Proving Vaccination Status? There’s an App for That (Now More Than Ever)
ImmunaBand, Proxy, Clear Health, and SMART Health Cards aim to make it easier for businesses, workers and customers to prove they’ve gotten their COVID shots
A new crop of startups and apps have emerged to grapple with the problem of verifying and securely storing vaccine data on mobile devices as more governments and companies require proof of vaccination to enter workplaces and businesses.
While New York City and State each have their own vaccine verification apps, NYC Covid Safe and Excelsior Pass, most cities and states do not. That leaves employers and workers with cobbled-together solutions, like emailed photos of vaccine cards and Excel spreadsheets, or, increasingly, turning to tech startups that have developed specialized vaccine passes.
Some of these companies only focus on verifying vaccine cards and making the data as easy as possible to retrieve. ImmunaBand, for example, makes blue silicone wristbands printed with a QR code, which someone can then scan to access a password-protected photo of the wearer’s vaccine card. When the Colorado-based firm works with corporate clients, it goes through the process of individually checking vaccine cards that are unusual or aren’t valid in some way.
Dr. Tashof Bernton, who developed the band, said that his firm rejects about 10 percent of the vaccination cards it receives from individual customers. Some are rejected for being blurry, or because people send selfies. Others are denied because they appear to be forged, or because ImmunaBand wasn’t able to verify the legitimacy of the card.
A typical vaccine card has the Centers for Disease Control and Prevention seal, the patient’s name and birthday, the name of the vaccine, the dates of the vaccinations, and stickers indicating the vaccine lot numbers, according to Bernton. However, some vaccine centers opted to use hospital system cards, rather than the CDC-issued ones, or their staff decided to handwrite the lot numbers for the vaccines instead of using stickers.
“With those cards, what we do is we call and talk to the center,” Bernton explained. “Because of HIPAA legislation, I can’t call up and say, ‘Did John Smith get vaccinated on Jan. 8 at your site?’ But I can ask questions about the card and send photos. We might call a vaccination center and say, ‘Did you handwrite this lot number?’”
ImmunaBand has distributed roughly 100,000 wristbands and works with educational institutions and companies across the restaurant, tech and transportation industries. It sets up an online portal to where companies can direct their employees, who then upload their vaccine cards and any other necessary information. Then, it maintains a HIPAA-complaint database of the vaccination records.
“Often, the company doesn’t want to be in the middle of [verifying vaccine cards],” Bernton said. “We handle the information and issue the ImmunaBands if they wish to use them.”
There are a few other companies that have gotten into the vaccine app business, including publicly traded airport check-in platform Clear. The company’s Clear Health pass can read and verify QR codes; double-check vaccine and lab records from large retailers like Walgreens, Walmart or Sam’s Club; and use image recognition software to verify photos of vaccine cards. One of the company’s executives admitted to The Washington Post that its process was “imperfect” because it doesn’t verify the vaccine cards with vaccine providers.
Another early entrant in the vaccine verification race was the nonprofit Commons Project, which worked with other members of the Vaccine Credential Initiative to develop SMART Health Cards. The initiative — which includes Mayo Clinic, Microsoft, Apple and UC San Diego Health — encompasses dozens of public and private health institutions.
The SMART Health Cards became the basis for New York and California’s state vaccine passport apps, and many large vaccine providers now issue SMART cards or have developed vaccine apps based on the SMART framework. The cards themselves are just QR codes with a few lines of vaccine information, and they can be printed or stored in certain mobile apps, such as Common’s Health app.
Other vaccine passport developers, like VaxYes, claim that they use state vaccination records to check whether cards are valid.
Bernton, of ImmunaBand, pointed out that, while many states maintain their own vaccine databases, some don’t even necessarily keep centralized vaccine data. Instead, they rely on providers to manage the data.
“There’s not one database, there’s 50 at a minimum,” said Bernton. “So you have to go state by state.”
He noted that his company doesn’t have access to the state databases, but he hopes that one day there will be a systematic way to verify vaccine data with each state. He also thinks that state governments may reach a point where they’ll be willing to verify a specific person’s vaccine status, if they receive a notarized statement from that person.
Naturally, many health tech startups are also concerned with tying vaccination status to office building access. Many companies — especially large corporations like Morgan Stanley and Walmart — are rolling out vaccine mandates for their employees and want a streamlined way to prevent people from entering their offices, if they can’t furnish proof of a vaccination or a recent negative test.
Google, for instance, hired private clinic operator One Medical to verify vaccine cards for all 144,000 of its employees, according to the Post. (Google’s parent company, Alphabet, invested in One Medical before the health care startup went public in January 2020.) Employees are expected to send a photo of their vaccine records to One Medical via its web portal or app. The company, which uses human reviewers to verify vaccination cards, told the Post that it has integrated with “several state vaccine databases” that it uses to match patient records.
On Aug. 9, Google started conducting spot checks to ensure that only vaccinated employees were on-site at its Bay Area offices.
But, many firms are relying on less labor-intensive forms of vaccine card verification. San Francisco-based startup Proxy, for example, built a mobile Health Pass app that allows employees to upload their ID and vaccine card, which can then be verified by a receptionist or a building security guard. When workers enter the office, they use their phone to tap an iPad with Proxy’s check-in app. If the employee’s credentials match what the company requires, the screen flashes green to let them know they can go in. The check-in app can also be configured to ask COVID screening questions — like whether the employee has been sick or has tested positive for COVID in the last few days — and to require a negative COVID test as an alternative to a vaccination card.
Proxy doesn’t store any health data on its servers, because the vaccine card is stored locally on a user’s phone.
“There’s nothing on our servers, and there’s nothing on the company’s servers and dashboard,” explained Ed Dischner, the company’s vice president of sales. “There’s liability with personal health information. We don’t want it, companies don’t want it.”
He emphasized that the app is structured so that you only show your vaccine card when you want to, typically at the request of an employer or building security person.
“You’re only sharing your [vaccine] certificate with your consent,” said Dischner. “The employer can request to see your certificate. We’re not forcing that on anybody.”
He added that employers can prevent building access for people who don’t show the necessary credentials. Proxy’s check-in app also logs everyone who comes in and out, and keeps track of who “fails” the credential requirement when they tap their phone. The firm’s flagship app already allows touchless building access as an alternative to plastic security badges.
Ultimately, Dischner said that Proxy wanted to make the vaccine card verification process as painless as possible for employers.
“We’re not trying to make this a political conversation,” he explained. “We’re trying to have this be a safe and secure way for businesses to go back to work without sacrificing privacy.”
Rebecca Baird-Remba can be reached at email@example.com.