Recommended Practices to Avoid PHI Exposure in Online Medical Presentations

The Society for Imaging Informatics in Medicine, the American College of Radiology, and the Radiological Society of North America published an advisory with regards to online medical presentations and the possibility of inadvertent exposure of protected health information (PHI).

Educational presentations created by healthcare experts usually contain medical images; nevertheless, presenters must be sure not to accidentally expose or disclose PHI. Medical images are embedded with patient identifiers to make it easy to match the images with the correct patient. However, web crawling technology can now be used to extract that information, which poses a risk to patient privacy.

Search engines like Google and Bing have web crawling technology that are enabled to perform large-scale extraction of data from stored files. Slide presentations with previously considered de-identified information can now be indexed including patient identifiers because of advances in technology. For instance, extraction of source images from PDF files and PowerPoint slides can be done and the technology used identifies alphanumeric characters, which are embedded in the image pixels.

The indexing process associates that information with the images. When shown in the search engine results, that information will be displayed together with the images.

When a patient searches for his name using Google, for example, the information shown might include an image associated with a diagnostic study performed many years ago. Clicking the image will bring the patient to a website belonging to a professional imaging association, which kept a PDF or PowerPoint file that the group used for educational purposes in the past.

Most likely, the professional imaging association is not aware of the PHI contained in the image. The person who created the file probably didn’t know that the PHI in the presentation was not sufficiently de-identified and that the saved Adobe PDF file did not secure patient privacy.

The radiology groups have published guidance for healthcare providers to teach them how to prevent accidental disclosures of PHI when making online presentations that use medical images for educational reasons.

When creating presentations, only use medical images with no patient identifiers. In case, medical images are embedded with patient identifiers, use a screen capture software to focus on the part of the image needed, excluding the image part with patient identifiers. Another option is to use an anonymization algorithm used in the PACS before saving a slide or active window presentation. It’s also possible to disable patient data overlays prior to exporting the picture.

The radiology groups give some warning when using a presentation software. When using the formatting tools available in Keynote, Powerpoint and Google Slides to crop images and cut out the patient identifiers, doing so does not permanently delete the PHI. When using image editing software like Adobe Photoshop to blacken patient identifiers, doing so is not safe nor compliant for de-identification.

After removing patient identifiers, it is recommended to do one last quality control check to make sure the proper sanitation of the images prior to making them public.

The guidance on removing PHI from medical images before making medical image presentations is available on this link.