Data anonymization, data storage and data transfer are regulated by GDPR in the EU and HIPAA in the US. A good example of this approach is the Safe Harbor standard in the HIPAA Privacy Rule. It specifies 18 data elements that need to be removed or encrypted. If this is done properly, the data is considered anonymized in accordance with HIPAA.
This list includes:
Names of patients, nurses, doctors; Geographic locations; All elements of dates (except the year) that are related to an individual; Telephone, cellphone, and/or fax numbers; Email addresses; IP addresses; Social Security Numbers; Medical record number; Health plan beneficiary numbers; Device identifiers and serial numbers; Certificate/license numbers; Account numbers; Vehicle identifiers and serial numbers, including license plates; Website URLs; Full-face photos; Biometric identifiers (e.g., fingerprints, voice prints, and retinal images); Any unique identifying numbers, characteristics, or codes.
For image data anonymization, specific de-identification tools are used. After anonymisation, all image data goes through a quality control process to confirm that no personal identifiers are left.