Medical Imaging AI and Your Privacy: What You Should Know

Artificial intelligence is being adopted quickly in radiology. It helps radiologists read scans faster, catch subtle findings, and reduce workloads. But there is a less discussed side: how your medical images might be reused to train AI models, and what that means for your privacy. Recent commentary from the Radiological Society of North America (RSNA) warns that medical imaging AI opens a Pandora’s box of privacy-related risks. If you are a patient undergoing an X-ray, CT, or MRI, it is worth understanding what is happening with your data and what you can do about it.

What Happened

In May 2026, the RSNA published an article highlighting how the widespread use of AI in medical imaging creates new privacy vulnerabilities. The core issue is not that AI itself is malicious, but that the way imaging data is collected, stored, and reused for algorithm training can expose patient information in ways that traditional safeguards do not fully cover.

Radiology AI systems are trained on large datasets of medical images. To protect privacy, hospitals and researchers typically strip obvious identifiers such as names, dates of birth, and social security numbers from the image metadata, a process called de-identification. The RSNA piece points out that de-identification is not foolproof. Stripping the header does nothing to the pixels: researchers have shown that facial features reconstructed from head scans, tattoos, or even the unique shape of a person's spine can be used to re-identify individuals. Moreover, models can memorize parts of their training data, so a model trained on an image may retain identifiable patterns, and both the data and the model can be shared with third parties in ways patients never consented to.
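As an added example written for this page (not code from the RSNA article or from any vendor's de-identification tool), the following Python shows what HIPAA Safe Harbor style header stripping does and does not achieve. Records are plain dicts keyed by DICOM attribute keyword, a constructed stand-in for a pydicom Dataset; the ZipCode field is a hypothetical registration-system value, not a DICOM tag; the restricted ZIP prefix list is assumed to match current HHS guidance and should be checked before use; and the sample record is constructed, not real patient data.

```python
"""Safe Harbor style header de-identification for a DICOM-like record, plus
residual-risk flags for identifiers that header stripping cannot remove.
Illustrative code for this article, not from the RSNA piece or any vendor."""

import re
from datetime import date

# Attributes Safe Harbor requires removed outright (names, IDs, contact details,
# device serial numbers). These keywords are real DICOM attribute names.
REMOVE = {
    "PatientName", "PatientID", "OtherPatientIDs", "PatientAddress",
    "PatientTelephoneNumbers", "ReferringPhysicianName", "DeviceSerialNumber",
    "AccessionNumber", "InstitutionName",
}
# Dates directly related to the patient: keep the year only.
DATE_ATTRS = {"PatientBirthDate", "StudyDate", "SeriesDate", "AcquisitionDate"}
# 3-digit ZIP areas with 20,000 or fewer people (HHS Safe Harbor guidance,
# 2000 Census). Assumption: list is current; verify against HHS before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
# Body parts whose CT/MR volumes can be surface-rendered into a face.
FACE_BEARING_PARTS = {"HEAD", "SKULL", "BRAIN", "FACE", "NECK", "ORBIT", "SINUS"}


def generalize_zip(zip_code):
    """Return the 3-digit ZIP prefix, or '000' for sparsely populated areas."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def _parse_da(value):
    """Parse a DICOM DA value (YYYYMMDD) into a date, or None if malformed."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})", str(value or ""))
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return None


def years_between(birth, ref):
    """Whole years from birth to ref, accounting for the birthday not yet passed."""
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record):
    """Return (cleaned_record, residual_risk_flags) for one DICOM-like record."""
    cleaned = {k: v for k, v in record.items() if k not in REMOVE}
    flags = []

    # Age drives the >89 rule. Prefer computing it from the dates; fall back to
    # the DICOM AS value (e.g. "095Y") when dates are missing.
    birth = _parse_da(record.get("PatientBirthDate"))
    study = _parse_da(record.get("StudyDate"))
    age = years_between(birth, study) if birth and study else None
    if age is None:
        m = re.fullmatch(r"(\d{3})Y", str(record.get("PatientAge", "")))
        age = int(m.group(1)) if m else None

    for attr in DATE_ATTRS:
        if attr in cleaned:
            d = _parse_da(cleaned[attr])
            cleaned[attr] = str(d.year) if d else ""
    if age is not None and age > 89:
        cleaned["PatientAge"] = "90+"          # aggregate into the 90-or-older bucket
        cleaned["PatientBirthDate"] = ""       # even the birth year would reveal age > 89
    elif age is not None:
        cleaned["PatientAge"] = f"{age:03d}Y"

    if "ZipCode" in cleaned:                   # hypothetical registration field
        cleaned["ZipCode"] = generalize_zip(cleaned["ZipCode"])

    # What header stripping cannot fix: identifiers living in the pixel data.
    if str(record.get("BurnedInAnnotation", "")).upper() == "YES":
        flags.append("burned-in annotation: pixel data may contain name/ID text")
    body_part = str(record.get("BodyPartExamined", "")).upper()
    if record.get("Modality") in {"CT", "MR"} and body_part in FACE_BEARING_PARTS:
        flags.append("face-bearing volume: surface rendering of pixels can re-identify")
    return cleaned, flags


# Constructed sample record, not real patient data.
SAMPLE = {
    "PatientName": "DOE^JANE", "PatientID": "MRN-0042",
    "PatientBirthDate": "19300115", "PatientAge": "095Y", "StudyDate": "20250610",
    "Modality": "CT", "BodyPartExamined": "HEAD", "BurnedInAnnotation": "YES",
    "DeviceSerialNumber": "SN-123", "StudyDescription": "CT head without contrast",
    "ZipCode": "03601",
}

if __name__ == "__main__":
    cleaned, flags = deidentify(SAMPLE)
    print(cleaned)
    for f in flags:
        print("RESIDUAL RISK:", f)
```

The flags are the point: after the header is clean, the head CT is still re-identifiable by rendering the skin surface from the pixels, and any text burned into the image is still there. A real pipeline would add pixel-level defacing and detection of burned-in text, which this example does not attempt.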

The article does not name a specific breach or incident; instead it outlines structural risks as AI becomes embedded in everyday radiology. It is a call for the field to address these gaps before they lead to widespread harm.

Why It Matters

For patients, this means that a routine scan ordered by your doctor could end up contributing to commercial AI products or research databases you never knew about. Your imaging data is highly sensitive—it can reveal not only your health conditions but also your body’s unique geometry. If that data is re-identified or leaked, it could lead to insurance discrimination, employment bias, or personal embarrassment.

Existing privacy laws offer only partial protection. HIPAA, the main U.S. health privacy law, governs how covered providers and their business associates handle protected health information, but it has limits. Data de-identified under one of HIPAA's two methods (the Safe Harbor removal of 18 listed identifiers, or an expert's determination that re-identification risk is very small) is no longer protected health information, so once imaging data clears that bar it can be used for AI training and shared with few restrictions. Meanwhile, the EU's GDPR treats health data as a special category and gives individuals a right to object to processing based on legitimate interests, which covers many secondary uses such as model training, but exercising that right is not always straightforward in a medical imaging context.

The RSNA’s warning is timely because AI adoption is accelerating without clear rules on consent, data retention, or patient notice. Many patients are never asked if they want their images used for AI training. The default assumption is often that it is allowed, which is not the same as informed consent.

What Readers Can Do

You do not have to be a privacy expert to take practical steps. Here are things you can do before and during your next imaging appointment.

  1. Ask your provider about AI use. Before your scan, ask: “Will my images be used to train any AI models? If so, can I opt out?” Some hospitals have policies allowing you to restrict secondary use of your data. The answer may vary, but asking sends a signal that privacy matters to patients.

  2. Check the privacy policy. Many hospitals publish a notice of privacy practices. Look for sections about “research,” “de-identified data,” or “third-party sharing.” If the language is vague, ask for clarification. You have a right to know how your data is handled.

  3. Request an AI-free reading if possible. Not every facility offers this, but some let you ask that your images be read by a human radiologist without AI assistance. Note that AI-assisted reading and reuse for training are separate data flows: declining one does not automatically opt you out of the other, so ask about both.

  4. Understand your HIPAA rights. Under HIPAA, you have the right to request an accounting of disclosures of your health information. This can help you learn who has received your data. However, disclosures for AI training under a de-identification exemption may not be included, so this is not a complete solution.

  5. Consider state and EU protections if applicable. Some U.S. states (e.g., California, Washington) have broader privacy laws that cover health data beyond HIPAA. If you live in the EU or are treated there, GDPR gives you stronger rights to object. Be aware of where your imaging is done and what laws apply.

  6. Monitor data breach notifications. If a hospital or imaging center you used has a breach of unsecured health information, HIPAA's Breach Notification Rule requires them to notify you. Take those notifications seriously and consider freezing your credit if sensitive personal information (not just images) was exposed.

No single step will eliminate all risk, but being proactive puts you in a better position. As AI continues to evolve, it is likely that patient consent and transparency will improve—but only if patients keep asking.

Sources

  • Radiological Society of North America (RSNA), “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” May 2026.
  • U.S. Department of Health and Human Services, “HIPAA Privacy Rule,” hhs.gov.
  • European Parliament, “General Data Protection Regulation (GDPR),” 2016.
  • Prior research on re-identification of medical images (e.g., studies by researchers at universities and institutes cited in the RSNA article).