While Russia Attacks Ukraine, The VCI Attacks Privacy
Russia’s war against Ukraine is an important story. But no less important is the steady assault on personal privacy by the Vaccination Credential Initiative in the wake of the COVID-19 pandemic.
The Vaccination Credential Initiative is pushing its SMART Health Card, a digital QR code system that tells the world your vaccination status. It seeks to normalize the monstrous notion of vaccine passports.
Rule By Paranoia
What is the justification for this disclosure of medical information? An appeal to base paranoia:
Many indoor cultural attractions and performance venues in the U.S. require proof of vaccination. “We believe it gives people peace of mind when the folks around them are unlikely to be contagious,” says Gus Warren, CEO of Bindle, a health verification app that allows venues to verify the vaccination status of patrons.
Unfortunately for Bindle and the entire VCI effort, the COVID-19 “vaccines” offer no guarantee one is not contagious:
What about studies of total infection rates (including asymptomatic infections, so we are a bit apples-to-oranges here) concluding in July in places with only a 3 week lag between Pfizer shots? Qatar: 56%. Mayo Clinic/US: 42%. Israel: 39%. Interestingly, the Qatar (85%) and Mayo (76%) data for Moderna were more positive, and time will tell us more about Moderna’s durability. It’s important to note that real world data is inherently messy – vaccinated people might just be different than their unvaccinated “case controls” in a study – but when the same pattern crops up with different investigators in multiple countries, it’s probably real.
If one wants assurance someone else is not contagious, the best available guarantee is prior infection.
In this longitudinal cohort study, the presence of anti-spike antibodies was associated with a substantially reduced risk of PCR-confirmed SARS-CoV-2 infection over 31 weeks of follow-up. No symptomatic infections and only two PCR-positive results in asymptomatic health care workers were seen in those with anti-spike antibodies, which suggests that previous infection resulting in antibodies to SARS-CoV-2 is associated with protection from reinfection for most people for at least 6 months. Evidence of postinfection immunity was also seen when anti-nucleocapsid IgG or the combination of anti-nucleocapsid and anti-spike IgG was used as a marker of previous infection.
In other words, if we “follow the science”, we should be worrying about prior infection status, not vaccination status.
HIPAA Says It's None Of Our Business
The foregoing assumes, of course, that we should be worrying about such things at all—which the HIPAA Privacy Rule says we should not.
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
Make no mistake: apps like Bindle and Docket are either “health care clearinghouses” or business associates with regard to the HIPAA Privacy Rule. They have legal obligations under HIPAA not to publish your medical information.
Health Care Clearinghouses.
Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information. Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.
Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.
Nor can there be much dispute that vaccination status (or, for that matter, prior infection status) is protected health information under the Privacy Rule, which is to be kept private.
Protected Health Information.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
How do we know the apps contain such information? The apps themselves tell us this (emphasis mine).
There is already an impressively widespread availability of SMART Health Cards in the U.S. More than 200 million Americans can now download, print or store their vaccination records as a QR code. When the QR code is pulled up, only the individual’s name, date of birth and vaccination information is visible.
In other words, the QR code identifies the individual by definition. HIPAA tells us this information is not to be casually broadcast to the world.
Medical Data Must Be Protected. These Apps Can't Do That
Keep in mind that the QR code itself is merely a proxy to a link to an online database. The abuse of privacy represented by the QR code is thus compounded by the potential for a security breach of that database—and, after the Equifax data breach, multiple Verizon data breaches involving millions of individuals’ information, the 2014-2015 Anthem Health data breach, and countless other failures of online security measures, by “potential” I mean “inevitability”.
These SMART Health Card apps will be hacked. The data will be compromised. History all but guarantees this will happen.
Medical information, including vaccination status, is information that must be protected, and these SMART Health Card apps cannot do that. They may try; they will fail.
Privacy Is A Fundamental Right
For these apps—or any other system—to casually make bold with individual medical information is a blatant invasion of the fundamental right of privacy. Let there be no misunderstanding on this point: privacy is a fundamental right which the Supreme Court has repeatedly affirmed, beginning with the 1965 case Griswold v Connecticut and extending through numerous other pivotal Supreme Court cases including the 2003 case Lawrence v Texas. The right of privacy is in no way a novel legal theory, untested in the courts.
Griswold in particular addressed medical privacy, as did the similar subsequent 1971 case Eisenstadt v Baird. Both cases involved the purchase of contraceptives, a personal medical decision every bit as intimate—and therefore private—as the decision to receive vaccination for COVID-19 or for any other disease. The HIPAA Privacy Rule merely codified that which the courts have long acknowledged: your medical choices are your business and nobody else's.
Intrusions into one's personal privacy are never a small matter. They should never be allowed without lengthy public debate over their necessity, which the SMART Health Card apps have not received. They especially should not be allowed to implement a dysfunctional and dystopian system of vaccine passports that are already proven to be abysmal failures.