De-identification of Medical Imaging: A Step-by-Step Checklist
GetDATA Team · 1 min read
De-identification is more than deleting a name
Sharing imaging data for research means removing identifiers from two places at once: the DICOM header tags and any text burned into the pixels themselves. Miss either and you have leaked PHI.
The step-by-step checklist
- Strip or replace patient-identifying DICOM tags (name, MRN, dates, institution, device serials).
- Detect and redact burned-in annotations and overlays on the image.
- Deface or skull-strip head CT/MRI where facial reconstruction is a re-identification risk.
- Preserve research-relevant fields (modality, slice thickness, pixel spacing) so studies remain interpretable.
- Document the method and tooling so downstream users can audit it.
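A minimal sketch of the header step of this checklist, added here as an example and not GetDATA's own tooling. It assumes a flat explicit-VR little-endian dataset (no Part 10 preamble, no undefined-length sequences) and covers only the handful of tags shown; pixel redaction and defacing are separate steps.

```python
import struct

# Identifier tags named in the checklist; every other element is kept as-is.
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID (MRN)",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0080): "InstitutionName",
    (0x0018, 0x1000): "DeviceSerialNumber",
}
BURNED_IN = (0x0028, 0x0301)  # BurnedInAnnotation, value "YES" or "NO"
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 4-byte length form

def encode(tag, vr, value):
    """Encode one explicit-VR little-endian element, padded to even length."""
    value += b" " * (len(value) % 2)
    head = struct.pack("<HH", *tag) + vr
    if vr in LONG_VRS:
        return head + struct.pack("<HI", 0, len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def deidentify(dataset):
    """Return (cleaned bytes, audit log, needs_pixel_review)."""
    # review starts True: a missing BurnedInAnnotation tag fails closed.
    out, audit, review, pos = bytearray(), [], True, 0
    while pos < len(dataset):
        group, elem = struct.unpack_from("<HH", dataset, pos)
        vr = dataset[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", dataset, pos + 8)
            start = pos + 12
        else:
            (length,) = struct.unpack_from("<H", dataset, pos + 6)
            start = pos + 8
        value, tag = dataset[start:start + length], (group, elem)
        if tag in PHI_TAGS:
            audit.append(f"blanked {PHI_TAGS[tag]} ({group:04X},{elem:04X})")
            value = b""
        elif tag == BURNED_IN:
            review = value.strip() != b"NO"
        out += encode(tag, vr, value)
        pos = start + length
    return bytes(out), audit, review

# Constructed sample (not real patient data): Modality, name, MRN, thickness, flag.
SAMPLE = b"".join(encode(t, vr, v) for t, vr, v in [
    ((0x0008, 0x0060), b"CS", b"CT"), ((0x0010, 0x0010), b"PN", b"DOE^JANE"),
    ((0x0010, 0x0020), b"LO", b"MRN0001"), ((0x0018, 0x0050), b"DS", b"1.25"),
    ((0x0028, 0x0301), b"CS", b"YES")])
```

The flag only reflects what the producing system declared, so sample-check pixels even when it reads NO.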
HIPAA Safe Harbor and GDPR
Under HIPAA Safe Harbor, eighteen identifier categories must be removed; GDPR treats truly anonymised data as out of scope but holds pseudonymised data to a higher bar. Know which regime applies before you share.
Make it a shared baseline
GetDATA requests state anonymisation requirements up front, so providers and researchers agree on a compliance baseline before any data changes hands.