Awkward, illegal patient info sneaks into PowerPoint files

Radiologists should take much greater care over the patient information contained in their PowerPoint files, according to researchers from the University of Michigan.

"Think twice before publicly releasing PowerPoint files," said Dr. Frank Londy, lead author of an informatics education exhibit at RSNA 2008. "Review common locations for hidden PHI (private health information) prior to releasing a PowerPoint. Knowledge of the problems can prevent inadvertent disclosure of PHI."

E-mail and the Internet have made public release of PPT presentations very easy. In the U.S., the Health Insurance Portability and Accountability Act prohibits the unauthorized release of PHI. Lack of knowledge and the idiosyncrasies of Microsoft's PPT program may result in the accidental release of such information, however.

Before PPT files are made available for download or transferred to others, consider converting the files to other formats, including PDF and video, Londy said.

An article by the Michigan group (Radiology 2008;249:285-293) reported that 25% of radiology PPT files downloaded from the Internet contain PHI.

"Anecdotally, we have seen PHI in presentations at national and local continuing medical education meetings, in e-mailed PPT files, and in PPT files on the Internet," Londy said.

PHI in radiology images includes dates (date and time of study and date of birth) and unique identifying numbers (exam ID, patient identification number, accession number). Some data, such as patient name on an image, are clearly traceable to an individual.

The common locations of PHI include images, notes field, text, video, file names, and embedded text. DICOM images may have overlay that contains PHI, and other problems may occur with inserted images. Placing an object over PHI in an image conceals the PHI in presentation mode, but not in edit mode, where the object can be easily moved to reveal the information.

"Images that contain PHI are often cropped in PPT. Authors may not realize that the cropped areas are not deleted; they are merely hidden. The images can later be uncropped, revealing the previously hidden PHI," Londy said.

Londy recommends telling 3D workstation and PACS companies that including PHI in screen captures is often not necessary. Each institution should develop a clear policy on placing PPT files on the Internet and educate colleagues and staff about potential PHI disclosures, he said. Enabling the option in PPT to save files as "read only" eliminates the ability to manipulate images and text.

Londy offered a checklist for presenters:

• Crop image prior to inserting into slide

• If you use the removed cropped areas feature in PPT, check to be certain it worked

• Don't include PHI in image filenames

• Check image hyperlinks for PHI

• Don't put PHI in notes field

• Don't use PHI in video filename or in folder names

• Don't try to hide PHI on a slide

• Don't place PHI off the edge of slides

For more information from the Diagnostic Imaging and SearchMedica archives:

Medical de-identification system addresses health records privacy issues