Eastern Mediterranean Health Journal | Articles in press | Short communications | Key security and privacy issues from implementing the National Electronic Health Record in the Islamic Republic of Iran

Key security and privacy issues from implementing the National Electronic Health Record in the Islamic Republic of Iran


Seyedesedigheh Seiedfarajollah 1, Reza Safdari 1, Marjan Ghazisaeedi 1 and Leila Keikha 1

1Department of Health Information Management, School of Allied Medical Sciences, Tehran University of Medical Sciences, Tehran, Islamic Republic of Iran. (Correspondence to: Leila Keikha).


Background: In countries that have not implemented Electronic Health Records (EHR) comprehensively, drawing on the experience of international organizations and adopting international standards are important steps in the development of EHR.

Aims: The objective of this study was to compare different dimensions of privacy in the EHR systems for the following standards organizations: ASTM, Health Level Seven (HL7), and International Organization for Standardization (ISO), in order to create a security and privacy model for EHR.

Methods: This study was done in two steps: 1) a survey of standards organizations, and 2) a comparison of the standards in comparative tables.

Results: Overall, 12, 1 and 5 standards were extracted from ASTM, HL7 and ISO, respectively.

Conclusions: Evidence shows that the goal of the standards was to create EHR systems that not only identify the access level of users, but also obtain consent for disclosing people's information and have data approved by authorized persons within a secure framework. In this regard, ASTM takes a comprehensive view of privacy issues, ISO 18308 focuses on security issues and data interoperability simultaneously, and HL7 emphasizes access.

Keywords: Privacy, standards, confidentiality, electronic health record, informed consent

Received: 28/08/17; accepted: 04/12/17

Citation: Seiedfarajollah S; Safdari R; Ghazisaeedi M; Keikha L. Key security and privacy issues from implementing the National Electronic Health Record in the Islamic Republic of Iran. East Mediterr Health J. 2019;25(x):xxx. https://doi.org/10.26719/emhj.19.006

Copyright © World Health Organization (WHO) 2019. Some rights reserved. This work is available under the CC BY-NC-SA 3.0 IGO license (https://creativecommons.org/licenses/by-nc-sa/3.0/igo).


In countries that either have not implemented electronic health records (EHR) comprehensively, or have had unsuccessful experiences with the implementation of EHR, utilizing the experiences of international organizations for the acceptance and incorporation of international standards is an important step in developing an EHR (1–3). However, using approved standards and modifying them according to the conditions and infrastructures of the country are key points for their successful implementation. Thus, it is necessary to assess the existing systems by current international standards and find practical solutions to close identified gaps before allocating resources.

Security and privacy are the key issues for EHR implementation. A literature review highlighted that technical and legal details, the individual’s right to privacy and policy-making are the major challenges to the development of EHR systems in low- and middle-income countries (4–11). The objective of this paper was to study current international standards in order to create a security and privacy model for EHR. Therefore, the authors compared the different dimensions of privacy, including access control, authentication / signature, consent, and security in EHR systems, in the standards of ASTM, Health Level Seven (HL7), and the International Organization for Standardization (ISO). In total, 12, 1 and 5 standards were extracted from ASTM, HL7 and ISO, respectively. Extracted standards were entered into comparison tables and evaluated in terms of number, diversity and content (Table 1).

Security and privacy

According to ASTM, guidelines must be established so that all patients and healthcare providers become aware of the content of their EHR. In contrast to ASTM, HL7 does not consider any guidelines on this subject, but addresses the issue through various standards with regard to the exchange of data. ISO’s stated key guidelines in terms of security, however, include validation, data integration, confidentiality and audit. In addition, the ISO 18308 requirements cover legal and ethical aspects of personal information as one of the main prerequisites for the development of EHR.

Access control

ASTM recommends that the management policy contain licenses for authorized access. HL7 considers access control via different standards (14,15), while ISO suggests that guidelines be established to define, attach, modify and delete access to the EHR system.

Authentication / signature

According to ASTM, all data entries must be confirmed by user identifiers. HL7 defines the related vocabulary and also the stated digital signature (16–18). According to ISO, however, authentication includes data source and user verification (19).


Consent

ASTM approves informed consent and recommends two types of consent: treatment consent and discharge consent. In HL7, the DC1.5 standard examines the creation, maintenance and verification for access to consents, licenses and advanced guides. ISO 18308 requirements also address this issue (20).

