How to Make Your Own Vaccine Passport (if you're a U.S. citizen)post by tkpwaeub (gabriel-holmes) · 2021-04-22T17:39:51.670Z · LW · GW · 15 comments
Alice wants to go on a date with Bob. Bob wants her to prove to him that she's vaccinated. Alice lives in the United States, but she might live in a jurisdiction where "vaccine passports" have been banned. Or she might just not like the idea, philosophically. How does she go about proving to Bob that she's vaccinated? To do this she needs to do two things:
1. Have an official photo transmitted to Bob.
2. Have proof of her official immunization records transmitted to Bob.
Getting an official photo. There are two options. She can either go to her state's DMV or the US State Department. Federal law allows for the release of "highly sensitive" personal information - including name, address, birthday, and photograph - to anybody. I'm referring to 18 USC § 2721(a)(2) which states: "A State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity: highly restricted personal information, as defined in 18 U.S.C. 2725(4), about any individual obtained by the department in connection with a motor vehicle record, without the express consent of the person to whom such information applies". The version of this involving the U.S. State Department invokes
5 USC § 552a(b), which says: "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains". Sample wording of a third party authorization form can be found on the state department website. There's also a standard form that you can use. I prefer this approach over DMV, in part because there's a delicious irony to using your actual passport photo to create your own system for proving to someone that you're vaccinated.
Getting official proof that she's been vaccinated. She needs to get in touch with whoever vaccinated her. Alternatively, if she's given her vaccination information to her primary care provider, she can get in touch with them. Or, she can contact her state's health department. All of these options should work, because they're all covered entities under HIPAA. Her first step is to authorize the release of her immune status, full name, birthday, and contact information to Bob. Alice is able to do this thanks to 42 USC § 17935(e)(1) which reads: the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific. Unfortunately there's no standard format for HIPAA release forms, but you can look for a few examples by doing a query on "HIPAA release form" in your favorite search engine.
OK, so now that Alice has provided consent to government agencies and/or health care providers to give information to Bob, what's the next step? For her immunization records, Alice can ask that her immunization records be given directly to Bob - there's nothing further that Bob needs to do. In the case of the photograph, Bob might have to file a FOIA request (if it's the state department) or a state-level analogue of a FOIA request (here in New York we call them FOIL requests; your mileage may vary).
It should be noted that the above rights to share one's official government records with whoever one pleases are guaranteed under federal law. That's significant not only because federal law overrides state law when there's a conflict (the supremacy clause) but also because under the 14th Amendment states aren't allowed to subtract rights guaranteed to U.S. citizens.
There are six main reasons that I prefer this approach to a "top down" implementation of vaccine certificates.
- It's a difficult process. This is important, because there's a sense in which creating an instrument like this to leverage an existing privilege warrants a degree of care and solemnity. Having to fill out a form, possibly get legal assistance in crafting correspondence to government agencies, waiting for Bob to get mail - these steps give Alice ample opportunities to ponder whether this is something she really wants to do.
- It gives the government, and health care providers, a way of measuring how many people actually want to have "vaccine passports". If they get enough correspondence like this, they'll cave. In other words, by going through with this process, Alice and Bob are "voting" for vaccine passports.
- It keeps Alice in charge of her own personal health information.
- It allows for the verification to occur off-site, without the person at the door having to check anything other than "Is this ticket valid? Is the bearer of this ticket the right person?". This creates a much smoother workflow that's far less susceptible to fraud, collusion, or alert fatigue.
- It doesn't depend on bespoke proprietary software or ownership of a smartphone.
- Customers are not exposing personal health information to one another in public settings.
In a later revision, or possibly a separate post, I'll discuss how this process can evolve into something that looks more like the kind of "vaccine passport" system that a lot of people envision - in such a way as to be equitable and transparent.
Comments sorted by top scores.