Using MIRC as a Using MIRC as a Research Data Research Data CollectorCollector

Lawrence Tarbox, Ph.D.Lawrence Tarbox, Ph.D.

Electronic Radiology LabElectronic Radiology LabMallinckrodt Institute of RadiologyMallinckrodt Institute of RadiologyWashington University in St. Louis School of Washington University in St. Louis School of MedicineMedicine

Requisite Financial Requisite Financial DisclosureDisclosure

• The author receives financial support from RSNA for work in IHE testing tools and connectathon management.

• The author consults with Siemens Medical Solutions on standardization issues (DICOM).

• The author’s retirement fund currently includes a small amount of Siemens, AG stock.

None of the above impacts today’s topic.

Research Dataset Research Dataset AcquisitionAcquisition

From John Perry’s Presentation:• MIRC feature developed with

Mallinckrodt Institute of Radiology• Allows internal researchers to

acquire DICOM images from modalities, store and manage them without using the clinical PACS– Bridges internal networks– Tracks access of PHI for HIPAA

compliance

Problem StatementProblem Statement

• Clinical scanners are often used for research purposes– Researcher-directed acquisitions– Clinical cases of research interest

• Not all researchers have access to the clinical PACS

• Research computer systems and networks often are outside of the HIPAA protected environment

Current SolutionCurrent Solution

• Whenever possible, techs are asked to enter the researcher’s name as the “referring physician”

• Techs asked to not put PHI in study/series descriptions

• Scanners are configured with a MIRC server as a DICOM destination, making it easy for techs to send research data to the MIRC server

• MIRC server remains in the HIPAA protected environment

• Researchers are given controlled access to the MIRC server to pick up their data

Research DataflowResearch DataflowHospital Network Medical School Network

Images containing PHI

Retrieve de-identified images

Retrieve de-identified images via VPNOpen Network

MIRC SetupMIRC Setup

• On receipt, DICOM data is stored both– as received (potentially with PHI)– deidentified/anonymized (no PHI)

• Research data is not published automatically (i.e., is not available to other MIRC servers)

• Protected Health Information (PHI) is not shown in query results list

• User login required to access data• Potential access to PHI is logged for audit

purposes, as required by HIPAA

HIPAA Audit LogsHIPAA Audit Logs

• No audit log entry for queries, since no PHI is shown in list returned

• Patient data accessed audit log entry when user clicks on a query list entry

• Patient data export audit log entry if user downloads non-deidentified data

• Logs both – stored locally on the MIRC server, and – optionally transmitted via http to a log

collection service (RFC 3881 format)

Most Researchers just click here

Queries are allowed, but are limited

Title includes modality and date

Author is referring physician

“Accessed” audit record generated

when title is clicked, logon required

XML template specifies content

of entries

“Export” audit record generated when zip file of

DICOM objects is downloaded

XML template specifies layout

and content

XML template specifies layout

and content

Audit Log ExamplesAudit Log Examples2005-01-13T18:25:04 - Access by MIRCuser @10.39.168.180 SIUID:

1.2.124.113532.128.252.220.117.20030306.133901.10766096

Pt ID: 05-10786-9 Name: PATIENT^NAME

2005-01-13T18:26:14 - Export by MIRCuser @10.39.168.180 SIUID:

1.2.124.113532.128.252.220.117.20030306.133901.10766096

Pt ID: 05-10786-8 Name: PATIENT^NAME

DiscussionDiscussion

• Over 90 GB of data have gone through the collector

• 10 to 20 studies a week• Expanding to include raw data

(sinograms) from scanners