How to Protect Your Medical Privacy When AI Is Used in Your X-Rays and Scans
If you’ve had an X-ray, CT scan, or MRI recently, there’s a good chance an artificial intelligence tool analyzed your images. AI is becoming standard in radiology—it can speed up readings, flag abnormalities, and even predict disease. But the same technology that helps diagnose you also introduces privacy risks that most patients aren’t told about.
Recent research presented at the Radiological Society of North America (RSNA) has highlighted several ways in which these risks are real and growing. This article explains what the risks are, what current laws do and don’t cover, and what you can do to protect your medical images from misuse.
What happened
At RSNA conferences in 2025 and 2026, researchers demonstrated that AI can be used to create deepfake medical images—synthetic X-rays or CT scans that look real enough to fool both radiologists and AI detection systems. In one study, AI-generated chest X-rays were indistinguishable from real ones to human experts. The concern is not just about fraud; manipulated images could be inserted into a patient’s record, altering a diagnosis or leading to incorrect treatment.
Another finding: de-identified imaging data—scans stripped of names and other direct identifiers—can be re-identified using AI. A 2024 study showed that facial recognition algorithms applied to CT scans of the head could match a scan to a specific person’s face from a photo. Once re-identified, that data loses the legal protections of anonymization.
Third-party AI vendors often process images outside the hospital’s network. A review of hospital contracts found that many patients are not explicitly asked for consent before their images are sent to cloud-based AI services. If a vendor suffers a breach, the images—and any health insights they contain—could be exposed.
Why it matters
The privacy risks from AI in medical imaging go beyond what most people expect. HIPAA, the main U.S. health privacy law, covers how hospitals and doctors handle your health information. But HIPAA has gaps.
- Deepfakes are not addressed by HIPAA. If a fake scan is created and stored, it becomes part of your medical record. You could be billed for a condition you don’t have, or denied insurance based on a false finding.
- Re-identification means that simply removing your name from a scan isn’t enough to protect your identity. AI can link images back to you using bone structure, ear shape, or other anatomical features.
- Third-party vendors may not be directly bound by HIPAA if they are only providing AI services and not storing or handling data on behalf of the hospital. Patients often have no way to know which vendor processed their images or where that data resides.
The result: you could lose control over who sees your medical images and how they are used, including for research, training AI models, or even marketing.
What readers can do
You don’t have to accept this situation silently. Here are practical steps to safeguard your privacy when undergoing imaging exams.
Before your scan
Ask your doctor or imaging center whether AI will be used to analyze your images. Some facilities have a standard “AI use” checkbox on consent forms. If not, ask specifically: “Will my images be processed by a third-party AI tool? If so, which company? Can I see the privacy policy?”
Ask to opt out of non-essential AI analysis. You have the right to refuse processing of your images for training AI models or research. For clinical AI that aids diagnosis, opting out may affect your care, but you should be informed of the trade-off.
Check your consent forms for language about “de-identified data.” If it says your images may be used for research or development, ask how they are being de-identified and whether AI re-identification safeguards are in place.
After your scan
Get a copy of your imaging report and, if possible, the actual images. The more aware you are of what’s in your record, the easier it is to spot potential tampering. Some hospitals provide online portals where you can view your scans.
Report anything suspicious to your provider’s privacy officer. If you later find a discrepancy between your symptoms and a scan result, or if you suspect a deepfake, ask for the original DICOM data (the raw image file) and a second opinion.
Know your rights under HIPAA. You have the right to request an accounting of disclosures—who has seen your health information. This includes third-party AI vendors. If a vendor is not listed, the hospital may be in violation.
For long-term protection
- Support stronger regulations. The current patchwork of laws leaves patients vulnerable. Advocacy groups are pushing for rules that require hospitals to notify patients before using AI, to ban re-identification of de-identified data, and to hold vendors accountable for breaches.
Sources
- RSNA research presentations (2025-2026) on deepfake medical images and re-identification risks.
- “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks” – RSNA (2026).
- HIPAA Privacy Rule, U.S. Department of Health and Human Services.
- Various studies on facial recognition from CT scans (e.g., Schwarz et al., 2024).
- Hospital contract analysis by Patient Privacy Rights (2025).
Bottom line: AI in medical imaging offers real benefits, but it also creates privacy risks that current laws don’t fully address. Asking questions, reading consent forms, and knowing your rights are the most effective tools you have. A little caution today can prevent a much bigger problem tomorrow.