[Intl_DxMedPhys] De-identification, was Re: Who owns patient image data?

Wed May 27 01:07:00 EDT 2026

!-------------------------------------------------------------------|
  This Message Is From an External Sender
  This message came from outside your organization.
|-------------------------------------------------------------------!

Sufficiently thorough de-identification, with preservation of research utility,
but sufficient to meet the exclusion criteria of the various countries’ privacy
laws (including US HIPAA PR), may be non-trivial.

See, for example, the summaries in [1][2][3].

The older generation of papers on the risk of facial reconstructions
from CT [4][5][6] including the UMD paper mentioned in the Aunt Minnie
piece, and MR [7][8][9], are probably obsolete from the perspectives of
risk analysis and technical solutions.

More recent papers [10][11][12][13] and their references may be a better
guide.

And don't forget PET [14][15], including faces at the top of whole body
studies.

That said, I understand that there may be patient consent and data use agreement
contractual methods for circumventing the need for such rigor, e.g., where the
sensitive data is needed for the work; these may need to be project-specific rather
than blanket [16][17][18].

Wrt. "ownership", just because it is "legal" doesn't necessarily mean everyone
will perceive it as "ethical" or "moral" [19], nor that what constitutes "legal"
is consistent in the face of fickle social institutions [20(AI-suggested)],
though the HIPAA PR seems resilient so far.

David

1.  Clunie DA, Flanders A, Taylor A, Erickson B, Bialecki B, Brundage D, et al. Report of the Medical Image De-Identification (MIDI) Task Group -- Best Practices and Recommendations. arXiv; 2025. Available from: https://urldefense.com/v3/__https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10081345/__;!!KGKeukY!zuUaAJfQ012UeacyqduCeYE28RMoRD0vH3sq0m8GUz5cImuH3IzjYbCBhI3piG7-3DXUsLaecGsOtW2cBUrAGA86-GSXlOBcXriwmHE$  doi:10.48550/arXiv.2303.10473

2.  Clunie D, Prior F, Rutherford M, Moore S, Parker W, Kondylakis H, et al. Summary of the National Cancer Institute 2023 Virtual Workshop on Medical Image De-identification—Part 1: Report of the MIDI Task Group - Best Practices and Recommendations, Tools for Conventional Approaches to De-identification, International Approaches to De-identification, and Industry Panel on Image De-identification. J Imaging Inform Med. 2024 July 12;38(1):1–15. doi:10.1007/s10278-024-01182-y

3.  Clunie D, Taylor A, Bisson T, Gutman D, Xiao Y, Schwarz CG, et al. Summary of the National Cancer Institute 2023 Virtual Workshop on Medical Image De-identification—Part 2: Pathology Whole Slide Image De-identification, De-facing, the Role of AI in Image De-identification, and the NCI MIDI Datasets and Pipeline. J Imaging Inform Med. 2024 July 9;38(1):16–30. doi:10.1007/s10278-024-01183-x

4.  Chen JJ-S, Juluru K, Morgan T, Moffitt R, Siddiqui KM, Siegel EL. Implications of Surface-Rendered Facial CT Images in Patient Privacy. AJR Am J Roentgenol. 2014 May 21;202(6):1267–71. doi:10.2214/AJR.13.10608

5.  Mazura JC, Juluru K, Chen JJ, Morgan TA, John M, Siegel EL. Facial Recognition Software Success Rates for the Identification of 3D Surface Reconstructed Facial Images: Implications for Patient Privacy and Security. J Digit Imaging. 2012 June;25(3):347–51. doi:10.1007/s10278-011-9429-3

6.  Chen JJ, Siddiqui KM, Fort L, Moffitt R, Juluru K, Kim W, et al. Observer success rates for identification of 3D surface reconstructed facial images and implications for patient privacy and security. In: Proc SPIE Medical Imaging 2007: PACS and Imaging Informatics. San Diego, CA; 2007. p. 65161B-65161B – 8. Available from: https://urldefense.com/v3/__http://proceedings.spiedigitallibrary.org/proceeding.aspx?doi=10.1117*12.717850__;Lw!!KGKeukY!zuUaAJfQ012UeacyqduCeYE28RMoRD0vH3sq0m8GUz5cImuH3IzjYbCBhI3piG7-3DXUsLaecGsOtW2cBUrAGA86-GSXlOBcdWzx92A$  doi:10.1117/12.717850

