Arizona has done an admirable job delivering over 2 million vaccines to its citizens so far. Today, marks a milestone, with @AZDHS announcing that anyone above the age of 16 is eligible to get a vaccine as of March 24, 2021.
There is a significant body of scientific study, such as one being done in Israel which indicates that after the vaccine, even asymptomatic carriers have a vastly reduced viral load, minimizing the spread of the disease.
Guided by science, we should be able to take advantage of this to allow employees to safely return to work and businesses to resume close to normal operations. Employers, such as Bolthouse Farms have setup vaccination clinics and given incentives to their employees to take the vaccine. Very few employers are contemplating a mandate, instead opting for incentives and providing objective information so that employees can make informed decisions.
When folks return to work, employers have to check whether a person has been vaccinated or taken a test recently, especially in manufacturing/assembly environments where employees tend to work close to each other for hours.
Privacy Concerns
Employee privacy needs to be protected while ensuring their medical readiness. Any attempt to federate information from the healthcare provider or the state Immunization Information Systems is fraught with potential privacy violations and leads to added liability and risk for the employer.
Currently, we have the technology to allow for information such as an immunization record or a test result to be securely provided to an employee as a digital record. This digital record has cryptographic properties that make it tamper proof and is in complete control of the employee. The digital record can be issued to a "mobile wallet" application in an employee's mobile phone (many free ones such as connect.me, trinsic.id and the soon to be available IATA Travel Pass exist and more will be released).
For those without mobile phones, inexpensive digital cards such as the ones from Zebra Technologies or companies like Tangem can be used. These are offline alternatives that allows us to empower employees with secure access to their health information.
Digital Credentials
These technologies fall under the category of Self Sovereign Identity (SSI) and are backed by standards such as W3C Verifiable Credentials standard (W3C stand for the worldwide web consortium, an international community that develops open standards for the web).
The biggest advantage of these digital records is that it is under the complete control of the holder of the credential. The holder (employee) can present these credentials at the entrance to a place of work and a piece of software called a "Verifier" can quickly check if the credentials are tamper free and valid.
The best part is, only the minimum required data that needs to be verified can be presented - typically it is a check if the correct test or immunization record exists and if it is not past an expiration date. That's it. The "Verifier" software is written in such a way that it does not record any unnecessary information.
As a matter of fact, when the credentials are presented, the credential can carry a "Terms of Use" clause, that is digitally signed and presented by the holder which can restrict you from storing the credential data.
Governance standards have been developed for these verifiable credentials in order to ensure that the best practices are adhered to. The COVID-19 Credentials Initiative is one such body that has been working hard for over a year to develop these best practices, seeking input from a wide variety of resources including privacy experts.
Building a Digital Credential Network
So, how do we go about providing this digital record to employees and how do we provide the tools to employers to verify this data in a privacy preserving manner? Let us address the first part.
When the federal administration made vaccines for COVID-19 available, providers had to enter into an agreement with the CDC and adhere to a set of standards. One of the standards stipulate that all providers will have to provide vaccination data to the appropriate local authority. The exacts words are as follows:
"After administering a dose of COVID-19 vaccine, record to the extent not already recorded in the vaccine recipient’s record all information marked below by an asterisk and report the following required vaccine administration data, or other data elements if revised by CDC, to the appropriate entity noted in the agreement."
In the case of Arizona, the appropriate entity is ASIIS run by the Arizona Department of Health. So, wherever an employee takes a vaccination, whether it is at Statefarm Stadium or at a private clinic, the data needs to be reported back to the ASIIS system. While it is possible to issue the digital credential to a phone or a digital card at the time of delivering the vaccine, that will remain impractical for quite some time.
The focus of the healthcare delivery system now is to vaccinate as many people as possible. So, adding the burden of issuing a credential in this process, however streamlined it is, can be burdensome. The only situation where this may work is if the employer is organizing the vaccination drive. Even there, we will not be able to cover all the corner cases.
Moving Forward in Arizona
So, for Arizona, the best method is to tap into the state ASIIS system. This is going to require some investment of resources, but in the end this will help solve the problem for all employers in the state. How it could work is to make available a mobile app that an employee downloads and fills in some basic information so that their data can be matched with the ASIIS system. If a match is not found, then a manual intervention needs to be developed via a ticketing application to get the matching done between the employee and the ASIIS system.
Once the match is in place, an employee should be able to request a digital record of their COVID-19 vaccine (Technically this can be extended for all their vaccine information as well as the one for their children, but that is for another blog post!). The digital record will conform to the W3C Verifiable Credentials format along with the correct cryptographic signatures required by the standards.
Verifier software can be built as per the W3C Verifiable Credential standards and hosted in the cloud. Employers can subscribe to this service and use the software to verify the credentials the employees hold. This is simply done by the employees mobile app reading a QR code and establishing communication with a verifier. The verifier will do the rest and report either a success or failure. No other data needs to be reported. Verifier apps can run on desktops, laptops, mobile phones and tablets so it can be easily implemented under all situations.
Call to Action
This is a call to action to our Governor and state lawmakers. Can we move fast to enable employees to get access to their vaccination data?
This is also a call to action for companies like ours, Pravici. Pravici is a Chandler based startup and would love to provide our expertise to Arizona to solve this important issue - bringing employees safely back to work! We have extensive experience in this technology and have built a product to do the same, check out www.pocketcred.com.
We are happy to partner with the state as well as all parties concerned to make this happen. We can customize the verifier to suit the employers requirements, whether it is a big manufacturing facility or a small bar. This is not about making money but saying thanks to a state where we have thrived in good times. It is time to pay it forward.