NEW!

DICOM De-Identifier

Remove Protected Health Information (PHI) from DICOM files for free. HIPAA Safe Harbor compliant, all processing in your browser.

🔒 All processing happens locally in your browser. Your medical data never leaves your device. HIPAA-compatible.

Upload DICOM File

Drag a file here or click to select

Supports .dcm, .dicom, .ima (max 100MB)

PHI Scan Results

Keywords

dicom de-identificationdicom anonymizerdicom phi removalhipaa dicommedical image anonymizationdicom privacy

Need something else?

🩻

Try DICOM Tag Viewer

View, search, and compare DICOM tags and metadata from medical imaging files online for free. No registration needed.

🩻

Try DICOM Image Viewer

View DICOM medical images in your browser with windowing controls, multi-frame support, and zoom. Free, private, no upload.

How to use

Upload a DICOM (.dcm) file using the file selector or drag-and-drop.

Review the PHI scan results — the tool automatically detects patient names, dates, IDs, and other protected data.

Select which PHI categories to remove and choose whether to clear values or replace with placeholders.

Click De-identify and download the cleaned file.

Features

Automatic PHI Detection

Scans all tags against HIPAA Safe Harbor identifiers and categorizes found PHI into patient demographics, dates, IDs, and more.

Flexible De-identification Modes

Choose to clear PHI values entirely or replace them with standardized placeholders, depending on your research protocol requirements.

Private Tag Removal

Optionally strips all vendor-specific private tags (odd group numbers) that may contain proprietary patient-identifiable data.

100% Browser-Based

No upload to any server. DICOM files are processed entirely in your browser — PHI never leaves your machine.

Why Choose This Tool?

Complete Privacy — Zero Network Transmission

Unlike cloud-based anonymizers, this tool processes DICOM files entirely within your browser using JavaScript. No pixel data, patient demographics, or metadata ever leaves your device. There is no server, no cloud storage, and no temporary cache. This eliminates the risk of accidental PHI disclosure and avoids the need for Business Associate Agreements with third-party services.

HIPAA Safe Harbor Aligned

The tool's PHI detection covers all 18 HIPAA Safe Harbor identifiers that can appear in DICOM tags: patient name, dates, medical record numbers, accession numbers, institution names, physician names, and more. You can selectively de-identify by category, giving you fine-grained control over what is removed while preserving clinically relevant metadata.

No Installation or Approval Required

Open the tool in any modern browser and start working immediately. There are no desktop installers, license keys, or IT procurement cycles. Research coordinators and clinical engineers can use it from hospital workstations, VPN laptops, or personal devices without requesting admin privileges.

Transparent and Auditable

After de-identification, the tool reports exactly how many tags were modified and how many private tags were removed. You can verify the results by inspecting the downloaded file in our DICOM Tag Viewer. This transparency supports audit trails required by IRB protocols and institutional data governance policies.

DICOM De-Identification: A Guide for Research and Compliance

Why De-Identification Matters

Medical imaging datasets are invaluable for clinical research, AI model training, and multi-site collaborations. However, DICOM files embed dozens of tags containing Protected Health Information (PHI) — patient names, dates of birth, medical record numbers, referring physician names, and institutional identifiers. Sharing these files without proper de-identification violates HIPAA, GDPR, and most institutional data-governance policies.

HIPAA Safe Harbor Method

The HIPAA Privacy Rule defines two de-identification methods. The Safe Harbor method requires removing 18 categories of identifiers, including names, geographic data smaller than a state, dates (except year), phone numbers, email addresses, Social Security numbers, medical record numbers, and biometric identifiers. In the DICOM context, this translates to specific tags: (0010,0010) Patient Name, (0010,0030) Patient Birth Date, (0010,0020) Patient ID, (0008,0050) Accession Number, and many others.

Categories of PHI in DICOM

Patient Demographics: Name, birth date, sex, age, weight, address, and ethnic group.
Patient Identifiers: Patient ID, other patient IDs, insurance plan, and social security numbers embedded in comments.
Institutional Information: Institution name, department, station name.
Physician Information: Referring physician name, performing physician, operator name.
Dates and Times: Study date, series date, acquisition date, content date — all can be combined with other data to re-identify patients.
Study and Accession IDs: Accession number, study ID — often used as cross-references in hospital systems.
Private Tags: Vendor-specific tags (odd group numbers) may contain proprietary patient-identifiable data that standard de-identification profiles miss.

Empty vs. Placeholder Mode

When de-identifying, you can choose to clear values (set them to empty strings) or replace them with standardized placeholders like "ANONYMIZED" or "19000101". The placeholder approach preserves the tag structure and data types, which can be important for downstream software that expects non-empty values. The empty approach is more aggressive and may be preferred when maximum privacy is required.

