June 2, 2026
DICOM De-Identification That Clinicians Actually Trust
Most DICOM anonymizers strip everything — including the data researchers and clinicians need. Aira takes a different approach: remove what identifies a person, keep what serves medicine.
The Problem with Aggressive Anonymization
A radiologist sends a CT scan for a second opinion. The anonymizer strips the patient name (good), the date of birth (bad), the study date (worse), and the body weight (useless). Now the receiving physician can't calculate age at diagnosis, can't correlate with prior studies, and can't adjust dosimetry calculations.
This happens because most tools treat every DICOM tag the same: if it could identify someone, delete it. But a date of birth without a name, ID, or address identifies no one. It's just a date.
What Aira Removes
Aira implements the DICOM PS3.15 Annex E de-identification profile — the actual standard, not a homebrew list. 52 tags are handled across 6 action types:
- Removed (30 tags) — Patient name, ID, address, phone, ethnicity, occupation, physician names, institution name and address, medical record locator
- Hashed (6 tags) — UIDs (Study, Series, SOP, Frame of Reference), accession number, study ID. Valid DICOM 2.25.* UIDs, not ANON-hex placeholders
- Scan-removed (5 tags) — Descriptions and comments scanned for PHI before deciding to keep or remove
- Private tags — All vendor-specific tags (odd group numbers) stripped entirely
What Aira Keeps
With name, ID, address, institution, and physician removed, these fields alone cannot re-identify a patient. They stay because clinicians need them:
- Date of birth — Age calculations, longitudinal tracking, cohort matching
- Gender — Not PHI per HIPAA Safe Harbor. Clinically essential.
- Age, height, weight — Dosimetry, BMI calculations, treatment planning
- Study date and time — When the scan happened matters. Shifting dates breaks longitudinal studies.
- Series and acquisition dates — Temporal context for multi-phase studies
- Protocol name — Which imaging protocol was used. Not identifying.
Conformance Tags
After de-identification, Aira stamps the file with three conformance tags that downstream systems (PACS, research platforms, regulatory tools) look for:
- (0012,0062) Patient Identity Removed = YES
- (0012,0063) De-identification Method — free text listing which actions were applied
- (0012,0064) De-identification Method Code Sequence — CID 7050 coded entries (Basic Profile, Clean Descriptors, Retain Patient Characteristics)
- (0028,0301) Burned In Annotation = NO
Without these tags, a de-identified DICOM file is just a DICOM file with missing data. With them, it's a certified de-identified file that any system can verify.
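The remove, hash, strip-private and stamp actions described under "What Aira Removes" and "Conformance Tags" can be sketched over a header held as a plain dictionary. This is an added example, not Aira's code. The keyed HMAC-SHA256 hashing, the `PROJECT_KEY` name, the dictionary representation and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a per-project secret key. Keying the hash stops anyone who
# knows a source UID from recomputing its replacement.
PROJECT_KEY = b"constructed-demo-key"

REMOVE = {(0x0010, 0x0010), (0x0010, 0x0020), (0x0008, 0x0080)}  # name, ID, institution
HASH_UID = {(0x0020, 0x000D), (0x0020, 0x000E), (0x0008, 0x0018), (0x0020, 0x0052)}
HASH_TEXT = {(0x0008, 0x0050), (0x0020, 0x0010)}  # accession number, study ID


def hash_uid(uid: str, key: bytes = PROJECT_KEY) -> str:
    """Map a UID to a stable 2.25.<decimal> UID (at most 44 chars, limit is 64)."""
    digest = hmac.new(key, uid.encode("ascii"), hashlib.sha256).digest()
    return "2.25." + str(int.from_bytes(digest[:16], "big"))


def hash_text(value: str, key: bytes = PROJECT_KEY) -> str:
    """Replace a short identifier with 16 hex characters (the SH length limit)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16].upper()


def deidentify(tags: dict) -> dict:
    """Apply remove / hash / strip-private actions, then stamp the result."""
    out = {}
    for (group, element), value in tags.items():
        if group % 2 == 1 or (group, element) in REMOVE:
            continue                      # private (odd group) or direct identifier
        if (group, element) in HASH_UID:
            value = hash_uid(value)
        elif (group, element) in HASH_TEXT:
            value = hash_text(value)
        out[(group, element)] = value     # everything else (dates, weight) is kept
    out[(0x0012, 0x0062)] = "YES"         # Patient Identity Removed
    out[(0x0012, 0x0063)] = "remove; keyed-hash UIDs; strip private tags"
    return out


# Constructed sample header, not taken from a real study.
SAMPLE = {
    (0x0010, 0x0010): "DOE^JANE",
    (0x0010, 0x0020): "MRN-0001",
    (0x0010, 0x0030): "19700101",            # date of birth
    (0x0008, 0x0020): "20240115",            # study date
    (0x0008, 0x0050): "ACC123",
    (0x0020, 0x000D): "1.2.840.99999.1.1",   # Study Instance UID
    (0x0009, 0x0010): "VENDOR PRIVATE",      # odd group
}
```

Because the mapping is deterministic under one key, every file from the same study receives the same replacement Study Instance UID, so series still group correctly after de-identification. The sketch does not stamp (0028,0301), since it never inspects pixel data.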
Pixel Redaction
Metadata scrubbing isn't enough. Burned-in text on the image itself — patient names in ultrasound overlays, MRN numbers on X-ray corners — survives metadata removal. Aira uses Microsoft Presidio's DICOM redactor with OCR to detect and black-box burned-in PHI in the pixel data.
Cryptographic Receipt
Every de-identification operation produces an Ed25519-signed receipt with an RFC 3161 timestamp. The receipt commits: input hash, output hash, which tags were modified, and the de-identification profile used. If the file is later altered, the receipt chain breaks.
Try It
Upload a DICOM file at airaproof.com/dashboard/sanitize. Choose “redact” mode. Download the de-identified file and compare in any DICOM viewer — names gone, dates preserved, conformance tags present.
Or use the API:
curl -X POST https://api.airaproof.com/api/v1/sanitize/file \
-H "Authorization: Bearer $AIRA_API_KEY" \
-F "file=@study.dcm" \
-F "policy=hipaa" \
-F "mode=redact" \
-F "include_pixel_redaction=true"