Is this providing proof of a vaccination or just proof of a record in an EHR

[josiahdecker]

As far as I know, If I go tell my PCP that I got vaccinated at walgreens/cvs/etc then he or she is likely to enter it into the EHR as a vaccination record without requiring any proof from me. Once it's in the EHR I can get a signed health card where the EHR attests to the fact that I got vaccinated, even though it's only based on my claim to my doctor.

Is this correct? If so, what's the value in providing the secure framework around the attestation when the original claim can be easily faked?

Is there a requirement for the issuers to have somehow verified records they are signing, or distinguish between patient claims of vaccinations and vaccinations that were done in-house?

[arztnh]

The work flow you describe is absolutely correct. Noam On 3/30/2021 6:53 AM, josiahdecker wrote: As far as I know, If I go tell my PCP that I got vaccinated at walgreens/cvs/etc then he or she is likely to enter it into the EHR as a vaccination record without requiring any proof from me. Once it's in the EHR I can get a signed health card where the EHR attests to the fact that I got vaccinated, even though it's only based on my claim to my doctor. Is this correct? If so, what's the value in providing the secure framework around the attestation when the original claim can be easily faked? Is there a requirement for the issuers to have somehow verified records they are signing, or distinguish between patient claims of vaccinations and vaccinations that were done in-house? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe. [ { ***@***.***": "http://schema.org", ***@***.***": "EmailMessage", "potentialAction": { ***@***.***": "ViewAction", "target": "#109", "url": "#109", "name": "View Issue" }, "description": "View this Issue on GitHub", "publisher": { ***@***.***": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

[jmandel]

It gets even more challenging when you consider that the site providing an initial vaccination may not have actually checked a person's ID (e.g., often a person is just asked to supply their own name and birth date).

The aim here is to model what we know, including uncertainty -- so for the vaccination use case, https://github.com/dvci/vaccine-credential-ig is capturing requirements and data modeling decisions, but to summarize here:

• a Health Card can include information about the level of identity assurance achieved. This is an explicit "IAL" value, to help verifiers decide how to use the information in the Health Card. http://build.fhir.org/ig/dvci/vaccine-credential-ig/branches/main/index.html#identity-assurance has details.

• a Health Card can include information indicating whether the Immunization record was captured by a "primary source" (http://build.fhir.org/ig/dvci/vaccine-credential-ig/branches/main/StructureDefinition-vaccine-credential-immunization-definitions.html#Immunization.primarySource), which gets at your question more directly

Overall, I'd note that Health Cards are designed for use in mixed environments where trust levels (and requirements!) may vary by use case. We focus on exposing what's known, and conveying associated levels of uncertainty.

[steatcal]

The link in bullet item 2 is not resolving. Can you update?

[agropper]

Where are we tracking the use of photos in association with a credential? Is this a premature close?

[jmandel]

I don't think photos came up in this thread, so it can't be prematurely closed for that reason :-)

The thread asked a question about what a Health Card provides "proof" of, and I tried to answer --- happy to re-open if this answer is not helpful, but may migrate to a "GH Discussion" if the aim is to explore other topics.

[agropper]

We are used to credentials including an identifier that can be checked against a biometric. For example, a vaccination or testing site might match the name and DOB against a driver's license and attest that they did that as part of the credential.

In other cases, the biometric is included in the credential itself. Some health records display a person's face to avoid patient matching errors as much as to prevent fraud.

What we're seeing in the health cards context is terrifying. Here's Walmart: https://hitinfrastructure.com/news/walmart-increases-access-to-digital-health-records-for-vaccinations using CLEAR. Here's how CLEAR sells ambient surveillance as a "convenience" https://onezero.medium.com/clear-conquered-u-s-airports-now-it-wants-to-own-your-entire-digital-identity-15d61076e44d

The overall public health impact of adding fraud-prevention to vaccination or testing has not been studied as far as I know. I'm reminded of analyses that relate the impact of anti-terrorism money laundering regulations to making a large fraction of the "global south" unbanked and facing usurious rates for getting remittances from relatives abroad which is, in effect, a public health issue.

Does anyone have data on the public health impact of fraud-resistant test and vaccine credentials?