Key Takeaways
- HIPAA protects your medical imaging privacy: Your CT scans, MRIs, X-rays are protected health information (PHI)
- You have the right to access your imaging records: Get copies of your scans, request corrections
- Healthcare providers must protect your images: Secure storage, encryption, access controls
- Imaging can be shared for treatment, payment, operations: Without your permission (except in emergencies)
- You authorize other disclosures: Sharing with specialists, family members, researchers requires your written consent
- You can request restrictions: Limit how your information is used or shared
- Breaches must be reported: If your imaging data is exposed, you must be notified
- You can file complaints: If your privacy rights are violated
How We Created This HIPAA Guide
Our HIPAA guidance is based on federal regulations, healthcare compliance standards, and patient rights documentation.
Data Sources Analyzed:
| Source | Type of Data | How Used |
|---|---|---|
| HHS (Department of Health & Human Services) | HIPAA regulations, guidance | Legal requirements |
| OCR (Office for Civil Rights) | Enforcement rules, case settlements | Real-world compliance issues |
| Healthcare provider policies | Implementation procedures | How HIPAA works in practice |
| Patient complaint data | Common violations, issues | What patients experience |
| Healthcare IT standards | Technical safeguards | Data security requirements |
What Is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a federal law made up of three main rules:
Privacy Rule:
- Protects your personal health information (PHI)
- Gives you rights over your health information
- Sets limits on who can access your information
Security Rule:
- Requires healthcare providers to protect electronic PHI (ePHI)
- Mandates safeguards for data security
- Specifies technical, physical, administrative protections
Enforcement Rule:
- Penalties for HIPAA violations
- Fines up to $1.5 million per violation per year
- Criminal penalties for intentional misuse
What PHI (Protected Health Information) Includes
Medical imaging PHI includes:
| Information Type | Examples |
|---|---|
| Your images | CT scans, MRIs, X-rays, ultrasound (DICOM files) |
| Patient information embedded in images | Name, ID, birthdate, exam date |
| Radiology reports | Written interpretation of your images |
| Imaging orders | Doctor's request for imaging |
| Billing information | Charges, insurance, CPT codes |
| Appointment records | Dates, times, providers |
All of this is PHI and protected by HIPAA.
Your HIPAA Rights for Medical Imaging
Right to Access Your Imaging Records
You have the right to get:
| Record Type | Timeline | Cost |
|---|---|---|
| DICOM images (CT, MRI, X-ray) | Within 30 days | Reasonable cost-based fee |
| Radiology reports | Within 30 days | Usually free (first copy) |
| Imaging logs (what imaging you've had) | Within 30 days | Usually free |
How to request your imaging records:
- Submit written request: To healthcare provider's Privacy Office
- Specify what you want: "All CT scans from 2020-2026"
- Specify format: DICOM CD, electronic download, paper report
- Provider has 30 days: To respond (60 days if extension needed)
- Pay fee (if any): Usually $25-$75 for CD + labor
Provider cannot deny your request (except in limited circumstances):
- Psychotherapy notes (different standard)
- Information prepared for lawsuit/legal proceeding
- Provider believes access would harm you or others (rare; must be documented)
Right to Request Corrections
If your imaging records are wrong (inaccurate or incomplete):
You can request correction:
- Submit written request: "My records show CT scan on 3/15/2026 but it was 3/15/2025"
- Provider must respond within 60 days
- If provider agrees: Must correct record and notify you
- If provider disagrees: Must inform you of your right to add statement of disagreement
What can be corrected:
- ✅ Wrong dates: Scan date, birthdate, exam date
- ✅ Wrong information: Patient name, ID, other demographics
- ✅ Incomplete information: Missing scan series, reports
What cannot be corrected:
- ❌ Professional judgment: Radiologist's interpretation (can add statement of disagreement)
- ❌ Accurate information: If it's correct, provider won't change it
Right to Know How Your Information Is Used/Disclosed
You have the right to know:
| Information | Provider Must Give You |
|---|---|
| Uses | How your imaging PHI is used (treatment, payment, operations) |
| Disclosures | Who your imaging PHI was shared with (outside of treatment, payment, operations) |
| Last 6 years | Full accounting of disclosures (free copy every 12 months) |
How to request accounting:
- Submit written request: "Who saw my imaging records in last 6 years?"
