...

• Insider attack
• Outsider attack
• Schwartz et al experiment is difficult to extrapolate from but has a lot of impact on the common understanding of the capabilities of AI.
• Real-world numbers: How many people in the US with gliomas to compare with? 100,000 over a 5-year period, 65 median age.
• If we train on reconstructions, how can you quantify reconstructions?
• Literature needed to inform the HIPAA regulation writers.
• Neuroimaging bias in this context. The wrong conclusions can be reached quickly.
• HIPAA has the statistical arm and the 18 elements arm. Peoples faces may not be useful in a specific context that can be shown statistically.
• Do we need to write a paper or do an experiment? Can we do experiments with data that could risk its status?
• We need a statistical expert who is familiar with quantifying reidentification risk.
• Judy would love to run experiments.
• Could we do experiments with TCIA data? License, data use agreements...
• Judy said she was able to get her IRB to approve experiments with head-neck data.
• Create a sub-group of this task group to plan these experiments.
• Can we apply Facebook's re-id algorithm to a "very large" site (with enough patients to achieve statistical validity on its own)? Federated experiment that aggregates findings to avoid risking re-identification of any individual institution's data. Could get approval for something like this.  
• Brian Bialecki: coordinating centers that know the location of the sites submitting the data, even if they don't retain the patients identities, could be used to reject/narrow matches, since a match to a different geographic location than the catchment region of the site could be assumed to be a false positive.

January 11, 2022 Meeting

WebEx recording of the 01/11/2022 meeting

Interim Report Best Practices And Recommendations Extract as of 20220107

• Fred asked if the report should be focused on the US given that the details can differ geographically.
• Data created from European persons may not satisfy GDPR.
• We should highlight when this is true, along with caveats and any possible workarounds.
• Fred likes the ideas of universal guidelines to recommend to the EU.
• We will share the report with international colleagues once it the report is fleshed out.
• California regulations exclude healthcare data. 
• Is it fair to focus on ethical and moral concerns as well as the legal concerns? We're trying to reduce the actual re-id risk and harm.
• So far we're focused on DICOM images.
• Kathy: Say anything about raw data signals?
• Wyatt: DICOM SR objects and embedded PDFs? Non-image objects, RT plans.
• Need a more precise definition for unrecognized. It is the opposite of "what is known to be safe."
• Specify what constitutes due diligence as you conduct your risk analysis. Can't help the unknown unknowns.
• Make the definition of collection clear. Collection doesn't communicate "version."
• "Release" not as good as "collection."
• "Indirect" and "direct" identifiers, sensitive information–a disease that may make someone discriminate against you or function as an indirect identifier.
• Ideally, you'd want to quantify the percentage of data elements you will be retaining.
• The paper will highlight the uncertainty.
• Steve: Address optional attributes as well.
• Calibration information can identify the machine used.
• Consistency of acquisition protocols.
• Need to consider and determine which options to the profile are selected. 
• Part 15 and best practices are different.
• Only got through item 6 in the Summary of Best Practices. Will pick this up at the next meeting. To save time, team members can send David their comments in writing.

Action: Review the Interim Report and email David Clunie your comments.