DICOM explained Part 2: GDPR, Security and Personal Information – The Challenges with DICOM Data

In part 1 of our DICOM explained-series, you already learned that imaging plays an important role in modern medicine and that the focus is on files in DICOM format. You got to know what is behind the abbreviation DICOM, how it is used in healthcare, how a DICOM file is structured and that the DICOM headers and tags contain a lot of personal data. In part 2 of our DICOM series, we will go into detail about the latter and explain what problems the data contained can cause when working with DICOMs in practice.

Of course, it has many advantages that DICOM images contain a lot of technical and personal data (you don’t remember exactly which ones? Then go back and take a look at part 1 of our DICOM explained-series here). However, this is also problematic: if DICOMs are sent unencrypted by mail on a CD, for example – as is still regularly done today, e.g., as part of a study or to obtain a second opinion – they can be directly assigned to the patient; and this is, of course, not in compliance with data protection laws. Who would want their neighbor to find out unintentionally that they suffer from a certain illness? Especially since the General Data Protection Regulation (GDPR) came into force in May 2018, there are many discussions and unknowns that lead to uncertainty among clinicians and healthcare workers who work with medical images. There are many aspects to consider, but here we will focus on personally identifiable data in DICOM images and its technical aspects.

DICOM data: Anonymization vs. pseudonymization

In this context, there are two terms that are often misused when talking about privacy protection of medical images: “anonymization” and “pseudonymization.” Anonymization means that there is no way to retrieve or identify the patient if you only have the medical images. Often physicians or study nurses use this term when informing the patient that “all data will be completely anonymized,” for example, in the context of clinical trials or eligibility testing by outside medical experts. However, the recipient of the images, a core lab or central reader, in most cases needs to know the date of the exam and from which location the images were sent, as these identifiers are essential parameters of the clinical trial or project. Often, the purpose of a clinical project is to obtain a second opinion on a treatment recommendation, meaning it is imperative to match the right patient to the right images and verify the outcome. In these cases, the data is absolutely not anonymous.

Is that a problem? No. But first, you would have to obtain written consent from a well-informed patient, and second, you would have to make sure that the data processor provides a technical and organizational GDPR-compliant environment. And if data must be shared for such a purpose, one should pseudonymize the data sets as much as possible. Pseudonymization means that identifying information (name, date of birth, etc.) is removed or replaced, reducing the possibility of tracing it back to the patient.

Where can I find personal information in DICOM data?

When viewing medical images with a DICOM viewer, one does not necessarily see the personal information immediately. As described above, a patient’s personal data, but possibly also that of the operator, is part of the well-defined DICOM tags. Viewers can usually make these DICOM headers or metadata visible and even allow them to be edited.

Another place where personal data can be part of the DICOM data is in so-called “burned-in annotations”. The following example shows the patient’s name and date of birth: as you can see, the personal information of Max Mustermann, born on 19 August 1938 – don’t worry, this is a fake person – is part of the pixel information and can only be removed with special tools, usually by drawing black boxes over the visible information.

Figure 1: Burned-in annotations in echocardiography

Also, DICOM studies often contain series that hold patient reports or dicomized letters with private patient information. These reports are normally in series marked with modalities like PR, SR or OT.

Depending on the needs of a clinical project, the user must be cautious and decide which information should be shared and which should not. Finally, we want to mention that reconstruction or 3D rendering of images at increasing spatial resolution can lead to patient identification. If, for example, CT or MRI slices of a patient’s head are rendered, the facial features can be reconstructed, allowing the patient to be identified.
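The three places named above (header tags, burned-in annotations, and PR/SR/OT series) can be checked in one pass before a study leaves the site. The following is an added example, not ClinFlows code: it parses a constructed run of Explicit VR Little Endian elements with the Python standard library, replaces name and ID with a keyed pseudonym, keeps the exam date, and flags what header edits cannot fix. The tag numbers are the standard DICOM ones; the HMAC pseudonym scheme, the key, the sample values and the function names are assumptions made for this example.

```python
import hashlib, hmac, struct

# Standard DICOM attribute tags as (group, element).
STUDY_DATE, MODALITY, OPERATORS_NAME = (0x0008, 0x0020), (0x0008, 0x0060), (0x0008, 0x1070)
PATIENT_NAME, PATIENT_ID, BIRTH_DATE = (0x0010, 0x0010), (0x0010, 0x0020), (0x0010, 0x0030)
BURNED_IN = (0x0028, 0x0301)  # Burned In Annotation: "YES" / "NO"
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs with a 4-byte length field

def encode(tag, vr, text):
    """Build one Explicit VR Little Endian element (short-length VRs only)."""
    data = text.encode("ascii")
    data += b" " * (len(data) % 2)  # DICOM values are padded to even length
    return struct.pack("<HH2sH", tag[0], tag[1], vr, len(data)) + data

def parse(buf):
    """Parse a flat run of elements into {tag: (vr, text)}; no undefined-length sequences."""
    out, pos = {}, 0
    while pos < len(buf):
        group, elem, vr = struct.unpack_from("<HH2s", buf, pos)
        wide = vr in LONG_VRS  # 2 reserved bytes, then a 4-byte length
        length = struct.unpack_from("<I" if wide else "<H", buf, pos + (8 if wide else 6))[0]
        pos += 12 if wide else 8
        out[(group, elem)] = (vr, buf[pos:pos + length].decode("ascii", "replace").strip())
        pos += length
    return out

def pseudonymize(elements, key):
    """Return (pseudonymized elements, findings that need manual review)."""
    out, findings = dict(elements), []
    patient_id = elements.get(PATIENT_ID, (b"LO", ""))[1]
    mac = hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()
    pseudonym = "SUBJ-" + mac[:12].upper()  # same patient + same key -> same pseudonym
    out[PATIENT_NAME], out[PATIENT_ID] = (b"PN", pseudonym), (b"LO", pseudonym)
    for tag in (BIRTH_DATE, OPERATORS_NAME):  # removed rather than replaced
        if tag in out:
            out[tag] = (out[tag][0], "")
    # A missing flag is treated like "YES": header edits never touch pixel data.
    if out.get(BURNED_IN, (b"CS", "YES"))[1] != "NO":
        findings.append("burned-in annotation: inspect and mask pixel data")
    if out.get(MODALITY, (b"CS", ""))[1] in {"PR", "SR", "OT"}:
        findings.append("report-type series: review content before sharing")
    return out, findings

# Constructed sample mirroring the fictitious patient in Figure 1.
SAMPLE = b"".join(encode(t, vr, v) for t, vr, v in [
    (STUDY_DATE, b"DA", "20240102"), (MODALITY, b"CS", "US"), (OPERATORS_NAME, b"PN", "Doe^Jane"),
    (PATIENT_NAME, b"PN", "Mustermann^Max"), (PATIENT_ID, b"LO", "12345"),
    (BIRTH_DATE, b"DA", "19380819"), (BURNED_IN, b"CS", "YES")])
CLEANED, FINDINGS = pseudonymize(parse(SAMPLE), b"constructed-demo-key")
```

Because the pseudonym is keyed, whoever holds the key can re-link a result to the patient, which is what makes this pseudonymization rather than anonymization.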

The objective of this article is to raise awareness among healthcare professionals who deal with medical images and, as such, with personal patient information, often called Private Health Information (PHI). However, you might be glad to hear that exchanging DICOM data does not need to be complicated at all, for example with the use of our dicomdrop and decidemedical tools.

You would like to learn about different ways to exchange DICOM files? Then stay with us: In part 3 of our DICOM explained-series, we will explain the different options available for DICOM-exchange and will tell you more about their pros and cons.

For more information on our ClinFlows-solutions, visit our website or get in touch via info(at)!