DeidentifyConfig

Configures de-id options specific to different types of content. Each submessage customizes the handling of an https://tools.ietf.org/html/rfc6838 media type or subtype. Configs are applied in a nested manner at runtime.

JSON representation
{
  "dicom": {
    object(DicomConfig)
  },
  "fhir": {
    object(FhirConfig)
  },
  "image": {
    object(ImageConfig)
  },
  "annotation": {
    object(AnnotationConfig)
  },
  "text": {
    object(TextConfig)
  },
  "operationMetadata": {
    object(DeidentifyOperationMetadata)
  }
}
Fields
dicom

object(DicomConfig)

Configures de-id of application/DICOM content.

fhir

object(FhirConfig)

Configures de-id of application/FHIR content.

image

object(ImageConfig)

Configures de-identification of image pixels wherever they are found in the sourceDataset.

annotation

object(AnnotationConfig)

Configures how annotations, meaning that the location and infoType of sensitive information findings, are created during de-identification. If unspecified, no annotations are created.

text

object(TextConfig)

Configures de-identification of text wherever it is found in the sourceDataset.

operationMetadata

object(DeidentifyOperationMetadata)

Details about the work the de-identify operation performed.

DicomConfig

Specifies the parameters needed for de-identification of DICOM stores.

JSON representation
{
  "skipIdRedaction": boolean,

  // Union field tag_filter can be only one of the following:
  "keepList": {
    object(TagFilterList)
  },
  "removeList": {
    object(TagFilterList)
  },
  "filterProfile": enum(TagFilterProfile)
  // End of list of possible types for union field tag_filter.
}
Fields
skipIdRedaction

boolean

If true, skip replacing StudyInstanceUID, SeriesInstanceUID, SOPInstanceUID, and MediaStorageSOPInstanceUID and leave them untouched. The Cloud Healthcare API regenerates these UIDs by default based on the DICOM Standard's reasoning: "Whilst these UIDs cannot be mapped directly to an individual out of context, given access to the original images, or to a database of the original images containing the UIDs, it would be possible to recover the individual's identity." http://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9.html

Union field tag_filter. Determines tag filtering method (meaning which tags to keep/remove). tag_filter can be only one of the following:
keepList

object(TagFilterList)

List of tags to keep. Remove all other tags.

removeList

object(TagFilterList)

List of tags to remove. Keep all other tags.

filterProfile

enum(TagFilterProfile)

Tag filtering profile that determines which tags to keep/remove.

TagFilterList

List of tags to be filtered.

JSON representation
{
  "tags": [
    string
  ]
}
Fields
tags[]

string

Tags to be filtered. Tags must be DICOM Data Elements, File Meta Elements, or Directory Structuring Elements, as defined at: http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1,. They may be provided by "Keyword" or "Tag". For example, "PatientID", "00100010".

TagFilterProfile

Profile that determines which tags to keep/remove.

Enums
TAG_FILTER_PROFILE_UNSPECIFIED No tag filtration profile provided. Same as KEEP_ALL_PROFILE.
MINIMAL_KEEP_LIST_PROFILE Keep only tags required to produce valid DICOM.
ATTRIBUTE_CONFIDENTIALITY_BASIC_PROFILE Remove tags based on DICOM Standard's Attribute Confidentiality Basic Profile (DICOM Standard Edition 2018e) http://dicom.nema.org/medical/dicom/2018e/output/chtml/part15/chapter_E.html.
KEEP_ALL_PROFILE Keep all tags.
DEIDENTIFY_TAG_CONTENTS Inspects within tag contents and replaces sensitive text. The process can be configured using the TextConfig. Applies to all tags with the following Value Representation names: AE, LO, LT, PN, SH, ST, UC, UT, DA, DT, AS

FhirConfig

Specifies how to handle de-identification of a FHIR store.

JSON representation
{
  "fieldMetadataList": [
    {
      object(FieldMetadata)
    }
  ],
  "defaultKeepExtensions": boolean
}
Fields
fieldMetadataList[]

object(FieldMetadata)

Specifies FHIR paths to match and how to transform them. Any field that is not matched by a FieldMetadata is passed through to the output dataset unmodified. All extensions will be processed according to defaultKeepExtensions. If a field can be matched by more than one FieldMetadata, the first FieldMetadata.Action is applied.

defaultKeepExtensions

boolean

The behaviour for handling FHIR extensions that aren't otherwise specified for de-identification. If true, all extensions are preserved during de-identification by default. If false or unspecified, all extensions are removed during de-identification by default.

