Why COVID Passports are taking so long

March 2021

Carbon Health (where I work) launched the Carbon Health Pass, a couple of weeks ago. This is the first COVID Passport that’s live in the US today with vaccination data. Any patient who has been vaccinated at a Carbon run site automatically gets one after their first shot. Here’s what it looks like:

This was straightforward to do for patients, because Carbon administers the vaccines, and as such has all the data. Carbon reports vaccination data directly to the state immunization registries, called IISes (all COVID Vaccine providers are required to). It’s tougher to do for everyone else (including the IATA Travel Pass[1], IBM Digital Health Pass[2], CommonPass[3] and Clear[4]). Here’s why.

IISes before COVID

In the US, prior to COVID, each state (and a few large city and county governments) managed its own Immunization Information System (IIS). Theoretically, these feed their data all the way to the CDC. The IISes are the state’s way of tracking who has what shot. Your doctor, when they give you a vaccination (such as measles or tdap) is encouraged to report it to the IIS. This way, the respective governments track penetration of a vaccine in their region.

Anecdotally I’ve heard that, prior to COVID, only 30% - 40% of immunizations ended up being reported to the IISes. This hasn’t been a problem during COVID, because the government entities distributing vaccines have made accurate IIS reporting a condition of receiving additional vaccine inventory.

The other advantage of IISes is that they enable providers to retrieve a patient’s full vaccine history. In a perfect world, everytime you see your primary care provider, they’d know if your immunizations were up to date, and if they weren’t, the doctor would be able to get you up to date with precision.

Today's Problems

Prior to COVID, in order to report to, or retrieve data from a state’s IIS, you had to be a licensed care provider with physical operations in that state. This is constraint is embedded in the statute[5] and from what I can tell, remains in place today. From my understanding states are still internally discussing changes to these rules in response to post-pandemic needs for vaccine verification. This creates two problems.

Coverage Across States

This problem existed prior to COVID. Say for instance, you grew up in Tulsa, and got your polio immunization there, and your immunization was properly reported to the Oklahoma IIS. If you moved to Boise, your doctor in Boise wouldn’t be able to check the Oklahoma IIS to verify your polio vaccination. This problem is compounded in COVID for a couple of reasons. The first reason is, a few of the COVID vaccines being administered in the US require 2 shots. As a result, if you receive your first shot in one state, then head to another, most administration systems still can’t retrieve your proof of vaccine from the original state, and thus must rely on you to ensure (for instance) that you’re not accidentally given the wrong second shot.

Access for non-healthcare providers

The second reason is that as a consequence of the pandemic, tons of organizations will rely on proof that you’re vaccinated to grant you access. This includes flights, cruises, sporting events and other scenarios where strangers congregate. None of these organizations (or the vaccine passports hoping to serve them) are care providers, so even in states where they operate, they wouldn’t by default be able to access the state IIS. In addition, even if they were able to get specialized access to the IISes, they’d still need individualized agreements with each state.

On top of these problems lies the issue that exists with all cases when a system is used in a way it’s not intended. IISes and the system of vaccine reporting were designed to assist doctors in keeping patients’ immunizations up to date. They are about to be used in everything from getting on planes to going to concerts, by entities that don’t regularly deal with clinical data, pulling from systems that don’t and that haven’t dealt with this volume of data in this short a period of time. There are going to be mistakes.

Scaling Issues

Over the course of 2021 and 2022, demand for proof of vaccine data will go through the roof. This means that government run databases that are used to being queried by low volume, low throughput, offline entities like hospitals and doctors offices, will start being queried by multiple, non healthcare entities, that are extremely high throughput, such as airlines, airports, cruises, hotels, concerts and conferences. In all likelihood, these databases won’t be set up to handle the load, and will need either an abstraction layer exclusively for this purpose, or will need to be directly re-engineered. Absent that, these databases will essentially be DDOS-ed and crash under the load (some state IISes are already basically down today, and currently the only load hitting them is vaccine reporting).

What comes next

My instinct is that this problem is too important for society to not be solved, and the technical and policy infrastructure exists to do it in a safe way, so I suspect one (or both) of two things will happen. Either states will come up with a framework for non-care providers to access their IIS, and the various vaccine passport companies will integrate with all the states via one of the API routing layers with integrations to all IISes (like IronBridge or STC Health). Or, the federal government will expose an API to the centralized database(s) being assembled by the CDC. Whichever way it goes, we’ll use it too.

Thanks to Caesar Djavaherian, Eren Bali, Lindsey Whitehouse, Fahm Saeturn, Nikhil Krishnan & Kerem Ozkay for reading this in draft form.


[1] https://www.iata.org/en/programs/passenger/travel-pass/

[2] https://www.ibm.com/products/digital-health-pass

[3] https://thecommonsproject.org/commonpass

[4] https://www.clearme.com/healthpass

[5] More details about this is here: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC§ionNum=120440