Advances in search engines’ web-crawling and content processing technology increasingly enable large-scale information extraction from previously stored files. This technology can extract source images contained in PowerPoint™ presentations and Adobe® PDF files and recognize alphanumeric character information that may be embedded in the image pixels – which means an image with embedded patient information can be indexed by this process. When explicit patient information becomes associated with images in the search engine database, it can be found on subsequent internet searches on the patient’s personal information.
Workflow Steps to Consider When Safely Publishing Medical Images for Education and Publication Exporting Medical ImagesThe first place to pay attention to potential PHI exposure is when exporting images from the PACS or another imaging device or application.
Optimally, a “region of interest” screenshot is obtained which only includes actual “anatomic” image pixel information in it. Alternatively, the user can disable the DICOM patient info, i.e. use the remove/hide overlays function in PACS first, before taking the screenshot.
Every time an image is saved directly from PACS as a file, there is a risk that PHI gets into that file via patient data embedded as pixels within the image itself or in the form of metadata if a DICOM file is saved. Even when images contain PHI data, it can be redacted using appropriate tools and processes.
Some images can hold data in Exchangeable Image Format tags (additional information stored together with pixel data), similarly to how DICOM stores data in its tag structure. It’s possible the PACS will utilize these tags to store metadata that needs to be cleaned.
Creating the PresentationThe next place to look for possible PHI is when creating a document or presentation that utilizes (exported) medical images.
When medical images are inserted into a PowerPoint™ presentation and the user attempts to redact burned-in PHI data within the pixel data, they must be careful not to simply “cover up” the PHI by using a mask. Creators frequently crop the image using the PowerPoint™ tool or change the font color so the text blends into the background, but neither will result in actual removal of the information.
Modern search engine technology can automatically identify the content of the original inserted file and index PHI that might have been included, so it is important when cropping an image to explicitly delete the portion that has been cropped so that it cannot later be uncropped. Microsoft has provided instructions on how to delete the cropped areas of a picture and save the file without them.
Converting to PDFPresentations and documents are often converted to PDFs for sharing, and PDFs can contain PHI in hidden objects as well as metadata stored in tags. Adobe has a “Sanitize” function that will help you identify and redact hidden data.
Additional TipsIf you reside in a European Union member state or another nation, your use of patient-identifiable information even for educational purposes must comply with that nation’s privacy laws and regulations.
If you or your organization remove metadata from medical images, understand that will strip out alternative text that is frequently used to meet web site accessibility standards. Please consult your organization’s legal counsel for specific guidance.
Modern OCR and Indexing by Search EnginesOne of the challenges of publishing objects with hidden data is that it is often possible for programs that crawl the internet to find this hidden data and expose it without the author even knowing that data was distributed. Modern search engines are particularly adept at combing through publicly available files at scale, making it possible to quickly uncover a variety of data previously thought to be absent. Additionally, the ability to use Optical Character Recognition (OCR) at scale allows programs to quickly re-generate explicit PHI that was originally burned into the image pixels. Search engines can then associate (“index”) the image with that explicit PHI thereby making it discoverable. As a result, these data can be made available and linked to other text-based information.
If PHI gets out, you can ask the search engine company to review and consider removing a link to sensitive information if they agree that this is the appropriate action. Here is an example of how this process works with Google.
AppendixWhat Constitutes PHI?
In JACR® and the U.S. Department of Health and Human Services website, there are robust discussions of PHI and the importance of protecting patient data. It is the responsibility of the individual sharing the medical case to ensure data has been properly de-identified and that any legal constraints for sharing data have been met.
There are two methods for HIPAA-compliant deidentification: Safe Harbor, which identifies specific data elements that need to be removed and Expert Determination, which is used to determine the risk of re-identifying a patient based on statistical expertise. When using medical imaging cases for public consumption, the Safe Harbor method should be used. This method identifies the following data elements should not be shared along with the medical image:
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4