7.  Bischoff-Grethe A, Ozyurt IB, Busa E, Quinn BT, Fennema-Notestine C, Clark CP, et al. A technique for the deidentification of structural brain MR images. Hum Brain Mapp. 2007 Sept;28(9):892–903. doi:10.1002/hbm.20312

8.  Budin F, Zeng D, Ghosh A, Bullitt E. Preventing Facial Recognition When Rendering MR Images of the Head in Three Dimensions. Med Image Anal. 2008 June;12(3):229–39. doi:10.1016/j.media.2007.10.008

9.  Prior FW, Brunsden B, Hildebolt C, Nolan TS, Pringle M, Vaishnavi SN, et al. Facial Recognition From Volume-Rendered Magnetic Resonance Imaging Data. IEEE Trans Inf Technol Biomed. 2009 Jan;13(1):5–9. doi:10.1109/TITB.2008.2003335

10.  Steeg K, Bohrer E, Schäfer SB, Vu VD, Scherberich J, Windfelder AG, et al. Re-identification of anonymised MRI head images with publicly available software: investigation of the current risk to patient privacy. eClinicalMedicine. 2024 Dec;78:102930. doi:10.1016/j.eclinm.2024.102930

11.  Wang D, Lee SH, Wang T, Xiao Y. Assessment of Defacing Techniques on Medical Images for Radiation Therapy: Implications for Patient Privacy and Data Utility. International Journal of Radiation Oncology, Biology, Physics. 2026 Mar 22;0(0). Available from: https://urldefense.com/v3/__https://www.redjournal.org/article/S0360-3016(26)00507-9/abstract__;!!KGKeukY!zuUaAJfQ012UeacyqduCeYE28RMoRD0vH3sq0m8GUz5cImuH3IzjYbCBhI3piG7-3DXUsLaecGsOtW2cBUrAGA86-GSXlOBc13UBtKA$  doi:10.1016/j.ijrobp.2026.03.023

12.  Kang SU, Kim I, Park SW, Kim WJ, Jang J-W, Sung K. De-identification Strategy and Re-identification Risks for Facial Computed Tomography Images via Deep Learning. J Digit Imaging Inform med. 2026 Feb 25; Available from: https://urldefense.com/v3/__https://doi.org/10.1007/s10278-026-01858-7__;!!KGKeukY!zuUaAJfQ012UeacyqduCeYE28RMoRD0vH3sq0m8GUz5cImuH3IzjYbCBhI3piG7-3DXUsLaecGsOtW2cBUrAGA86-GSXlOBcZa1pubg$  doi:10.1007/s10278-026-01858-7

13.  Schwarz CG, Choe M, Rossi S, Das SR, Ittyerah R, Fletcher E, et al. Implementation and validation of face de-identification (de-facing) in ADNI4. Alzheimers Dement. 2024 Nov;20(11):8048–61. doi:10.1002/alz.14303

14.  Schwarz CG, Kremers WK, Lowe VJ, Savvides M, Gunter JL, Senjem ML, et al. Potential for Re-Identifying Brain PET Research Participants using Face Recognition. Alzheimer’s & Dementia. 2022;18(S1):e063652. doi:10.1002/alz.063652

15.  Schwarz CG, Kremers WK, Lowe VJ, Savvides M, Gunter JL, Senjem ML, et al. Face recognition from research brain PET: An unexpected PET problem. NeuroImage. 2022 Sept;258:119357. doi:10.1016/j.neuroimage.2022.119357

16.  Kotsenas AL, Balthazar P, Andrews D, Geis JR, Cook TS. Rethinking Patient Consent in the Era of Artificial Intelligence and Big Data. Journal of the American College of Radiology. 2021 Jan;18(1):180–4. doi:10.1016/j.jacr.2020.09.022

