Hi everybody,

I have a question about Study/Series/SOP Instance UID retention and whether we need to generate new UIDs within our application.
Our application (used in clinical trials) will store the data after they have been de-identified/anonymized and our sponsors would like to have the ability to trace the images back to their origin if needed.
Our anonymized images are not shared publicly in any way.

According to the confidentiality profile
https://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9..html

"However, there are applications that require the ability to maintain an audit trail back to the original images and though there are other mechanisms they may not scale well or be reliably implemented. This Option is provided for use when it is judged that the risk of gaining access to the original information via the UIDs is small relative to the benefit of retaining them."

Does that excerpt mean then that we don't have to generate our own Study, Series and SOP Instance UIDs?

Aside from the need for confidentiality and universal uniqueness, what other need is there for us to generate new UIDs?

Thank you
Theodora Sarver

Le vendredi 23 juin 2023 à 17:30:18 UTC+2, Theodora Sarver a écrit :
> Hi everybody,
>
> I have a question about Study/Series/SOP Instance UID retention and whether we need to generate new UIDs within our application.
> Our application (used in clinical trials) will store the data after they have been de-identified/anonymized and our sponsors would like to have the ability to trace the images back to their origin if needed.
> Our anonymized images are not shared publicly in any way.
>
> According to the confidentiality profile
> https://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3..9.html
>
> "However, there are applications that require the ability to maintain an audit trail back to the original images and though there are other mechanisms they may not scale well or be reliably implemented. This Option is provided for use when it is judged that the risk of gaining access to the original information via the UIDs is small relative to the benefit of retaining them."
>
> Does that excerpt mean then that we don't have to generate our own Study, Series and SOP Instance UIDs?
>
> Aside from the need for confidentiality and universal uniqueness, what other need is there for us to generate new UIDs?
>
> Thank you
> Theodora Sarver

Hello,
My understanding of this part is that indeed, in scenarios where you would need to retain UIDs, you can still claim conformance by declaring this particular profile.

However be careful if you mix original images with de-identified images that still have the original UIDs. The UIDs are what most software solutions use to truly identify unique dicom files. If you send over de-identified images to a workstation that already had the original ones, it's not clear what would happen. Or if at some point you delete the de-identified ones, and the original end up deleted as well because the UIDs were the same. We've had such things happen before and since then we have always generated new UIDs when de-identifying. Even if it made no difference confidentiality-wise.

cheers
Thomas

Le vendredi 30 juin 2023 à 08:45:26 UTC+2, guiot...@gmail.com a écrit :
> Le vendredi 23 juin 2023 à 17:30:18 UTC+2, Theodora Sarver a écrit :
> > Hi everybody,
> >
> > I have a question about Study/Series/SOP Instance UID retention and whether we need to generate new UIDs within our application.
> > Our application (used in clinical trials) will store the data after they have been de-identified/anonymized and our sponsors would like to have the ability to trace the images back to their origin if needed.
> > Our anonymized images are not shared publicly in any way.
> >
> > According to the confidentiality profile
> > https://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E..3.9.html
> >
> > "However, there are applications that require the ability to maintain an audit trail back to the original images and though there are other mechanisms they may not scale well or be reliably implemented. This Option is provided for use when it is judged that the risk of gaining access to the original information via the UIDs is small relative to the benefit of retaining them."
> >
> > Does that excerpt mean then that we don't have to generate our own Study, Series and SOP Instance UIDs?
> >
> > Aside from the need for confidentiality and universal uniqueness, what other need is there for us to generate new UIDs?
> >
> > Thank you
> > Theodora Sarver
> Hello,
> My understanding of this part is that indeed, in scenarios where you would need to retain UIDs, you can still claim conformance by declaring this particular profile.
>
> However be careful if you mix original images with de-identified images that still have the original UIDs. The UIDs are what most software solutions use to truly identify unique dicom files. If you send over de-identified images to a workstation that already had the original ones, it's not clear what would happen. Or if at some point you delete the de-identified ones, and the original end up deleted as well because the UIDs were the same. We've had such things happen before and since then we have always generated new UIDs when de-identifying. Even if it made no difference confidentiality-wise.
>
> cheers
> Thomas

Also if your goal is simply to trace back the original patient, most hospitals just keep a mapping table between the original patient ID and the subject code in the trial. And in lots of cases, this mapping table is just a simple Excel spreadsheet, although I would not recommend this method.

