De-identifies data from the source store and writes it to the destination store. The metadata field type is OperationMetadata. If the request is successful, the response field type is DeidentifyDicomStoreSummary. The LRO result may still be successful if de-identification fails for some DICOM instances. The output DICOM store will not contain these failed resources. The number of resources processed is tracked in Operation.metadata. Error details are logged to Cloud Logging. For more information, see Viewing error logs in Cloud Logging.

Scopes

You will need authorization for at least one of the following scopes to make a valid call:

  • https://www.googleapis.com/auth/cloud-healthcare
  • https://www.googleapis.com/auth/cloud-platform

If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-healthcare. You can set the scope for this method like this: healthcare1-beta1 --scope <scope> projects locations-datasets-dicom-stores-deidentify ...

Required Scalar Argument

  • <source-store> (string)
    • Required. Source DICOM store resource name. For example, projects/{project_id}/locations/{location_id}/datasets/{dataset_id}/dicomStores/{dicom_store_id}.

Required Request Value

The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.

For example, a structure like this:

DeidentifyDicomStoreRequest:
  config:
    annotation:
      annotation-store-name: string
      store-quote: boolean
    dicom:
      filter-profile: string
      keep-list:
        tags: [string]
      remove-list:
        tags: [string]
      skip-id-redaction: boolean
    dicom-tag-config:
      options:
        clean-image:
          additional-info-types: [string]
          exclude-info-types: [string]
          text-redaction-mode: string
        primary-ids: string
      profile-type: string
    fhir:
      default-keep-extensions: boolean
    fhir-field-config:
      options:
        character-mask-config:
          masking-character: string
        crypto-hash-config:
          crypto-key: string
          kms-wrapped:
            crypto-key: string
            wrapped-key: string
        date-shift-config:
          crypto-key: string
          kms-wrapped:
            crypto-key: string
            wrapped-key: string
      profile-type: string
    image:
      additional-info-types: [string]
      exclude-info-types: [string]
      text-redaction-mode: string
    operation-metadata:
      fhir-output:
        fhir-store: string
    text:
      exclude-info-types: [string]
      profile-type: string
    use-regional-data-processing: boolean
  destination-store: string
  filter-config:
    resource-paths-gcs-uri: string
  gcs-config-uri: string

can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.

  • -r .config.annotation annotation-store-name=sea
    • The name of the annotation store, in the form projects/{project_id}/locations/{location_id}/datasets/{dataset_id}/annotationStores/{annotation_store_id}. The destination annotation store must be in the same project as the source data. De-identifying data across multiple projects is not supported. The destination annotation store must exist when using DeidentifyDicomStore or DeidentifyFhirStore. DeidentifyDataset automatically creates the destination annotation store.
  • store-quote=true

    • If set to true, the sensitive texts are included in SensitiveTextAnnotation of Annotation.
  • ..dicom filter-profile=et

    • Tag filtering profile that determines which tags to keep/remove.
  • keep-list tags=gubergren

    • Tags to be filtered. Tags must be DICOM Data Elements, File Meta Elements, or Directory Structuring Elements, as defined at: http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1. They may be provided by "Keyword" or "Tag". For example, "PatientID", "00100010".
    • Each invocation of this argument appends the given value to the array.
  • ..remove-list tags=justo

    • Tags to be filtered. Tags must be DICOM Data Elements, File Meta Elements, or Directory Structuring Elements, as defined at: http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1. They may be provided by "Keyword" or "Tag". For example, "PatientID", "00100010".
    • Each invocation of this argument appends the given value to the array.
  • .. skip-id-redaction=true

    • If true, skip replacing StudyInstanceUID, SeriesInstanceUID, SOPInstanceUID, and MediaStorageSOPInstanceUID and leave them untouched. The Cloud Healthcare API regenerates these UIDs by default based on the DICOM Standard's reasoning: "Whilst these UIDs cannot be mapped directly to an individual out of context, given access to the original images, or to a database of the original images containing the UIDs, it would be possible to recover the individual's identity." http://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9.html
  • ..dicom-tag-config.options.clean-image additional-info-types=consetetur

    • Additional InfoTypes to redact in the images in addition to those used by text_redaction_mode. Can only be used when text_redaction_mode is set to REDACT_SENSITIVE_TEXT, REDACT_SENSITIVE_TEXT_CLEAN_DESCRIPTORS or TEXT_REDACTION_MODE_UNSPECIFIED.
    • Each invocation of this argument appends the given value to the array.
  • exclude-info-types=sit
    • InfoTypes to skip redacting, overriding those used by text_redaction_mode. Can only be used when text_redaction_mode is set to REDACT_SENSITIVE_TEXT or REDACT_SENSITIVE_TEXT_CLEAN_DESCRIPTORS.
    • Each invocation of this argument appends the given value to the array.
  • text-redaction-mode=aliquyam

    • Determines how to redact text from image.
  • .. primary-ids=eos

  • .. profile-type=at

    • Base profile type for handling DICOM tags.
  • ..fhir default-keep-extensions=true

    • The behaviour for handling FHIR extensions that aren't otherwise specified for de-identification. If true, all extensions are preserved during de-identification by default. If false or unspecified, all extensions are removed during de-identification by default.
  • ..fhir-field-config.options.character-mask-config masking-character=gubergren

    • Character to mask the sensitive values. If not supplied, defaults to "*".
  • ..crypto-hash-config crypto-key=dolor

    • An AES 128/192/256 bit key. Causes the hash to be computed based on this key. A default key is generated for each Deidentify operation and is used when neither crypto_key nor kms_wrapped is specified. Must not be set if kms_wrapped is set.
  • kms-wrapped crypto-key=aliquyam
    • Required. The resource name of the KMS CryptoKey to use for unwrapping. For example, projects/{project_id}/locations/{location_id}/keyRings/{keyring}/cryptoKeys/{key}.
  • wrapped-key=no

    • Required. The wrapped data crypto key.
  • ...date-shift-config crypto-key=amet.

    • An AES 128/192/256 bit key. The date shift is computed based on this key and the patient ID. If the patient ID is empty for a DICOM resource, the date shift is computed based on this key and the study instance UID. If crypto_key is not set, then kms_wrapped is used to calculate the date shift. If neither is set, a default key is generated for each de-identify operation. Must not be set if kms_wrapped is set.
  • kms-wrapped crypto-key=ipsum
    • Required. The resource name of the KMS CryptoKey to use for unwrapping. For example, projects/{project_id}/locations/{location_id}/keyRings/{keyring}/cryptoKeys/{key}.
  • wrapped-key=lorem

    • Required. The wrapped data crypto key.
  • .... profile-type=accusam

    • Base profile type for handling FHIR fields.
  • ..image additional-info-types=gubergren

    • Additional InfoTypes to redact in the images in addition to those used by text_redaction_mode. Can only be used when text_redaction_mode is set to REDACT_SENSITIVE_TEXT, REDACT_SENSITIVE_TEXT_CLEAN_DESCRIPTORS or TEXT_REDACTION_MODE_UNSPECIFIED.
    • Each invocation of this argument appends the given value to the array.
  • exclude-info-types=sadipscing
    • InfoTypes to skip redacting, overriding those used by text_redaction_mode. Can only be used when text_redaction_mode is set to REDACT_SENSITIVE_TEXT or REDACT_SENSITIVE_TEXT_CLEAN_DESCRIPTORS.
    • Each invocation of this argument appends the given value to the array.
  • text-redaction-mode=at

    • Determines how to redact text from image.
  • ..operation-metadata.fhir-output fhir-store=sit

    • Name of the output FHIR store, which must already exist. You must grant the healthcare.fhirResources.update permission on the destination store to your project's Cloud Healthcare Service Agent service account. The destination store must set enableUpdateCreate to true. The destination store must use FHIR version R4. Writing these resources will consume FHIR operations quota from the project containing the source data. De-identify operation metadata is only generated for DICOM de-identification operations.
  • ...text exclude-info-types=duo

    • InfoTypes to skip transforming, overriding profile.
    • Each invocation of this argument appends the given value to the array.
  • profile-type=sit

    • Base profile type for text transformation.
  • .. use-regional-data-processing=false

    • Ensures in-flight data remains in the region of origin during de-identification. Using this option results in a significant reduction of throughput, and is not compatible with LOCATION or ORGANIZATION_NAME infoTypes. If the deprecated DicomConfig or FhirConfig are used, then LOCATION must be excluded within TextConfig, and must also be excluded within ImageConfig if image redaction is required.
  • .. destination-store=et

    • Required. The name of the DICOM store to create and write the redacted data to. For example, projects/{project_id}/locations/{location_id}/datasets/{dataset_id}/dicomStores/{dicom_store_id}. The destination dataset must exist. The source dataset and destination dataset must both reside in the same location. De-identifying data across multiple locations is not supported. The destination DICOM store must not exist. The caller must have the necessary permissions to create the destination DICOM store.
  • filter-config resource-paths-gcs-uri=rebum.

    • The Cloud Storage location of the filter configuration file. The gcs_uri must be in the format gs://bucket/path/to/object. The filter configuration file must contain a list of resource paths separated by newline characters (\n or \r\n). Each resource path must be in the format "/studies/{studyUID}[/series/{seriesUID}[/instances/{instanceUID}]]". The Cloud Healthcare API service account must have the roles/storage.objectViewer Cloud IAM role for this Cloud Storage location.
  • .. gcs-config-uri=dolor

    • Cloud Storage location to read the JSON cloud.healthcare.deidentify.DeidentifyConfig from, overriding the default config. Must be of the form gs://{bucket_id}/path/to/object. The Cloud Storage location must grant the Cloud IAM role roles/storage.objectViewer to the project's Cloud Healthcare Service Agent service account. Only one of config and gcs_config_uri can be specified.
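
Several of the field descriptions above state constraints that can be checked before the call is sent. The following pre-flight check is an added example, not part of the CLI or its documentation; the function name preflight, the dict layout (the CLI's hyphenated field names as keys) and all sample values in its usage are assumptions.

```python
import re

# Store name form and filter-file path form as documented above.
STORE = re.compile(r"^projects/[^/]+/locations/([^/]+)/datasets/[^/]+/dicomStores/[^/]+$")
RESOURCE_PATH = re.compile(r"^/studies/[^/]+(/series/[^/]+(/instances/[^/]+)?)?$")
SENSITIVE_MODES = {"REDACT_SENSITIVE_TEXT", "REDACT_SENSITIVE_TEXT_CLEAN_DESCRIPTORS"}


def preflight(source_store, request, filter_file_text=""):
    """Return the documented rules a request breaks (empty list: none found)."""
    problems = []
    src = STORE.match(source_store)
    dst = STORE.match(request.get("destination-store", ""))
    if not (src and dst):
        problems.append("store name does not match the documented form")
    elif src.group(1) != dst.group(1):
        # Source and destination datasets must reside in the same location.
        problems.append("source and destination are in different locations")
    if "config" in request and "gcs-config-uri" in request:
        problems.append("config and gcs-config-uri are both set")
    config = request.get("config", {})
    options = config.get("fhir-field-config", {}).get("options", {})
    for name in ("crypto-hash-config", "date-shift-config"):
        block = options.get(name, {})
        # A raw crypto-key must not be set if kms-wrapped is set.
        if "crypto-key" in block and "kms-wrapped" in block:
            problems.append(f"{name}: crypto-key set together with kms-wrapped")
    image = config.get("image", {})
    if image.get("exclude-info-types") and image.get("text-redaction-mode") not in SENSITIVE_MODES:
        problems.append("image: exclude-info-types needs a REDACT_SENSITIVE_TEXT* mode")
    # One resource path per line, separated by \n or \r\n.
    for number, line in enumerate(filter_file_text.splitlines(), 1):
        if not RESOURCE_PATH.match(line):
            problems.append(f"filter file line {number}: not a valid resource path")
    return problems
```

An empty result only means none of these documented rules is violated; the service still enforces its own validation and IAM checks.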

About Cursors

The cursor position is key to comfortably set complex nested structures. The following rules apply:

  • The cursor position is always set relative to the current one, unless the field name starts with the . character. Fields can be nested such as in -r f.s.o.
  • The cursor position is set relative to the top-level structure if it starts with ., e.g. -r .s.s
  • You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify -r struct.sub_struct=bar.
  • You can move the cursor one level up by using a leading .. (two dots). Each additional . moves it up one additional level. E.g. .... would go three levels up.
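
The cursor rules can be checked by replaying a token sequence and inspecting where each value lands, which shows whether a key ended up under the intended structure. This resolver is an added example written from the rules above, not the CLI's own code; the names move and resolve, the array_fields parameter and the shortened token list (adapted from the page's example, placeholder values kept) are assumptions, and values are kept as strings.

```python
def move(cursor, path):
    """Resolve a cursor expression against the current cursor (a list of names)."""
    dots = len(path) - len(path.lstrip("."))
    names = [n for n in path.lstrip(".").split(".") if n]
    if dots == 0:                      # relative to the current position
        base = cursor
    elif dots == 1:                    # a leading "." restarts at the top level
        base = []
    else:                              # ".." is one level up, each extra "." one more
        if dots - 1 > len(cursor):
            raise ValueError(f"{path!r} moves above the top-level structure")
        base = cursor[:len(cursor) - (dots - 1)]
    return list(base) + names


def resolve(tokens, array_fields=frozenset()):
    """Apply -r tokens in order and return the nested request as a dict."""
    root, cursor = {}, []
    for token in tokens:
        if "=" not in token:           # bare token: move the cursor
            cursor = move(cursor, token)
            continue
        key, value = token.split("=", 1)
        *parents, leaf = move(cursor, key)   # nested key, cursor stays put
        node = root
        for name in parents:
            node = node.setdefault(name, {})
        if leaf in array_fields:       # each invocation appends to the array
            node.setdefault(leaf, []).append(value)
        else:
            node[leaf] = value
    return root


# Token sequence adapted from the page's example (constructed subset).
TOKENS = [
    ".config.dicom", "filter-profile=et", "keep-list", "tags=gubergren",
    "..remove-list", "tags=justo", "..", "skip-id-redaction=true",
    "..fhir-field-config.options.crypto-hash-config",
    "kms-wrapped", "crypto-key=aliquyam", "wrapped-key=no",
    "...date-shift-config", "kms-wrapped", "crypto-key=ipsum", "wrapped-key=lorem",
    "....", "profile-type=accusam", "...", "destination-store=et",
]
REQUEST = resolve(TOKENS, array_fields={"tags"})
```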

Optional Output Flags

The method's return value is a JSON-encoded structure, which will be written to standard output by default.

  • -o out
    • out specifies the destination to which the server's result is written. It will be a JSON-encoded structure. The destination may be - to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.

Optional General Properties

The following properties can configure any call, and are not specific to this method.

  • -p $-xgafv=string

    • V1 error format.
  • -p access-token=string

    • OAuth access token.
  • -p alt=string

    • Data format for response.
  • -p callback=string

    • JSONP
  • -p fields=string

    • Selector specifying which fields to include in a partial response.
  • -p key=string

    • API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • -p oauth-token=string

    • OAuth 2.0 token for the current user.
  • -p pretty-print=boolean

    • Returns response with indentations and line breaks.
  • -p quota-user=string

    • Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • -p upload-type=string

    • Legacy upload protocol for media (e.g. "media", "multipart").
  • -p upload-protocol=string

    • Upload protocol for media (e.g. "raw", "multipart").