Patient Confidentiality
and Digital Imaging

One of the major advantages of acquiring, archiving and distributing images in digital format is the opportunity to conveniently associate patient and procedure information with the images. The DICOM standard provides a standardized way of accomplishing this association and has been widely adopted. However, the inclusion of patient and procedure data with digital images can be a curse as well as a blessing. 

A major medical device company is concerned about compromising patient confidentiality by distributing DICOM CDs of interventional cardiology procedures for training and sales purposes. Physicians displaying images at conferences have the same problem, as do medical research studies that use digital images. 

Just erasing the label on a DICOM CD or copying the CD to a blank CD does not remove most of the identifying information on the CD. The information is still present in digital form in the files recorded on the CD. 

I have prepared an example that I hope will illustrate the problem of patient confidentiality in the age of digital imaging. I selected an image file from the ACC DICOM DISC 95 for illustration purposes and used a DICOM parsing program to obtain the contents of the file. This is the result (edited to remove clutter):

(0008,0020) [DA/8] "19941016" ; Study Date
(0008,0030) [TM/6] "083000" ; Study Time
(0008,0080) [LO/18] "Community Hospital" ; Institution Name
(0008,0081) [ST/12] "Anytown, USA" ; Institution Address
(0008,0090) [PN/10] "Gray^Henry" ; Referring Physician's Name
(0008,1030) [LO/24] "Cardiac Catheterization " ; Study Description
(0008,103E) [LO/14] "Ventriculogram" ; Series Description
(0008,1050) [PN/10] "White^Paul" ; Performing Physician's Name
(0010,0010) [PN/14] "Johnson^Robert" ; Patient's Name
(0010,0020) [LO/12] "123-45-6789 " ; Patient ID
(0010,0030) [DA/8] "19231016" ; Patient's Birth Date
(0010,0040) [CS/2] "M " ; Patient's Sex

To illustrate how easy it is to obtain this information, I also opened the same file with Microsoft Word. These are a few lines from the file as displayed by Word: 

Acme Products €LOCommunity HospitalSTAnytown, USAPN
Gray^Henry0LOCardiac Catheterization >LOVentriculogramPPN
White^PaulPNJohnson^Robert LO123-45-6789 0DA19231016@CSM 

As you can see, the same data are readily discernible, especially to a practiced eye.

These data are part of the DICOM header that precedes the images in every DICOM file. These data must be present if the file is to conform to the DICOM Standard.

In addition, each DICOM CD must contain a directory file named DICOMDIR. DICOMDIR contains the same patient and procedure information as well as information about each image file.

I have added an anonymizing function to ViewPlus, my cardiac DICOM viewer. A DICOM anonymizer is computer software that removes all identifying data from a DICOM file. In order to accomplish this, I added the following functionality to ViewPlus:

  1. A user views a DICOM CD and selects some or all of the cine runs on it. The user then clicks the "Make DICOM" button.
  2. A new DICOMDIR file is created de novo with absolutely NO identifying information.
  3. A new set of image files is created. The header of each image file is created de novo with absolutely NO identifying information. The image data is then appended to the header.
  4. The DICOMDIR and image files are recorded on a blank CD.

The resulting CD is viewable by any standard DICOM viewer. Creating an anonymized CD takes only a bit longer than copying the CD.

Following is the edited parse of the anonymized file created by ViewPlus from the same image file shown above:

(0008,0020) [DA/8]	"00000000" ; Study Date
(0008,0030) [TM/6]	"000000" ; Study Time
(0008,1030) [LO/0]	"" ; Study Description
(0008,103E) [LO/0]	"" ; Series Description
(0010,0010) [PN/0]	"" ; Patient's Name
(0010,0020) [LO/0]	"" ; Patient ID

As you can see, there is absolutely no way to identify the patient or even trace the source of the images.

Note for technically-minded readers:
UIDs used in DICOM files can also compromise confidentiality. For this reason, UIDs that contain patient, hospital or manufacturer data are also set to zero.
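
A way to check an anonymized file against the two parses shown above, as an added example (it is not ViewPlus code). It assumes the data set is encoded as Explicit VR Little Endian, covers only a subset of the identifying elements listed on this page, does not inspect UIDs or pixel data, and uses constructed sample bytes rather than real files; the function names are illustrative.

```python
import struct

# Subset of the elements that carry identifying data in the parse above.
IDENTIFYING = {
    (0x0008, 0x0020): "Study Date", (0x0008, 0x0080): "Institution Name",
    (0x0008, 0x0090): "Referring Physician's Name",
    (0x0008, 0x1050): "Performing Physician's Name",
    (0x0010, 0x0010): "Patient's Name", (0x0010, 0x0020): "Patient ID",
    (0x0010, 0x0030): "Patient's Birth Date",
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 4-byte length field

def elements(data):
    """Yield (tag, value); assumes Explicit VR Little Endian encoding."""
    pos = 132 if data[128:132] == b"DICM" else 0  # skip preamble if present
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        long_form = vr in LONG_VRS
        start = pos + (12 if long_form else 8)
        length = int.from_bytes(data[start - (4 if long_form else 2):start], "little")
        if start + length > len(data):  # truncated or undefined length
            raise ValueError(f"cannot parse element at offset {pos}")
        yield (group, elem), data[start:start + length]
        pos = start + length

def residual_identifiers(data):
    """Return [(name, value)] for identifying elements that still hold data."""
    findings = []
    for tag, value in elements(data):
        text = value.decode("latin-1").strip(" \x00")
        # Empty or all-zero values count as cleared, as in the anonymized parse.
        if tag in IDENTIFYING and text.strip("0"):
            findings.append((IDENTIFYING[tag], text))
    return findings

def element(group, elem, vr, text):
    """Encode one short-form element, padding the value to even length."""
    value = text.encode("ascii") + b" " * (len(text) % 2)
    return struct.pack("<HH2sH", group, elem, vr.encode(), len(value)) + value

# Constructed samples mirroring the two parses on this page (not real files).
ORIGINAL = b"".join([
    element(0x0008, 0x0020, "DA", "19941016"),
    element(0x0008, 0x0080, "LO", "Community Hospital"),
    element(0x0010, 0x0010, "PN", "Johnson^Robert"),
    element(0x0010, 0x0020, "LO", "123-45-6789"),
])
ANONYMIZED = (element(0x0008, 0x0020, "DA", "00000000")
              + element(0x0010, 0x0010, "PN", "") + element(0x0010, 0x0020, "LO", ""))
```

An empty result from `residual_identifiers` means none of the listed elements still holds a value; a file that cannot be parsed raises `ValueError` rather than passing silently.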


Copyright © 2010 (Sanders Data Systems). All rights reserved.