On Friday, June 30, 2023 at 2:47:11 AM UTC-4, guiot...@gmail.com wrote:
> Le vendredi 30 juin 2023 à 08:45:26 UTC+2, guiot...@gmail.com a écrit :
> > Le vendredi 23 juin 2023 à 17:30:18 UTC+2, Theodora Sarver a écrit :
> > > Hi everybody,
> > >
> > > I have a question about Study/Series/SOP Instance UID retention and whether we need to generate new UIDs within our application.
> > > Our application (used in clinical trials) will store the data after they have been de-identified/anonymized and our sponsors would like to have the ability to trace the images back to their origin if needed.
> > > Our anonymized images are not shared publicly in any way.
> > >
> > > According to the confidentiality profile
> > > https://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9.html
> > >
> > > "However, there are applications that require the ability to maintain an audit trail back to the original images and though there are other mechanisms they may not scale well or be reliably implemented. This Option is provided for use when it is judged that the risk of gaining access to the original information via the UIDs is small relative to the benefit of retaining them."
> > >
> > > Does that excerpt mean then that we don't have to generate our own Study, Series and SOP Instance UIDs?
> > >
> > > Aside from the need for confidentiality and universal uniqueness, what other need is there for us to generate new UIDs?
> > >
> > > Thank you
> > > Theodora Sarver
> > Hello,
> > My understanding of this part is that indeed, in scenarios where you would need to retain UIDs, you can still claim conformance by declaring this particular profile.
> >
> > However be careful if you mix original images with de-identified images that still have the original UIDs. The UIDs are what most software solutions use to truly identify unique dicom files. If you send over de-identified images to a workstation that already had the original ones, it's not clear what would happen. Or if at some point you delete the de-identified ones, and the original end up deleted as well because the UIDs were the same. We've had such things happen before and since then we have always generated new UIDs when de-identifying. Even if it made no difference confidentiality-wise.
> >
> > cheers
> > Thomas
> Also if your goal is simply to trace back the original patient, most hospitals just keep a mapping table between the original patient ID and the subject code in the trial. And in lots of cases, this mapping table is just a simple Excel spreadsheet, although I would not recommend this method.

Thank you all for your responses. Much appreciated

Le mercredi 5 juillet 2023 à 16:54:23 UTC+2, Theodora Sarver a écrit :
> On Friday, June 30, 2023 at 2:47:11 AM UTC-4, guiot...@gmail.com wrote:
> > Le vendredi 30 juin 2023 à 08:45:26 UTC+2, guiot...@gmail.com a écrit :
> > > Le vendredi 23 juin 2023 à 17:30:18 UTC+2, Theodora Sarver a écrit :
> > > > Hi everybody,
> > > >
> > > > I have a question about Study/Series/SOP Instance UID retention and whether we need to generate new UIDs within our application.
> > > > Our application (used in clinical trials) will store the data after they have been de-identified/anonymized and our sponsors would like to have the ability to trace the images back to their origin if needed.
> > > > Our anonymized images are not shared publicly in any way.
> > > >
> > > > According to the confidentiality profile
> > > > https://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9.html
> > > >
> > > > "However, there are applications that require the ability to maintain an audit trail back to the original images and though there are other mechanisms they may not scale well or be reliably implemented. This Option is provided for use when it is judged that the risk of gaining access to the original information via the UIDs is small relative to the benefit of retaining them."
> > > >
> > > > Does that excerpt mean then that we don't have to generate our own Study, Series and SOP Instance UIDs?
> > > >
> > > > Aside from the need for confidentiality and universal uniqueness, what other need is there for us to generate new UIDs?
> > > >
> > > > Thank you
> > > > Theodora Sarver
> > > Hello,
> > > My understanding of this part is that indeed, in scenarios where you would need to retain UIDs, you can still claim conformance by declaring this particular profile.
> > >
> > > However be careful if you mix original images with de-identified images that still have the original UIDs. The UIDs are what most software solutions use to truly identify unique dicom files. If you send over de-identified images to a workstation that already had the original ones, it's not clear what would happen. Or if at some point you delete the de-identified ones, and the original end up deleted as well because the UIDs were the same. We've had such things happen before and since then we have always generated new UIDs when de-identifying. Even if it made no difference confidentiality-wise.
> > >
> > > cheers
> > > Thomas
> > Also if your goal is simply to trace back the original patient, most hospitals just keep a mapping table between the original patient ID and the subject code in the trial. And in lots of cases, this mapping table is just a simple Excel spreadsheet, although I would not recommend this method.
> Thank you all for your responses. Much appreciated
Dear all,
you have probably noticed the massive spam on this group. It makes it impossible to actually use it, and there doesn't seem to be an easy fix.
I have thus created a new group available here: https://groups.google.com/g/it-protocols-dicom
but new users must be granted access. If, like me, you think the DICOM Google group has been and still is useful, don't hesitate to join.
I'm updating a bunch of threads with this same message in the hopes you'll receive the update by email. Apologies if you receive this multiple times.
Cheers
Thomas