With millions of Americans receiving COVID-19 vaccinations in recent months, the conversation has turned to the concept of vaccine passports. But even though the COVID-19 use case is up for debate, questions around others’ vaccination status aren’t exactly new. Proof of vaccination has long been required to enroll students in school or college, or even for some international travel.

The method of proof has traditionally been paper-based — scanning the record, copying, and sending via email or uploading into a portal. But now, according to Dr. Brian Anderson, “There is an opportunity to leverage a new technology, a new tool, this concept of a verifiable credential, which creates a framework between issuers and verifiers.”

As the chief digital health physician at MITRE and cofounder of the Vaccination Credential Initiative (VCI), Anderson worked to create the SMART Health Card framework for interoperable, verifiable, trustworthy clinical information. He shared thoughts on both the present and future of vaccine passports in a conversation with athenahealth director of government affairs, Greg Carey.

Empowering individuals to own and share their health data

We mostly associate vaccine passports with COVID-19 vaccines right now, but the technology’s potential reaches far beyond the current moment. A digital credential like the SMART Health Card can be used to store any type of verifiable health data, like vaccination history or test results, and that data can then be accessed and shared easily via a smartphone app or QR code. At its core, VCI’s credential is a way to give patients more control over their health data and enable them to take a more active role in their well-being.

“We wanted to come together as technology vendors to empower individuals to be able to tell their own story, with their own health data, in a verifiable, trustworthy, consent-driven way,” Anderson said. “We’re really excited to see where this is going, and what it means for individuals to be able to have this kind of data, not just for vaccinations.”

Solving for data privacy concerns

Anderson says that because VCI’s goal is centered around patient empowerment, data privacy is a guiding principle of their work. Their SMART Health Card credential stores and shares only the bare minimum data needed, so there’s no risk of accidentally clicking a button and sharing an entire longitudinal health record with a third party. From a privacy perspective, it’s only storing what you’d likely find on your child’s immunization record, for example: the patient’s name, date of birth, who administered the shot, the date the shot was given, and the manufacturer of the vaccine.

“If you give a credential that [has] their entire longitudinal record and enable an individual to share it, there’s always the risk that there could be nefarious actors on the receiving side,” Anderson said. “We want to protect individuals from a risk mitigation standpoint, so we did privacy by design in designing the specification.”

Crucially, VCI’s credential is also consent-driven by the individual. “If you’re familiar with the Apple Privacy Policy, it’s those little prompts that you see, ‘Do you want to share this with this person?’” Anderson explained. “It’s not done in a way that is in the background of your digital devices.” The decision to share data is always made by the individual, and it’s important that patients understand that they’re in control. Healthcare providers will play an important role in educating patients about the existence of vaccine credentials, how to use them, and that it is consent-driven, according to Anderson.

Looking ahead to the future of vaccine credentials

While COVID-19 certainly accelerated the use case of vaccine passports, these platforms aren’t new — and they’re not going away anytime soon, Anderson says. As patients increasingly become more educated and more empowered to take care of their health, additional use cases will arise.

This type of verifiable credential that can be shared with patient consent could be useful when providers want to verify clinical data, for example. Anderson envisions a patient with diabetes being able to share their sugar logs with their provider via the patient-owned and patient-created credential, giving the provider more information about their patient’s health and more confidence that the information is trustworthy.

“Where I see VCI going is really less about vaccination credentials, and more in the direction of consumer-driven health, where patients are able to move their data around and give it to whomever they want,” Anderson said. “It’s their story to tell.”