Head of Department: Maryam Borabadi (Master of Medical Records)

Overall goals:

  • Improving the management of medical records department staff
  • Improving the quality of the services provided in medical education
  • Promoting interaction with clients and employees
  • Improving the level of security and confidentiality of clinical records
  • Increasing the application of information technology in the various medical records services
  • Improving the quality of the medical records sector in accordance with the accreditation standards

Services rendered:

  • Responding to all clients requesting medical records inside and outside the hospital, including supplementary insurance, legal medicine and the medical system
  • Collecting and providing statistics on the activities of all hospitals, clinics and paraclinical units of the hospital, comparing and analyzing the statistical data, and providing the statistical reports required internally and externally
  • Recording patient statistics in national systems
  • Coding diagnoses and therapeutic measures in patient records and registering the codes in the HIS
  • Organizing and controlling all activities related to the archives of inpatient and outpatient cases
  • Replying to administrative communications

Information and access level:

In our era, known as the information age, no factor can compete with information in creating added value. Defining rules and internal and external mechanisms is what guarantees the confidentiality of medical information.
Defining levels of access to information, and drafting rules on how it is disclosed, to what extent, at what time and place, to whom and at what level of discretion, are all issues that have challenged the managers of hospitals and health centers at both the micro and macro level.
Medical records are considered as one of the most important documents that contain the most sensitive medical and health information of individuals. Therefore, maintaining the confidentiality of the information provided and the documents in the medical records of patients is a high priority.
Also, with the increasing need to use computerized medical information systems, the confidentiality of patient information has taken on new dimensions and has become one of the main medical topics bearing on the information security of individuals. A comprehensive system for providing medical services should be of desirable and specialized quality.
This information will be widely disseminated if the criteria for evaluating, improving and maintaining confidentiality are not defined. On the other hand, managers of hospitals and health centers are concerned about the lack of clarity about the degree of confidentiality and the levels of access to information in the hospital information system (HIS). Therefore, health institutions should have clear guidelines on how to access patient medical records.


Accessibility: Access to the health and treatment information of persons that is held by another facility.
Defining access levels: Determining the level of access that individuals need to a protected source.
Confidentiality: The right of individuals to restrict access to and use of their personal information.
Security: Protecting computer systems and data from damage and loss. The main focus of computer security is to control systems that are accessible by different people or through different lines and to prevent unauthorized access to them.
Difference between confidentiality and security: Confidentiality is the protection of information so that unauthorized persons cannot read it; security is the protection of systems, resources and information against unauthorized access and abuse.
Confidentiality and security: Privacy is a subset of security, because security is not limited to data protection. When designing secure networks, you need to look beyond the confidentiality of information and make sure that the whole network is properly used, even if all communication between network elements is confidential.

Providing Appropriate Access:

Today, access to health services is considered the most important indicator of community health promotion. How health services are obtained, how needs are met and how stakeholders in the community are answered are critical factors in building the infrastructure for service promotion. A lack of proper communication and poor access (in terms of quality and comprehensiveness) to health services causes irreparable damage and distorts the concept of social justice, which is a necessary and sufficient condition for the survival of society. Considering the importance of this in countries with access to health services in the world at 90th level is vital.
Necessary amendments to documents and information must be made only by authorized persons, through permitted and well-defined procedures and processes. Usually, various methods are used to determine the level of authority for accessing documents and information, some of which are:

  • User-based method: the access level is defined according to who the user is.
  • Role-based method: the level of authority is defined according to the type of role the user plays.
  • Situation-based method: the level of access is determined by a combination of factors: who the person is, where he is and when.
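
One way to combine the three methods listed above into a single deny-by-default access decision for a records system, as an added example that is not part of the original page. The roles, user IDs, record sections, duty hours and care-team table are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed policy data: every role, user ID, section and hour is an assumption.
ROLE_PERMISSIONS = {  # role-based: what each job function may do
    "physician": {("clinical", "read"), ("clinical", "write"), ("demographics", "read")},
    "coder": {("clinical", "read"), ("demographics", "read")},
    "billing_clerk": {("demographics", "read")},
}
USER_GRANTS = {"u-legal-01": {("clinical", "read")}}  # user-based: named individuals
CARE_TEAM = {("u-phys-07", "p-1001")}                 # situation: who treats whom
ON_SITE = {"ward", "records_office"}                  # situation: where
DUTY_START, DUTY_END = time(6, 0), time(22, 0)        # situation: when


@dataclass(frozen=True)
class Request:
    user_id: str
    role: str
    section: str      # "clinical" or "demographics"
    action: str       # "read" or "write"
    patient_id: str
    location: str     # "ward", "records_office" or "remote"
    when: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: str        # which method(s) the decision rests on
    reason: str       # recorded for the audit trail


def user_based(req: Request) -> bool:
    """Access attached to one named user, regardless of role."""
    return (req.section, req.action) in USER_GRANTS.get(req.user_id, set())


def role_based(req: Request) -> bool:
    """Access attached to the role the user plays."""
    return (req.section, req.action) in ROLE_PERMISSIONS.get(req.role, set())


def situation_based(req: Request) -> Optional[str]:
    """Check who/where/when; return the reason for refusal, or None if acceptable."""
    if req.role == "physician" and (req.user_id, req.patient_id) not in CARE_TEAM:
        return "no care relationship with this patient"
    if req.location not in ON_SITE:
        return "location not permitted for clinical data"
    if not (DUTY_START <= req.when.time() < DUTY_END):
        return "outside duty hours"
    return None


def decide(req: Request) -> Decision:
    # A user grant or a role permission is required first; anything else is denied.
    if user_based(req):
        basis = "user"
    elif role_based(req):
        basis = "role"
    else:
        return Decision(False, "none", "no user grant or role permission")
    # Confidential (clinical) sections additionally depend on the situation.
    if req.section == "clinical":
        basis += "+situation"
        problem = situation_based(req)
        if problem:
            return Decision(False, basis, problem)
    return Decision(True, basis, "granted")


_DAY, _NIGHT = datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 23, 30)
SAMPLES = {  # constructed requests
    "treating_physician": Request("u-phys-07", "physician", "clinical", "write", "p-1001", "ward", _DAY),
    "other_patient": Request("u-phys-07", "physician", "clinical", "read", "p-2002", "ward", _DAY),
    "night_access": Request("u-phys-07", "physician", "clinical", "read", "p-1001", "ward", _NIGHT),
    "remote_coder": Request("u-code-03", "coder", "clinical", "read", "p-1001", "remote", _DAY),
    "clerk_clinical": Request("u-bill-02", "billing_clerk", "clinical", "read", "p-1001", "records_office", _DAY),
    "clerk_demographics": Request("u-bill-02", "billing_clerk", "demographics", "read", "p-1001", "remote", _DAY),
    "legal_named_user": Request("u-legal-01", "legal_officer", "clinical", "read", "p-1001", "records_office", _DAY),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        d = decide(req)
        print(f"{name:20} {'ALLOW' if d.allowed else 'DENY':5} {d.basis:15} {d.reason}")
```

The `reason` string on every decision, including refusals, is what an access audit log would record.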

Approved laws and regulations on access to medical information and medical records in the United States

(The Access to Medical Documents and Medical Information Act 1990)

An application for access to medical records can be made by the person concerned or by a person legally permitted to do so, so there is no need to write an application. After the person's death, persons with a claim arising from the death can apply to see the medical records of the deceased, unless the person asked in writing before death that access to the records be prevented. If an individual or organization that holds medical records and information believes that disclosing this information could lead to serious physical or psychological harm to the patient or another person, it can refuse to provide the information and access to the patient or other persons authorized to receive it.

(The Access to Medical Reports Act 1998)
Under this law, everyone has the right to see the medical reports about them prepared by the doctor or person responsible for their care. Such reports may be prepared for employment, insurance or any other specific purpose. Each employer or insurance company that wishes to request a medical report from a private health practitioner must first obtain the consent of the individual and inform him of his right to access his information under the law. The person has the right to see the report before it is sent to the employer or the insurance company. No one has the right to modify or amend the medical records unless the physician agrees, but the individual has the right to refuse to allow a medical report that needs correction to be sent to anyone. If a person feels that he or she has been wrongly prevented from seeing a medical report, he / she can go to court to obtain a disclosure order. Employers or insurance companies are able to violate the law by introducing their trusted physician for obtaining such reports in an unusual and deceptive manner.

(The Data Protection Act 1984)
The law applies to certain medical information stored electronically and enables individuals to access their information. It applies especially to health information: it permits disclosure of electronic medical information to the person or his authorized representative, while emphasizing that the deliberate disclosure of such information to unrelated individuals and institutions is considered a criminal act.

Rules for access to medical records

  1. Subject only to some legal restrictions (such as minors and legally incompetent persons), the patient and his legal representative have the right to access the case and to obtain a copy of it by submitting a request and paying the appropriate copying fee.
  2. There must be policies and procedures that allow the patient to review, modify, and correct the case. Under federal law, the patient or his legal representative has the right to access their case in health care institutions, and the policies of the institution must determine who is the legal representative of the patient (the patient's guardian or the patient's attorney).
  3. The procedures of the institutions should determine how to respond to the request.
  4. Federal law states that the patient and his legal representative can access their entire case within 24 hours (except for holidays) upon written or verbal request.
  5. In cases where there is a request for a copy of the file, the institution provides it within the next 2 days and charges a standard fee.
  6. The procedures for accessing and reviewing the file are as follows:
  7. When the patient or another party asks to see the case, the request must be forwarded to the Health Information Coordinator. The individual or unit responsible for reviewing requests should determine whether the information will be provided to the applicant in accordance with the policies of the institution.
    If the applicant is legally authorized to see the case, a meeting should be held within 24 hours. If the applicant cannot attend a meeting within 24 hours, another time should be agreed (no need for the doctor's consent).

    • Before the meeting, all the records of the case should be examined and the records of other institutions should be removed from the file.

    • A full-time staff member of the institution should be present at the meeting; this may be a member of the medical or nursing personnel.

    • The presence of these staff serves to guide the patient if a problem arises and is a guarantee against tampering with the patient's case.

    • If a copy of the file is requested at the meeting, the disclosure form must be signed and dated on a special sheet. Copies should be made two days after the request.

    • The request should specify the number of pages to be copied, and the estimated cost should be communicated to the applicant.
  8. Determine levels of access to information.
    • In order to control access to care information, the service provider and the medical records department should distinguish between third-party users and providers by setting policies on the level of access that authorized persons have within the institution.
    • Policies and procedures should determine when information is disclosed without the consent of the patient (for example in cases of child abuse) and distinguish this from disclosure with the permission of health care staff.
    • Policies and procedures should state the circumstances in which the patient is allowed to disclose information and the circumstances in which information can be disclosed without the consent of the patient. Policies and procedures for communicable diseases and other cases that threaten public health need to be determined by well-publicized government agencies.
    • Part of the policies of each institution should specify the network of users' access and any limitations on, and the amount of, information that can be accessed.

Approved laws and regulations regarding access to information and medical records in Iran

Health authorities should have clear guidelines on how to access the medical and administrative records of the patient. The medical practitioner usually decides about the file after consulting the patient or his legal representative and obtaining their opinion. In Iran, the legal aspects of medical records and access to their contents are set out in a circular, which mostly concerns how long records are stored. Disclosing the secrets of the patient is prohibited under the laws of many countries, including Iran. In accordance with Article 106 of the Ta'zirat Act of 1362, doctors, surgeons, midwives, pharmacists and all those who are entrusted with secrets by reason of their profession shall be sentenced to 74 lashes if they disclose people's secrets other than as required by law. According to Article 4 of the law of the medical organization and the relevant laws, the medical organization has declared that disclosing the cause of the illness and the type of treatment is not authorized, and that this information can be provided directly to patients upon request of the judicial authorities. Therefore, according to Article 4, a patient's certificate issued in response to a request from an administrative office should be handed only to the patient; declaring the type of illness to such offices is not authorized and is considered disclosure of the patient's secrets.

Access to administrative and medical records:

A medical referral of a disease to a health center can be obtained by consenting the patient to the contents of his medical records. The doctor should be hospitalized by the hospital physician as soon as possible during the patient's health condition. The access of administrative staff such as insurance workers to the case must be made within the framework of the law and the request must be sent to the hospital manager through the legal person, if the administrator is prevented from complying with the law.

Importance of confidentiality issues regarding medical information and documents

Because the medical information and medical records of patients are valuable and are used and cited in various fields, observing confidentiality and defining the frameworks for accessing information and medical records in those fields is of particular importance.

Among the roles of medical records:
  1. The role of medical records in the assessment of the quality of care.
  2. Medical records as the basis for study and evaluation.
  3. Medical records in conducting research.
  4. Medical records in education.
  5. Medical records and the development of information and communication technology.

Confidentiality of medical records

One of the vital roles of the medical records department is to control and enforce the rules of practice and the institution's procedures for maintaining confidentiality, security and disclosure of information. A comprehensive set of policies and procedures for the confidentiality and disclosure of information should be available at care facilities. These guidelines include federal laws and practice standards. Federal law states: The environment in which the patient's information is kept, in accordance with the accreditation and certification law, is the property of the service provider's organization and the health care professionals of that organization.
  1. The identity and health information data, regardless of the environment in which the information is stored, belongs to the patient and should be protected accordingly.
  2. Policies and procedures for maintaining confidentiality are set up so that health-care information within an organization is used solely for the purpose for which it was collected.
  3. Privacy and disclosure policies should determine which information is considered confidential and which is considered non-confidential and can be disclosed without the consent of the patient.
    • Non-confidential information: Important information that is not specific to the patient, which the patient does not want to be disclosed. Non-confidential information includes the patient's name, hospital or hospital outpatient services and the date of service.
    • Confidential information: includes any type of information that is derived from clinical communication between patients and the health care provider.
  4. Privacy training and contract with employees and volunteers.
    • Confidentiality policies and procedures are part of the training of newly-recruited staff and are typically part of continuous employee training programs.
    • Confidentiality agreements are signed by anyone who has contact with healthcare organizations and may have access to sensitive patient information, and are reviewed annually.
    • In this regard, HIPAA recommends that a confidentiality agreement covering the principles of privacy and the consequences of violating them be obtained from personnel separately from the recruitment handbook.
  5. Checking permission to disclose information.
    When a request is made to disclose information that requires authorization, this authorization should be checked for completeness. HIPAA considers the following requirements as essential:
    • Accepted in writing or via computer and fax, and must be expressly stated.
    • Addressed to the institution or to medical records specialists.
    • Specify the patient's profile, including full name, address and birth date.
    • Identify the person or institution to receive the information.
    • Determine the health information that is permitted for disclosure.
    • Determine whether the patient or his legal representative can cancel the disclosure permission.
    • If the permission is issued by an unauthorized person or his legal representative, his relationship with the patient should be specified.
    • No more than 6 months should pass between the date the authorization was signed and the date of the request for information.
  6. Preparing the file to disclose information.
    • Copies must be legible and limited to the requested and authorized information, and double-sided forms must be copied on both sides.
    • A reasonable and suitable price for copying the requested information is specified. These costs include the cost of labor, the cost of copying medical records and postal fees (upon request).
  7. Documentation of disclosure of information.
    • The signed disclosure authorization form should be kept as part of the patient file, together with a summary of the information disclosed, the staff member who copied it, and the date the information was sent to the requesting group.
  8. The request for a hearing must be made in accordance with the specific rules.
  9. Policies to determine the confidentiality of information transmitted by fax machine.

Privacy (EHR)

ASTM standards are guidelines for privacy, the purpose of which is the EHR privacy in the next ten years. In order to achieve this, the EHR should protect the confidentiality of patient information to be appropriately available and be an appropriate means of measuring confidentiality. The Patient Computerized Patient Information Agency (AHIMA) and the ASTM have provided information about the confidentiality and security of data and defined the framework. HIPAA Health Insurance Standards have been tracking this activity since 1996. HIM experts have argued that confidentiality is the right of individuals to control the disclosure of information.

Note: If we cannot back up, the files can never be retrieved, and in that case the lives of the owners of this information may be put at risk. Security and privacy are separate but related concepts in a health information system. Security of health information systems is a major issue, and information technology has violated many of these protections, and finally, a number of legal responsibilities have been imposed by administrators on the security of computers.

Reasons to require confidentiality and privacy
  • Strengthening confidence between doctor and patient, because even the notion of lack of information security and confidentiality can question the reputation of the doctor and the relevant health center.
  • Encouraging patients to visit doctors and treatment centers to treat their illness and to expose honest information that will help them to cure their illness.
  • Improving the effectiveness of medical interventions.
  • Respecting the patient's right to confidentiality of his information and identity.
  • Prevention of any discrimination, including socio-political and economic, based on the patient's condition.
  • Prevention of any injury or damage to individuals through the disclosure of medical and health information.

Consequences of Misrepresentation in the Information and Medical Record of Persons:
  • Loss of privacy due to access to medical records and information.
  • Losing trust and confidence.
  • Improper treatment.
  • Loss of occupation and health insurance.
  • Unwillingness to treat illness in certain circumstances due to a privacy impairment.
  • Threat to the person's financial welfare.
  • Social contempt.
  • Rejection by the circle of friends and family, and social isolation.

Privacy exceptions
  1. Disclosure for other care providers.
    At present, care providers are not allowed to provide written consent to a referral to another provider because the second provider is not involved in the diagnosis and treatment of the patient. Patient permission is not required and when the patient information is disclosed to the care provider, the provider ) One who has not been in contact with the patient, has not consulted, and has not had a medical relationship with the patient.
  2. Disclosure for the investigating and evaluation officer.
  3. Disclosure following a reported condition, such as infectious diseases.
  4. Disclosure to protect health and safety.
  5. To protect or reduce serious risks for the treatment of diseases, support for the safety and health of the person is necessary.
  6. Disclosure to facilitate research

Medical records security

  1. One of the most important security measures that must be taken at any care institution is the registration and filing system; not only is this system essential, but also the effectiveness of these systems should be strengthened.
  2. To prevent loss, destruction or theft of files, the following measures are taken: 
    • When a file is lost or stolen, a tireless search should be made to find the documentation, and when the file is found, the defect in the system that led to its disappearance should be reviewed and corrected.
    • If a file has been stolen or destroyed, it should be reconstructed from sources such as computer systems and backup copies, or re-transcribed or copied from the centers that received a series of its documents.
    • If you are not able to obtain a part of the file, document the time, the information that is missing and the accident that led to the disappearance.
  3. Each institution should have a plan for natural disasters and other emergencies, and identify how to protect medical records and health information from these risks.

The draft plan should include various types of natural disasters that interfere directly with the functioning of the institution, such as fire, explosion, storms, etc.

Security elements

According to ISO 17799:

  • Verifying or authenticating users
  • Recognizing user privileges
  • Availability of required information
  • Audit
  • Information integrity
  • Controlling the amount of access, and encryption
  • Responsiveness

The first three elements are referred to as the "3 A" and are known as the main elements of maintaining the integrity and security of information; today they are important in securing confidentiality and controlling access levels in e-commerce. Ensuring the integrity of information is also important.

According to ISO 17799 / BS 7799:

These standards can be used by any private or public entity that is responsible for maintaining confidential information in internal or external systems to measure and evaluate its information security against an international standard.
Now these standards are used as a reference for certification and information security management in many countries.
Getting the BS7799 certificate from an international group or organization demonstrates executive capabilities and the ability to manage and control the three factors of confidentiality, accuracy and availability of information.
The most important reasons for an organization to apply for the BS7799 certificate are as follows:

  • Optimizing current and business activities of the organization: 38%
  • Information security: 35%
  • Gaining and maintaining a competitive advantage: 30%
  • Customer requests

Transmission over the Internet

Transmission of electronic health records over the Internet has created more safety concerns for both providers and customers, including the following:

  • Protecting servers and databases from interference and unauthorized changes
  • Verification of transmitters and receivers
  • Keep your message manually
  • Ensuring that senders cannot falsely send a message
  • Data tracking
  • Securing messages confidentially

The patient should have the right to access medical records and correct the mistakes contained therein, and should be informed of the nature and frequency of the use of the information and medical records by natural and legal persons and be able to request a report. The researchers found this clearly established in the United States, Canada and Britain, but information for Australia was not available in this area. In the United States and the United Kingdom, the patient has the right to view his case and to ask his physician to explain terms that are meaningless to him, and the doctor is required to provide the explanation in understandable language. In each of the four countries studied, the patient can introduce one person as a representative to the medical practitioner; this third party has full access to the medical records of the patient. In computer systems where some decisions are made automatically, the patient has the right to obtain reasonable information on such decisions. This was also found in the United States, Canada and the United Kingdom, but no such case was found for Australia. In all countries studied, the patient has the right to request a copy of his computer or paper records. In Iran, the disease and its treatment are rarely discussed with the patient; this is routine, and in most cases the patient has no access to medical information or medical records. The findings show that in all of the studied countries, hospital staff such as the chief executive officer of the center, the matron, the financial director, the health information consultant, the health information service director, medical staff, nursing staff and even health care providers have access to patients' medical information and documents. This access is in some cases subject to restrictions and requirements.
What is certain is that there should be a balance between the need to preserve the secret aspect of medical records and the need for immediate access to this information.

Comparing laws and regulations related to the subject, laws on the quality control of health data in the countries of Canada, the United Kingdom and Australia are evident, and in the United States no information was found on this issue, and there is no legal right in this regard. In the context of preserving the security and confidentiality of health information, there are laws and regulations on treatment in four countries, and there are still no laws in this regard in Iran. Comprehensive laws regarding the mechanisms of storage and retrieval and access to information and medical records, how to use and disclose information, to maintain the security and confidentiality of information at the time of missing and deliberate manipulation, disclosure of protected health information lawfully or with permission The patient and the access of authorized persons to certain medical information in the studied countries are indicative of the importance of the issue of confidentiality of information and respect for the rights of citizens of all members of the community. In these countries, in order to retrieve the medical records of all citizens, centers have been designed and commissioned under the name of information centers, which allows for the retrieval of information, even in the event of unexpected accidents. There were certain rules regarding the way out of the medical records of patients from the hospital in the United States and Australia, which in other countries were not subject to applicable laws and health centers, depending on their diagnosis. There are laws to eliminate medical records in each of the five countries, but in order to record and retrieve information after the expiration of the period of maintenance, there are various ways in which there is a law.

According to the research findings, in all studied countries one person in the hospital is responsible for maintaining the confidentiality of patient information. This person is responsible for matters such as the accuracy and completeness of information, training programs that familiarize personnel with issues relating to the confidentiality of information, compliance with the relevant regulations, maintaining security and answering the patient's questions. This person has the right to vote and direct responsibility in matters of confidentiality and disclosure of information, and is often in charge of the medical records department of the hospital.

  • Comparison of access and confidentiality levels of medical records in selected countries and Iran-Iran University of Medical Sciences and Health Services -Forhanna Sadooghi, Masoumeh Khoshkam, Siavash Behnam (Internet)
  • Designing a Health Information Requirement Model for Electronic Health Record for Iran, Kashan University of Medical Sciences, Mehrdad Farzandipour, Maryam Ahmadi, Farahnaz Sadoghi, Iraj Karimi (Internet)
  • Comparative Study of Access Levels on Health Information, Therapy in Selected Countries with Iran - Bachelor's Thesis for Medical Record - Faculty of Paramedicine, Tehran University of Medical Sciences and Health Services- Year 85
  • Examination of confidentiality in electronic health records - Thesis for medical records - Faculty of Paramedicine, Tehran University of Medical Sciences and Health Services, Tehran, Iran, Year 87