Where DICOM Anonymization Happens in XNAT
DICOM Anonymization is designed to keep PHI out of archived DICOM files and corresponding metadata. However, PHI can be stored in log files and temporary instances of XML files during the archiving process. See Limits of DICOM Anonymization in XNAT for more details.
XNAT needs to examine and alter the contents of image objects. Uses include:
- Remove Protected Health Information (PHI)
- Re-identify with experiment-required identifiers
- Enable automatic mapping of Image objects into XNAT's Project/Subject/Session data model.
Anonymization During Image Upload
XNAT provides the opportunity to apply two separate passes of anonymization to arriving images. If, when, and where these passes occur depends upon site-level configuration , project-specific configuration, image-upload method, and the destination of the uploaded images within XNAT.
Upload Method | Destination | Location | Site-wide | Project-specific |
---|---|---|---|---|
DICOM C-Store | Prearchive | Server | X | |
DICOM C-Store | Archive | Server | X | X |
XNAT Desktop Upload Assistant | Archive | Client | X | X |
Compressed Image Uploader | Prearchive | Server | X | |
Compressed Image Uploader | Archive | Server | X | X |
XNAT API | Archive | Server | X | X |
Destination: Images may be sent directly to the archive or to an intermediate stop, the prearchive, which allows for review of the images before committing them to the archive
Site-wide anonymization: If enabled, all uploads have this anonymization applied first.
Project-specific: If enabled, this anonymization is applied after site-wide anonymization, when the session moves into the archive. Images going first into the prearchive will not have this anonymization applied as part of the upload process. Project-specific anonymization will be applied to prearchived images, but only after manually sending the images to the archive (See https://flywheelio.atlassian.net/wiki/spaces/XNAT16/pages/2507805882).
Location: Anonymization may occur on either the client or server side of the image upload. Regardless of location, the same anonymiztion procedures are applied. Anonymiztion is not repeated server side if it occurs client side.
For a more detailed description of image upload processing, particularly in regard to how XNAT uses anonymiztion to map uploaded images into its project/subject/session data model, see Image Upload Processing Steps and How XNAT Scans DICOM to Map to Project/Subject/Session.
Anonymization During Move of Images from Prearchive to Archive
XNAT allows images to be uploaded to two locations: directly to the archive or to a staging area called the prearchive. XNAT requires users to do a manual step to move images from the prearchive to the archive (See Using the Prearchive). This manual step triggers the application of project-specific anonymization. This is the same project-specific anonymization that occurs automatically when upload is direct to the archive.
Anonymization During Metadata Edits
XNAT scans DICOM objects for certain elements that are used to map the objects to specific projects, subjects, and sessions (See How XNAT Scans DICOM to Map to Project/Subject/Session). Thus, there is an expectation that these elements within the objects match the data XNAT uses for project ID, subject label, and session label. When this data is edited, XNAT reruns project-specific anonymization on relevant DICOM objects with the intention of keeping these elements in sync. The following edits will invoke anonymization.
- Changing a subject's label.
- Changing a session's label.
- Moving a session to another project.
- Assigning a session to another subject.