Protecting Patient Information in Medical Presentations

The following is an abbreviated overview of the information disseminated by the Radiological Society of North America (RSNA), the American College of Radiology (ACR) and the Society for Imaging Informatics in Medicine (SIIM) in August 2020 about protecting patient information in medical presentations.

Search engines can extract patient identifiers in PowerPoint™ slide presentations that were believed to have been anonymized.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Radiologists often use patient images in their teaching presentations. To be HIPAA compliant, those presentations must not contain any PHI (Patient Health Information) that can be used to identify individual patients.

Beware: Search engines (e.g. Google, Bing and others) can extract and index patient identifiers in PowerPoint™ slide presentations and Adobe® PDF files that were believed to have been anonymized. The information can be embedded in the image pixels themselves, not only in the visible text. This can lead to situations such as the following:

When a patient searches her name in a search engine, images from a diagnostic imaging study performed 4 years earlier appear. When she clicks on the images, she is directed to the website of a professional imaging association that stored an Adobe® PDF file as part of an educational presentation. The association was unaware that the file contained PHI. The author of the file was unaware that the PHI had not been sufficiently de-identified before the original presentation was created in PowerPoint™ format, and that saving the file in Adobe® PDF format had not removed it either.

To prevent a breach of HIPAA, think of dancing the Do-Si-Do, aka Dosey Doe, otherwise known as Do’s and Don’ts

By following these “do’s” and “don’ts” you will prevent the situation described above and ensure HIPAA compliance:

Don’t . . .

  • Use a font color that is the same as the background color (changing the font color so the text/PHI blends into the background does not remove the information; it only makes it invisible in slide-show mode, and the text is still present in the file)
  • Put an object over the PHI (this just masks but does not remove the information)
  • Crop the image without deleting the cropped portion of the image (cropping with the PowerPoint™ tool does not remove the information; the full image stays in the file and the “crop” can be undone later by another user of the file)

Do . . .

  • Capture images without any PHI (this is the best way to avoid a HIPAA breach)
  • Consider using third-party image processing software (e.g., IrfanView, Adobe Photoshop) that can cut out the PHI and save just the image data, if your image has PHI in the pixel data
  • Make sure all slides have no PHI data in the cropped areas – use specific presentation software functions designed to permanently remove cropped content if applicable
  • Make sure all slides have no PHI data in the notes sections or in areas beyond the displayable slide
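As an added example, not part of the RSNA/ACR/SIIM guidance or this page, the following Python audit opens a .pptx as the ZIP archive it is and flags exactly the retention the “don’ts” describe: pictures that carry a crop rectangle (the uncropped pixels are still stored under ppt/media/) and text sitting in notes slides. The sample deck it scans is constructed inline, so the script runs offline; all names and values in it are made up.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML namespaces used by PresentationML slides and DrawingML pictures.
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"


def audit_pptx(data: bytes) -> dict:
    """Scan a .pptx (a ZIP of XML parts) for PHI-retention risks.

    A PowerPoint crop is only an <a:srcRect> inset on the slide; the original
    pixels remain in ppt/media/, so every cropped picture is flagged. Notes
    text is collected because it ships with the file but is never shown in
    slide-show mode. The media list is the inventory a reviewer should open.
    """
    findings = {"cropped_pictures": [], "notes_text": [], "media": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("ppt/media/"):
                findings["media"].append(name)  # full, uncropped assets
            elif re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                root = ET.fromstring(z.read(name))
                for pic in root.iter(f"{{{P_NS}}}pic"):
                    rect = pic.find(f".//{{{A_NS}}}srcRect")
                    # Any non-zero inset means image data is hidden, not deleted.
                    if rect is not None and any(
                            float(rect.get(k, "0").rstrip("%")) for k in "ltrb"):
                        findings["cropped_pictures"].append(name)
            elif re.fullmatch(r"ppt/notesSlides/notesSlide\d+\.xml", name):
                root = ET.fromstring(z.read(name))
                text = " ".join(t.text or "" for t in root.iter(f"{{{A_NS}}}t")).strip()
                if text:
                    findings["notes_text"].append((name, text))
    return findings


def build_sample_pptx() -> bytes:
    """Constructed minimal archive holding only the parts audit_pptx() reads
    (not a complete, openable deck): one cropped picture, a notes slide with a
    made-up identifier, and the untouched image bytes."""
    slide = (f'<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}"><p:cSld><p:spTree><p:pic>'
             '<p:blipFill><a:blip/><a:srcRect t="15000" b="5000"/></p:blipFill>'
             '</p:pic></p:spTree></p:cSld></p:sld>')
    notes = (f'<p:notes xmlns:p="{P_NS}" xmlns:a="{A_NS}"><p:cSld><p:spTree><p:sp>'
             '<p:txBody><a:p><a:r><a:t>MRN 000000 (constructed)</a:t></a:r></a:p>'
             '</p:txBody></p:sp></p:spTree></p:cSld></p:notes>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/notesSlides/notesSlide1.xml", notes)
        z.writestr("ppt/media/image1.png", b"\x89PNG placeholder (constructed)")
    return buf.getvalue()
```

Run `audit_pptx(open("deck.pptx", "rb").read())` on a real file; a non-empty `cropped_pictures` or `notes_text` list means the deck still needs cleaning before it is shared.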

What Constitutes PHI?

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age)
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Device identifiers and serial numbers
  • Certificate/license numbers
  • Account numbers
  • Vehicle identifiers and serial numbers including license plates
  • Website URLs
  • Full face photos and comparable images
  • Biometric identifiers (including finger and voice prints)
  • Any unique identifying numbers, characteristics, or codes

Note: It is YOUR responsibility as the individual sharing the medical case to ensure that images and any other data have been properly de-identified and that any legal constraints on sharing data have been met. For a more detailed explanation of how to apply the “do’s” and “don’ts”, see the full article here

Second Note: MRI Online follows robust guidelines for protecting patient information.