FieldMetadata

Specifies FHIR paths to match, and how to handle de-identification of matching fields.

JSON representation
{
  "paths": [
    string
  ],
  "action": enum(Action)
}
Fields
paths[]

string

List of paths to FHIR fields to redact. Each path is a period-separated list where each component is either a field name or FHIR type name. All types begin with an upper case letter. For example, the resource field "Patient.Address.city", which uses a string type, can be matched by "Patient.Address.String". Path also supports partial matching. For example, "Patient.Address.city" can be matched by "Address.city" (Patient omitted). Partial matching and type matching can be combined. For example, "Patient.Address.city" can be matched by "Address.String". For "choice" types (those defined in the FHIR spec with the form: field[x]), use two separate components. For example, "deceasedAge.unit" is matched by "Deceased.Age.unit". Supported types are: AdministrativeGenderCode, Base64Binary, Boolean, Code, Date, DateTime, Decimal, HumanName, Id, Instant, Integer, LanguageCode, Markdown, Oid, PositiveInt, String, UnsignedInt, Uri, Uuid, Xhtml. The sub-type for HumanName(for example HumanName.given, HumanName.family) can be omitted.

action

enum(Action)

Deidentify action for one field.

Action

Whether or not to redact this field, or whether to inspect it for PHI.

Enums
ACTION_UNSPECIFIED No action specified.
TRANSFORM Transform the entire field based on transformations specified in TextConfig. When the specified transformation cannot be applied to a field, RedactConfig is used. For example, a Crypto Hash transformation can't be applied to a FHIR Date field.
INSPECT_AND_TRANSFORM Inspect and transform any found PHI. When AnnotationConfig is provided, annotations of PHI will be generated, except for Date and Datetime.
DO_NOT_TRANSFORM Do not transform.

ImageConfig

Specifies how to handle de-identification of image pixels.

JSON representation
{
  "textRedactionMode": enum(TextRedactionMode)
}
Fields
textRedactionMode

enum(TextRedactionMode)

Determines how to redact text from image.

TextRedactionMode

How to redact text found in images (if at all).

Enums
TEXT_REDACTION_MODE_UNSPECIFIED No text redaction specified. Same as REDACT_NO_TEXT.
REDACT_ALL_TEXT Redact all text.
REDACT_SENSITIVE_TEXT Redact sensitive text. Uses the set of Default DICOM InfoTypes.
REDACT_NO_TEXT Do not redact text.

AnnotationConfig

Specifies how to store annotations during de-identification operation.

JSON representation
{
  "annotationStoreName": string,
  "storeQuote": boolean
}
Fields
annotationStoreName

string

The name of the annotation store, in the form projects/{projectId}/locations/{locationId}/datasets/{datasetId}/annotationStores/{annotationStoreId}).

  • The destination annotation store must be in the same project as the source data. De-identifying data across multiple projects is not supported.
  • The destination annotation store must exist when using dicomStores.deidentify or fhirStores.deidentify. datasets.deidentify automatically creates the destination annotation store.
storeQuote

boolean

If set to true, the sensitive texts are included in SensitiveTextAnnotation of Annotation.

TextConfig

JSON representation
{
  "transformations": [
    {
      object(InfoTypeTransformation)
    }
  ]
}
Fields
transformations[]

object(InfoTypeTransformation)

The transformations to apply to the detected data.

InfoTypeTransformation

A transformation to apply to text that is identified as a specific infoType.

JSON representation
{
  "infoTypes": [
    string
  ],

  // Union field config can be only one of the following:
  "redactConfig": {
    object(RedactConfig)
  },
  "characterMaskConfig": {
    object(CharacterMaskConfig)
  },
  "dateShiftConfig": {
    object(DateShiftConfig)
  },
  "cryptoHashConfig": {
    object(CryptoHashConfig)
  },
  "replaceWithInfoTypeConfig": {
    object(ReplaceWithInfoTypeConfig)
  }
  // End of list of possible types for union field config.
}
Fields
infoTypes[]

string

InfoTypes to apply this transformation to. If this is not specified, this transformation becomes the default transformation, and is used for any infoType that is not specified in another transformation.

