Illegal patient info sneaks into PowerPoint files

Radiologists should take much greater care over the patient information contained in their PowerPoint files, according to researchers from the University of Michigan.

"Think twice before publicly releasing PowerPoint files," said Dr. Frank Londy, lead author of an informatics education exhibit at RSNA 2008. "Review common locations for hidden PHI (private health information) prior to releasing a PowerPoint. Knowledge of the problems can prevent inadvertent disclosure of PHI."

E-mail and the Internet have made public release of PowerPoint presentations very easy. In the U.S., the Health Insurance Portability and Accountability Act prohibits the unauthorized release of PHI. Lack of knowledge and the idiosyncrasies of Microsoft’s PowerPoint program may result in the accidental release of such information, however.

Before PowerPoint files are made available for download or transferred to others, consider converting the files to other formats, including PDF and video, Londy said.

An article by the Michigan group (Radiology 2008;249:285-293) reported 25% of radiology PPT files downloaded from the Internet contain PHI.

"Anecdotally, we have seen PHI in presentations at national and local continuing medical education meetings, in e-mailed PPT files, and in PPT files on the Internet," Londy said. PHI in radiology images includes dates (date and time of study and date of birth) and unique identifying numbers (exam ID, patient identification number, accession number).

Some data, such as a patient’s name on an image, are clearly traceable to an individual.

The common locations of PHI include images, notes field, text, video, file names, and embedded text. DICOM images may have an overlay that contains PHI, and other problems may occur with inserted images. Placing an object over PHI in an image conceals the PHI in presentation mode, but not in edit mode, where the object can easily be moved to reveal the information.

"Images that contain PHI are often cropped in PowerPoint. Authors may not realize that the cropped areas are not deleted; they are merely hidden. The images can later be uncropped, revealing the previously hidden PHI," Londy said.

Londy recommends telling 3D workstation and PACS companies that including PHI in screen captures is often not necessary. Each institution should develop a clear policy for placing PowerPoint files on the Internet and educate colleagues and staff about potential PHI disclosures, he said. Enabling the option in PowerPoint to save files as "read only" eliminates the ability to manipulate images and text.