ProKnow DICOM services can be set up to automatically anonymize DICOM data prior to upload to ProKnow. The anonymization is customizable via anonymization configuration "rules files" that determine (1) which of the DICOM attributes to anonymize and (2) how to anonymize each attribute for the applicable DICOM service(s).
If you enable auto-anonymization for a DICOM service, you must specify a rules file. See Configuring Services for instructions on how to select the rules file for a service. A rules file can be shared by services running within the same ProKnow DICOM Agent installation.
CAUTION: Do not share a rules file across multiple ProKnow DICOM Agent installations that are uploading to the same ProKnow workspace when using the GeneratePatient rule for (0010,0020) Patient ID and (0010,0010) Patient’s Name or the GenerateUid rule for DICOM UID attributes. Because the ProKnow DICOM Agent database is not shared, different anonymized patient IDs and patient names will be generated for the same original patient ID and patient name and different anonymized UIDs will be generated for the same original UID. This will result in data not being properly associated.
SUGGESTION: If you do have multiple DICOM Agent installations uploading to the same ProKnow workspace (e.g., a network of computers at work using one DICOM Agent installation and all of its services, plus additional installations on personal computers you are running from home), then set up the rules file to product unique Patient IDs by using set prefixes or suffixes to be added to the rest of the ID strings.
The rules files are XML files. You will edit each XML file to define your anonymization configuration and save as a rules file.
The best method to ensure correct format of the rules file is to download the example rules file from the Create Service or Edit Service dialogs. Then, create a copy and edit that new file according to your preferences. See Configuring Services for instructions on how to download the example rules file. It is important to preserve this format, including the labels, so that the file can be properly parsed by the application.
The format of the rules file will allow you to (1) define individual elements and their anonymization rules and (2) define the global rule for changing (e.g., shifting) date/time values for applicable elements.
An XML rules file will contain a list of elements, one for each attribute to be anonymized. If you do not specify an element, then that element’s attributes will always be preserved, i.e., remain unchanged.
See the Table 1. Element Properties for descriptions of the element properties. Only required properties need to be present. The properties can appear in any order. For example, an element to remove the private attribute PET Patient ID look like this:
<Name>PET Patient ID</Name>
Table 1: Element Properties
Global Date/Time Shift
An XML rules file will also contain a specification of a global date/time shift method. This method will be applied to any attribute for which the Shift rule has been specified, which by definition must have a value representation (VR) of either date (DA), time (TM), or date/time (DT).
Using a global date/time shift rule will ensure a uniform shift of the applicable date/timestamps, preserving the temporal relationship of the associated data. Once used, changing this value may impact the temporal relationship between data previously anonymized and future data to be anonymized.
In the downloadable example rules file that you can use as a template, the global date/time shift will be located near the top of the default rules file (preceding the list of Elements). The default setting will be as follows:
The syntax of the value is "sDDDDDHHMMSS" where:
- The "s" character is an optional sign ("+" or "-") indicating the direction of the shift. If omitted, a "+" will be assumed.
- DDDDD is the zero-padded number of days to be shifted.
- HH is the zero-padded number of hours to be shifted.
- MM is the zero-padded number of minutes to be shifted.
- SS is the zero-padded number of seconds to be shifted.
For example, a setting of
will result in shift forward (i.e., positive) in time of 10000 days, 10 hours, 10 minutes, and 10 seconds.
Table 2: Anonymization Rules
Verification of an Anonymization Configuration
CAUTION: Make sure to include an element for every DICOM attribute that may contain PHI/PII that you want to anonymize, including private DICOM attributes. It is important to verify that the rules file works for the variety of DICOM content that may be transmitted to ProKnow DICOM Agent.
To verify, it may help to do the following:
- Use a DICOM browsing tool to examine each variety of DICOM object that will be transmitted to ProKnow DICOM Agent. Be sure to inspect attributes at the root level as well those contained within nested sequences. Make a list of all the attributes you wish to anonymize.
- Define a rules file that anonymizes each attribute in your list with your preferred anonymization method.
- After the rules file has been defined, set up a service that only stores the anonymized DICOM locally (e.g., does not yet upload to ProKnow). Send a number of dataset transmissions through the server to create the anonymized output that is saved locally. Use a DICOM browsing or compare tool to verify that all desired PHI/PII has been removed and the anonymized values are as expected.
- Manually upload representative anonymized datasets to ProKnow to verify that the replaced values are acceptable, i.e., that the rules you used are valid for each attribute and not rejected as invalid DICOM.