Union field config.

config can be only one of the following:

redactConfig

object(RedactConfig)

Config for text redaction.

characterMaskConfig

object(CharacterMaskConfig)

Config for character mask.

dateShiftConfig

object(DateShiftConfig)

Config for date shift.

cryptoHashConfig

object(CryptoHashConfig)

Config for crypto hash.

replaceWithInfoTypeConfig

object(ReplaceWithInfoTypeConfig)

Config for replace with InfoType.

RedactConfig

Define how to redact sensitive values. Default behaviour is erase. For example, "My name is Jane." becomes "My name is ."

CharacterMaskConfig

Mask a string by replacing its characters with a fixed character.

JSON representation
{
  "maskingCharacter": string
}
Fields
maskingCharacter

string

Character to mask the sensitive values. If not supplied, defaults to "*".

DateShiftConfig

Shift a date forward or backward in time by a random amount which is consistent for a given patient and crypto key combination.

JSON representation
{
  "cryptoKey": string,
  "kmsWrapped": {
    object(KmsWrappedCryptoKey)
  }
}
Fields
cryptoKey

string (bytes format)

An AES 128/192/256 bit key. Causes the shift to be computed based on this key and the patient ID. A default key is generated for each de-identification operation and is used when neither cryptoKey nor kmsWrapped is specified. Must not be set if kmsWrapped is set.

A base64-encoded string.

kmsWrapped

object(KmsWrappedCryptoKey)

KMS wrapped key. Must not be set if cryptoKey is set.

KmsWrappedCryptoKey

Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. The key must grant the Cloud IAM permission cloudkms.cryptoKeyVersions.useToDecrypt to the project's Cloud Healthcare Service Agent service account.

For more information, see Creating a wrapped key.

JSON representation
{
  "wrappedKey": string,
  "cryptoKey": string
}
Fields
wrappedKey

string (bytes format)

Required. The wrapped data crypto key.

A base64-encoded string.

cryptoKey

string

Required. The resource name of the KMS CryptoKey to use for unwrapping. For example, projects/{projectId}/locations/{locationId}/keyRings/{keyring}/cryptoKeys/{key}.

CryptoHashConfig

Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. Outputs a base64-encoded representation of the hashed output. For example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=.

JSON representation
{
  "cryptoKey": string,
  "kmsWrapped": {
    object(KmsWrappedCryptoKey)
  }
}
Fields
cryptoKey

string (bytes format)

An AES 128/192/256 bit key. Causes the hash to be computed based on this key. A default key is generated for each Deidentify operation and is used when neither cryptoKey nor kmsWrapped is specified. Must not be set if kmsWrapped is set.

A base64-encoded string.

kmsWrapped

object(KmsWrappedCryptoKey)

KMS wrapped key. Must not be set if cryptoKey is set.

ReplaceWithInfoTypeConfig

When using the INSPECT_AND_TRANSFORM action, each match is replaced with the name of the infoType. For example, "My name is Jane" becomes "My name is [PERSON_NAME]." The TRANSFORM action is equivalent to redacting.

DeidentifyOperationMetadata

Details about the work the de-identify operation performed.

JSON representation
{
  "fhirOutput": {
    object(FhirOutput)
  }
}
Fields
fhirOutput

object(FhirOutput)

Details about the FHIR store to write the output to.

FhirOutput

Details about the FHIR store to write the output to.

JSON representation
{
  "fhirStore": string
}
Fields
fhirStore

string

Name of the output FHIR store, which must already exist. You must grant the healthcare.fhirResources.update permission on the destination store to your project's Cloud Healthcare Service Agent service account. The destination store must set [enableUpdateCreate][FhirStore.enable_update_create] to true. The destination store must use FHIR version R4. Writing these resources will consume FHIR operations quota from the project containing the source data. De-identify operation metadata is only generated for DICOM de-identification operations.