The data infrastructure in the United States can’t adequately support the effort to vaccinate the U.S. population against Covid-19. Four steps must be taken: standardize the way personal health data is exchanged; align states’ immunization registries and state and federal reporting analytics; design immunization “passports” that are portable, equitable, and protect privacy; and address privacy, portability, and cybersecurity tradeoffs.
As the rollout of Covid-19 vaccines gets underway in the United States, the country is confronting a major IT challenge: how to track distribution of the vaccines and determine who receives them. This is crucial to ensure individuals get the recommended number of doses, that guidelines determining who is next in line are followed, and that enough of the U.S. population — at least 60% to 70% — is vaccinated to achieve herd immunity.
The hard truth that policymakers, health systems, pharmacies, and public health leaders must face is the current U.S. data infrastructure is not up to the task. In this article, we outline four broad actions to improve the data infrastructure that can be taken to ensure that the vaccination effort is effective and equitable, protects privacy, and thwarts wrongdoing.
1. Standardize how personal health data is exchanged.
Personal health information, including vaccination records with personal identifiers, is typically difficult for the U.S. government to access and to manage due to federal and state privacy rules or laws (such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act) and the difficulty in getting different proprietary systems to exchange information (i.e., be interoperable). This is made even more challenging by the lack of a single national identification system in the United States other than Social Security numbers. And of course, Social Security numbers can be stolen and used fraudulently, not everyone in the United States has a Social Security number, and not all health care providers organize their data based on them. Difficulties with ensuring unique patient identifiers (such as name variation or missing addresses) can easily lead to duplication or to inappropriately merged records. We believe this can be addressed by leveraging existing identity verification and management systems from other industries beyond health care.
2. Align states’ immunization registries and state and federal reporting analytics.
The United States has a fragmented system to track vaccine administration. States’ immunization information systems — centralized registries that have the capacity to electronically exchange data with clinical systems, including electronic medical records — play an important role in vaccine verification. During the 2009 H1N1 pandemic, U.S. states utilized them to track inventory at provider sites, communicate with providers (e.g., by sending reminders for a second dose to certain population groups or alerts of recalled vaccines), and aid with dosing regimens (e.g., by determining who was eligible for one dose or two).
Insight Center
But today, only 60% of American adults are registered on immunization information systems (with large variations across states), and not all vaccinators have joined these registries: One study found that among those who administer vaccines, only 31.6% of clinicians and 38.4% of pharmacists submitted records to these registries.
To be optimally effective in the drive to vaccinate the U.S. population against Covid-19, states should make sure to operationalize cross-state data-sharing agreements. The vast majority of states have the authority to transmit or allow access to immunization data across state borders, but only a small number have done it.
Making matters worse, reporting by health care providers into immunization information systems is uneven and not always mandatory. In September 2020, the Trump administration issued emergency guidance to allow pharmacists and pharmacy interns to order and administer Covid-19 vaccinations, which could add to the challenge of tracking vaccinations given that not all states require pharmacies to participate in their systems.
All these deficiencies will thwart America’s ability to track vaccinations.
3. Design immunization “passports” that are portable, equitable, and protect privacy.
In order to recognize those that have completed their vaccination, there is a need for a private and portable form of identification. Some countries already require immunization certificates for diseases such as polio and yellow fever to prevent their spread. At the most basic level, an immunity passport would be a digitized version of the “yellow card,” the paper-based International Certificate of Vaccination or Prophylaxis that many international travelers carry with them traveling to and from high-risk areas of the world.
Immunity passports can be designed to ensure privacy and provide portability of status. In addition, the data infrastructure supporting such digital passports can track each vaccine vial and its delivery to a unique individual. The passports would also need to be portable both within and across borders through a set of common global standards and linked to passport information for cross-border use. With additional investment in technology, governments can provide strong verification mechanisms while requiring users to only reveal minimal identity information. With this in mind, some have argued for biometric registries to function as Covid-19 “immunity passports” that verify proof of immunity (via past infection or vaccination) and allow someone to move around freely.
Another issue that needs to be considered is the interoperability of such digital passports across organizations (think airlines and hotel chains), governments (both domestic and international), and even health care systems. Some airlines plan to introduce Covid-19 health pass apps (i.e. CommonPass) to verify passengers’ Covid-19 status. While such pass apps could pave the way for reopening society, they raise concerns around privacy and equity. Vulnerable populations with limited access to vaccination services and smartphones could effectively be denied access to workplaces, restaurants, schools, and so on.
4. Address privacy, portability, and cybersecurity tradeoffs.
Accounting for privacy concerns is essential as we think about a national vaccine rollout. This includes implementing strong security controls to prevent bad actors from stealing information; ensuring compliance by navigating a host of regulations and rules set by the Centers for Medicare & Medicaid Services; and aligning federal and state regulations to avoid confusion among how personal data is handled — an issue that has already surfaced.
Medical identity theft is one potential problem that could impact a Covid-19 vaccine identity or registry. For example, there is a danger that people will use stolen or fake identities to receive their vaccination sooner than they would under guidelines. Targeted phishing campaigns against those anticipated to receive the vaccine sooner can be expected as well. Another potential risk in this vein is spoofed or fake records that show an individual has received the vaccine when he or she, in fact, has not (i.e., a fake vaccine certificate). Given such scenarios, it makes sense to consider using existing digital health platforms; examples of what we have in mind include the Commons Project, Dimagi, Simprints, PathCheck Foundation, Onfido, and Yoti.
As the effort to vaccinate the U.S. population against Covid-19 gains momentum next year, there will inevitably be unanticipated mishaps such as shortages and different distribution prioritizations by individual states. In the few weeks left before the vaccine is offered to the general population, public health leaders, care provider systems, and pharmacy retailers should strive to agree to data standards and implement upgrades to improve the data infrastructure so it supports the efficient and equitable distribution of the vaccine in ways that both maximize transparency and protect privacy.