Medical Imaging AI and Your Privacy: What You Need to Know to Keep Your Health Data Safe
Artificial intelligence is being adopted quickly in radiology, helping doctors detect tumors, fractures, and other conditions from CT scans, MRIs, and X-rays. The technology can improve accuracy and speed, but it also introduces new privacy risks that many patients are not aware of. A recent report from the Radiological Society of North America (RSNA) highlights these concerns, describing medical imaging AI as opening “a Pandora’s box of privacy-related risks.” Understanding what’s at stake can help you make more informed decisions about your health data.
What Happened: The RSNA Report on Imaging AI and Privacy
The RSNA report, titled Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks, outlines several vulnerabilities that arise when AI tools are used to analyze medical images. The report notes that patient scans are often shared with third-party vendors for AI development, sometimes without explicit patient consent. Even when data is “de-identified,” researchers have shown that it can sometimes be re-linked to individual patients by combining it with other available information, such as demographic details or genetic records.
Another key finding is that current privacy protections like HIPAA (Health Insurance Portability and Accountability Act) do not always cover AI vendors. HIPAA applies only to covered entities—healthcare providers, insurers, and their business associates—but a company that merely builds or trains an AI model on patient images may not be legally bound by HIPAA if it does not directly handle protected health information in the traditional sense. This creates a gap in oversight.
Why It Matters for Patients
When you get an MRI or CT scan, you likely expect that your images will be kept private and used only for your medical care. In many cases, they are. But if the hospital or imaging center shares your scans with an AI company to improve its algorithms, your images could end up stored on servers outside of the healthcare system. If that company experiences a data breach—or uses your data for research or commercial purposes without your knowledge—you may have little recourse.
The risk of re-identification is especially important. Even if the vendor removes your name and date of birth, advanced techniques can sometimes match a scan to your identity by cross-referencing it with other databases. Once re-identified, the images become permanent records of your health that could affect insurance rates, employment, or even personal relationships if leaked.
For patients, the core issue is transparency: most consent forms for imaging procedures do not clearly state whether AI will be used on your data, by whom, and for how long.
What Readers Can Do: Practical Steps to Protect Your Medical Data
You can take several concrete actions to reduce your privacy risk without avoiding needed medical imaging.
Ask your doctor or imaging center about AI use. Before your scan, ask whether AI will be used to analyze the images, and if so, whether your data will be shared with any external company. Request to see the consent form covering data use. If it is vague, ask for clarification. You have a right to understand how your health information will be handled.
Check if there is an opt-out option. Some institutions allow patients to request that their images not be used for research or AI training. This may require signing a separate form. The option is not always offered, but it is worth asking.
Review your HIPAA rights. Under HIPAA, you can request a copy of your medical records, including images. You can also ask for an accounting of disclosures, which lists with whom your data has been shared and for what purpose. While this does not cover every third party (especially one that falls outside HIPAA), it can reveal whether your scans have been sent to an AI vendor.
Be cautious with consent forms for research. Many imaging studies ask permission to use leftover data for future research. Read the fine print. If you are uncomfortable with broad data sharing, you can decline the research consent while still receiving the clinical scan.
Follow up after a breach. If your healthcare provider has a data breach, they are usually required to notify you. Take any such notice seriously and monitor your medical records for signs of misuse, such as false claims or charges for services you did not receive.
Stay informed about state laws. Some states have passed laws that extend privacy protections beyond HIPAA, such as California’s CPRA and Washington’s My Health My Data Act. These may give you additional rights to limit the sale or use of your health data by technology companies.
Sources
- RSNA report: Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks (Radiological Society of North America, 2026)
- Additional RSNA coverage on LLM cybersecurity threats in radiology (May 2025)
- HHS Office for Civil Rights, HIPAA Privacy Rule