Entities that institute COVID-19 Passports will likely be found to have acted illegally, if taken to court. The amount of exemption, reasonable accommodation, and individual protection found in current privacy and discrimination laws is an extremely high bar. COVID-19 Passports, as presented thus far, would fail to clear that bar.
Existing U.S. domestic vaccination requirements
Virtually all existing U.S vaccination requirements for schools, U.S. citizenship, the military, and health care workers contain exemptions for medical reasons or reasons of religion or conscience. Additionally, a vaccine being distributed under an FDA Emergency Use Authorization (EUA) very likely cannot be added to these lists of required vaccines.
The CDC does not set vaccination requirements for schools or childcare centers; each state decides which vaccines are required.
In all 50 states, you can be exempted from these requirements for medical reasons.
In 44 states, you can be exempted from these requirements for religious reasons.
In 15 states, you can be exempted from these requirements for reasons of conscience.
These exemptions are granted without question if the proper form is filled out or the proper online certificate submitted.
Waivers to all vaccination requirements for moral or religious beliefs are available.
Although not as extensive, healthcare workers in many states can be exempted from employer vaccination mandates for medical and philosophical reasons.
Even people who sign away their lives to the military can receive medical, administrative, and even religious belief exemptions.
Ramifications of the FDA Emergency Use Authorization (EUA) for COVID-19 Vaccines
None of the above requirements encompass EUA vaccines not fully approved by the FDA.
Non-approved EUA vaccines have a nearly impossible legal bar to be deemed “Required.”
Dr. Amanda Cohn, executive secretary of the CDC’s Advisory Committee on Immunization Practices on the question of whether COVID-19 vaccination can be required: “under a EUA – vaccines are not allowed to be mandatory. So, early in this vaccination phase, individuals will have to be consented and they won’t be able to be mandatory.”
The FDA requires the secretary of HHS to “ensure that individuals to whom the product is administered are informed… of the option to accept or refuse administration of the product” and to “ensure that recipients are informed to the extent practicable… that they have the option to accept or refuse the EUA product”
Pfizer/BioNTech and Moderna vaccines require fact sheets to be given to vaccination providers and recipients. These fact sheets make clear that getting the vaccine is optional: “It is your choice to receive or not receive the Covid-19 Vaccine,” and if “you decide to not receive it, it will not change your standard of medical care.”
The U.S. EEOC has issued guidance indicating that employers generally can mandate vaccinations for their employees (again with the caveat of medical or religious exemptions) but specifically addressed vaccinations that are authorized or approved by the FDA, and a vaccine with an EUA is not.
HIPAA and the COVID-19 Passport
Any record of an individual’s visit to a healthcare facility or the administering of a vaccine is a record of provision of health care to the individual. By definition, this is PHI. Even though the letter of HIPAA defines “Covered Entities” and that definition is limited in its application, the systems by which a business or other entity would legitimately validate this PHI (the COVID-19 Passport) would be the actions specifically intended to be protected by HIPAA: Obtaining consent from the individual and transmitting, reading, and possibly storing PHI.
Protected Health Information (PHI) – includes an individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, or payments regarding health care.
HIPAA was intended to cover entities that could possibly see and transmit PHI – “Covered Entities” (CE) that include any Health Plan, Health Care Clearinghouse, or Health Care Provider and, by extension, any “Business Associate” (BA) that may handle PHI as part of business with any Covered Entity.
How CEs and BAs are to secure and store your PHI and enforce PHI rules.
Procedures and policies that CEs and BAs must follow if there is a breach of PHI.
Requirements and necessary documentation required before exposing PHI to other individuals and entities, including obtaining written acknowledgement/permission from the patient to expose that information.
The documentation and record of your vaccine shot is PHI
The record of your visit to a healthcare clinic and the administration of a vaccine are records of provision of health care to the patient. By definition, this is PHI.
Secure determination of your vaccination status by a business or entity would require transmitting and reviewing this PHI
In order for a vaccine passport to be properly verified while minimizing the possibility of fraud and forgery, a system would need to be instituted that pulled a verified copy of your vaccine record.
An airline, concert venue, grocery store, etc. likely would have to have a device capable of reading, transmitting, and possibly storing your vaccination status. There is no precedent for any of these types of entities having the legal authority to validate a prospective customer’s PHI and then deny them entry, with no provision for exemptions for medical or personal beliefs.
By definition, reading, transmitting, and storing PHI is the behavior of either a Covered Entity (CE) or a Business Associate (BA) of a CE.
While CEs and BAs are explicitly defined in the letter of HIPAA law, this entire process is contrary to and in direct opposition of both the intent and spirit of the HIPAA law
You don’t have to go back 235 years to discern the original intent argument for HIPAA: Committee hearings and floor debates on HIPAA are public record and occurred just 25 years ago.
HIPAA and supporting laws like HiTech were written to protect your PHI, and they define the rules that entities who might have access to your PHI must follow.
Retail businesses, airlines, and concert venues were never on the radar as possible CEs in 1996.
To apply strict, enforceable, and extremely specific laws to HIPAA CEs and BAs, while allowing a grocery store, concert venue, airline, or other entity unfettered access to PHI, is in direct opposition to the intent of HIPAA and the Privacy Rule for PHI.
HIPAA should be modified to expand the definition of Covered Entities and, by extension, Business Associates, so that when the current Public Health Emergency declared by the Dept of HHS ends, a patient’s private PHI and civil liberties can once again be protected to their intended extent.
American with Disabilities Act Opinions
“The Americans with Disabilities Act protects those who have a disability, which is defined as a physical or mental impairment that substantially limits one or more major life activities, and those perceived by others as having such an impairment, from discrimination in the workplace. Although courts have never considered lack of immunity to a disease as such an impairment, the legislative history of the ADA is broad enough to allow such an interpretation. This means that employers can’t discriminate against workers based on whether they have or don’t have immunity.”
“The ADA also protects people who do not have a disability but are ‘regarded as’ having a disability. For example, if a cab company fires a driver because of a mistaken belief that she has epilepsy, the action would violate the ADA. That’s because it treated the non-disabled driver as disabled.”
“But allowing only people with immunity — or evidence of past infection — to work would disadvantage those who haven’t gotten sick or those without the antibodies to prove it. It’s as if, in the eyes of their employer, their lack of infection constitutes a disability. The inequality that immunity passports could foster in these situations may be illegal under the ADA. As long as an employee is able to perform the essential functions of his or her job, those without immunity are most likely protected under the ADA.”
Author’s interpretation of the EEOC December 2020 Guidance
The EEOCs Dec 2020 guidance for employers desiring to require vaccination stated an employer would have to prove the unvaccinated would pose “significant risk of substantial harm” to other employees and that this risk could not be reduced with reasonable accommodation. In the event this could be proven, employers must then provide accommodations such as working remote. Further, the guidance stated that the employer must provide reasonable accommodation for an employee “unable to receive a vaccination due to disability, sincerely held religious belief, practice or observance.” Finally, the guidance specifically pointed out the problematic current FDA EUA status of Covid-19 vaccines.
COVID-19 Passports would, by design, coerce individuals to take a vaccine currently only authorized under an FDA Emergency Use Authorization, and present PHI in order to function in normal society. This would be contrary to all previous U.S. vaccination precedent and contrary to both the intent and the letter of laws like HIPAA and the ADA. This would be an unprecedented overreach and a massive infringement of individual liberty. It also has the potential to create a caste system, favoring the vaccinated while discriminating against the un-vaccinated. COVID-19 Passports should be vigorously opposed, and laws against them should be established to prevent their implementation in all domains of society.