DICOM explained Part 2: GDPR, Security and Personal Information – The Challenges with DICOM Data

In part 1 of our DICOM explained-series, you already learned that imaging plays an important role in modern medicine and that the focus is on files in DICOM format. You got to know what is behind the abbreviation DICOM, how it is used in healthcare, how a DICOM file is structured and that the DICOM headers and tags contain a lot of personal data. In part 2 of our DICOM series, we will go into detail about the latter and explain what problems the data contained can cause when working with DICOMs in practice.

Of course, it has many advantages that DICOM images contain a lot of technical and personal data (you don’t remember exactly which ones? Then go back and take a look at part 1 of our DICOM explained-series here). However, this is also problematic: if DICOMs are sent unencrypted by mail on a CD, for example – as is still regularly done today, e.g., as part of a study or to obtain a second opinion – they can be directly assigned to the patient, and this is, of course, not in compliance with data protection laws. Who would want their neighbor to find out unintentionally that they suffer from a certain illness? Especially since the General Data Protection Regulation (GDPR) came into force in May 2018, there are many discussions and unknowns that lead to uncertainty among clinicians and healthcare workers who work with medical images. There are many aspects to consider, but here we will focus on personally identifiable data in DICOM images and its technical aspects.

DICOM data: Anonymization vs. pseudonymization

In this context, there are two terms that are often misused when talking about privacy protection of medical images: “anonymization” and “pseudonymization”. Anonymization means that there is no way to retrieve or identify the patient if you only have the medical images. Often physicians or study nurses use this term when informing the patient that “all data will be completely anonymized,” for example, in the context of clinical trials or eligibility testing by outside medical experts. However, the recipient of the images, a core lab or central reader, in most cases needs to know the date of the exam and from which location the images were sent, as these identifiers are an essential parameter of the clinical trial or project. Often, the purpose of a clinical project is to obtain a second opinion on a treatment recommendation, meaning it is imperative to match the right patient to the right images and verify the outcome. In these cases, the data is absolutely not anonymous.

Is that a problem? No. But first, you would have to obtain written consent from a well-informed patient, and second, you would have to make sure that the data processor provides a technical and organizational GDPR-compliant environment. And if data must be shared for such a purpose, one should pseudonymize the data sets as much as possible. Pseudonymization means that identifying information (name, date of birth, etc.) is removed or replaced, reducing the possibility of tracing it back to the patient.

Where can I find personal information in DICOM data?

When viewing medical images with a DICOM viewer, one does not necessarily see the personal information immediately. As described above, a patient’s personal data, but possibly also that of the operator, is part of the well-defined DICOM tags. Viewers can usually make these DICOM headers or metadata visible and even allow them to be edited.

Another place where personal data can be part of the DICOM data is the so-called “burned-in annotations”. The following example shows the patient’s name and date of birth: as you can see, the personal information Max Mustermann, born on 19 August 1938 – don’t worry, this is a fake person – is part of the pixel information and can only be removed with special tools, usually by drawing black boxes over the visible information.

Figure 1: Burned-in annotations in echocardiography

Also, DICOM studies often contain series which hold patient reports or dicomized letters with private patient information. These reports are normally in series marked with modalities like PR, SR or OT.

Depending on the needs of a clinical project, the user must be cautious and decide which information shall be shared and which shall not. Finally, we want to mention that the reconstruction or 3D rendering of images with increasing spatial resolution can lead to patient identification. If, for example, CT or MRI slices of a patient’s head are rendered, the facial features can be reconstructed, allowing the patient to be identified.
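The pseudonymization and pre-sharing checks described above, as an added example that is not part of the original article or of ClinFlows' tools: name and ID are replaced by a keyed pseudonym, the exam date the recipient needs is kept, and burned-in annotations and PR/SR/OT series are flagged for review. The header is assumed to be already decoded into a mapping from (group, element) to text; the project key, the "SUBJ-" prefix and the list of blanked tags are assumptions.

```python
import hashlib
import hmac

# Tags as (group, element) pairs, numbers taken from the DICOM data dictionary.
PATIENT_NAME, PATIENT_ID = (0x0010, 0x0010), (0x0010, 0x0020)
BIRTH_DATE, BIRTH_NAME = (0x0010, 0x0030), (0x0010, 0x1005)
STUDY_DATE, MODALITY = (0x0008, 0x0020), (0x0008, 0x0060)
BURNED_IN = (0x0028, 0x0301)  # Burned In Annotation: "YES" or "NO"

# Assumption: this project blanks these; which tags to drop is a per-project decision.
BLANKED = (BIRTH_DATE, BIRTH_NAME)
REPORT_MODALITIES = {"PR", "SR", "OT"}  # series types the article flags for reports


def pseudonymize(header, project_key):
    """Return (new_header, warnings); header maps (group, element) -> str."""
    out = dict(header)
    patient_id = header.get(PATIENT_ID, "").strip()
    if not patient_id:
        raise ValueError("no Patient ID to derive a pseudonym from")
    # Keyed hash of the patient ID: stable within one project, and it cannot
    # be recomputed or compared across projects without the project key.
    mac = hmac.new(project_key, patient_id.encode(), hashlib.sha256)
    out[PATIENT_NAME] = out[PATIENT_ID] = "SUBJ-" + mac.hexdigest()[:12].upper()
    for tag in BLANKED:
        if tag in out:
            out[tag] = ""
    warnings = []
    if header.get(BURNED_IN, "").strip().upper() != "NO":
        warnings.append("burned-in annotations not ruled out: inspect pixel data")
    if header.get(MODALITY, "").strip().upper() in REPORT_MODALITIES:
        warnings.append("report-type series: review content before sharing")
    return out, warnings


# Constructed sample header; the patient is the article's fictitious example.
SAMPLE = {
    PATIENT_NAME: "Mustermann^Max", PATIENT_ID: "PAT-4711",
    BIRTH_DATE: "19380819", STUDY_DATE: "20230512",
    MODALITY: "US", BURNED_IN: "YES",
}
```

A missing Burned In Annotation tag is treated like "YES", because the header alone cannot prove that the pixels are clean.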

Our article’s objective is to increase the awareness of healthcare professionals who deal with medical images and, as such, with personal patient information, often called Private Health Information (PHI). However, you might be glad to hear that exchanging images does not need to be complicated at all, for example with the use of our dicomdrop and decidemedical tools.

You would like to learn about different ways to exchange DICOM files? Then stay with us: In part 3 of our DICOM explained-series, we will explain the different options available for DICOM-exchange and will tell you more about their pros and cons.

For more information on our ClinFlows-solutions, visit our website or get in touch via info(at)!


Leading medical device maker chooses ClinFlows’ decidemedical application for complex European clinical trial

A leading medical technology company headquartered in the US trusts ClinFlows’ decidemedical solution for its upcoming EU trial. Via the web-based platform, the complete patient screening process of the study, including the subsequent 5-year follow-up phase, will be organized and conducted: all medical images (DICOM) and documents will be handed in, reviewed, and evaluated in a GDPR-compliant manner via ClinFlows’ online service.

“We are excited to see this complex exchange of medical images and study documents, within such a groundbreaking clinical trial, realized on our decidemedical platform, involving multiple prominent researchers in the cardiovascular space”, says Uwe Gladbach, founder and CEO of ClinFlows.

The online submission and review of required data allows fast turnaround times between the study teams when it comes to subject eligibility checks, which is also very beneficial for patients, who can be treated in a timely manner.

ClinFlows’ decidemedical platform has registered users from 96 countries worldwide and has been in use for more than 10 years.


DICOM explained Part 1: What is DICOM, DICOM Tags and Data Sets?

Imaging techniques play an important role in many areas of modern medicine. This applies to diagnostics and therapy, but also to research, for example, in the context of clinical trials. The most important medical image format is DICOM. 

Within clinical projects, utilizing our ClinFlows’ solutions to exchange medical images, we frequently meet users (physicians, study nurses and coordinators) who are not that familiar with the topic “DICOM”. Time for us as DICOM experts to start a series in which we explain the format and obstacles that come when dealing with it (spoiler: among others, it’s about personal data!).

In the coming time, we will gradually publish articles here in which we explain the most important background and facts about DICOM data. We start today with part 1 of our DICOM explained-series, in which you will learn what is behind the abbreviation, how the DICOM format is structured, what makes it so characteristic and what it is used for in healthcare.

DICOM: the format behind the five letters

JPEG, TIFF, PNG – almost everyone knows these file formats of images. DICOM is also an image format, but it is used primarily in the medical industry. The abbreviation DICOM stands for “Digital Imaging and Communications in Medicine”. The term already makes it clear that the format not only includes the respective image data, the pixels or its storage as a specific file format, but that the DICOM standard includes further information, which we will explain in more detail later. The DICOM standard has its origins in the 1970s, when it was still called the ACR/NEMA standard and was initiated by the American College of Radiology and the National Electrical Manufacturers Association. DICOM as we know it today has only existed since 1992. The use of this image format is intended to facilitate and standardize the exchange of medical image data.

DICOM: Open standard to exchange medical images

The DICOM format is one of the so-called open standards, openly accessible and usable by anyone. This allows many medical professionals in the fields of research and clinical practice, diagnostics and therapy to exchange, view and perform measurements of medical images independently of manufacturers.

What are DICOM Headers, DICOM Tags and Data Sets?

A set of medical images in DICOM format usually has the following overall structure: Patient – Exam – Series – Images. That is, a patient undergoes a study or examination, such as a computed tomography (CT) scan. This examination consists of several series, and each series contains multiple images (hundreds or thousands) or multiple frames (like a video, e.g., for echocardiographies).

A DICOM medical image file, such as a single CT slice, consists of two distinct parts. One is the medical image itself, the other is the DICOM header. The DICOM header is a block of data that contains specific information that complements the image, called DICOM tags. This usually includes relevant patient data such as name, age, gender and date of birth, but also a lot of technical data and parameters, such as the device used to generate the images, the names of the surgeon and the administered drugs such as contrast agents, as well as data on the imaging technique, such as pixels, matrix size or the dimensions of the image. This usually facilitates the assignment of an image to a patient. In medical jargon, this data is referred to as attributes. Depending on the image and the circumstances, certain information is mandatory, while other attributes are optional. In addition, the DICOM header has DIN standards, which are defined by law.

What are DICOM Tags good for?

The DICOM Tags are organized as a constant and standardized series; thus, they are used in the management of information belonging to medical image data. The DICOM Tags are assigned as metadata elements to each image object in medicine. These can be segmentations, definitions of surfaces, and registration numbers for the images. The format is used for both standardization and storage of the files, as well as a uniform communication protocol for sharing. As data elements, tags consist of an attribute that is used for identification. Usually they are composed of hexadecimal numbers (XXXX,XXXX) with a comma in the middle. If necessary, a further subdivision into the group and element number is possible. In this way, DICOM tags are easier to read, and patient data can be printed directly on them when developing X-ray images. In this way, the X-ray image and the associated data are combined digitally in one file.

What DICOM Tags are available?

There are a variety of DICOM tags that assist in organizing medical image data as well as searching for them. These include, for example:

Attribute                    Tag
Accession Number             0008,0050
Procedure Creation Date      0014,4076
Patient’s Birth Name         0010,1005
Operator’s Name              0007,1070
Patient’s ID                 0010,0020
Patient’s Birth Date         0010,0030
Patient’s Body Mass Index    0010,1022

Table 1, DICOM Tags

Thanks to the numbers, an extremely large amount of information can be assigned to the images, which is immediately recognized by the medical authorities. By the way: A full list of all DICOM tags can be found at MITA (The Medical Imaging Technology Association) or NEMA here.
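How the (XXXX,XXXX) group and element numbers appear in the header bytes, as an added example that is not part of the original article: a reader for data elements in the common "explicit VR little endian" encoding that lists the patient-related tags it finds. It assumes a bare run of data elements (no 128-byte preamble or file meta group) and rejects undefined-length elements; the sample bytes and the `make_element` helper are constructed for illustration.

```python
import struct

# VRs that use 2 reserved bytes plus a 4-byte length in explicit-VR encoding.
LONG_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
# Patient-related tags from the article's Table 1, plus Patient's Name (added here).
IDENTIFYING = {"0008,0050": "Accession Number", "0010,0010": "Patient's Name",
               "0010,0020": "Patient's ID", "0010,0030": "Patient's Birth Date",
               "0010,1005": "Patient's Birth Name"}


def parse_elements(data):
    """Return [(tag, vr, value_bytes)] for explicit-VR little-endian elements."""
    elements, pos = [], 0
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated element header")
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii", "replace")
        header = 12 if vr in LONG_VRS else 8
        if pos + header > len(data):
            raise ValueError("truncated element header")
        fmt, offset = ("<I", 8) if header == 12 else ("<H", 6)
        (length,) = struct.unpack_from(fmt, data, pos + offset)
        start = pos + header
        if length == 0xFFFFFFFF or start + length > len(data):
            raise ValueError("undefined or out-of-range length")
        elements.append((f"{group:04X},{elem:04X}", vr, data[start:start + length]))
        pos = start + length
    return elements


def identifying_values(data):
    """Map attribute name -> text value for identifying tags that are present."""
    return {IDENTIFYING[tag]: value.decode("ascii").rstrip(" \x00")
            for tag, vr, value in parse_elements(data) if tag in IDENTIFYING}


def make_element(group, elem, vr, text):
    """Build one short-VR element for the constructed sample (even-length value)."""
    value = text.encode("ascii")
    value += b" " * (len(value) % 2)
    return struct.pack("<HH2sH", group, elem, vr.encode(), len(value)) + value


# Constructed sample header fragment; the patient is the article's fictitious one.
SAMPLE = (make_element(0x0008, 0x0050, "SH", "ACC0001")
          + make_element(0x0008, 0x0060, "CS", "US")
          + make_element(0x0010, 0x0010, "PN", "Mustermann^Max")
          + make_element(0x0010, 0x0020, "LO", "PAT-4711")
          + make_element(0x0010, 0x0030, "DA", "19380819"))
```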

In the next part of our DICOM explained series, we will dive deeper into the topic: Among others, you will learn more about the problems that the data contained in DICOM files pose for working with them. Stay tuned!