v0.7.0 · MIT · open source · DOI 10.5281/zenodo.20267651

DICOM anonymization with an audit trail your DPO can verify.

PS3.15 Basic Profile + UID coherence + a verbatim-cited GDPR/HIPAA compliance manifest. MIT-licensed Python CLI, runs offline, no telemetry, single dependency.

Compliance manifest

Every PS3.15 action (X / Z / U / D) that runs on your study is mapped to the literal text of the regulation that authorizes it — GDPR Art. 4(5), HIPAA Safe Harbor §164.514(b)(2), EU AI Act Art. 10. Re-verified against EUR-Lex / eCFR / gdpr-info.eu on 2026-05-13. SHA-256 chain over the audit log + manifest so an auditor can verify integrity from the JSON alone.
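How a SHA-256 chain lets an auditor check integrity from the JSON alone, shown as an added example that is not dcm-anon's own code. The entry layout (body, prev_hash, entry_hash), the all-zero seed and the sample records are assumptions made for illustration, not the tool's actual log schema.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain seed (hypothetical)

# Constructed sample records: PS3.15 action codes per tag, then a manifest entry.
SAMPLE = [
    {"tag": "(0010,0010)", "action": "Z"},
    {"tag": "(0010,1040)", "action": "X"},
    {"tag": "(0020,000D)", "action": "U"},
    {"manifest": ["GDPR Art. 4(5)", "HIPAA §164.514(b)(2)"]},
]


def entry_hash(prev_hash, body):
    """SHA-256 over the previous hash plus a canonical JSON encoding of body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def build_chain(bodies):
    """Link each record to its predecessor; returns the list of chained entries."""
    chain, prev = [], GENESIS
    for body in bodies:
        digest = entry_hash(prev, body)
        chain.append({"body": body, "prev_hash": prev, "entry_hash": digest})
        prev = digest
    return chain


def verify_chain(chain, expected_head=None):
    """Return (ok, index of first bad entry or None).

    expected_head is the final hash recorded somewhere the log writer cannot
    rewrite; without it, dropping entries from the tail goes unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry_hash(prev, entry["body"]) != entry["entry_hash"]:
            return False, i
        prev = entry["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    log = build_chain(SAMPLE)
    print(verify_chain(log, expected_head=log[-1]["entry_hash"]))
```

A chain of this kind detects edits and reordering inside the file; it proves nothing against someone who rewrites the whole log and recomputes every hash unless the head hash is kept or signed separately.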

v0.7.0

Deterministic per-patient date shifting for longitudinal cohorts (--date-shift, PS3.15 Retain Modified Dates), a genuinely fail-closed multilingual face gate, and a tightened independent verifier. Changelog.

Install

pip install dcm-anonymizer
# CLI command is dcm-anon; PyPI dist is dcm-anonymizer
# because dcm-anon is similar-name-blocked by PyPI.

GDPR Art. 35 requires a DPIA for any large-scale processing of special-category health data. EDPB pseudonymisation guidelines and HHS OCR de-identification guidance both push de-id to the source site. Without a machine-verifiable mapping between technical action and regulatory clause, "we anonymized correctly" is hand-waving. dcm-anon emits that mapping.

Reserve early access (hosted batch)

The OSS CLI is and will stay free, and it is the complete, working product today — install it and use it. A hosted service (dcm-anon-vault, self-hostable now via Docker/Fly.io) is in preparation as a managed tier for teams that want hosted deployment, multi-user API keys, DICOM SR content scanning, and retained SHA-256 audit logs. It is not purchasable yet and there is nothing to pay for — paid pricing will be published only when the managed tier and its DPA actually ship. This page is for gauging interest and shaping that roadmap, not for taking your money.

Drop me a line with a one-paragraph context: what you're trying to anonymize, what regulatory regime you're under, and what the gap is today. I read every one and reply within a week.

Or email dcm.anonimizer@gmail.com directly.

This is an engineering tool. It implements PS3.15 correctly and produces auditable artifacts that your DPO / IRB / notified-body reviewer can verify. It is NOT legal advice and does NOT certify compliance — that's your QMS and counsel's call.

GDPR output classification: pseudonymous, not anonymous, per Art. 4(5). HIPAA mode: Safe Harbor only (§164.514(b)(2)); not a substitute for Expert Determination. Operated from the EU.

Built by César Pereiro · UPV biomed alumni · async only, no calls during validation phase.