Following two decades of efforts by the Ministry of Health and Medical Education (MOHME) to develop a nationwide electronic health record system, Iran made e-prescribing mandatory as of December 22, 2021. These regulations, however, have raised significant concerns about patient privacy and confidentiality among both health care providers and the authorities of professional bodies such as the Iranian Council of Medicine. In this paper, we analyze these concerns from an ethico-legal perspective.
An Electronic Health Record (EHR) is “an electronic record of health-related information of an individual that conforms to nationally recognized interoperability standards and can be created, managed, and consulted by authorized clinicians and staff across more than one health care organization” (1). E-health has drawn the attention of policymakers in Iran since 2000. In 2001, the MOHME approved the TAKFAB project as the first pilot project for creating an e-health system in Iran. The SEPAS project was another MOHME-supported e-health project, which ran in Iran from 2007 to 2018 (2).
By giving authorized clinicians access to patients’ medical records, increasing the accuracy of medical decision-making, saving costs, reducing medical errors, promoting clinical research and education, and enabling effective communication between health care providers, an EHR improves the quality of care (1,2). It can also play a crucial role in the sustainability of health systems, as it facilitates structural reforms and policy-making processes (2).
Ethico-legal aspects of medical confidentiality
The above-mentioned goals of EHR can be achieved only through the appropriate use of digital health, which takes its ethical and legal elements into account; the most essential of these are confidentiality and privacy (3). According to the World Health Organization (WHO), the primary prerequisite for successfully implementing an EHR is maintaining confidentiality: defining liability for information security and managing responsibilities, independently examining information security, securing third-party access, and including security requirements in contracts with external organizations (4).
Confidentiality is “the most widely followed rule in medical ethics across history and cultures.” Confidentiality rules date back to the Hippocratic Oath and are still incorporated into present national and international medical ethics codes (5). In modern bioethics it is recognized as “informational privacy.” Maintaining confidentiality is one of the professional duties of health care practitioners. However, as the nature of today’s patient-physician relationship has changed, maintaining patient confidentiality has come to depend on many factors, and it has shifted from an individual duty to an organizational one.
A breach of the duty of confidentiality occurs when the health care system fails to protect health data from manipulation, unauthorized access, and abuse. Promoting trust in the system by aligning it with legal requirements is the critical factor in the implementation of national eHealth systems (6). Most developed countries, including but not limited to Australia, Canada, England, and the United States, have laws requiring the security and protection of patients’ health data (4).
The Health Insurance Portability and Accountability Act (HIPAA), for example, is the best-known such regulation and the one with the greatest impact on patients. HIPAA was passed in the United States in 1996 to improve the portability and accountability of health insurance coverage (7). It implements numerous measures to secure sensitive personal and health information, resting on three categories of safeguards: administrative, physical, and technical. Administrative safeguards require organizations to establish policies and procedures that demonstrate how they comply with the rule. Physical safeguards regulate physical access to data storage and records in order to preserve patients’ privacy. Technical safeguards protect communications containing health information when they are transmitted electronically. Furthermore, under HIPAA, the use of personal information for marketing, fundraising, or research requires the patient’s permission (7).
The WHO calls on health care systems to strengthen governance for digital health at the global, regional, and national levels by creating sustainable and robust governance structures and building capacity for digital health internationally and nationally. The strategic goal of EHR implementation should be to promote standards for safety, security, privacy, interoperability, and ethical data use within and outside the health sector. In their strategic planning, governments should include principles for the ethical use of health data in technologies such as artificial intelligence and big data analytics (3).
Medical confidentiality and the right to patients’ privacy in current Iranian law and regulation
Iranian legal protection of confidentiality, particularly with respect to the new EHR regulations, is insufficient: Article 648 of the criminal code is the only provision that governs patient confidentiality. Under this article, physicians, surgeons, midwives, pharmacists, and anyone else who learns others’ secrets through their occupation are obliged to keep those secrets. However, the penalty this article imposes does not serve as a deterrent.
Likewise, patients’ privacy in electronic health record systems is not guaranteed under Iranian legislation. The Iranian judicial system does not clearly acknowledge the concept of privacy. This does not mean that the Iranian Constitution fails to protect privacy altogether; some of its articles imply privacy without defining it clearly. For example, Article 22 states that “the dignity, life, property, rights, residence, and occupation of the individual are inviolate, except in cases sanctioned by law” (8). The Iranian legal system is a civil law system and does not recognize privacy as an independent legal institution. Some articles of the Criminal Procedure Code, such as Articles 96, 146, and 150, imply a right to privacy, but they are not applicable to patients’ privacy in the health care system (9). It can be argued that the Law on Dissemination of and Free Access to Information was the first law to refer to an individual’s privacy, although the law itself does not establish a clear definition of it (10). Article 15 of that law requires written consent before information is disclosed to third parties (10). The concept of privacy is explicitly defined only in the procedural code of the Law on Dissemination of and Free Access to Information, which classifies medical information as personal information that a third party may access only with the individual’s consent or with legal authority.
The detrimental effects of breaching patients’ confidentiality in the current EHR system
There is no mention of confidentiality or privacy in the documents and texts of Iran’s new e-Health regulations. Today, approximately 50 websites and applications have access to medical information as a result of mandatory electronic prescribing, yet, as physicians and other health professionals have noted, there is no comprehensive regulation for the safekeeping of this information. As discussed above, prior research had already identified the lack of confidentiality and security measures as a major deficit of the pivotal electronic health projects run in Iran; nevertheless, the documents and guidelines of the existing e-health regulations still severely lack protective measures for confidentiality, security, and privacy. If the EHR system continues to operate in its current form, it will therefore do great harm to the patient-physician relationship and to the quality of care in the Iranian health care system.