Index
- DeidentifyService (interface)
- CharacterMaskConfig (message)
- CryptoHashConfig (message)
- DateShiftConfig (message)
- DeidentifyConfig (message)
- DeidentifyConfig.DicomConfig (message)
- DeidentifyConfig.DicomConfig.TagFilterList (message)
- DeidentifyConfig.DicomConfig.TagFilterProfile (enum)
- DeidentifyConfig.FhirConfig (message)
- DeidentifyConfig.FhirConfig.FieldMetadata (message)
- DeidentifyConfig.FhirConfig.FieldMetadata.Action (enum)
- DeidentifyConfig.ImageConfig (message)
- DeidentifyConfig.ImageConfig.TextRedactionMode (enum)
- DeidentifyConfig.TextConfig (message)
- DeidentifyDicomStoreRequest (message)
- DeidentifyDicomStoreSummary (message)
- DeidentifyFhirStoreRequest (message)
- DeidentifyFhirStoreRequest.FhirFilter (message)
- DeidentifyFhirStoreRequest.FhirFilter.Resources (message)
- DeidentifyFhirStoreSummary (message)
- DeidentifySummary (message)
- InfoTypeTransformation (message)
- KmsWrappedCryptoKey (message)
- RedactConfig (message)
- ReplaceWithInfoTypeConfig (message)
DeidentifyService
A service for de-identifying healthcare data.
rpc DeidentifyDicomStore(DeidentifyDicomStoreRequest) returns (Operation)
De-identifies data from the source store and writes it to the destination store. The metadata field type is OperationMetadata. If the request is successful, the response field type is DeidentifyDicomStoreSummary. If errors occur, error is set. The LRO result may still be successful if de-identification fails for some DICOM instances. The output DICOM store will not contain these failed resources. Failed resource totals are tracked in Operation.metadata. Error details are also logged to Cloud Logging (see Viewing error logs in Cloud Logging).
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/cloud-healthcare
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
rpc DeidentifyFhirStore(DeidentifyFhirStoreRequest) returns (Operation)
De-identifies data from the source store and writes it to the destination store. The metadata field type is OperationMetadata. If the request is successful, the response field type is DeidentifyFhirStoreSummary. If errors occur, error is set. Error details are also logged to Cloud Logging (see Viewing error logs in Cloud Logging).
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/cloud-healthcare
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
CharacterMaskConfig
Mask a string by replacing its characters with a fixed character.
Fields | |
---|---|
masking_character | Character to mask the sensitive values. If not supplied, defaults to "*". |
CryptoHashConfig
Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. Outputs a base64-encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
Fields | |
---|---|
crypto_key | An AES 128/192/256 bit key. Causes the hash to be computed based on this key. A default key is generated for each Deidentify operation and is used when neither |
kms_wrapped | KMS wrapped key. Must not be set if |
DateShiftConfig
Shift a date forward or backward in time by a random amount which is consistent for a given patient and crypto key combination.
Fields | |
---|---|
crypto_key | An AES 128/192/256 bit key. The date shift is computed based on this key and the patient ID. If the patient ID is empty for a DICOM resource, the date shift is computed based on this key and the study instance UID. If |
kms_wrapped | KMS wrapped key. If |
DeidentifyConfig
Configures de-id options specific to different types of content. Each submessage customizes the handling of an https://tools.ietf.org/html/rfc6838 media type or subtype. Configs are applied in a nested manner at runtime.
Fields | |
---|---|
dicom | Configures de-id of application/DICOM content. |
fhir | Configures de-id of application/FHIR content. |
image | Configures de-identification of image pixels wherever they are found in the source_dataset. |
text | Configures de-identification of text wherever it is found in the source_dataset. |
use_regional_data_processing | Ensures in-flight data remains in the region of origin during de-identification. Using this option results in a significant reduction of throughput, and is not compatible with |
DicomConfig
Specifies the parameters needed for de-identification of DICOM stores.
skip_id_redaction
bool
If true, skip replacing StudyInstanceUID, SeriesInstanceUID, SOPInstanceUID, and MediaStorageSOPInstanceUID and leave them untouched. The Cloud Healthcare API regenerates these UIDs by default based on the DICOM Standard's reasoning: "Whilst these UIDs cannot be mapped directly to an individual out of context, given access to the original images, or to a database of the original images containing the UIDs, it would be possible to recover the individual's identity." http://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9.html
tag_filter. Determines tag filtering method (meaning which tags to keep/remove). tag_filter can be only one of the following:
keep_list
List of tags to keep. Remove all other tags.
remove_list
List of tags to remove. Keep all other tags.
filter_profile
Tag filtering profile that determines which tags to keep/remove.
TagFilterList
List of tags to be filtered.
Fields | |
---|---|
tags[] | Tags to be filtered. Tags must be DICOM Data Elements, File Meta Elements, or Directory Structuring Elements, as defined at: http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1. They may be provided by "Keyword" or "Tag". For example "PatientID", "00100010". |
TagFilterProfile
Profile that determines which tags to keep/remove.
Enums | |
---|---|
TAG_FILTER_PROFILE_UNSPECIFIED | No tag filtration profile provided. Same as KEEP_ALL_PROFILE. |
MINIMAL_KEEP_LIST_PROFILE | Keep only tags required to produce valid DICOM. |
ATTRIBUTE_CONFIDENTIALITY_BASIC_PROFILE | Remove tags based on DICOM Standard's Attribute Confidentiality Basic Profile (DICOM Standard Edition 2018e) http://dicom.nema.org/medical/dicom/2018e/output/chtml/part15/chapter_E.html. |
KEEP_ALL_PROFILE | Keep all tags. |
DEIDENTIFY_TAG_CONTENTS | Inspects within tag contents and replaces sensitive text. The process can be configured using the TextConfig. Applies to all tags with the following Value Representation names: AE, LO, LT, PN, SH, ST, UC, UT, DA, DT, AS |
FhirConfig
Specifies how to handle de-identification of a FHIR store.
Fields | |
---|---|
field_metadata_list[] | Specifies FHIR paths to match and how to transform them. Any field that is not matched by a FieldMetadata is passed through to the output dataset unmodified. All extensions will be processed according to |
default_keep_extensions | The behaviour for handling FHIR extensions that aren't otherwise specified for de-identification. If true, all extensions are preserved during de-identification by default. If false or unspecified, all extensions are removed during de-identification by default. |
FieldMetadata
Specifies FHIR paths to match, and how to handle de-identification of matching fields.
Fields | |
---|---|
paths[] | List of paths to FHIR fields to be redacted. Each path is a period-separated list where each component is either a field name or FHIR type name, for example: Patient, HumanName. For "choice" types (those defined in the FHIR spec with the form: field[x]) we use two separate components. For example, "deceasedAge.unit" is matched by "Deceased.Age.unit". Supported types are: AdministrativeGenderCode, Base64Binary, Boolean, Code, Date, DateTime, Decimal, HumanName, Id, Instant, Integer, LanguageCode, Markdown, Oid, PositiveInt, String, UnsignedInt, Uri, Uuid, Xhtml. |
action | Deidentify action for one field. |
Action
Whether or not to redact this field, or whether to inspect it for PHI.
Enums | |
---|---|
ACTION_UNSPECIFIED | No action specified. |
TRANSFORM | Transform the entire field. |
INSPECT_AND_TRANSFORM | Inspect and transform any found PHI. |
DO_NOT_TRANSFORM | Do not transform. |
ImageConfig
Specifies how to handle de-identification of image pixels.
Fields | |
---|---|
text_redaction_mode | Determines how to redact text from image. |
TextRedactionMode
How to redact text found in images (if at all).
Enums | |
---|---|
TEXT_REDACTION_MODE_UNSPECIFIED | No text redaction specified. Same as REDACT_NO_TEXT. |
REDACT_ALL_TEXT | Redact all text. |
REDACT_SENSITIVE_TEXT | Redact sensitive text. Uses the set of Default DICOM InfoTypes. |
REDACT_NO_TEXT | Do not redact text. |
TextConfig
Fields | |
---|---|
transformations[] | The transformations to apply to the detected data. Deprecated. Use |
additional_transformations[] | Transformations to apply to the detected data, overridden by |
exclude_info_types[] | InfoTypes to skip transforming, overriding |
DeidentifyDicomStoreRequest
Creates a new DICOM store with sensitive information de-identified.
source_store
string
Required. Source DICOM store resource name. For example, projects/{project_id}/locations/{location_id}/datasets/{dataset_id}/dicomStores/{dicom_store_id}.
destination_store
string
Required. The name of the DICOM store to create and write the redacted data to. For example, projects/{project_id}/locations/{location_id}/datasets/{dataset_id}/dicomStores/{dicom_store_id}.
- The destination dataset must exist.
- The source dataset and destination dataset must both reside in the same location. De-identifying data across multiple locations is not supported.
- The destination DICOM store must not exist.
- The caller must have the necessary permissions to create the destination DICOM store.
config
Deidentify configuration. Only one of config and gcs_config_uri can be specified.
gcs_config_uri
string
Cloud Storage location to read the JSON cloud.healthcare.deidentify.DeidentifyConfig from, overriding the default config. Must be of the form gs://{bucket_id}/path/to/object. The Cloud Storage location must grant the Cloud IAM role roles/storage.objectViewer to the project's Cloud Healthcare Service Agent service account. Only one of config and gcs_config_uri can be specified.
filter_config
Filter configuration.
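A pre-flight check for the request constraints and pass-through settings documented above, as an added example that is not part of the API reference or any Google client code. It assumes the request is held as a plain Python dict keyed by this page's snake_case field names with crypto_key as raw bytes; `lint_request` and the sample values are hypothetical.

```python
import re

# Field and enum names are the ones on this page; the plain-dict layout and
# the lint_request() helper are assumptions made for this example.
STORE = re.compile(r"^projects/[^/]+/locations/([^/]+)/datasets/[^/]+/dicomStores/[^/]+$")
GCS = re.compile(r"^gs://[^/]+/.+$")
KEEP_ALL = {"TAG_FILTER_PROFILE_UNSPECIFIED", "KEEP_ALL_PROFILE"}
NO_REDACT = {"TEXT_REDACTION_MODE_UNSPECIFIED", "REDACT_NO_TEXT"}


def lint_request(req):
    """Return (errors, warnings) for a DeidentifyDicomStoreRequest given as a dict."""
    errors, warnings = [], []
    src = STORE.match(req.get("source_store", ""))
    dst = STORE.match(req.get("destination_store", ""))
    if not (src and dst):
        errors.append("store names must be full dicomStores resource names")
    elif src.group(1) != dst.group(1):
        errors.append("source and destination must reside in the same location")
    if "config" in req and "gcs_config_uri" in req:
        errors.append("only one of config and gcs_config_uri can be specified")
    if "gcs_config_uri" in req and not GCS.match(req["gcs_config_uri"]):
        errors.append("gcs_config_uri must have the form gs://{bucket_id}/path/to/object")
    cfg = req.get("config", {})
    dicom, text = cfg.get("dicom", {}), cfg.get("text", {})
    chosen = [k for k in ("keep_list", "remove_list", "filter_profile") if k in dicom]
    if len(chosen) > 1:
        errors.append("tag_filter can be only one of: " + ", ".join(chosen))
    if dicom.get("filter_profile") in KEEP_ALL:
        warnings.append("filter_profile keeps all tags")
    if dicom.get("skip_id_redaction"):
        warnings.append("skip_id_redaction leaves the instance UIDs untouched")
    if cfg.get("image", {}).get("text_redaction_mode") in NO_REDACT:
        warnings.append("text_redaction_mode redacts no text in image pixels")
    for t in text.get("transformations", []) + text.get("additional_transformations", []):
        for name in ("crypto_hash_config", "date_shift_config"):
            key = t.get(name, {}).get("crypto_key")
            if key is not None and len(key) not in (16, 24, 32):
                errors.append(f"{name}.crypto_key is {len(key) * 8} bits, not 128/192/256")
    return errors, warnings


SAMPLE = {  # constructed request; project, dataset and store names are placeholders
    "source_store": "projects/p/locations/us-central1/datasets/d/dicomStores/raw",
    "destination_store": "projects/p/locations/europe-west2/datasets/d/dicomStores/deid",
    "config": {"dicom": {"filter_profile": "KEEP_ALL_PROFILE", "skip_id_redaction": True},
               "image": {"text_redaction_mode": "REDACT_NO_TEXT"},
               "text": {"transformations": [{"crypto_hash_config": {"crypto_key": b"k" * 20}}]}},
}
```

Calling `lint_request(SAMPLE)` returns the hard errors (cross-location stores, a 160-bit key) separately from the warnings about settings that the enum tables above describe as keeping tags, UIDs or burned-in text unchanged.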
DeidentifyDicomStoreSummary
This type has no fields.
Contains a summary of the DeidentifyDicomStore operation.
DeidentifyFhirStoreRequest
Creates a new FHIR store with sensitive information de-identified.
source_store
string
Required. Source FHIR store resource name. For example, projects/{project_id}/locations/{location_id}/datasets/{dataset_id}/fhirStores/{fhir_store_id}.
destination_store
string
Required. The name of the FHIR store to create and write the redacted data to. For example, projects/{project_id}/locations/{location_id}/datasets/{dataset_id}/fhirStores/{fhir_store_id}.
- The destination dataset must exist.
- The source dataset and destination dataset must both reside in the same location. De-identifying data across multiple locations is not supported.
- The destination FHIR store must exist.
- The caller must have the healthcare.fhirResources.update permission to write to the destination FHIR store.
config
Deidentify configuration. Only one of config and gcs_config_uri can be specified.
gcs_config_uri
string
Cloud Storage location to read the JSON cloud.healthcare.deidentify.DeidentifyConfig from, overriding the default config. Must be of the form gs://{bucket_id}/path/to/object. The Cloud Storage location must grant the Cloud IAM role roles/storage.objectViewer to the project's Cloud Healthcare Service Agent service account. Only one of config and gcs_config_uri can be specified.
resource_filter
A filter specifying the resources to include in the output. If not specified, all resources are included in the output.
skip_modified_resources
bool
If true, skips resources that are created or modified after the de-identify operation is created.
FhirFilter
Filter configuration.
Union field filter. filter can be only one of the following:
resources
List of resources to include in the output. If this list is empty or not specified, all resources are included in the output.
Resources
A list of FHIR resources.
Fields | |
---|---|
resources[] | List of resources IDs. For example, "Patient/1234". |
DeidentifyFhirStoreSummary
This type has no fields.
Contains a summary of the DeidentifyFhirStore operation.
DeidentifySummary
This type has no fields.
Contains a summary of the Deidentify operation.
InfoTypeTransformation
A transformation to apply to text that is identified as a specific info_type.
info_types[]
string
InfoTypes to apply this transformation to. If this is not specified, the transformation applies to any info_type.
Union field config. config can be only one of the following:
redact_config
Config for text redaction.
character_mask_config
Config for character mask.
date_shift_config
Config for date shift.
crypto_hash_config
Config for crypto hash.
replace_with_info_type_config
Config for replace with InfoType.
KmsWrappedCryptoKey
Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. The key must grant the Cloud IAM permission cloudkms.cryptoKeyVersions.useToDecrypt to the project's Cloud Healthcare Service Agent service account.
For more information, see Creating a wrapped key.
Fields | |
---|---|
wrapped_key | Required. The wrapped data crypto key. |
crypto_key | Required. The resource name of the KMS CryptoKey to use for unwrapping. For example, |
RedactConfig
This type has no fields.
Define how to redact sensitive values. Default behaviour is erase. For example, "My name is Jane." becomes "My name is ."
ReplaceWithInfoTypeConfig
This type has no fields.
When using the INSPECT_AND_TRANSFORM action, each match is replaced with the name of the info_type. For example, "My name is Jane" becomes "My name is [PERSON_NAME]." The TRANSFORM action is equivalent to redacting.