DICOM PS3.15 2017b - Security and System Management Profiles

E Attribute Confidentiality Profiles

This Annex describes Profiles and Options to address the removal and replacement of Attributes within a DICOM Dataset that may potentially result in leakage of Individually Identifiable Information (III) about the patient or other individuals or organizations involved in acquisition.

Profiles are provided to address the balance between the removal of information and the need to retain information so that the Datasets remain useful for their intended purpose.

Options are used in addition to profiles to prevent a combinatorial expansion of different Profiles.

E.1 Application Level Confidentiality Profiles

Application Level Confidentiality Profiles address the following aspects of security:

  • Data Confidentiality at the application layer.

Other aspects of security not addressed by these profiles, that may be addressed elsewhere in the standard include:

  • Confidentiality in other layers of the DICOM model;

  • Data Integrity.

These Profiles are targeted toward creating a special purpose, de-identified version of an already-existing Data Set. It is not intended to replace the original SOP Instance from which the de-identified SOP Instance is created, nor is it intended to act as the primary representation of clinical Data Sets in image archives. The de-identified SOP Instances are useful, for example, in creating teaching or research files, performing clinical trials, or submission to registries where the identity of the patient and other individuals is required to be protected. In some cases, it is also necessary to provide a means of recovering identity by authorized personnel.

E.1.1 De-identifier

An Application may claim conformance to an Application Level Confidentiality Profile and Options as a de-identifier if it protects and retains all Attributes as specified in the Profile and Options. Protection in this context is defined as the following process:

  1. The application may create one or more instances of the Encrypted Attributes Data Set and copy Attributes to be protected into the (single) item of the Modified Attributes Sequence (0400,0550) of one or more of the Encrypted Attributes Data Set instances.

    Note

    1. A complete reconstruction of the original Data Set may not be possible; however, Attributes (e.g., SOP Instance UID) in the Modified Attributes Sequence of an Encrypted Attributes Data Set may refer back to the original SOP Instance holding the original Data Set.

    2. It is not required that the Encrypted Attributes Data Set be created; indeed, there may be circumstances where the Dataset is expected to be archived long enough that any contemporary encryption technology may be inadequate to provide long term protection against unauthorized recovery of identification.

    3. Other mechanisms to assist in identity recovery or longitudinal consistency of replaced UIDs or dates and times are deprecated in favor of the Encrypted Attributes Data Set mechanism that is intended for this purpose. For example, if it is desired to include an encrypted hash of the Patient's Name, it should not be encoded in a separate private attribute implemented for that purpose, but should be included in the Encrypted Attributes Data Set and encoded using the standard mechanism. This allows for compatibility between different implementations and provides security based on the quality and control of the encryption keys. Note also, that unencrypted hashes are considerably less secure and should be avoided, since they are vulnerable to trivial dictionary based attacks.

  2. Each Attribute to be protected shall then either be removed from the dataset, or have its value replaced by a different "replacement value" that does not allow identification of the patient.

    Note

    1. It is the responsibility of the de-identifier to ensure that this process does not negatively affect the integrity of the Information Object Definition, i.e., dummy values may be necessary for Type 1 Attributes that are protected but may not be sent with zero length, and are to be stored or exchanged in encrypted form by applications that may not be aware of the security mechanism.

    2. The standard does not mandate the use of any particular dummy value, and indeed it may have some meaning, for example in a data set that may be used for teaching purposes, where the real patient identifying information is encrypted for later retrieval, but a meaningful alternative form of identification is provided. For example, a dummy Patient's Name (0010,0010) may convey the type of pathology in a teaching case. It is the responsibility of the de-identifier software or human operator to ensure that the dummy values cannot be used to identify the patient.

    3. It is the responsibility of the de-identifier to ensure the consistency of dummy values for Attributes such as Study Instance UID (0020,000D) or Frame of Reference UID (0020,0052) if multiple related SOP Instances are protected. Indeed, all Attributes of every entity above the Instance level should remain consistent for all Instances protected, e.g., Patient ID for the Patient entity, Study ID for the Study entity, Series Number for the Series entity.

    4. Some profiles do not allow selective protection of parts of a Sequence of Items. If an Attribute to be protected is contained in a Sequence of Items, the complete Sequence of Items may need to be protected.

    5. The de-identifier should ensure that no identifying information is burned in to the image pixel data, either because the modality does not generate such burned in identification in the first place, or by removing it through the use of the Clean Pixel Data Option; see Section E.3. If non-pixel data graphics or overlays contain identification, the de-identifier is required to remove them, or clean them if the Clean Graphics option is supported; see Section E.3.3. The means by which burned in or graphic identifying information is located and removed is outside the scope of this standard.

  3. Each Attribute specified to be retained shall be retained. At the discretion of the de-identifier, Attributes may be added to the dataset to be protected.

    Note

    As an example, the Attribute Patient's Age (0010,1010) might be introduced as a replacement for Patient's Birth Date (0010,0030) if the patient's age is of importance, and the profile permits it.

  4. If used, all instances of the Encrypted Attributes Data Set shall be encoded with a DICOM Transfer Syntax, encrypted, and stored in the dataset to be protected as an Item of the Encrypted Attributes Sequence (0400,0500). The encryption shall be done using RSA [RFC2313] for the key transport of the content-encryption keys. A de-identifier conforming to this security profile may use either AES or Triple-DES for content-encryption. The AES key length may be any length allowed by the RFCs. The Triple-DES key length is 168 bits as defined by ANSI X9.52. Encoding shall be performed according to the specifications for RSA Key Transport and Triple DES Content Encryption in RFC3370 and for AES Content Encryption in RFC3565.

    Note

    1. Each item of the Encrypted Attributes Sequence (0400,0500) consists of two Attributes, Encrypted Content Transfer Syntax UID (0400,0510) containing the UID of the Transfer Syntax that was used to encode the instance of the Encrypted Attributes Data Set, and Encrypted Content (0400,0520) containing the block of data resulting from the encryption of the Encrypted Attributes Data Set instance.

    2. RSA key transport of the content-encryption keys is specified as a requirement in the European Prestandard ENV 13608-2: Health Informatics - Security for healthcare communication - Part 2: Secure data objects.

  5. No requirements on the size of the asymmetric key pairs used for RSA key transport are defined in this confidentiality scheme. Implementations claiming conformance to the Basic Application Level Confidentiality Profile as a de-identifier shall always protect (e.g., encrypt and replace) the SOP Instance UID (0008,0018) Attribute as well as all references to other SOP Instances, whether contained in the main dataset or embedded in an Item of a Sequence of Items, that could potentially be used by unauthorized entities to identify the patient.

    Note

    In the case of a SOP Instance UID embedded in an item of a sequence, this means that the enclosing Attribute in the top-level data set must be encrypted in its entirety.

  6. The attribute Patient Identity Removed (0012,0062) shall be replaced or added to the dataset with a value of YES, and one or more codes from CID 7050 "De-identification Method" corresponding to the profile and options used shall be added to De-identification Method Code Sequence (0012,0064). A text string describing the method used may also be inserted in or added to De-identification Method (0012,0063), but is not required.

  7. If the Dataset being de-identified is being stored within a DICOM File, then the File Meta Information including the 128 byte preamble, if present, shall be replaced with a description of the de-identifying application. Otherwise, there is a risk that identity information may leak through unmodified File Meta Information or preamble. See PS3.10.
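The seven steps above, carried through on a minimal dict-based dataset, as an added example written for this page; it is not DICOM's or any vendor's code. Tags and the Explicit VR Little Endian Transfer Syntax UID are from PS3.6; the CID 7050 code 113100 for the Basic Application Confidentiality Profile is assumed from that context group. `placeholder_seal`, `to_json`, `Deidentifier` and `constructed_file` are names invented here, and the "seal" and the JSON encoding are labelled stand-ins for the CMS encryption and Transfer Syntax encoding that step 4 requires, so the block shows the data movement of the procedure (including the consistent UID replacement of step 2, Note 3, and the preamble and File Meta replacement of step 7), not the cryptography.

```python
import copy
import json
import uuid

# Tags (group, element) from PS3.6, named as in PS3.15 Annex E.
PATIENT_NAME = (0x0010, 0x0010)
PATIENT_ID = (0x0010, 0x0020)
PATIENT_BIRTH_DATE = (0x0010, 0x0030)
MODALITY = (0x0008, 0x0060)
SOP_INSTANCE_UID = (0x0008, 0x0018)
STUDY_INSTANCE_UID = (0x0020, 0x000D)
ENCRYPTED_ATTRIBUTES_SEQ = (0x0400, 0x0500)
ENCRYPTED_CONTENT_TS_UID = (0x0400, 0x0510)
ENCRYPTED_CONTENT = (0x0400, 0x0520)
MODIFIED_ATTRIBUTES_SEQ = (0x0400, 0x0550)
PATIENT_IDENTITY_REMOVED = (0x0012, 0x0062)
DEIDENT_METHOD = (0x0012, 0x0063)
DEIDENT_METHOD_CODE_SEQ = (0x0012, 0x0064)
CODE_VALUE, CODING_SCHEME, CODE_MEANING = (0x0008, 0x0100), (0x0008, 0x0102), (0x0008, 0x0104)
MEDIA_STORAGE_SOP_INSTANCE_UID = (0x0002, 0x0003)
IMPLEMENTATION_VERSION_NAME = (0x0002, 0x0013)
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"          # Transfer Syntax UID (PS3.6)

# Attributes this example protects, with their Table E.1-1 Basic Profile code.
PROTECTED = {PATIENT_NAME: "Z", PATIENT_ID: "Z", PATIENT_BIRTH_DATE: "Z",
             SOP_INSTANCE_UID: "U", STUDY_INSTANCE_UID: "U"}

SEAL_PREFIX = b"PLACEHOLDER-NOT-ENCRYPTED:"

def placeholder_seal(plaintext, recipient=b"RECIPIENT-A"):
    # Stand-in for CMS EnvelopedData (RSA key transport + AES/Triple-DES,
    # RFC 3370/3565). It protects nothing; a real de-identifier replaces it.
    return SEAL_PREFIX + recipient + b":" + plaintext

def to_json(ds):
    # Tag tuples -> "gggg,eeee" keys, recursing into Sequence Items.
    return {"%04X,%04X" % tag: [to_json(i) for i in v] if isinstance(v, list) else v
            for tag, v in ds.items()}

class Deidentifier:
    """Basic Application Level Confidentiality Profile, steps 1-7 of E.1.1."""

    def __init__(self, seal=placeholder_seal, description="EXAMPLE-DEID-1"):
        self.seal = seal
        self.description = description
        self.uid_map = {}       # original UID -> replacement, shared across Instances

    def replacement_uid(self, original):
        # Step 2, Note 3: the same original UID always maps to the same dummy,
        # so Study UIDs stay consistent for every Instance we protect.
        if original not in self.uid_map:
            self.uid_map[original] = "2.25." + str(uuid.uuid4().int)  # UUID-derived UID
        return self.uid_map[original]

    def protect(self, dicom_file):
        out = copy.deepcopy(dicom_file)     # the original SOP Instance is never altered
        ds = out["dataset"]
        # Step 1: copy the Attributes to be protected into the single Item of
        # the Modified Attributes Sequence of an Encrypted Attributes Data Set.
        item = {tag: ds[tag] for tag in PROTECTED if tag in ds}
        encrypted_attributes_ds = {MODIFIED_ATTRIBUTES_SEQ: [item]}
        # Step 2: replace each protected Attribute (Z -> empty, U -> consistent dummy UID).
        for tag in item:
            ds[tag] = self.replacement_uid(ds[tag]) if PROTECTED[tag] == "U" else ""
        # Step 3: everything else (e.g. Modality) is retained untouched.
        # Step 4: encode with a Transfer Syntax, encrypt, and store as an Item of
        # the Encrypted Attributes Sequence. JSON here stands in for the Explicit
        # VR Little Endian encoding that the recorded UID promises.
        payload = json.dumps(to_json(encrypted_attributes_ds)).encode()
        ds[ENCRYPTED_ATTRIBUTES_SEQ] = [{ENCRYPTED_CONTENT_TS_UID: EXPLICIT_VR_LE,
                                         ENCRYPTED_CONTENT: self.seal(payload)}]
        # Step 6: flag the dataset and record the profile as a CID 7050 code.
        ds[PATIENT_IDENTITY_REMOVED] = "YES"
        ds[DEIDENT_METHOD_CODE_SEQ] = [{CODE_VALUE: "113100", CODING_SCHEME: "DCM",
                                        CODE_MEANING: "Basic Application Confidentiality Profile"}]
        ds[DEIDENT_METHOD] = self.description
        # Step 7: replace the preamble and File Meta Information (PS3.10) so that
        # nothing identifying leaks through them; (0002,0003) must match (0008,0018).
        out["preamble"] = b"\x00" * 128
        out["file_meta"] = {MEDIA_STORAGE_SOP_INSTANCE_UID: ds[SOP_INSTANCE_UID],
                            IMPLEMENTATION_VERSION_NAME: self.description}
        return out

def constructed_file(sop_uid="2.25.101"):
    # Constructed sample (no real patient): preamble + File Meta + dataset.
    return {"preamble": b"VENDOR-PREAMBLE".ljust(128, b"\x00"),
            "file_meta": {MEDIA_STORAGE_SOP_INSTANCE_UID: sop_uid,
                          IMPLEMENTATION_VERSION_NAME: "VENDOR-CT-1"},
            "dataset": {PATIENT_NAME: "DOE^JANE", PATIENT_ID: "MRN-12345",
                        PATIENT_BIRTH_DATE: "19700101", MODALITY: "CT",
                        STUDY_INSTANCE_UID: "2.25.100", SOP_INSTANCE_UID: sop_uid}}

if __name__ == "__main__":
    deid = Deidentifier()
    for f in (constructed_file("2.25.101"), constructed_file("2.25.102")):
        p = deid.protect(f)
        print(p["dataset"][STUDY_INSTANCE_UID], p["dataset"][SOP_INSTANCE_UID])
```

Running the main block protects two Instances of the same Study with one `Deidentifier`, so the printed replacement Study Instance UID is identical for both while the SOP Instance UIDs differ; a second `Deidentifier` would have its own map, which is exactly the referential-integrity scope the Conformance Statement in E.1.3 asks an implementer to describe.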

The Attributes listed in Table E.1-1 for each profile are contained in Standard IODs, or may be contained in Standard Extended IODs. An implementation claiming conformance to an Application Level Confidentiality Profile as a de-identifier shall protect or retain all instances of the Attributes listed in Table E.1-1, whether contained in the main dataset or embedded in an Item of a Sequence of Items. The following action codes are used in the table:

  • D - replace with a non-zero length value that may be a dummy value and consistent with the VR

  • Z - replace with a zero length value, or a non-zero length value that may be a dummy value and consistent with the VR

  • X - remove

  • K - keep (unchanged for non-sequence attributes, cleaned for sequences)

  • C - clean, that is replace with values of similar meaning known not to contain identifying information and consistent with the VR

  • U - replace with a non-zero length UID that is internally consistent within a set of Instances

  • Z/D - Z unless D is required to maintain IOD conformance (Type 2 versus Type 1)

  • X/Z - X unless Z is required to maintain IOD conformance (Type 3 versus Type 2)

  • X/D - X unless D is required to maintain IOD conformance (Type 3 versus Type 1)

  • X/Z/D - X unless Z or D is required to maintain IOD conformance (Type 3 versus Type 2 versus Type 1)

  • X/Z/U* - X unless Z or replacement of contained instance UIDs (U) is required to maintain IOD conformance (Type 3 versus Type 2 versus Type 1 sequences containing UID references)

These action codes are applicable to both Sequence and non-Sequence attributes; in the case of Sequences, the action is applicable to the Sequence and all of its contents. Cleaning a sequence ("C" action) may entail either changing values of attributes within that Sequence when the meaning of the Sequence within the context of its use in the IOD is understood, or recursively applying the profile rules to each Dataset in each Item of the Sequence. Keeping a Sequence ("K" action) requires recursively applying the profile rules to each Dataset in each Item of the Sequence (for example, in order to remap any UIDs contained within that sequence).

A requirement for an Option, when implemented, overrides any requirement for the underlying Profile.
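An added example, not taken from the Standard, showing how the action codes and the override rule can be evaluated mechanically on a dict-based dataset: `resolve` picks one action from a slashed code using the Attribute's Type in the IOD, and `Profile.apply` carries the actions out, recursing into Sequence Items for K, C, D and U* so that UIDs inside a kept Sequence are remapped (or kept) consistently. The Basic Profile codes are copied from Table E.1-1; which Option column each K or C belongs to, the IOD Types, the dummy values and the allowlist used by `clean_text` are assumptions made for the demonstration, and `Profile`, `resolve`, `dummy_for`, `clean_text` and `constructed_dataset` are names invented here.

```python
import uuid

# Tags from PS3.6, named as in Table E.1-1.
PATIENT_NAME = (0x0010, 0x0010)
STATION_NAME = (0x0008, 0x1010)
SERIES_DESCRIPTION = (0x0008, 0x103E)
STUDY_INSTANCE_UID = (0x0020, 0x000D)
CONTENT_DATE = (0x0008, 0x0023)
REFERENCED_IMAGE_SEQ = (0x0008, 0x1140)
REFERENCED_SOP_INSTANCE_UID = (0x0008, 0x1155)

# Basic Profile codes copied from Table E.1-1 for the Attributes used here.
BASIC_PROFILE = {
    PATIENT_NAME: "Z", STATION_NAME: "X/Z/D", SERIES_DESCRIPTION: "X",
    STUDY_INSTANCE_UID: "U", CONTENT_DATE: "Z/D",
    REFERENCED_IMAGE_SEQ: "X/Z/U*", REFERENCED_SOP_INSTANCE_UID: "U",
}
# Option columns for the same Attributes (which Option a K or C belongs to is
# assumed from the Option names); an Option's requirement overrides the Profile.
RETAIN_DEVICE_IDENT = {STATION_NAME: "K"}
CLEAN_DESC = {SERIES_DESCRIPTION: "C"}
RETAIN_UIDS = {STUDY_INSTANCE_UID: "K", REFERENCED_IMAGE_SEQ: "K",
               REFERENCED_SOP_INSTANCE_UID: "K"}

# Attribute Types in the IOD being de-identified (assumed for the demo; a real
# tool takes them from PS3.3 for the SOP Class at hand).
IOD_TYPES = {PATIENT_NAME: 2, STATION_NAME: 3, SERIES_DESCRIPTION: 3,
             STUDY_INSTANCE_UID: 1, CONTENT_DATE: 2,
             REFERENCED_IMAGE_SEQ: 3, REFERENCED_SOP_INSTANCE_UID: 1}

RETENTION = {"X": 0, "Z": 1, "D": 2, "U": 2, "C": 2, "K": 3}  # how much survives
REQUIRED = {3: 0, 2: 1, 1: 2}          # least retention the Type can live with

def resolve(code, iod_type):
    """Collapse 'X/Z/D'-style codes to one action for the Attribute's Type."""
    choices = code.rstrip("*").split("/")   # listed least retentive first
    for choice in choices:
        if RETENTION[choice] >= REQUIRED[iod_type]:
            return choice
    return choices[-1]                      # best the code offers (e.g. X/Z, Type 1)

def dummy_for(tag):
    # Non-zero length value consistent with the VR: DA for dates, text otherwise.
    return "19000101" if tag == CONTENT_DATE else "ANONYMIZED"

def clean_text(text):
    """'C' for text: keep only terms known to carry no identity (constructed list)."""
    safe = {"CHEST", "CT", "HEAD", "MR", "AXIAL", "CONTRAST"}
    return " ".join(tok for tok in text.split() if tok.upper() in safe)

class Profile:
    def __init__(self, options=(), types=IOD_TYPES):
        self.rules = dict(BASIC_PROFILE)
        for option in options:
            self.rules.update(option)        # Option beats the underlying Profile
        self.types = types
        self.uid_map = {}                    # original UID -> replacement UID

    def replacement_uid(self, original):
        # 'U': the same original UID always maps to the same replacement.
        if original not in self.uid_map:
            self.uid_map[original] = "2.25." + str(uuid.uuid4().int)
        return self.uid_map[original]

    def apply(self, dataset):
        out = {}
        for tag, value in dataset.items():
            code = self.rules.get(tag)
            if code is None:                 # not in the table: left untouched here
                out[tag] = value
                continue
            action = resolve(code, self.types.get(tag, 3))
            if action == "X":
                continue                     # remove
            if isinstance(value, list):      # a Sequence of Items
                # Z empties it; K, C, D and U* apply the rules to every Item,
                # which is what remaps (or keeps) the UIDs inside.
                out[tag] = [] if action == "Z" else [self.apply(i) for i in value]
            elif action == "Z":
                out[tag] = ""
            elif action == "D":
                out[tag] = dummy_for(tag)
            elif action == "U":
                out[tag] = self.replacement_uid(value)
            elif action == "C":
                out[tag] = clean_text(value)
            else:                            # K
                out[tag] = value
        return out

def constructed_dataset():
    # Constructed sample, no real patient or device.
    return {PATIENT_NAME: "DOE^JANE", STATION_NAME: "CTSCAN-ROOM3",
            SERIES_DESCRIPTION: "CHEST CT DR SMITH", CONTENT_DATE: "20170401",
            STUDY_INSTANCE_UID: "2.25.100",
            REFERENCED_IMAGE_SEQ: [{REFERENCED_SOP_INSTANCE_UID: "2.25.101"}]}

if __name__ == "__main__":
    print(Profile().apply(constructed_dataset()))
    print(Profile([RETAIN_DEVICE_IDENT, CLEAN_DESC, RETAIN_UIDS]).apply(constructed_dataset()))
```

The ranking in `RETENTION` is what makes the slashed codes mechanical: a Type 3 Attribute accepts the first (least retentive) choice, Type 2 needs at least Z, Type 1 needs D or U, and a code that offers nothing strong enough (X/Z on a Type 1 Attribute) falls back to its most retentive choice. Recursing into Items for K is the behaviour the paragraph above requires; doing the same for U* is what turns "replacement of contained instance UIDs" into the same consistent map used for top-level UIDs.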

Note

  1. The Attributes listed in Table E.1-1 may not be sufficient to guarantee confidentiality of patient identity. In particular, identifying information may be contained in Private Attributes, new Standard Attributes, Retired Standard Attributes and additional Standard Attributes not present in Standard Composite IODs (as defined in PS3.3) but used in Standard Extended SOP Classes. Table E.1-1 indicates those Attributes that are used in Standard Composite IODs as well as those Attributes that are Retired. Also included in Table E.1-1 are some Elements that are not normally found in a Dataset, but are used in Commands, Directories and Meta Information Headers, but that could be misused within Private Sequences. Textual Content Items of Structured Reports, textual annotations of Presentation States, Curves and Overlays are specifically addressed. It is the responsibility of the de-identifier to ensure that all identifying information is removed.

  2. It should be noted that conformance to an Application Level Confidentiality Profile does not necessarily guarantee confidentiality. For example, if an attacker already has access to the original images, the Pixel Data could be matched, though the probability and impact of such a threat may be deemed to be negligible. If the Encrypted Attributes Sequence is used, it should be understood that any encryption scheme may be vulnerable to attack. Also, an organization's Security Policy and Key Management policy are recognized to have a much greater impact on the effectiveness of protection.

  3. National and local regulations, which may vary, might require that additional attributes be de-identified, though the Profiles and Options have been designed to be sufficient to satisfy known regulations without compromising the usefulness of the de-identified instances for their intended purpose.

  4. Table E.1-1 is normative, but it is subject to extension as the DICOM Standard evolves and other similar Attributes are added to IODs. De-identifiers may take this extensibility into account, for example, by considering handling all dates and times on the basis of their Value Representation of DT, DA or TM, rather than just those date and time Attributes listed.

  5. The Profiles and Options do not specify whether the design of a de-identifier should be to remove what is known to be a risk of identity leakage, or to retain only what is known to be safe. The former approach may fail when the standard is extended, or when a vendor adds unanticipated standard or private attributes, whilst the latter requires an extensive, if not complete, comparison of each instance with the Information Object Definitions in PS3.3 to avoid discarding required or useful information. Table E.1-1 defines the minimum actions required for conformance.

  6. De-identification of Private SOP Classes is not defined.

  7. The "C" (clean) action is specified not only for string VRs, but also for Code Sequences, since the use of private or local codes and non-standard code meanings may potentially cause identity leakage.

  8. The Digital Signatures Sequence needs to be removed because it contains the certificate of the signer; theoretically the signature could be verified and the object re-signed by the de-identifier itself with its own certificate, but this is not required by the Standard.

  9. In general, there are no CS VR Attributes in this table, since it is usually safe to assume that code strings do not contain identifying information.

  10. In general, there are no Code Sequence Attributes in this table, since it is usually safe to assume that coded sequence entries, including private codes, do not contain identifying information. Exceptions are codes for providers and staff.

  11. The Clean Pixel Data and Clean Recognizable Visual Features Options are not listed in this table, since they are defined by descriptions of operations on the Pixel Data itself. The Clean Pixel Data option may be applied to the Pixel Data within the Icon Image Sequence, or more likely the Icon Image Sequence may be recreated entirely once the Pixel Data of the main Dataset has been cleaned. The Icon Image Sequence is to be removed when its Pixel Data cannot be cleaned.

  12. The Original Attributes Sequence (0400,0561) (which in turn contains the Modified Attributes Sequence (0400,0550)) generally needs to be removed, because it may contain unencrypted copies of other Attributes that may have been modified (e.g., coerced to use local identifiers and names during import of foreign images); an alternative approach would be to selectively modify its contents. This is distinct from the use of the Modified Attributes Sequence (0400,0550) within the Encrypted Attributes Sequence (0400,0500).

  13. Table E.1-1 distinguishes Attributes that are in standard Composite IODs defined in PS3.3 from those that are not; some Attributes are defined in PS3.3 for other IODs, or have a specific usage other than in the top level Dataset of a Composite IOD, but are (mis-) used by implementers in instances as a Standard Extended SOP Class at other levels than as defined by the Standard. Any such Attributes encountered may be removed without compromising the conformance of the instance with the standard IOD. For example, Verifying Observer Sequence (0040,A073) is only defined in structured report IODs and hence is described in Table E.1-1 as D since it is Type 1C; if encountered in an image instance, it should simply be removed (treated as X).

Table E.1-1. Application Level Confidentiality Profile Attributes

Columns: Attribute Name; Tag; Retired (from PS3.6); In Std. Comp. IOD (from PS3.3); Basic Profile; and the nine Option columns Retain Safe Private, Retain UIDs, Retain Device Ident., Retain Patient Chars., Retain Long. Full Dates, Retain Long. Modif. Dates, Clean Desc., Clean Struct. Cont., Clean Graph. The last column below lists the action codes of the Option columns in that order, with empty Option cells omitted.

Attribute Name | Tag | Retired | In Std. Comp. IOD | Basic Profile | Option actions (in column order)
--- | --- | --- | --- | --- | ---
Accession Number | (0008,0050) | N | Y | Z | 
Acquisition Comments | (0018,4000) | Y | N | X | C
Acquisition Context Sequence | (0040,0555) | N | Y | X | C
Acquisition Date | (0008,0022) | N | Y | X/Z | K, C
Acquisition DateTime | (0008,002A) | N | Y | X/D | K, C
Acquisition Device Processing Description | (0018,1400) | N | Y | X/D | C
Acquisition Protocol Description | (0018,9424) | N | Y | X | C
Acquisition Time | (0008,0032) | N | Y | X/Z | K, C
Actual Human Performers Sequence | (0040,4035) | N | N | X | 
Additional Patient's History | (0010,21B0) | N | Y | X | C
Address (Trial) | (0040,A353) | Y | N | X | 
Admission ID | (0038,0010) | N | Y | X | 
Admitting Date | (0038,0020) | N | N | X | K, C
Admitting Diagnoses Code Sequence | (0008,1084) | N | Y | X | C
Admitting Diagnoses Description | (0008,1080) | N | Y | X | C
Admitting Time | (0038,0021) | N | N | X | K, C
Affected SOP Instance UID | (0000,1000) | N | N | X | K
Allergies | (0010,2110) | N | N | X | C, C
Arbitrary | (4000,0010) | Y | N | X | 
Author Observer Sequence | (0040,A078) | N | Y | X | 
Branch of Service | (0010,1081) | N | N | X | 
Cassette ID | (0018,1007) | N | Y | X | K
Comments on the Performed Procedure Step | (0040,0280) | N | Y | X | C
Concatenation UID | (0020,9161) | N | Y | U | K
Confidentiality Constraint on Patient Data Description | (0040,3001) | N | N | X | 
Consulting Physician Identification Sequence | (0008,009D) | N | Y | X | 
Consulting Physician's Name | (0008,009C) | N | Y | Z | 
Content Creator's Name | (0070,0084) | N | Y | Z | 
Content Creator's Identification Code Sequence | (0070,0086) | N | Y | X | 
Content Date | (0008,0023) | N | Y | Z/D | K, C
Content Sequence | (0040,A730) | N | Y | X | C
Content Time | (0008,0033) | N | Y | Z/D | K, C
Context Group Extension Creator UID | (0008,010D) | N | Y | U | K
Contrast Bolus Agent | (0018,0010) | N | Y | Z/D | C
Contribution Description | (0018,A003) | N | Y | X | C
Country of Residence | (0010,2150) | N | N | X | 
Creator Version UID | (0008,9123) | N | Y | U | K
Current Observer (Trial) | (0040,A307) | Y | N | X | 
Current Patient Location | (0038,0300) | N | N | X | 
Curve Data | (50xx,xxxx) | Y | N | X | C
Curve Date | (0008,0025) | Y | Y | X | K, C
Curve Time | (0008,0035) | Y | Y | X | K, C
Custodial Organization Sequence | (0040,A07C) | N | Y | X | 
Data Set Trailing Padding | (FFFC,FFFC) | N | Y | X | 
Derivation Description | (0008,2111) | N | Y | X | C
Detector ID | (0018,700A) | N | Y | X/D | K
Device Serial Number | (0018,1000) | N | Y | X/Z/D | K
Device UID | (0018,1002) | N | Y | U | K, K
Digital Signature UID | (0400,0100) | N | Y | X | 
Digital Signatures Sequence | (FFFA,FFFA) | N | Y | X | 
Dimension Organization UID | (0020,9164) | N | Y | U | K
Discharge Diagnosis Description | (0038,0040) | Y | N | X | C
Distribution Address | (4008,011A) | Y | N | X | 
Distribution Name | (4008,0119) | Y | N | X | 
Dose Reference UID | (300A,0013) | N | Y | U | K
End Acquisition DateTime | (0018,9517) | N | Y | X/D | K, C
Ethnic Group | (0010,2160) | N | Y | X | K
Expected Completion DateTime | (0040,4011) | N | N | X | K, C
Failed SOP Instance UID List | (0008,0058) | N | N | U | K
Fiducial UID | (0070,031A) | N | Y | U | K
Filler Order Number / Imaging Service Request | (0040,2017) | N | Y | Z | 
Frame Comments | (0020,9158) | N | Y | X | C
Frame of Reference UID | (0020,0052) | N | Y | U | K
Gantry ID | (0018,1008) | N | Y | X | K
Generator ID | (0018,1005) | N | Y | X | K
Graphic Annotation Sequence | (0070,0001) | N | Y | D | C
Human Performers Name | (0040,4037) | N | N | X | 
Human Performers Organization | (0040,4036) | N | N | X | 
Icon Image Sequence (see Note 11) | (0088,0200) | N | Y | X | 
Identifying Comments | (0008,4000) | Y | N | X | C
Image Comments | (0020,4000) | N | Y | X | C
Image Presentation Comments | (0028,4000) | Y | N | X | 
Imaging Service Request Comments | (0040,2400) | N | N | X | C
Impressions | (4008,0300) | Y | N | X | C
Instance Coercion DateTime | (0008,0015) | N | Y | X | K, C
Instance Creator UID | (0008,0014) | N | Y | U | K
Institution Address | (0008,0081) | N | Y | X | 
Institution Code Sequence | (0008,0082) | N | Y | X/Z/D | 
Institution Name | (0008,0080) | N | Y | X/Z/D | 
Institutional Department Name | (0008,1040) | N | Y | X | 
Insurance Plan Identification | (0010,1050) | Y | N | X | 
Intended Recipients of Results Identification Sequence | (0040,1011) | N | N | X | 
Interpretation Approver Sequence | (4008,0111) | Y | N | X | 
Interpretation Author | (4008,010C) | Y | N | X | 
Interpretation Diagnosis Description | (4008,0115) | Y | N | X | C
Interpretation ID Issuer | (4008,0202) | Y | N | X | 
Interpretation Recorder | (4008,0102) | Y | N | X | 
Interpretation Text | (4008,010B) | Y | N | X | C
Interpretation Transcriber | (4008,010A) | Y | N | X | 
Irradiation Event UID | (0008,3010) | N | Y | U | K
Issuer of Admission ID | (0038,0011) | N | Y | X | 
Issuer of Patient ID | (0010,0021) | N | Y | X | 
Issuer of Service Episode ID | (0038,0061) | N | Y | X | 
Large Palette Color Lookup Table UID | (0028,1214) | Y | N | U | K
Last Menstrual Date | (0010,21D0) | N | N | X | K, C
MAC | (0400,0404) | N | Y | X | 
Media Storage SOP Instance UID | (0002,0003) | N | N | U | K
Medical Alerts | (0010,2000) | N | N | X | C
Medical Record Locator | (0010,1090) | N | N | X | 
Military Rank | (0010,1080) | N | N | X | 
Modified Attributes Sequence | (0400,0550) | N | N | X | 
Modified Image Description | (0020,3406) | Y | N | X | 
Modifying Device ID | (0020,3401) | Y | N | X | 
Modifying Device Manufacturer | (0020,3404) | Y | N | X | 
Name of Physician(s) Reading Study | (0008,1060) | N | Y | X | 
Names of Intended Recipient of Results | (0040,1010) | N | N | X | 
Observation Date (Trial) | (0040,A192) | Y | N | X | K, C
Observation Subject UID (Trial) | (0040,A402) | Y | N | U | K
Observation Time (Trial) | (0040,A193) | Y | N | X | K, C
Observation UID | (0040,A171) | N | Y | U | K
Occupation | (0010,2180) | N | Y | X | C
Operators' Identification Sequence | (0008,1072) | N | Y | X/D | 
Operators' Name | (0008,1070) | N | Y | X/Z/D | 
Original Attributes Sequence | (0400,0561) | N | Y | X | 
Order Callback Phone Number | (0040,2010) | N | N | X | 
Order Callback Telecom Information | (0040,2011) | N | N | X | 
Order Entered By | (0040,2008) | N | N | X | 
Order Enterer Location | (0040,2009) | N | N | X | 
Other Patient IDs | (0010,1000) | N | Y | X | 
Other Patient IDs Sequence | (0010,1002) | N | Y | X | 
Other Patient Names | (0010,1001) | N | Y | X | 
Overlay Comments | (60xx,4000) | Y | N | X | C
Overlay Data | (60xx,3000) | N | Y | X | C
Overlay Date | (0008,0024) | Y | Y | X | K, C
Overlay Time | (0008,0034) | Y | Y | X | K, C
Palette Color Lookup Table UID | (0028,1199) | N | Y | U | K
Participant Sequence | (0040,A07A) | N | Y | X | 
Patient Address | (0010,1040) | N | N | X | 
Patient Comments | (0010,4000) | N | Y | X | C
Patient ID | (0010,0020) | N | Y | Z | 
Patient Sex Neutered | (0010,2203) | N | Y | X/Z | K
Patient State | (0038,0500) | N | N | X | C, C
Patient Transport Arrangements | (0040,1004) | N | N | X | 
Patient's Age | (0010,1010) | N | Y | X | K
Patient's Birth Date | (0010,0030) | N | Y | Z | 
Patient's Birth Name | (0010,1005) | N | N | X | 
Patient's Birth Time | (0010,0032) | N | Y | X | 
Patient's Institution Residence | (0038,0400) | N | N | X | 
Patient's Insurance Plan Code Sequence | (0010,0050) |  |  | X | 
Patient's Mother's Birth Name | (0010,1060) | N | N | X | 
Patient's Name | (0010,0010) | N | Y | Z | 
Patient's Primary Language Code Sequence | (0010,0101) |  |  | X | 
Patient's Primary Language Modifier Code Sequence | (0010,0102) |  |  | X | 
Patient's Religious Preference | (0010,21F0) | N | N | X | 
Patient's Sex | (0010,0040) | N | Y | Z | K
Patient's Size | (0010,1020) | N | Y | X | K
Patient's Telecom Information | (0010,2155) | N | N | X | 
Patient's Telephone Numbers | (0010,2154) | N | N | X | 
Patient's Weight | (0010,1030) | N | Y | X | K
Performed Location | (0040,0243) | N | N | X | 
Performed Procedure Step Description | (0040,0254) | N | Y | X | C
Performed Procedure Step End Date | (0040,0250) | N | Y | X | K, C
Performed Procedure Step End DateTime | (0040,4051) | N | N | X | K, C
Performed Procedure Step End Time | (0040,0251) | N | Y | X | K, C
Performed Procedure Step ID | (0040,0253) | N | Y | X | 
Performed Procedure Step Start Date | (0040,0244) | N | Y | X | K, C
Performed Procedure Step Start DateTime | (0040,4050) | N | N | X | K, C
Performed Procedure Step Start Time | (0040,0245) | N | Y | X | K, C
Performed Station AE Title | (0040,0241) | N | N | X | K
Performed Station Geographic Location Code Sequence | (0040,4030) | N | N | X | K
Performed Station Name | (0040,0242) | N | N | X | K
Performed Station Name Code Sequence | (0040,4028) | N | N | X | K
Performing Physician Identification Sequence | (0008,1052) | N | Y | X | 
Performing Physicians' Name | (0008,1050) | N | Y | X | 
Person Address | (0040,1102) | N | Y | X | 
Person Identification Code Sequence | (0040,1101) | N | Y | D | 
Person Name | (0040,A123) | N | Y | D | 
Person's Telecom Information | (0040,1104) | N | Y | X | 
Person's Telephone Numbers | (0040,1103) | N | Y | X | 
Physician Approving Interpretation | (4008,0114) | Y | N | X | 
Physician(s) Reading Study Identification Sequence | (0008,1062) | N | Y | X | 
Physician(s) of Record | (0008,1048) | N | Y | X | 
Physician(s) of Record Identification Sequence | (0008,1049) | N | Y | X | 
Placer Order Number / Imaging Service Request | (0040,2016) | N | Y | Z | 
Plate ID | (0018,1004) | N | Y | X | K
Pre-Medication | (0040,0012) | N | N | X | C
Pregnancy Status | (0010,21C0) | N | N | X | K
Presentation Display Collection UID | (0070,1101) | N | Y | U | K
Presentation Sequence Collection UID | (0070,1102) | N | Y | U | K
Procedure Step Cancellation DateTime | (0040,4052) | N | N | X | K, C
Private attributes | (gggg,eeee) where gggg is odd | N | N | X | C
Protocol Name | (0018,1030) | N | Y | X/D | C
Reason for Omission Description | (300C,0113) | N | Y | X | C
Reason for the Imaging Service Request | (0040,2001) | Y | N | X | C
Reason for Study | (0032,1030) | Y | N | X | C
Referenced Digital Signature Sequence | (0400,0402) | N | Y | X | 
Referenced Frame of Reference UID | (3006,0024) | N | Y | U | K
Referenced General Purpose Scheduled Procedure Step Transaction UID | (0040,4023) | Y | N | U | K
Referenced Image Sequence | (0008,1140) | N | Y | X/Z/U* | K
Referenced Observation UID (Trial) | (0040,A172) | Y | N | U | K
Referenced Patient Alias Sequence | (0038,0004) | N | N | X | 
Referenced Patient Photo Sequence | (0010,1100) | N | Y | X | 
Referenced Patient Sequence | (0008,1120) | N | Y | X | X
Referenced Performed Procedure Step Sequence | (0008,1111) | N | Y | X/Z/D | K
Referenced SOP Instance MAC Sequence | (0400,0403) | N | Y | X | 
Referenced SOP Instance UID | (0008,1155) | N | Y | U | K
Referenced SOP Instance UID in File | (0004,1511) | N | N | U | K
Referenced Study Sequence | (0008,1110) | N | Y | X/Z | K
Referring Physician's Address | (0008,0092) | N | N | X | 
Referring Physician Identification Sequence | (0008,0096) | N | Y | X | 
Referring Physician's Name | (0008,0090) | N | Y | Z | 
Referring Physician's Telephone Numbers | (0008,0094) | N | N | X | 
Region of Residence | (0010,2152) | N | N | X | 
Related Frame of Reference UID | (3006,00C2) | N | Y | U | K
Request Attributes Sequence | (0040,0275) | N | Y | X | C
Requested Contrast Agent | (0032,1070) | N | N | X | C
Requested Procedure Comments | (0040,1400) | N | N | X | C
Requested Procedure Description | (0032,1060) | N | Y | X/Z | C
Requested Procedure ID | (0040,1001) | N | N | X | 
Requested Procedure Location | (0040,1005) | N | N | X | 
Requested SOP Instance UID | (0000,1001) | N | N | U | K
Requesting Physician | (0032,1032) | N | N | X | 
Requesting Service | (0032,1033) | N | N | X | 
Responsible Organization | (0010,2299) | N | Y | X | 
Responsible Person | (0010,2297) | N | Y | X | 
Results Comments | (4008,4000) | Y | N | X | C
Results Distribution List Sequence | (4008,0118) | Y | N | X | 
Results ID Issuer | (4008,0042) | Y | N | X | 
Reviewer Name | (300E,0008) | N | Y | X/Z | 
Scheduled Human Performers Sequence | (0040,4034) | N | N | X | 
Scheduled Patient Institution Residence | (0038,001E) | Y | N | X | 
Scheduled Performing Physician Identification Sequence | (0040,000B) | N | N | X | 
Scheduled Performing Physician Name | (0040,0006) | N | N | X | 
Scheduled Procedure Step End Date | (0040,0004) | N | N | X | K, C
Scheduled Procedure Step End Time | (0040,0005) | N | N | X | K, C
Scheduled Procedure Step Description | (0040,0007) | N | Y | X | C
Scheduled Procedure Step Location | (0040,0011) | N | N | X | K
Scheduled Procedure Step Modification DateTime | (0040,4010) | N | N | X | K, C
Scheduled Procedure Step Start Date | (0040,0002) | N | N | X | K, C
Scheduled Procedure Step Start DateTime | (0040,4005) | N | N | X | K, C
Scheduled Procedure Step Start Time | (0040,0003) | N | N | X | K, C
Scheduled Station AE Title | (0040,0001) | N | N | X | K
Scheduled Station Geographic Location Code Sequence | (0040,4027) | N | N | X | K
Scheduled Station Name | (0040,0010) | N | N | X | K
Scheduled Station Name Code Sequence | (0040,4025) | N | N | X | K
Scheduled Study Location | (0032,1020) | Y | N | X | K
Scheduled Study Location AE Title | (0032,1021) | Y | N | X | K
Series Date | (0008,0021) | N | Y | X/D | K, C
Series Description | (0008,103E) | N | Y | X | C
Series Instance UID | (0020,000E) | N | Y | U | K
Series Time | (0008,0031) | N | Y | X/D | K, C
Service Episode Description | (0038,0062) | N | Y | X | C
Service Episode ID | (0038,0060) | N | Y | X | 
Smoking Status | (0010,21A0) | N | N | X | K
SOP Instance UID | (0008,0018) | N | Y | U | K
Source Image Sequence | (0008,2112) | N | Y | X/Z/U* | K
Source Serial Number | (3008,0105) | N | Y | X | K
Special Needs | (0038,0050) | N | N | X | C
Start Acquisition DateTime | (0018,9516) | N | Y | X/D | K, C
Station Name | (0008,1010) | N | Y | X/Z/D | K
Storage Media File-set UID | (0088,0140) | N | Y | U | K
Study Comments | (0032,4000) | Y | N | X | C
Study Date | (0008,0020) | N | Y | Z | K, C
Study Description | (0008,1030) | N | Y | X | C
Study ID | (0020,0010) | N | Y | Z | 
Study ID Issuer | (0032,0012) | Y | N | X | 
Study Instance UID | (0020,000D) | N | Y | U | K
Study Time | (0008,0030) | N | Y | Z | K, C
Synchronization Frame of Reference UID | (0020,0200) | N | Y | U | K
Target UID | (0018,2042) | N | Y | U | K
Telephone Number (Trial) | (0040,A354) | Y | N | X | 
Template Extension Creator UID | (0040,DB0D) | Y | N | U | K
Template Extension Organization UID | (0040,DB0C) | Y | N | U | K
Text Comments | (4000,4000) | Y | N | X | 
Text String | (2030,0020) | N | N | X | 
Timezone Offset From UTC | (0008,0201) | N | Y | X | K, C
Topic Author | (0088,0910) | Y | N | X | 
Topic Keywords | (0088,0912) | Y | N | X | 
Topic Subject | (0088,0906) | Y | N | X | 
Topic Title | (0088,0904) | Y | N | X | 
Tracking UID | (0062,0021) | N | Y | U | K
Transaction UID | (0008,1195) | N | N | U | K
UID | (0040,A124) | N | Y | U | 
Verbal Source (Trial) | (0040,A352) | Y | N | X | 
Verbal Source Identifier Code Sequence (Trial) | (0040,A358) | Y | N | X | 
Verifying Observer Identification Code Sequence | (0040,A088) | N | Y | Z | 
Verifying Observer Name | (0040,A075) | N | Y | D | 
Verifying Observer Sequence | (0040,A073) | N | Y | D | 
Verifying Organization | (0040,A027) | N | Y | X | 
Visit Comments | (0038,4000) | N | N | X | C

E.1.2 Re-identifier

An Application may claim conformance to an Application Level Confidentiality Profile as a re-identifier if it is capable of removing the protection from a protected SOP instance given that the recipient keys required for the decryption of one or more of the Encrypted Content (0400,0520) Attributes within the Encrypted Attributes Sequence (0400,0500) of the SOP instance are available. Removal of protection in this context is defined as the following process:

  1. The application shall decrypt, using its recipient key, one instance of the Encrypted Content (0400,0520) Attribute within the Encrypted Attributes Sequence (0400,0500) and decode the resulting block of bytes into a DICOM dataset using the Transfer Syntax specified in the Encrypted Content Transfer Syntax UID (0400,0510). Re-identifiers claiming conformance to this profile shall be capable of decrypting the Encrypted Content using either AES or Triple-DES in all possible key lengths specified in this profile.

    Note

    If the application is able to decode more than one instance of the Encrypted Content (0400,0520) Attribute within the Encrypted Attributes Sequence (0400,0500), it is at the discretion of the application to choose any one of them.

  2. The application shall move all Attributes contained in the single item of the Modified Attributes Sequence (0400,0550) of the decoded dataset into the main dataset, replacing "dummy value" Attributes that may be present in the main dataset.

    Note

    1. Re-identification does not imply a complete reconstruction of the original SOP Instance, since it is not required that all Attributes being protected be part of the Encrypted Attributes Data Set. If the original UIDs are part of the Encrypted Attributes Data Set, they might be usable to gain access to the original, unprotected SOP Instance.

    2. The presence of an encrypted data set that cannot be decrypted indicates that some or all of the attribute values in the message may not be real (they are dummies). Therefore, the recipient must not assume that any value in the message is diagnostically relevant.

  3. The attribute Patient Identity Removed (0012,0062) shall be replaced or added to the dataset with a value of NO and De-identification Method (0012,0063) and De-identification Method Code Sequence (0012,0064) shall be removed.
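The three steps above, as an added example written for this page rather than taken from the Standard. It assumes a protected dataset laid out as E.1.1 produces it (constructed values, no real patient) with two Encrypted Content Items sealed for two different recipients; `open_sealed` is a labelled stand-in for CMS decryption with the recipient's private key, `from_json` stands in for decoding the Transfer Syntax named in (0400,0510), and `CannotDecrypt`, `reidentify` and `constructed_protected_dataset` are names invented here. What it demonstrates is the selection of an Item the recipient key opens, the replacement of the dummies in the main dataset, the Attribute changes of step 3, and the cannot-decrypt case of the second Note, where the dataset is handed back untouched because any of its values may still be a dummy.

```python
import json

# Tags from PS3.6, named as in PS3.15 Annex E.
PATIENT_NAME = (0x0010, 0x0010)
SOP_INSTANCE_UID = (0x0008, 0x0018)
ENCRYPTED_ATTRIBUTES_SEQ = (0x0400, 0x0500)
ENCRYPTED_CONTENT_TS_UID = (0x0400, 0x0510)
ENCRYPTED_CONTENT = (0x0400, 0x0520)
MODIFIED_ATTRIBUTES_SEQ = (0x0400, 0x0550)
PATIENT_IDENTITY_REMOVED = (0x0012, 0x0062)
DEIDENT_METHOD = (0x0012, 0x0063)
DEIDENT_METHOD_CODE_SEQ = (0x0012, 0x0064)
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"           # Transfer Syntax UID (PS3.6)

SEAL_PREFIX = b"PLACEHOLDER-NOT-ENCRYPTED:"      # marks the stand-in 'ciphertext'

class CannotDecrypt(Exception):
    """No Encrypted Content Item could be opened with the recipient key."""

def placeholder_seal(plaintext, recipient):
    # Stand-in for CMS EnvelopedData, used only to build the sample below.
    return SEAL_PREFIX + recipient + b":" + plaintext

def open_sealed(blob, recipient_key):
    # Stand-in for CMS decryption with the recipient's private key: the blob
    # 'opens' only if it was sealed for this recipient label.
    header = SEAL_PREFIX + recipient_key + b":"
    if not blob.startswith(header):
        raise CannotDecrypt
    return blob[len(header):]

def from_json(obj):
    # Stand-in for Transfer Syntax decoding: "gggg,eeee" keys back to tag tuples.
    return {tuple(int(x, 16) for x in k.split(",")):
            [from_json(i) for i in v] if isinstance(v, list) else v
            for k, v in obj.items()}

def decode(ts_uid, payload):
    # A real re-identifier decodes with the Transfer Syntax named in (0400,0510).
    if ts_uid != EXPLICIT_VR_LE:
        raise ValueError("unsupported Transfer Syntax %s" % ts_uid)
    return from_json(json.loads(payload.decode()))

def reidentify(dataset, recipient_key):
    """E.1.2 steps 1-3; returns a new dataset and leaves the input untouched."""
    out = dict(dataset)
    # Step 1: decrypt one Encrypted Content Item we hold a recipient key for.
    # When more than one opens, any one of them may be chosen (Note to step 1).
    for item in out.get(ENCRYPTED_ATTRIBUTES_SEQ, []):
        try:
            plaintext = open_sealed(item[ENCRYPTED_CONTENT], recipient_key)
        except CannotDecrypt:
            continue
        encrypted_attributes_ds = decode(item[ENCRYPTED_CONTENT_TS_UID], plaintext)
        break
    else:
        # Step 2, Note 2: nothing opened, so the main dataset may still hold
        # dummies; report that rather than return a half-identified dataset.
        raise CannotDecrypt("no Encrypted Content Item matched the recipient key")
    # Step 2: move the single Item's Attributes over the dummies in the dataset.
    out.update(encrypted_attributes_ds[MODIFIED_ATTRIBUTES_SEQ][0])
    # Step 3: mark identity as restored and drop the de-identification method.
    out[PATIENT_IDENTITY_REMOVED] = "NO"
    out.pop(DEIDENT_METHOD, None)
    out.pop(DEIDENT_METHOD_CODE_SEQ, None)
    return out

def constructed_protected_dataset():
    # A protected dataset as E.1.1 would produce it (constructed values, no real
    # patient), sealed for two recipients so the selection logic is exercised.
    payload = json.dumps({"0400,0550": [{"0010,0010": "DOE^JANE",
                                         "0008,0018": "2.25.101"}]}).encode()
    return {
        PATIENT_NAME: "", SOP_INSTANCE_UID: "2.25.4242",
        PATIENT_IDENTITY_REMOVED: "YES", DEIDENT_METHOD: "EXAMPLE-DEID-1",
        DEIDENT_METHOD_CODE_SEQ: [{(0x0008, 0x0100): "113100",
                                   (0x0008, 0x0102): "DCM"}],
        ENCRYPTED_ATTRIBUTES_SEQ: [
            {ENCRYPTED_CONTENT_TS_UID: EXPLICIT_VR_LE,
             ENCRYPTED_CONTENT: placeholder_seal(payload, b"RECIPIENT-B")},
            {ENCRYPTED_CONTENT_TS_UID: EXPLICIT_VR_LE,
             ENCRYPTED_CONTENT: placeholder_seal(payload, b"RECIPIENT-A")},
        ],
    }

if __name__ == "__main__":
    restored = reidentify(constructed_protected_dataset(), b"RECIPIENT-A")
    print(restored[PATIENT_NAME], restored[SOP_INSTANCE_UID],
          restored[PATIENT_IDENTITY_REMOVED])
```

Restoring the original SOP Instance UID along with the name is deliberate: as Note 1 to step 2 says, the restored UIDs are what lets an authorized user find the original, unprotected SOP Instance, while the rest of the dataset is not reconstructed.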

E.1.3 Conformance Requirements

The Conformance Statement of an application that claims conformance to an Application Level Confidentiality Profile shall describe:

  • which Attributes are removed during protection;

  • which Attributes are replaced by dummy values and how the dummy values are generated;

  • which Attributes are included in Encrypted Attributes Data Sets for later re-identification, and any pertinent details about how keys are selected for performing the encryption;

  • the scope across which the application is able to ensure referential integrity of replacement values for references such as SOP Instance UID, Frame of Reference UID, etc. if multiple SOP instances are protected (e.g., across multiple Studies, consistent replacement if the same Study processed more than once, etc.);

  • which Attributes and Attribute values are inserted during protection of a SOP instance;

  • which Transfer Syntaxes are supported for encoding/decoding of the Encrypted Attributes Data Set;

  • which Options are supported;

  • any additional restrictions (e.g., key sizes for public keys).
