The American College of Radiology has released a new report detailing best practices for organizations preparing and sharing health data needed to develop artificial intelligence tools.
Back in 2019, the ACR organized a Data Sharing Workgroup that identified five broad areas important to collaboration when using patient data. The full report addresses these findings and is broken down into two parts. Each was published Friday in JACR, the college’s flagship journal.
“The preparation required for data sharing can often consume much of the time in creating a data-sharing relationship because of its ethical and IT complexity—several safeguards to patient privacy exist, and ensuring anonymity is important in maintaining trust among patients and protecting entities seeking to share data securely,” Juan Carlos Batlle, MD, MBA, chief of radiology at Doctors Hospital in Coral Gables, Florida, and co-authors wrote. “This article lays out the methods commonly used to those ends.”
Sharing health data must be a secure and reliable process. Knowing the many rules, regulations and legal frameworks for doing so can be challenging, the authors noted.
Data protection rules are outlined under HIPAA and establish the concept of protected health information (PHI)—data that can identify an individual. But de-identifying patient data can ensure information no longer falls under HIPPAA protections.
Organizations should use the Safe Harbor method to confirm data is anonymous, which includes removing 18 categories of info.
“Once a data set has been de-identified by Safe Harbor, however, it can be legally shared freely and even publicly,” the authors wrote.
Data sharing may also be subject to the European Union’s General Data Protection Regulation. GDPR may apply to residents living or traveling in the U.S., the authors noted.
States such as California are also beginning to consider and pass laws related to data privacy.
2. Radiology-specific issues
On a similar note, organizations must decide whether to de-identify or anonymize health data. Each requires different processes, the authors explained. The decision depends on use cases, whether info will leave the radiology practice, and the data itself.
De-identifying image data requires replacing DICOM image headers that correspond to safe harbor identifiers. Free and paid software can achieve this, including the RSNA Clinical Trial Processor and DICOM Library.
At the same time, radiology reports are specifically challenging, Batlle et al. noted, mainly because there are no consistent headers or formats across documents.
The most common PHI point in reports is the date of service. And the team stressed the importance of using tools specific to the specialty when de-identifying patient data.
De-identified PHI doesn’t require an individual’s permission to be used in studies, quality improvement projects or for commercial purposes. Research cases do require informed consent agreements, as outlined by HHS, but can be waived by review boards in certain instances.
A parallel framework may be needed for overseeing data sharing agreements, the authors noted. Agreements between rad practices and patients may be one solution. Having technologists brief patients during imaging or obtaining patients’ signatures prior to exams may also prove effective.
More keys to consider are the time span of consent, episode of care, ability to opt-out at any time and removal of data points as requested by patients.
“Ultimately, a thoughtful, considered approach to data stewardship and responsible data sharing must take into account the patient’s viewpoint, and to that end, a structure for achieving and maintaining oversight over obtained or presumed consent should exist,” the authors wrote.