Evidence suggests that ASTM approaches security and privacy as a comprehensive subject, covering security and privacy, access, electronic signature and consent issues. Moreover, ASTM takes a more practical view by assigning data to three categories: very restricted, restricted and usual control. HL7 focuses on the subject of access, while ISO not only proposes requirements for security and privacy, access and consent in ISO 18308, but also discusses the issue of forensic medicine and medical ethics.


ASTM is comprehensive with regard to the issue of privacy, but for forensic and medical ethics, ISO 18308 may be applied. Therefore, before any planning for the design and development of a national EHR, it is essential to consider confidentiality and security when examining the interoperability of data. In addition, it is important to note that such research in countries that have not yet succeeded in implementing the EHR completely will prevent duplication and save time and cost.


We sincerely appreciate the directors of ASTM, HL7 and ISO organizations for their cooperation with this study.

Funding: None.

Competing interests: None declared.


  1. Deutsch E, Duftschmid G, Dorda W. Critical areas of national electronic health record programs—Is our focus correct? Int J Med Inform. 2010 Mar;79(3):211-22. https://doi.org/10.1016/j.ijmedinf.2009.12.002
  2. Sinha PK, Sunder G, Bendale P, Mantri M, Dande A. Electronic health record: standards, coding systems, frameworks, and infrastructures: John Wiley & Sons; 2012.
  3. Jahanbakhsh M, Rabiei R, Asadi F, Moghaddasi H. Electronic health record architecture: a systematic review. Journal of Paramedical Sciences. 2016;7(3):29-36.
  4. Dunlop L. Electronic health records: interoperability challenges patients' right to privacy. Shidler JL Com & Tech. 2006; 3:1.
  5. Fernández-Alemán JL, Señor IC, Lozoya PÁ, Toval A. Security and privacy in electronic health records: A systematic literature review. J Biomed Inform. 2013 Jun;46(3):541-62. https://doi.org/10.1016/j.jbi.2012.12.003
  6. Garde S, Knaup P, Hovenga EJ, Heard S. Towards Semantic Interoperability for Electronic Health Records. Methods Inf Med. 2007;46(3):332-43
  7. McGinn CA, Grenier S, Duplantie J, Shaw N, Sicotte C, Mathieu L, et al. Comparison of user groups' perspectives of barriers and facilitators to implementing electronic health records: a systematic review. BMC Med. 2011 Apr 28;9:46. https://doi.org/10.1186/1741-7015-9-46
  8. Terry NP, Francis LP. Ensuring the privacy and confidentiality of electronic health records. University of Illinois Law Review, 2007(2), 681-735
  9. Fraser H, Biondich P, Moodley D, Choi S, Mamlin B, Szolovits P. Implementing electronic medical record systems in developing countries. Inform Prim Care. 2005;13(2):83-95
  10. Xu W, Guan Z, Cao H, Zhang H, Lu M, Li T. Analysis and evaluation of the electronic health record standard in China: a comparison with the American national standard ASTM E 1384. International Journal of Medical Informatics. 2011;80(8):555-61.
  11. Hiller J, McMullen MS, Chumney WM, Baumer DL. Privacy and security in the implementation of health information technology (electronic health records): US and EU compared. BUJ Sci & Tech L. 2011;17:1.
  12. Kwak YS. Electronic health record: definition, categories and standards. J Korean Soc Med Inform. 2005 Mar;11(1):1-15
  13. ASTM. American society for testing materials 2017 (https://www.astm.org).
  14. Ueckert FK, Prokosch H-U, (eds). Implementing security and access control mechanisms for an electronic healthcare record. Proceedings of the AMIA Symposium; 2002: American Medical Informatics Association.
  15. Blobel B. Authorisation and access control for electronic health record systems. Int J Med Inform. 2004 Mar 31;73(3):251-7 https://doi.org/10.1016/j.ijmedinf.2003.11.018
  16. Quinsey CA. Using HL7 standards to evaluate an EHR. Journal of AHIMA. 2006;77(4A):C.
  17. Rau HH, Hsu C-Y, Lee YL, Chen W, Jian WS. Developing electronic health records in Taiwan. IT Professional. 2010;12(2):17-25
  18. Blobel B. Security requirements and solutions in distributed electronic health records. Information Security in Research and Business: Springer; 1997:377-90.
  19. Pharow P, Blobel B. Security Infrastructure Services for. Medical and Care Compunetics 1. 2004;103:434.
  20. Namli T. Security, privacy, identity and patient consent management across healthcare enterprises in integrated healthcare enterprises (IHE) cross enterprise document sharing (xds) affinity domain: Middle East Technical University; 2007.