17.  Batlle JC, Dreyer K, Allen B, Cook T, Roth CJ, Kitts AB, et al. Data Sharing of Imaging in an Evolving Health Care World: Report of the ACR Data Sharing Workgroup, Part 1: Data Ethics of Privacy, Consent, and Anonymization. Journal of the American College of Radiology. 2021 Dec;18(12):1646–54. doi:10.1016/j.jacr.2021.07.014

18.  Moulaei K, Akhlaghpour S, Fatehi F. Patient consent for the secondary use of health data in artificial intelligence (AI) models: A scoping review. International Journal of Medical Informatics. 2025 June 1;198:105872. doi:10.1016/j.ijmedinf.2025.105872

19.  McKay F, Treanor D, Hallowell N. Inalienable data: Ethical imaginaries of de-identified health data ownership. SSM - Qual Res Health. 2023 Dec 1;4:100321. doi:10.1016/j.ssmqr.2023.100321

20.  Harvard Law Review. Waiving Chevron Deference. Harvard Law Review. 2019 Mar 8;132(5):1520–41.

On 5/26/26 3:45 PM, Jayse Weaver via Intl_dxmedphys_wd_osu_list wrote:
> At least in the U. S. , patients only have the rights to access their imaging data under HIPAA, and the provider retains ownership of the actual data. My understanding is that as long as the data is de-identified, patient consent is not required
> At least in the U.S., patients only have the rights to access their imaging data under HIPAA, and the provider retains ownership of the actual data. My understanding is that as long as the data is de-identified, patient consent is not required at all for the provider to sell it.
> 
> I recalled this pre-AI article (AuntMinnie write up here <https://urldefense.com/v3/__https://www.auntminnie.com/imaging-informatics/advanced-visualization/article/15609566/patients-can-be-identified-based-on-3d-reconstructions__;!!KGKeukY!2ZziBAuty3fhstZQYoQVMvS9hUdQ1QATPTTYWAG7AZurJiV80t0mZnT-lG1ByrR4bErMJ7eL42L-47n3FnkFYsCS7pJgYDfayXcfnfjzF5venPdF$>) about facial recognition from 3D surface renderings using CT. There probably is potential for an AI algorithm to do a far better job than humans at matching a photo/video to a 3D rendering. The theoretical risk for harm would be greater if the de-identified CT were readily linked to more health information from an EHR.
> 
> As with other AI-related legal questions (like liability for missed cancers in AI-only screening), the legal and ethical frameworks are still lagging behind rapid commercial development.
> 
> *-----*
> 
> *Jayse M. Weaver, Ph.D.* (he/him)
> 
> Associate Physicist – Diagnostic Services Medical Physics
> 
> Assistant Professor – Diagnostic Radiology and Nuclear Medicine
> 
> Rush University Medical Center
> 
> RUSH
> 
> 
> 
> 
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *From:* Intl_dxmedphys_wd_osu_list <intl_dxmedphys_wd_osu_list-bounces at lists.osu.edu> on behalf of Bob Pizzutiello via Intl_dxmedphys_wd_osu_list <intl_dxmedphys_wd_osu_list at lists.osu.edu>
> *Sent:* Tuesday, May 26, 2026 2:00 PM
> *To:* intl_dxmedphys_wd_osu_list at lists.osu.edu <intl_dxmedphys_wd_osu_list at lists.osu.edu>
> *Subject:* [Intl_DxMedPhys] Who owns patient image data?
> 
> I have heard that some big data companies are looking to purchase deidentified image and possibly EMR data from hospitals and imaging centers.
> 
> Who actually owns this data? It seems to me that patients pay for the imaging service and should have some or full ownership, but perhaps there is fine print in the release forms that assign ownership elsewhere.
> 
> I have some uneasiness about this, since huge companies could arguably develop tech to identify individuals, and enable nefarious use of that data.
> 
> Does anyone know?
> 
> Thanks
> Bob
>  From Bob Pizzutiello, typos courtesy iPhone