ALBANY, N.Y. (NEWS10) — The idea of “vaccine passports” becoming a requirement for travel, attendance at mass gatherings, and even things like grocery shopping first surfaced in 2020. In March, New York became the first state to formally launch a vaccination credential app, partnering with IBM to produce the “Excelsior Pass” which officials claim will “fast track” the state’s reopening.

The concept has received backing from a number of airlines. Internationally, Israel has already launched a “green passport” which allows people to attend public events, while Denmark has one in the pipeline.

On Monday, the White House ruled out a federal mandate on vaccine credentials, instead opting to let the private sector “take the lead” on vaccine passports.

“There are a couple key principles that we are working from. One is that there will be no centralized universal federal vaccinations database, and no federal mandate requiring everyone to obtain a single vaccination credential.”

White House press secretary Jen Psaki

Despite the White House’s stance on a federal mandate, and the Excelsior Pass being optional, a number of concerns have been raised around the legality of vaccine passports, notably in connection with the Health Insurance Portability and Accountability Act (HIPAA).

Do vaccine passports violate HIPAA or any other law?

The short answer is no. As Lisa Proskin, managing attorney at the Albany-based Proskin Law Firm, says, there are a number of reasons the Excelsior app and vaccine passports in general do not violate HIPAA.

A key reason for this is that the user of the app is the one providing the information, not medical professionals who would be covered by HIPAA.

“I don’t think it falls within HIPAA. If the vaccine required something with the doctor and the doctors were providing all of this information, it might be a little different. But the way it stands now, the person doing it, the person downloading the passport, is the one entering all of the information.”

Lisa Proskin, Esq.

No shirt, no shoes, no vaccine

The voluntary status of vaccine passports, along with a business’ right to refuse service under most circumstances, provides both a legal cushion and an incentive for their use.

Proskin related a business’ right to refuse service or entry to people who have not been vaccinated to the popular “no shirt, no shoes, no service” policy.

“You don’t need to have one, and if you go to a business that uses the passport and you don’t have one, they don’t have to let you in if you don’t have shoes on, or if you don’t have a shirt on. It could very well be a case of no shirt, no shoes, no vaccine, no passport, they don’t let you in,” she said.

There are areas where businesses are not allowed to discriminate. Refusing to serve someone based on their race, religion, sex, or national origin violates federal civil rights laws. But COVID status does not fall into any protected categories.

Could vaccine passports become mandatory?

Legal issues could arise if officials tried to make use of a vaccine passport system mandatory. Proskin claims that, as the vaccines themselves cannot be made mandatory, the passport system itself cannot be made mandatory either:

“I think it would be a big problem if it were mandatory, because you can’t make the vaccine mandatory. You can exclude people for not being vaccinated, but you can’t force them to take the vaccine. So if you were to require or mandate the app or the program, I think you might run into some legal problems.”

She says that, as vaccines fall under medical treatment, individuals can choose not to receive them. Where exceptions exist, such as vaccine requirements imposed by some schools, exemptions based on religion and medical grounds also exist.

“We have so many freedoms and we’re allowed to pick and choose, you can always choose not to have medical treatment which is really what this would be doing. We don’t mandate for instance flu vaccines or chicken pox vaccines. The only immunizations that are mandated are often times in schools, and even then there’s an exception. There has to be an exception for why you’re not vaccinating your child.

“There are religious objections and different things like that, and they are allowed. But that’s the extent of how we mandate the vaccinations.”

Lisa Proskin, Esq.

Vaccinations aren’t actually required for clearance through New York’s Excelsior app. Users can also receive clearance through a “PCR Test Pass” which is valid for three days, or an antigen (rapid test) pass, valid for six hours. The Excelsior Pass itself is not mandatory, and other proof of vaccination or COVID-19 status may be used.

What is HIPAA?

HIPAA is a federal law which both gives people the right to access their own medical information and limits other organizations accessing and sharing that information. This information includes your medical records, conversations medical professionals have had regarding you, and the details your insurer has about you.

But the rule only applies to certain organizations.

It does apply to health plans, health care providers and health care clearing houses; it also applies at least partially to business associates of, and contractors working for, those entities.

But organizations including life insurers, employers, workers’ compensation carriers, school districts, state agencies, law enforcement agencies and municipal offices are not subject to HIPAA regulations.

New York’s Excelsior Pass lists why it is exempt from HIPAA in its terms and conditions. It states that the website:

“is not provided to you by a health care provider, so, as such, you are not providing protected health information for health care treatment, payment, or operations (as defined under Health Insurance Portability and Accountability Act (HIPAA)).”

There are also provisions which allow healthcare providers to share your medical information with certain entities.

This includes situations where medical professionals are required to report incidents to the police, for example if someone arrives at a hospital with a suspected gunshot wound.

A public health provision exists within HIPAA. It involves the medical entities mentioned previously disclosing information to “public health authorities” which are the US Government, state governments, sub-divisions of those governments and Native American tribes. An example of its use listed on the US Department of Health and Human Services website is: “To protect the public’s health, such as by reporting when the flu is in your area.”