DICOM Confidentiality Profiles (PS3.15)

Beyond HIPAA Safe Harbor, the DICOM standard itself defines formal confidentiality profiles in Part 15, Annex E. The Basic Application Level Confidentiality Profile specifies actions (D = replace with dummy, Z = zero-length, X = remove, K = keep) for over 300 standard attributes. Supplementary profiles include Retain Safe Private Option (keeps marked-safe private tags), Retain UIDs Option (preserves Study/Series/SOP Instance UIDs for longitudinal tracking), Retain Patient Characteristics Option (keeps age, sex, and body measurements when needed for research), and Retain Device Identity Option (preserves equipment serial numbers for calibration studies).

Choosing the right profile combination depends on your use case. Multi-site clinical trials typically apply the Basic Profile with Retain UIDs so that follow-up scans can be linked. AI training datasets often use the Basic Profile without any retain options for maximum privacy. Understanding these profiles helps you configure de-identification rules that meet both regulatory requirements and research needs simultaneously.

Re-identification Risks and Mitigation

Even after removing all 18 HIPAA Safe Harbor identifiers, residual re-identification risks remain. Unique imaging characteristics — such as dental structures in head CTs, surgical implant serial numbers visible in pixel data, or rare pathology patterns — can potentially link de-identified images back to individuals. Quasi-identifiers like combinations of age, sex, and geographic region can narrow down patients when cross-referenced with external datasets.

Mitigation strategies include date shifting (applying a random but consistent offset to all dates within a patient's study set), k-anonymity verification (ensuring at least k records share the same quasi-identifier values), and pixel scrubbing (detecting and redacting burned-in text overlays using OCR-based tools). For high-risk datasets containing facial structures or rare conditions, consider applying defacing algorithms that remove recognizable facial geometry from volumetric head scans while preserving brain anatomy.

Best Practices

Always verify de-identification results by re-inspecting the output file. Check that burned-in annotations on pixel data (ultrasound headers, CR overlays) are handled separately, as tag-level de-identification does not modify pixel data. Maintain a log of which categories were removed and which mode was used. For multi-site research, agree on a common de-identification profile before exchanging datasets to ensure consistency across institutions.

When building de-identification workflows, establish a documented standard operating procedure (SOP) that specifies which profile to apply, which retain options to enable, and how to handle edge cases like corrupted tags or missing values. Archive the SOP alongside your de-identified datasets so that future auditors and collaborators can reproduce the exact process. Periodically review your approach as new DICOM supplements and regulatory guidance are published.

Frequently Asked Questions

Does this tool upload my DICOM files to a server?

No. All processing happens entirely in your browser using JavaScript. Your DICOM file is read into local memory, PHI is detected and removed locally, and the de-identified file is generated on your device. No data is transmitted over the network at any point.

Which PHI tags does the tool detect?

The tool scans for all HIPAA Safe Harbor identifiers that can appear in DICOM metadata: patient name, birth date, patient ID, accession number, institution name, referring and performing physician names, study and series dates, and more — over 40 tags across 7 categories.

What is the difference between empty and placeholder mode?

In empty mode, PHI tag values are cleared to empty strings. In placeholder mode, values are replaced with standardized substitutes like 'ANONYMIZED' for names or '19000101' for dates. Placeholder mode preserves data types and lengths, which helps when downstream software expects non-empty values.

Does the tool remove burned-in annotations from pixel data?

No. This tool operates at the DICOM tag (metadata) level only. Burned-in text overlays on ultrasound images, CR films, or secondary capture images require separate pixel-level redaction. Always check your imaging modality's output for burned-in PHI.

Can I select which categories of PHI to remove?

Yes. The tool categorizes detected PHI into patient demographics, identifiers, institutional info, physician info, dates, study IDs, and other. You can check or uncheck each category independently to control exactly what gets de-identified.

What happens to private (vendor-specific) tags?

You can optionally remove all private tags (tags with odd group numbers). These vendor-specific tags may contain proprietary patient data that is not covered by standard DICOM de-identification profiles. The option is enabled by default.

Is the output file a valid DICOM file?

Yes. The tool modifies tag values in-place while preserving the DICOM file structure, transfer syntax, and pixel data. It also sets the Patient Identity Removed (0012,0062) and De-identification Method (0012,0063) tags as required by the DICOM standard.

Can I use this for IRB-approved research?

The tool implements tag-level de-identification aligned with HIPAA Safe Harbor. However, each IRB may have additional requirements. Always verify the output meets your specific protocol and document your de-identification process. The tool's result summary helps support audit trail documentation.

What file formats are supported?

Standard DICOM Part 10 files with .dcm, .dicom, or .ima extensions. Both explicit and implicit VR encodings in little-endian and big-endian byte orders are supported.

Is there a file size limit?

There is no hard limit, but files are loaded into browser memory. Most clinical images (10–100 MB) process quickly. Files above 500 MB may be slow on devices with limited RAM.

Sources

Reviewed by Healthcare IT Editorial Team — Clinical Informatics Specialists

Last reviewed: 2026-03-17

dicom-tools 2026-03-17

DICOM De-Identification: How to Safely Remove PHI from Medical Images

Learn how to safely remove Protected Health Information from DICOM files for research sharing. Covers tag-level PHI, burned-in annotations, and audit workflows.

Learn more