Vaccine Credentialing Activities: WHO Interim Guidance
On March 19, 2021, the World Health Organization (WHO) issued its Interim guidance for developing a Smart Vaccination Certificate (SVC). This initial, admittedly incomplete document is aimed at describing WHO’s technical approach; two subsequent releases over the next few months are expected to cover ethical and privacy considerations (April 2021), and a further iteration of the technical considerations with additional emphasis on trust frameworks (May 2021). This current document is essentially a “request for comment” about WHO’s proposed technical approach. As usual, our observations will be focused on implications for the United States.
The interim guidance document identifies two use cases for SVCs: The first use case is the provision of vaccination information to support the “continuity of care.” This core need is currently met by the exchange of immunization information promoted by immunization information systems (IIS) in the US and elsewhere. The second use case is “proof of vaccination” for any number of purposes based on the vaccinations that the person has received. Both of these use cases are expected to be served by the same SVC.
Proposed Standards and Architecture
In order to achieve this across the globe, WHO proposes that each member country implement systems relying on similar technical standards and an agreed-upon trust framework that will allow national systems to trust one another as providing both authoritative as well as technically verifiable data. Users need to be sure that not only is vaccination data coming from a reliable source but that it has not been tampered with. National-level public health agencies (PHA) are also expected to create an SVC Registry where the digitally-signed SVC documents are deposited and from which the public health agencies can make them available. All this would be done in conformance with the OpenHIE specifications summarized in the WHO document.
OpenHIE is an open source standard for health information exchange (HIE), the process of enabling the sharing of clinical and other medical information between organizations and even patients. OpenHIE values real-world, implementable standards that serve its members in practical ways. The focus is on supporting the exchange of information both within countries and between countries. OpenHIE relies heavily on standards selected by the Integrating the Healthcare Enterprise (IHE). To date, OpenHIE has only had traction in sub-Saharan Africa and now southeast Asia.
HIE in the US is conducted somewhat differently, as usual with much less top-down direction by the government (or anyone else) and more organic, bottom-up activity. Health information organizations (HIO) that facilitate interoperability between parties in the US are often state-level or regional organizations, many participating in national networks to extend their reach. A variety of technical standards are used including those from Health Level Seven (HL7). The Office of the National Coordinator for Health Information Technology (ONC) does provide coordinating activities and helps implement any directives from Congress in this area including most recently elements related to interoperability embodied in the 21st Century Cures Act.
Information Storage and Data Flow
The functionality described by WHO does not appear to be the same as an immunization registry or IIS where the full clinical record might be found (see our earlier blog on sources of data for vaccine credentials). This is also not consistent with the notion of a person’s “digital wallet” where they might hold an SVC that is promoted by most major SVC initiatives (though it does not preclude the use of this type of personal repository). Since the US does not have a national IIS it is also not likely that a national SVC repository would be created either. OpenHIE is not used in the US (including the recommended client [patient], health worker [provider], and facility registries). However the US does have distributed systems that support the core workflows.
The interim guidance makes a point of saying that neither WHO nor any member country is expected to consolidate SVC data for a patient from vaccinations that may have been received in different countries. Each country will be expected to issue its own SVC for its part of the record and it is incumbent upon the individual to gather the necessary records together.
In the US this is contrary to the notion of an IIS recording (and providing) a consolidated record of both doses administered by a healthcare provider as well as historical doses that the provider feels are accurate though not administered at the same location. It is only assumed that this distinction is to ensure that the certification of vaccination data only applies to records actually received from their administration source. This may be sensible for COVID-19 vaccinations but may be less practical for sharing the broader set of childhood and adult immunizations.
Public Key Infrastructure
WHO member countries are also expected to maintain a digital trust environment using public key infrastructure (PKI) that is consistently implemented across all member nations. PKI allows different computer systems to trust one another through strong data encryption so parties who can reliably authenticate each other’s identities.
WHO will provide a master directory to ensure that all participants can identify the location of these systems. While this may be suitable for countries that already have a “top-down” organization of both government and healthcare, the US does not readily have such a hierarchical trust framework within its healthcare infrastructure that can easily be leveraged for this international purpose. In addition, this kind of infrastructure is not used in the US to control access to the query/response function provided by our jurisdictional IIS (which are mostly at the state/territory level).
It is still unclear how member nations will react to WHO’s proposal, and how easily they could adopt and implement its recommendations. This would be particularly challenging to the US, but in our next blog we will discuss some useful models from public health that address some of the “missing pieces” in these proposals.