Is this providing proof of a vaccination or just proof of a record in an EHR

[josiahdecker]

As far as I know, If I go tell my PCP that I got vaccinated at walgreens/cvs/etc then he or she is likely to enter it into the EHR as a vaccination record without requiring any proof from me. Once it's in the EHR I can get a signed health card where the EHR attests to the fact that I got vaccinated, even though it's only based on my claim to my doctor.

Is this correct? If so, what's the value in providing the secure framework around the attestation when the original claim can be easily faked?

Is there a requirement for the issuers to have somehow verified records they are signing, or distinguish between patient claims of vaccinations and vaccinations that were done in-house?

[arztnh]

The work flow you describe is absolutely correct.

Noam

On 3/30/2021 6:53 AM, josiahdecker
  wrote:

  As far as I know, If I go tell my PCP that I got vaccinated at
    walgreens/cvs/etc then he or she is likely to enter it into the
    EHR as a vaccination record without requiring any proof from me.
    Once it's in the EHR I can get a signed health card where the
    EHR attests to the fact that I got vaccinated, even though it's
    only based on my claim to my doctor.
  Is this correct? If so, what's the value in providing the
    secure framework around the attestation when the original claim
    can be easily faked?
  Is there a requirement for the issuers to have somehow verified
    records they are signing, or distinguish between patient claims
    of vaccinations and vaccinations that were done in-house?
  —
    You are receiving this because you are subscribed to this
    thread.
    Reply to this email directly, view it on GitHub, or unsubscribe.
  [

{ @.": "http://schema.org", @.": "EmailMessage", "potentialAction": { @.": "ViewAction", "target": "https://github.com/smart-on-fhir/health-cards/issues/109", "url": "https://github.com/smart-on-fhir/health-cards/issues/109", "name": "View Issue" }, "description": "View this Issue on GitHub", "publisher": { @.": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

[jmandel]

It gets even more challenging when you consider that the site providing an initial vaccination may not have actually checked a person's ID (e.g., often a person is just asked to supply their own name and birth date).

The aim here is to model what we know, including uncertainty -- so for the vaccination use case, https://github.com/dvci/vaccine-credential-ig is capturing requirements and data modeling decisions, but to summarize here:

• a Health Card can include information about the level of identity assurance achieved. This is an explicit "IAL" value, to help verifiers decide how to use the information in the Health Card. http://build.fhir.org/ig/dvci/vaccine-credential-ig/branches/main/index.html#identity-assurance has details.

• a Health Card can include information indicating whether the Immunization record was captured by a "primary source" (http://build.fhir.org/ig/dvci/vaccine-credential-ig/branches/main/StructureDefinition-vaccine-credential-immunization-definitions.html#Immunization.primarySource), which gets at your question more directly

Overall, I'd note that Health Cards are designed for use in mixed environments where trust levels (and requirements!) may vary by use case. We focus on exposing what's known, and conveying associated levels of uncertainty.

[agropper]

Where are we tracking the use of photos in association with a credential? Is this a premature close?

[jmandel]

I don't think photos came up in this thread, so it can't be prematurely closed for that reason :-)

The thread asked a question about what a Health Card provides "proof" of, and I tried to answer --- happy to re-open if this answer is not helpful, but may migrate to a "GH Discussion" if the aim is to explore other topics.