DICOM Data De-identification and Re-identification

What is De-Identification?

Accessibility to massive amounts of de-identified data can substantially accelerate the pace of discovery and progress in medical research. Academic medical centers and hospitals are holders and protectors of vast archives containing valuable medical data for big data analytics, research and deep learning purposes.

However, sharing de-identified data with researchers must be accomplished within a reliable and impenetrable framework to preserve the integrity of patient privacy. HIPAA and Safe Harbor provisions impose strict and necessary rules governing the methodology and auditing of PHI de-identification.

Medical imaging in particular offers a separate set of challenges for de-identification purposes. HL7 result messages, images and associated metadata must be de-identified in compliance with the HIPAA Privacy Rule and, at a minimum, adhere to the Safe Harbor methodology. De-identification must be done using a methodology that will prevent re-identification; keys, passwords, or other methods to re-identify PHI, if any, should only be available to the healthcare provider organization originating the PHI, and should not be included in the methodology or otherwise provided to the research organization or any other parties.

De-identification must include adequate Quality Assurance (QA) functions to make sure the Protected Healthcare Information (PHI) is in fact de-identified before it is shared outside of the client hospital’s infrastructure.


Dicom Systems works closely with client hospitals and research organizations for validation testing, to include a de-identification methodology review, end-to-end process review, and subsequent review of de-identified documents and images to ensure compliance with HIPAA Privacy rules.

Additionally, it’s important that the methodology, code and de-identification algorithms be independently reviewed by objective 3rd party reviewers to ensure the airtight integrity of PHI has been observed.

Many considerations come into play, and should be identified upfront of the process. Different healthcare provider organizations have unique perspective on privacy and research-related activities. The research purpose itself can drive substantially different requirements for de-identification. Therefore, the de- identification processes cannot be carried out as a cookie-cutter. Rather, Dicom Systems engages its clients to design a highly adaptive and scalable framework that enables researchers to fulfill their mission of connecting imaging data to cure a wide variety of illnesses, while preserving the integrity of HIPAA compliance and Safe Harbor provisions.