Create a De-ID Profile
In Flywheel, de-identification is configured using a de-ID profile. A de-ID profile is a set of instructions for what to do with metadata that may include PHI.
This article explains how to create a de-ID profile to remove or transform sensitive DICOM data. There is also a reference guide detailing all possible data transformations with examples.
Disclaimer
This feature is not guaranteed to satisfy any specific regulatory or compliance requirements. It is your responsibility to ensure that you set the appropriate configuration parameters and evaluate the end result to determine whether it is acceptable for your use cases and any regulatory or compliance requirements you may have.
What is the De-ID Profile?
A de-ID profile is a set of instructions for what to do with metadata that may include PHI. De-ID profiles can de-identify standard DICOM tags such as PatientName, StudyDate, and PatientAge, as well as private tags unique to your institution.
In general, there are 2 levels of de-identification:
- File settings: At this level, the de-identification settings apply to all DICOM data by default. For example:
remove-private-tags
to remove all non-standard DICOM tags.recurse-sequence
, which cascades de-identification transformations down an entire sequence of nested tags.
- Fields settings: These settings give you finer control over what specific DICOM tags are de-identified and HOW they are de-identified.
- This setting takes precedent over the file settings, so you can add exceptions to a rule.
- For example: you can set
remove-private-tags
totrue
at the file level, but then choose to keep a specific custom tag by using the field transformationkeep
.
How does it work with Flywheel?
All upload methods offer the option to use a profile to de-identify data at the edge of the Flywheel platform. De-identifying at the edge means only de-identified data is uploaded to Flywheel. Then each time you import data into Flywheel — whether by the Connector, CLI, Web Uploader, or SDK– your data is de-identified according to your profile.
See the de-identification overview article for more details.
Instructions
Download the Flywheel CLI
Creating and testing de-ID profiles is easiest with the Flywheel CLI. Learn more about how to download the CLI and sign in to your Flywheel account.
Generate a De-id Template
To begin, we will generate a de-id template. In later steps we will update the template to fit your data
- Open the Terminal or Windows Command Prompt app on your computer.
- Navigate to the Flywheel CLI.
- Enter the following command:
- Windows:
fw deid create C:\Users\[username]\Documents\deid_profile.yaml
- Mac/Linux:
fw deid create ~/Documents/deid_profile.yaml
- Windows:
-
You will see the following message:
Sample template successfully created
-
Open the
deid_profile.yaml
file in a plain text editor such as TextEdit, notepad, or Sublime. You will see the following template:
Determine how your data needs to be de-identified
Disclaimer
You are responsible for ensuring the de-identified data is acceptable for your use cases and meets any regulatory or compliance requirements you have.
One important piece to consider when determining your de-identification needs is that Flywheel uses certain DICOM tags to organize the images in groups, projects, subjects, sessions, and acquisitions during the import process.
The following are the default DICOM tags Flywheel uses to sort DICOM images. Your Flywheel site may use different tags for sorting data, so check with your institution's Flywheel admin for the specific sorting tags.
We do not recommend removing the sorting tags altogether when de-identifying data. Instead, use one of the other transformation methods such as replace-with
. This allows Flywheel to automatically group related DICOM images while still de-identifying data.
Keyword | Tag | Flywheel Field |
---|---|---|
Patient ID | (0010,0020) | Group ID (When uploading via Connector) Project Label (When uploading via Connector) Subject ID |
Study Instance UID | (0020,000D) | Session UID |
Study Description | (0008,1030) | Session Label |
Series Instance UID | (0020,000E) | Acquisition UID |
Series Description | (0008, 103E) | Acquisition Label |
Update the YAML File
Once you have determined how you want to de-identify your data, the next step is to update the YAML file.
- Update the YAML file with the appropriate transformations.
- Confirm that your profile is valid YAML. You can use an online tool like YAML Lint.
Test
Test your de-ID profile locally before uploading sensitive data to Flywheel.
Example de-id Profiles
Create a Keeplist
One option for removing many DICOM tags is to create a keeplist using remove-undefined
. This means that any DICOM tags not specified under fields
are removed. This example also shows a few basic transformations of the fields in the keeplist:
Create a Blocklist
Let's say you have the following requirements for your data:
- Remove some fields that have PII and are not needed in Flywheel.
- Accomplish this by listing the tags under fields and adding
remove: true
. This creates a blocklist.
- Accomplish this by listing the tags under fields and adding
- Offset dates by a consistent number.
- Accomplish this by using
date-increment
.
- Accomplish this by using
- Use the default sorting tags in your environment and want to replace the value of some fields with "REDACTED" or a hash.
- Keep one private DICOM tag to use in Flywheel, but remove the rest
- Accomplish this with
remove-private-tags
- Accomplish this with
Here's an example of a de-ID profile that would satisfy the above requirements:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 |
|
Next steps
See our article to learn how to test your de-ID profile locally before uploading sensitive data to Flywheel.