⚠️ Scan submission is a planned future feature

The scan submission feature is not yet available. This policy establishes the legal framework that will govern it when it launches. The de-identification requirements described here will be strictly enforced from day one.

1. Our Position Under HIPAA

SlabED operates as an educational platform, not a covered entity under HIPAA (we do not provide healthcare services or process insurance claims). However, because our platform handles OCT images that could contain patient data, we voluntarily enforce HIPAA Safe Harbor de-identification standards as a non-negotiable condition of use.

This protects your patients. Retinal OCT imaging contains data that may be uniquely identifying — fundus morphology can function similarly to a biometric identifier. Never submit an identifiable scan.

2. What Is HIPAA Safe Harbor De-Identification?

Under HIPAA's Safe Harbor method (45 CFR § 164.514(b)), an image or dataset is considered de-identified when all 18 categories of identifiers have been removed. For OCT submissions, this means:

  • No patient name, initials, or date of birth embedded in the image or DICOM metadata
  • No dates of service, exam dates, or ages over 89
  • No medical record numbers, device serial numbers, or accession numbers
  • No geographic data smaller than state level
  • No phone numbers, email addresses, or account numbers
  • No device identifiers, URLs, or IP addresses
  • No photographs or full-face images (not applicable to OCT, but noted for completeness)
  • No other unique identifiers that could allow re-identification

3. Your Responsibilities as a Submitter

Before submitting any OCT image or case to SlabED, you are required to:

  • Strip all DICOM metadata: Export images as anonymized JPEG/PNG files, or use your device's de-identification export tool to remove all embedded patient data.
  • Verify the image visually: Confirm no patient information appears as overlaid text (name, DOB, MRN) in any corner or margin of the image.
  • Assign a case code: Replace any patient reference with a non-identifiable code (e.g., "Case-2026-001").
  • Confirm you have authorization: Ensure submission complies with your institution's data sharing policies and, where applicable, patient consent for educational use.

By submitting an image, you certify under penalty of account termination that the image contains no PHI.

4. SlabED's Verification Process

Upon submission, SlabED will apply the following checks:

  • Automated metadata scan: We check EXIF and DICOM metadata for common PHI fields and flag files that contain identifiable data.
  • OCR text detection: We run optical character recognition to detect any overlaid text in the image that could contain patient information.
  • Manual review: Images flagged by automated checks are reviewed by a team member before being made available on the platform.

These checks are a safety net, not a substitute for your responsibility to de-identify before submitting.
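To show the kind of automated metadata check section 4 describes, and the "strip all metadata" step a submitter performs in section 3, here is an added example (not SlabED's own code) that scans a PNG export for text chunks whose keyword names a common PHI field and rebuilds the file without any text chunks. The sample image and the PHI keyword list are constructed for this example; the stdlib only, no PNG library, is used.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Keywords that commonly carry PHI when an export writes them into PNG text
# chunks. Constructed list for this example; match it to your export tool.
PHI_KEYS = {"patientname", "patientid", "patientbirthdate", "accessionnumber",
            "deviceserialnumber", "studydate", "institutionname"}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def _chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png):
    """Yield (type, data) for every chunk after the 8-byte signature."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC

def flag_phi(png):
    """Return [(chunk type, keyword)] for text chunks keyed by a PHI field."""
    flagged = []
    for ctype, data in iter_chunks(png):
        if ctype in TEXT_CHUNKS:
            key = data.split(b"\x00", 1)[0].decode("latin-1", "replace")
            if key.lower().replace(" ", "") in PHI_KEYS:
                flagged.append((ctype.decode(), key))
    return flagged

def strip_text_chunks(png):
    """Rebuild the PNG with every text chunk dropped; pixel data is untouched."""
    return PNG_SIG + b"".join(_chunk(c, d) for c, d in iter_chunks(png)
                              if c not in TEXT_CHUNKS)

def build_sample_png():
    """Constructed 1x1 grayscale PNG carrying a PHI tEXt chunk (example only)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one gray pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"PatientName\x00DOE^JANE")
            + _chunk(b"tEXt", b"Software\x00OCT export tool")
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
```

Stripping removes harmless keywords such as Software as well, which is the conservative choice for an image that leaves your institution; the visual check for burned-in text in section 3 still applies because OCR, not chunk parsing, is what catches it.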

5. If PHI Is Detected

If we detect or reasonably suspect that a submitted image contains PHI:

  1. Immediate removal: The image is quarantined and removed from any accessible area of the platform within 1 hour of detection.
  2. Account warning: The submitting user is notified by email with details of what was detected and why it was flagged.
  3. Permanent deletion: The file is permanently deleted from our systems within 24 hours of confirmed PHI detection.
  4. Account suspension: Repeated or egregious PHI submissions will result in permanent account termination.
  5. No breach notification triggered: Because SlabED is not a covered entity and we delete detected PHI without access or disclosure, this generally does not constitute a HIPAA breach on our part. However, you remain responsible for any breach on your end.

6. No BAA Required (But Here's Why)

A Business Associate Agreement (BAA) is required when a covered entity shares PHI with a business associate. Because SlabED:

  • Does not provide healthcare services or process insurance claims
  • Does not accept PHI (only de-identified images are permitted)
  • Is not acting as a business associate in the HIPAA legal sense

...a BAA is not applicable. If your institution nonetheless requires one as a condition of faculty or resident participation, contact us at legal@slabed.health to discuss.

7. De-Identification Quick Reference

Before submitting, run through this checklist:

  • Exported as JPEG/PNG (not DICOM)
  • All EXIF/metadata stripped
  • No patient name visible in image
  • No date of birth or exam date visible
  • No MRN, accession number, or device serial number
  • No institution name or location data
  • Assigned anonymous case code
  • Confirmed with your institution's data policy

8. Contact for HIPAA Concerns

If you have questions about our data handling practices, need to report a suspected PHI submission, or believe patient data was exposed, contact us immediately at privacy@slabed.health. We respond to urgent privacy concerns within 24 hours.
