In a recent tweet, I stated: “Covid-Passports are a violation in your personal privacy and violates the law. aka HIPAA”. The backlash, while moderate, was constant for days.
The inspiration for the tweet came when Governor Cuomo announced that he is implementing a “vaccine passport”. The passport would enable New Yorkers to prove vaccination or a history of a negative COVID-19 test. The program, called the “Excelsior Pass,” is an app that is being called “not mandatory” but is being forced upon venues that wish to fully reopen. There have also been communications and articles stating that the Biden Administration may be considering a similar program for the entire nation.
The “Excelsior Pass” is a product from IBM for contact tracing with COVID; IBM insists user data will be kept confidential, as it will use blockchain technology to record and transmit data. I have no reason to doubt them, but everything is getting hacked these days. In addition, the terms of service accompanying the app do not explicitly state how the data is tracked or safeguarded, even less so than standard smartphone applications. This is important to keep in mind because, in HIPAA terms, IBM is not a covered entity. I will discuss what a covered entity is shortly, but who the custodian of the data is will be key.
For now, the important takeaway is that people will soon start carrying an app that entrusts the government with HIPAA-protected health information and is able to track its users by recording protected health information, tracking individual locations and correlating gatherings in real time. If you did not carry Big Brother in your pocket before, they have you now.
It is my plan to outline why I believe our current privacy laws prohibit the creation of vaccination passports without the consent of the patient. This argument does not apply to those who consent, because they have opted out of their privacy by requesting a passport and by voluntarily using it. There are several other privacy laws I could include here, but due to the complexity of this argument I will keep it focused on HIPAA. It is also a fun exercise, since I have a ton of haters out there who say I do not know anything about it. But it is worth noting that I am a cybersecurity and data privacy expert and have had to build secure systems for many types of organizations that contained personal health information. While I know absolutely nothing about the medical billing aspects of HIPAA, the privacy and security rules of Title II are what set the requirements for who can see your health data. But more about that later.
Even before we get into the privacy issues and the laws that protect us, I think it is also worth noting that by the time the program rolls out, the community should already have obtained herd immunity. Creating software and making sure it is reliable takes months, if not years, to get right. President Biden has already stated that July 4th should be a great family holiday to get together, because he believes the virus will be at a controllable level. If so, these apps are not needed, but the rollout would open the door to possible government abuse. Every law starts out as someone’s great idea. They may even have merit, but good laws are abused all the time. I can provide many examples.
The app may start out with your COVID vaccination, but then what is stopping lawmakers from slowly adding to that list? Now you may be carrying your full medical record, followed by military, school, or police records. Your entire life may now be captured as a QR code, and everyone with a reader can access it. We can talk about phone security in another topic, but keeping private information that is accessible with a glance or a fingerprint has its own set of risks.