Many radiology PowerPoints inadvertently put private health information at risk
Anyone who has ever used PowerPoint to present educational radiology materials might want to check their files again to ensure patients’ private health information (PHI) remains secure.
New work published in Current Problems in Diagnostic Radiology suggests that many of these files are still readily available online, and numerous contain PHI that is “easily accessible.” In fact, for certain file types, up to 40% contain attainable PHI, authors of the paper caution.
“When properly deidentified, these radiographic imaging files are valuable and do not pose any privacy concerns for patients. However, when these images are not properly managed, patient information can be uncovered; raising concerns about patient privacy and potential legal consequences for healthcare systems and academic institutions,” co-authors David Stern, BA, and William Weadock, MD, both from the Department of Abdominal Radiology at University of Michigan Medical Center, advised.
The group’s work builds on previous research published by Weadock et al in 2008. In internet time, 16 years could be perceived as an entire lifetime—after all, iPhones were still in their infancy when the initial research took place. While the need for protection of privacy has not changed since 2008, the ability to safeguard it has. As such, the team sought to determine if online accessibility of PHI has changed since Wi-Fi has become a near vital resource to everyday living for many.
For the study, the team conducted eight Google searches related to medical imaging, zeroing in on results that contained PowerPoint files. Each file was manually inspected for the presence of clinical images, with those containing imaging further assessed for full or partial PHI. Full PHI included patients’ full names, medical registration numbers, study date and geographic markers smaller than a state.
The searches “Magnetic Resonance Imaging filetype:ppt” and “Cardiac CT CAT Scan filetype:ppt” yielded 146 results, with 7.6% having full PHI accessible. The “Radiology Chest X-ray filetype:ppt” search resulted in accessible partial PHI in 40% of the PowerPoints and full PHI in 29%; “Post-Operative CT Scan filetype:ppt” contained accessible PHI in 29% of the presentations that populated.
The group noted that they were unable to uncover the majority of PHI found in the presentations via the PowerPoint crop tool. Once a presentation is discovered online and downloaded, it can be cropped and uncropped as users wish, often providing the option to revert an image to its original size and format, which likely contain PHI.
“This effectively eliminates any editing that may have been done to radiographic images and allows for PHI to be visible on the slide," the authors explained. "This method is easy to learn and takes only basic proficiency with Microsoft PowerPoint.”
When “pptx” was used instead of “ppt” to save files, PHI was less readily available, the group added. This was an improvement from the prior study’s findings.
Protecting private health information in educational materials
The formats files are saved in play an important role in protecting patient information, the group noted. One of the simplest, yet most effective steps users can take to ensure privacy is to save PowerPoint files using Adobe Acrobat formatting (file extension .pdf) before sharing the presentation publicly. This removes the option for images to be reformatted or cropped after the file has been saved.
There are also document inspector features in Microsoft that review presentations for private information that might not be visible in the final product but was, at some point, present in the materials used to create slides. What’s more, there are additional features that allow users to format pictures so that they remain permanently cropped. This would prevent others from uncropping photos to reveal PHI at a later time.
The group went on to name numerous additional safeguards that can be utilized to protect PHI, but also highlighted the role PACS vendors can play. Ideally, the group suggested radiology vendors should create programs that do not include PHI in image pixels. Having PHI removed entirely from images would prevent the issue from occurring before files are ever downloaded for PowerPoint presentations.
“While progress has been made, work remains to continue to educate users on how to properly protect patient information in PowerPoint files,” the group noted. “Appropriately protecting private healthcare information is essential for patient safety and can prevent unintentional HIPPA violations.”
The study abstract is available here.
In addition to her background in journalism, Hannah also has patient-facing experience in clinical settings, having spent more than 12 years working as a registered rad tech. She joined Innovate Healthcare in 2021 and has since put her unique expertise to use in her editorial role with Health Imaging.