MESA CAP Image De-Identification Upload

From CVRG Wiki

CAP Image De-Identification and Upload Validation Procedure: MESA

Version 1.0 (8 March 2010)

Background

A primary goal of the Cardiac Atlas Project (1), an NIH-funded research project, is to establish a database of clinical images of the heart. Providing access to medical images requires the protection of patient information. The HIPAA Privacy Rule (2) from the U.S. Department of Health and Human Services provides guidelines for protected health information (PHI). It describes what type of information is regarded as PHI, principles for the use and disclosure of the data, and ways to de-identify information (3).

All images uploaded into the CAP databases are de-identified using the LONI Debabeler (4), a software package developed at UCLA for de-identification and transfer of medical image data. The UCLA IRB has approved the Debabeler as HIPAA compliant (5). The Debabeler is configurable using mapping files, which allow users to provide missing information and correct erroneous metadata values, as well as expand abbreviations, decipher enumerations, and convert between units. To ensure compliance with HIPAA, CAP has implemented a de-identification mapping (6) for the LONI Debabeler which is customized for cardiac image data. Prior to upload into the database, protected information is either deleted or encrypted, and therefore images neither identify nor provide a reasonable basis to identify an individual. The de-identification mapping can be found in the file repository on the CAP SourceForge project site (6).

This document details the process undergone to validate the de-identification procedure in the case of MESA image data.

Validation Procedure

Test Cases

Prior to upload to the CAP database, all images must be de-identified using the LONI Debabeler in conjunction with the HIPAA compliant CAP Debabeler mapping. The de-identification of MESA images will be carried out at Johns Hopkins Institute for Computational Medicine. An initial test sample of 50 cases chosen at random will be used for testing and optimization of the de-identification process. The test cases will not be uploaded to the final CAP database. When the test cases pass the validation procedure, all MESA cases (including the test cases) will be de-identified and uploaded in a batch process.

Evaluation

Metadata from one image from each case will be manually reviewed using the LONI Inspector. This is a Java application for reading, displaying, searching, comparing, and exporting metadata from AFNI, ANALYZE, DICOM, ECAT, GE, Interfile, MINC, and NIFTI files. The following visual inspection will be performed at Johns Hopkins University:

  1. Load original and de-identified images into LONI Inspector and display metadata side-by-side
  2. Validate that no metadata of the de-identified image contains PHI by
    1. visually scanning the metadata
    2. searching for keywords using values from the Protected DICOM Attributes of the original file
  3. Validate that binary fields of the de-identified image don’t contain PHI
    1. Decode binary fields by opening the file in a HEX viewer
    2. Search for key words from the Protected DICOM Attributes of the original file
  4. Generate evaluation documentation

Result Documentation

Findings from the evaluation procedure are to be documented in an XML or chart-type format, containing the following information:

  • Image Information
    • (0008,0070) Manufacturer
    • (0008,1090) Model Name
    • (0018,1020) Software Version
    • (0018,1030) Protocol Name
    • (0008,0008) Image Type
  • Critical Header Elements
    • Attribute
    • Finding (Issue)
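
The keyword search of steps 2 and 3 and the XML result document can be scripted to support the manual review. The following is an added example, not part of the CAP procedure or tooling: the XML element names, the function names and all sample values are constructed for illustration, and protected values are assumed to be ASCII.

```python
import xml.etree.ElementTree as ET

def variants(value):
    """Byte patterns under which one protected value may survive in a file."""
    # DICOM person names separate components with '^'; search the whole
    # value, a space-joined form, and each component of 3+ characters.
    forms = {value, value.replace("^", " ")}
    forms.update(p for p in value.split("^") if len(p) >= 3)
    # Binary fields may hold text as UTF-16, so try both encodings.
    return {f.upper().encode(enc) for f in forms for enc in ("ascii", "utf-16-le")}

def scan(deid_bytes, protected):
    """Return [(tag, first_offset)] for protected values found in raw bytes."""
    haystack = deid_bytes.upper()          # upper() folds ASCII letters only
    findings = []
    for tag, value in protected.items():
        hits = [haystack.find(p) for p in variants(value)]
        hits = [h for h in hits if h >= 0]
        if hits:
            findings.append((tag, min(hits)))
    return findings

def report(image_info, findings):
    """Build the XML result document: image information plus critical elements."""
    root = ET.Element("evaluation")
    info = ET.SubElement(root, "imageInformation")
    for tag, val in image_info.items():
        ET.SubElement(info, "element", tag=tag).text = val
    crit = ET.SubElement(root, "criticalHeaderElements")
    for tag, off in findings:
        node = ET.SubElement(crit, "finding", attribute=tag)
        node.text = f"original value present at byte offset {off}"
    return ET.tostring(root, encoding="unicode")

# Constructed sample data (not from any real study).
PROTECTED = {"(0010,0010)": "DOE^JANE", "(0010,0020)": "MESA-0001234"}
IMAGE_INFO = {"(0008,0070)": "ExampleVendor"}
# Preamble + magic + a made-up private OB field still holding the name as UTF-16.
SAMPLE = (b"\x00" * 128 + b"DICM" + b"\x29\x00\x10\x10OB"
          + "Jane Doe".encode("utf-16-le"))

if __name__ == "__main__":
    print(report(IMAGE_INFO, scan(SAMPLE, PROTECTED)))
```

A raw byte search does not see text inside compressed data or text burned into the pixels, and short name components can match unrelated bytes, so every hit still needs the side-by-side review described above.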

Optimization

If the evaluation of de-identified images returns critical header elements containing PHI, the Debabeler mapping has to be adjusted to address the issue.

  1. Cross-check images for the particular attribute containing PHI to determine
    1. occurrence of findings in other images and
    2. provenance of findings (e.g. related to Manufacturer, Model, Software Version, free text header elements, etc.)
  2. Add critical attributes to the Debabeler mapping with a delete or anonymize processing instruction;
  3. All images of the affected study must re-run the de-identification and validation procedure:
    1. De-identification using the updated Debabeler mapping;
    2. Evaluation of images;
    3. Documentation of results; and
    4. Optimization (if required).

This process must be repeated until no PHI is found in the de-identified images.

Modeling Compatibility

Once the test cases pass the validation procedure, they will also be checked for consistency of header elements critical for model fitting at the University of Auckland. For this purpose, the de-identified images will be loaded into the CAP Client and the following items checked:

  1. Images load into the CAP Client
  2. Images and layers display with consistent orientation
  3. Cine Loop displays all images in 3D+t

If problems are encountered the cause will be investigated and changes made to the software as needed.


Consolidation

If at any later stage in the CAP project, information contained in the header elements of medical images available through the CAP database is classified as containing PHI, the CAP will act in accordance with HIPAA § 164.526, 45 CFR Parts 160 and 164:

  1. The CAP will act no later than 60 days after notification of the finding.
  2. The CAP will make the amendment to the protected health information or record that is the subject of the finding by:
    1. Identifying the records in the CAP database that are affected by the amendment;
    2. Appending the required amendment to the records; and
    3. Modifying the Debabeler De-Identification mapping to reflect the actions of the amendment.
  3. The CAP will inform others and provide the amendment within reasonable time to:
    1. Persons identified by the CAP as having received protected health information and needing the amendment; and
    2. Persons, including business associates, that the CAP knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.
  4. The CAP will keep record of PHI and objects of the CAP database involved with the amendment.


Checking Unique Software Versions

Once all MESA cases have been de-identified and uploaded into the CAP database, a database query will be run to determine which software versions were used to create the DICOM data. A list of all unique software versions will be generated. One image from each software version will then be manually reviewed to determine if possible PHI is contained in the image metadata.


Monitoring

The consolidation and optimization procedure will be scheduled to run in the CAP database on a regular cycle at least once a year. 50 random cases will be selected from the CAP database and validated for HIPAA compliance.


References

  1. http://www.cardiacatlas.org
  2. The entire Privacy Rule, as well as guidance and additional materials, may be found at: http://www.hhs.gov/ocr/hipaa
  3. HIPAA 45 C.F.R. § 164.514(b)
  4. Scott C. Neu, Daniel J. Valentino, and Arthur W. Toga, The LONI Debabeler: a mediator for neuroimaging software, NeuroImage, Volume 24, Issue 4, 15 February 2005, Pages 1170-1179, ISSN 1053-8119, DOI: 10.1016/j.neuroimage.2004.10.035.
  5. Ivo D. Dinov, Statistical Assessment of the Feasibility of Subject Identification from Imaging and Meta-data Stored in the Laboratory of Neuro Imaging (LONI) Database, July 25, 2007, http://www.cardiacatlas.org/LONI_P41_IRB_StatAssessment_Dinov_072607.pdf
  6. available from the SVN repository of our sourceforge project site https://sourceforge.net/projects/cardiacatlas/







