RDCRN Ambra Security Statement

The RDCRN instance of Ambra uses a variety of methods to safeguard against PHI leakage. These methods fall under multiple categories: DICOM tag de-identification in-browser before upload, study quarantine requiring manual approval, and further server-side DICOM tag de-identification prior to sharing outside the clinical site.

One important note is that the Patient Name field is NOT de-identified until the imaging study gets into Ambra. Although the patient name will be replaced with a provided study ID (local ID or participant ID), we keep the supplied Patient Name field on upload so that it is available in the quarantine space as a way to provide secondary confirmation that the name and IDs match.

In-Browser DICOM Tag De-Identification

Images are uploaded to Ambra via an upload page within the Ambra system. All uploads, at a minimum, have a list of 340 DICOM tags de-identified in the browser prior to file upload. These DICOM tags are specified in the NEMA Application Level Confidentiality Profile Attributes table.

We follow the Basic Application Level Confidentiality Profile (Code Value = 113100) with the following selected modifications:

  • Clean Pixel Data Option (Code Value = 113101)

  • Clean Structured Content Option (Code Value = 113104)

  • Clean Descriptors Option (Code Value = 113105)

  • Retain Longitudinal Temporal Information Modified Dates Option (Code Value = 113107)

  • Retain Patient Characteristics Option (Code Value = 113108)

  • Retain Device Identity Option (Code Value = 113109)

  • Retain UIDs Option (Code Value = 113110)

The upload page on Ambra modifies the specified DICOM tags on the client side, before the images reach the Ambra servers.

Study Quarantine and Manual Approval

All imaging studies uploaded to Ambra are quarantined and require manual approval before being fully stored in the Ambra system. This gives uploaders and their clinical sites the ability to ensure PHI has been removed from the image prior to approval. At this stage, the patient name is temporarily saved in a separate field, and the patient name is automatically replaced by the provided local or participant ID.

One key aspect of this PHI check is reviewing the images themselves to ensure that PHI is not embedded in the pixels of any of the images. Structured Reports are a common source of PHI such as names, dates, and addresses. The workflow for masking these pixels is described in the Pixel-Based Redaction portion of our user guide. Additionally, pixels can be masked on the client side during the upload process.

Server-Side DICOM De-Identification

After a study is approved, it is released into the clinical site’s folder. At this point, the study is still only accessible by the members of the clinical site, DMCC administrators, and Ambra/Intelerad personnel. The study goes through a final de-identification step that removes these final DICOM tags:

  • StudyID

  • AccessionNumber

  • AcquisitionComments

  • AcquisitionContextSequence

  • AcquisitionDate

  • AdmissionID

  • PatientID

  • PersonName

  • ReasonForStudy

  • VisitComments

Only after this de-identification workflow runs successfully are the imaging studies shared outside of the clinical site space.
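The following check is added here as an example and is not part of Ambra or the RDCRN tooling: it scans a DICOM data set for the ten attributes listed above, including copies nested inside sequences such as Structured Report content. It assumes Explicit VR Little Endian encoding and takes the tag numbers from the DICOM data dictionary; the function names and the sample bytes are constructed for illustration.

```python
import struct

# The ten attributes the page lists for the final step. Tag numbers come from the
# DICOM data dictionary (an assumption of this example; the page gives names only).
FINAL_TAGS = {
    (0x0020, 0x0010): "StudyID", (0x0008, 0x0050): "AccessionNumber",
    (0x0018, 0x4000): "AcquisitionComments", (0x0040, 0x0555): "AcquisitionContextSequence",
    (0x0008, 0x0022): "AcquisitionDate", (0x0038, 0x0010): "AdmissionID",
    (0x0010, 0x0020): "PatientID", (0x0040, 0xA123): "PersonName",
    (0x0032, 0x1030): "ReasonForStudy", (0x0038, 0x4000): "VisitComments",
}
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV", b"UC", b"UN", b"UR", b"UT", b"UV"}
UNDEF = 0xFFFFFFFF  # "undefined length" marker

def _walk(buf, pos, end, found):
    # Scan Explicit VR Little Endian elements in buf[pos:end], descending into sequences.
    while pos < end:
        group, elem, vr = struct.unpack_from("<HH2s", buf, pos)
        if group == 0xFFFE:                      # item or delimiter: no VR, 32-bit length
            length, pos = struct.unpack_from("<I", buf, pos + 4)[0], pos + 8
            if elem != 0xE000:                   # a delimiter closes this nesting level
                return pos
        elif vr in LONG_VRS:                     # 2 reserved bytes, then 32-bit length
            length, pos = struct.unpack_from("<I", buf, pos + 8)[0], pos + 12
        else:                                    # short VRs carry a 16-bit length
            length, pos = struct.unpack_from("<H", buf, pos + 6)[0], pos + 8
        if (group, elem) in FINAL_TAGS:
            found.add(FINAL_TAGS[(group, elem)])
        nested = group == 0xFFFE or vr == b"SQ"
        if length == UNDEF and not nested:
            raise ValueError("undefined-length non-sequence value not handled")
        if length == UNDEF:
            pos = _walk(buf, pos, end, found)    # returns just past the matching delimiter
        else:
            if nested:
                _walk(buf, pos, pos + length, found)
            pos += length
    return pos

def residual_tags(data):
    """Return the names of listed attributes still present anywhere in the data set."""
    found = set()
    _walk(data, 132 if data[128:132] == b"DICM" else 0, len(data), found)
    return sorted(found)

# Constructed sample (not real data): PatientID at top level, PersonName in an SR item.
BEFORE = (struct.pack("<HH2sH8s", 0x0010, 0x0020, b"LO", 8, b"SITE-001")
          + struct.pack("<HH2sHI", 0x0040, 0xA730, b"SQ", 0, UNDEF)
          + struct.pack("<HHI", 0xFFFE, 0xE000, UNDEF)
          + struct.pack("<HH2sH8s", 0x0040, 0xA123, b"PN", 8, b"DOE^JANE")
          + struct.pack("<HHIHHI", 0xFFFE, 0xE00D, 0, 0xFFFE, 0xE0DD, 0))
print(residual_tags(BEFORE))
```

An empty list from `residual_tags` is the result to expect for a study that has been through the final step described above.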