SliceVault Express
Patient de-identification
Introduction
The de-identification process is the process by which SliceVault de-identify medical images locally before data is transferred via secure communication to SliceVault servers. The de-identification process ensures all images are free from Personal Health Information (PHI) before being committed to the online trial repository.
Last updated: 21 December 2022
Introduction
The de-identification process is the process by which SliceVault de-identify medical images locally before data is transferred via secure communication to SliceVault servers. The de-identification process ensures all images are free from Personal Health Information (PHI) before being committed to the online trial repository.
SliceVault de-identifies all images before data is transferred via secure communication to the SliceVault servers. This is a fully automated procedure with no manual redaction steps required to ensure that images containing PHI does not leave the investigators' closed network.
Health Insurance Portability and Accountability Act (HIPAA)
The use of PHI in research is regulated by the “Privacy Rule”. The Privacy Rule is a Federal regulation under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The Privacy Rule protects specific personal health information that can be used to identify living or deceased individuals. The Privacy Rule allows for the preservation of patient confidentiality without affecting the values and the information that could be needed for different research purposes.
The HIPAA Privacy Rule role can be found here.
What is Personal Health Information (PHI)?
PHI is defined as "individually identifiable health information” i.e., information that can be used to directly or indirectly identify an individual in relation to the individual’s past, present or future health condition and the provision of health care to the individual. Common types of PHI include: patient name, address, birth date, social security number, medical and laboratory reports, physician name, hospital name, and date of examination.
PHI can be embedded in both DICOM tags and pixel data.
De-identification in SliceVault
SliceVault uses a standards-based approach to de-identification of DICOM objects. This approach is adopted to ensure that medical images de-identified by SliceVault are free from PHI before transfer to SliceVault servers and that SliceVault's method of de-identification complies with the HIPAA Privacy Rule and developments in the DICOM standard.
Process overview
Image de-identification in SliceVault is a fully automated process consisting of the following steps:
1. Redaction of PHI in DICOM tags
2. Optical character recognition of burned in annotations
3. Formal determination by qualified expert
All steps of the de-identification process are executed locally, by means of a de-identification script provided by SliceVault that runs locally in the submitting investigator's internet browser. Local de-identification means no images containing PHI leaves the investigator site's closed network. Only after successful completion of the de-identification process, the de-identified images get transferred via secure communication to the SliceVault’ servers.
Step 1: Redaction of PHI in DICOM tags
The first step is a fully automated process where PHI stored in DICOM tags gets redacted. No manual redaction is required.
The methodology for de-identification of DICOM objects is defined by the DICOM Standard PS 3.15 Digital Imaging and Communications in Medicine (DICOM), Part 15: Security and System Management Profiles, which can be found here.
SliceVault combines the following application-level confidentiality profiles to generate de-identified DICOM objects:
• Basic Application-Level Confidentiality Profile
• Retain Patient Characteristics Option Profile
• Retain Long Modified Dates Option Profile
• Retain Safe Private Option Profile
Step 2: Optical character recognition of burned in annotations
SliceVault’s optical character recognition (OCR) algorithm automatically scans and flags images with burned in annotations. This is a fully automated process and no manual redaction is required.
Images that are commonly known to store PHI such as x-ray, mammography and screen captures are scanned for characters embedded directly in the pixel data. If the OCR scanning returns a positive result, the images get invalidated immediately. Invalidated data cannot be transferred to SliceVault without formal determination by qualified expert (Step 3).
Step 3: Formal determination by qualified expert
The submitting investigator gets prompted immediately if the OCR scanning return a positive result. The investigator automatically receives a detailed OCR report for each invalid image detailing the detected characters. Formal determination is mandatory where the investigator is required to mask and redact any PHI using the supplied redaction tools. After formal determination all de-identified images are transferred via secure communication to SliceVault servers.
DICOM tag redaction
A list of de-identified DICOM tags including redaction method in SliceVault can be found here.
Base level de-identification: Patient Name and Patient ID are either blanked or modified. SliceVault does not perform ID mapping between the original Patient ID and the ID that the images will receive in SliceVault. Any mapping that is performed manually at the submitting site, is the sole responsibility of the submitting site, and SliceVault never receives the original Patient ID. To show that the Patient Identity has been removed in SliceVault, the value in DICOM tag (0012,0062) “PatientIdentityRemoved” is changed to “YES”.
Exam identifiers: DICOM makes extensive use of universal identifiers (UID) that could be used to identify a subject if a user had access to the PACS system at the institution where the images originated. SliceVault uses its own root UID and then removes the original UID. UIDs have no special meaning other than serving as unique identifiers. This technique ensures that images stay associated with the appropriate series, study, and subject as well as ensuring that referenced images between secondary capture images, structured reports, PET/CT, etc. are still valid references to images within SliceVault.
Patient demographics: The keep Patient Characteristics Option allows keeping certain patient demographics for research purposes. The allowed fields are Patient’s Sex, Patient’s Age, Patient’s Size, Patient’s Weight, Ethnic Group, Smoking Status, and Pregnancy Status. If a subject is over 90 years of age, then the age must be listed as 90+. Allergies, Patient State (this is not where they live, rather their health condition), Pre-Medication, and Special Needs are defined by the DICOM standard as “clean” and are kept by SliceVault and examined for PHI along with all tags during curation. Other patient demographics such as birthdate, address, religious affiliations, etc. are removed or emptied.
Free text: Free following free text fields are removed by SliceVault during the curation process: Allergies, Patient State, Study Description, Series Description, Admitting Diagnoses Description, Admitting Diagnoses Code Sequence, Derivation Description, Identifying Comments, Medical Alerts, Occupation, Additional Patient History, Patient Comments, Contrast Bolus Agent, Protocol Name, Acquisition Device Processing Description, Acquisition Comments, Acquisition Protocol Description, Contribution Description, Image Comments, Frame Comments, Reason for Study, Requested Procedure Description, Requested Contrast Agent, Study Comments, Discharge Diagnosis Description, Service Episode Description, Visit Comments, Scheduled Procedure Step Description, Performed Procedure Step Description, Comments on Performed Procedure Step, Requested Procedure Comments, Reason for Imaging Service Request, Imaging Service Request Comments, Interpretation Text, Interpretation Diagnosis Description, Impressions, and Results Comments.
Private tags: All private DICOM tags are removed except DICOM tags deemed safe by the Retain Safe Private Options application-level confidentiality profile.