HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations.

Healthcare professionals often create presentations that include medical images for educational purposes; however, care must be taken to ensure that protected health information is not accidentally exposed or disclosed. Medical images contain embedded patient identifiers to ensure the images can be easily matched with the right patient but advances in web crawling technology is now allowing that information to be extracted, which places patient privacy at risk.

The web crawling technology used by search engines such as Google and Bing have enabled the large-scale extraction of information from previously stored files. Advances in the technology now allow information in slide presentations that was previously considered to be de-identified to be indexed, which can include patient identifiers. Source images can be extracted from PowerPoint presentations and PDF files, for example, and the technology can recognize alphanumeric characters that are embedded in the image pixels.

As part of the indexing process, that information becomes associated with the images and search engine searches using a search term containing the information in those images will result in the files being displayed in the search engine results.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

If a patient performs a search using their name, for example, an image from a diagnostic study conducted several years previously could be displayed in the search engine results. A click on the image would direct the patient to a website of a professional imaging association that had stored a PowerPoint presentation or Adobe PDF file that was used internally in the past for education purposes.

The professional imaging association would likely be unaware that the image contained any protected health information, the author of the file would be unlikely to be aware that the PHI had not been sufficiently de-identified when the presentation was created, and that saving the presentation as an Adobe PDF file had not ensured patient privacy.

The radiology organizations have offer guidance to healthcare organizations to help them avoid accidental PHI disclosures when creating online presentations containing medical images for educational purposes.

When creating presentations, only medical images that do not include any patient identifiers should be used. If medical images have embedded patient identifiers, screen capture software should be used to capture the part of the medical image that displays the area of interest, omitting the part of the image that contains patient identifiers. Alternatively, an anonymization algorithm embedded in the PACS should be used prior to saving a screen or active window representation or patient information overlays should be disabled before exporting the image.

The radiology organizations warn against the use of formatting tools in the presentation software – PowerPoint, Keynote, Google Slides etc – for cropping the images so as not to display any patient identifiers, as this practice will not permanently remote PHI from the images. They also warn that the use of image editing software such as Adobe Photoshop to blackout patient identifiers is also not a safe and compliant practice for de-identification.

After patient identifiers have been removed, a final quality control check is recommended to ensure that the images have been properly sanitized before they are made public.

You can view the guidance on the removal of PHI from medical images prior to creating medical image presentations on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.