maximum to make this contact – and it should happen “without unreasonable delay.”

Business associates do not need to be concerned with the above contact parameters since that aspect is handled by the healthcare firm. However, they do need to notify the covered entity that is involved. Regardless of the number of people whose ePHI is exposed, the BA must get official notice of breach discovery to the covered entity within 60 days.

One of the biggest push backs on my tweet did not come from the perspective of a covered transaction. Everyone wanted to tell me about covered entities and that the government and other companies are not required to abide by HIPAA because they are not included in that list. I’m not really sure that has to do with anything. The data, that YOU own, is sitting on a server at the covered entity. The covered entity does not own the data. It is YOURS. They are simply the data custodian and because they are storing it, they are responsible for it. They are not allowed under the Privacy and Security sections of HIPAA from transmitting that information to anyone else without your expressed consent. Once that data leaves that entity, it is open to anyone who wants it as they are not obligated to abide by HIPAA.

If you value your privacy, you must not give your consent for vaccine-passports. So, now I ask you ....

Do current privacy laws protect the public from forced vaccination passports?