- Provider responds within 60 days with list of disclosures
- Free for one request every 12 months
- Reasonable cost for additional requests
Excluded from accounting (provider doesn't have to tell you):
- Disclosures for treatment, payment, healthcare operations
- Disclosures you authorized in writing
- Disclosures to you (giving you copies of your records)
- Disclosures for directory (facility directory, if you agreed)
- Disclosures for national security/intelligence
Right to Request Restrictions
You can ask provider to limit uses/disclosures of your imaging PHI:
Examples of restrictions:
- "Don't share my CT scans with my other doctors" (may limit your care)
- "Don't use my images for research studies"
- "Don't share my imaging records with my family members"
- "Don't include my name in research database"
Provider must comply IF:
- You're paying for service out-of-pocket in full (not using insurance)
- Disclosure not for treatment (provider can deny if affects your care)
Provider can deny your request IF:
- Restriction would affect your treatment
- Provider cannot provide care without access
Right to Request Confidential Communications
You can ask provider to communicate with you in specific ways:
Examples:
- "Only call my work phone, not my home phone"
- "Only mail results to my PO Box, not my home address"
- "Only email me if encrypted"
- "Don't leave voicemails about my health"
Provider must accommodate reasonable requests:
- ✅ Reasonable: Alternative phone, mailing address
- ✅ You're willing to pay: Any extra cost for alternative communication
- ❌ Unreasonable: Provider can deny if not practical
Right to Paper Copies of Privacy Notice
Provider must give you:
- Privacy Notice (document explaining privacy practices)
- Copy on first visit to provider
- Copy in future (if you ask; posted on website usually)
- Copy if changed (if provider changes privacy practices)
Privacy Notice includes:
- How your PHI can be used
- How your PHI can be disclosed
- Your rights under HIPAA
- Provider's legal duties
- Whom to contact for questions/complaints
How HIPAA Protects Your Medical Images
Technical Safeguards
Providers must secure your electronic imaging PHI (ePHI):
| Safeguard | What It Means for Your Images |
|---|---|
| Encryption | DICOM files encrypted so hackers can't read them |
| Access controls | Only authorized staff can access your images |
| Audit logs | Every access to your images is recorded |
| Secure transmission | Images sent securely (not regular email) |
| Secure storage | Images stored on secure servers (not exposed) |
In practice:
- PACS (Picture Archiving and Communication System) is HIPAA-compliant: Secure storage, access controls, encryption
- DICOM transfers: Secure (encrypted network transmission)
- Workstation security: Automatic logout, screen locks, strong passwords
- Backup security: Encrypted backups, stored securely
Physical Safeguards
Providers must protect physical access to your images:
| Safeguard | What It Means |
|---|---|
| Facility access | Limited to authorized areas (badge access, locks) |
| Workstation security | Screens not visible to public; secure storage |
| Record disposal | Shredded when discarded (hard copies, CDs) |
| Device security | Laptops, tablets encrypted; lost devices reported |
Administrative Safeguards
Providers must have policies and procedures:
| Safeguard | What It Means |
|---|---|
| Privacy policies | Written policies on PHI handling |
| Training | All employees trained on HIPAA |
| Business associate agreements | Contracts with vendors (IT, cloud storage, shredding) |
| Sanctions | Employees penalized for HIPAA violations |
| Compliance officer | Person in charge of HIPAA compliance |
When Can Providers Share Your Images Without Permission?
Permitted Uses and Disclosures
Providers can share your imaging PHI WITHOUT your permission for:
| Purpose | What It Means | Example |
|---|---|---|
| Treatment | Sharing with other providers treating you | Primary care refers you to specialist; sends your CT scan |
| Payment | Sharing with insurance, billing | Sending X-ray to insurance to prove medical necessity |
| Healthcare operations | Quality improvement, training, accreditation | Using de-identified images for staff training |
| Public health | Reporting disease, birth/death reporting | Reporting TB on chest X-ray to health department |
| Research (limited) | Research without authorization | Using de-identified images in research study |
| Law enforcement | Subpoena, court order, warrant | Police subpoena for CT scan in criminal case |
| Coroners/medical examiners | Death investigation | Coroner requests medical imaging records |
| Organ donation | Coordinating organ procurement | Sharing images of potential donor |
| Research (very limited) | Preparing research data | Only if IRB waiver granted; very restricted |
Minimum Necessary Standard:
- Provider shares only minimum PHI needed
- Example: Sends relevant CT scan to specialist, not entire imaging history
- Doesn't apply to: Treatment (doctors need full records), law enforcement (subpoena specifies)
Authorization Required
Provider must get your written permission (authorization) to share for:
| Purpose | Example |
|---|---|
| Research (most) | Using your images in research study |
| Marketing | Using your images in advertisement |
| Employment | Sharing images with employer |
| Insurance (life, disability) | Sharing images for insurance application |
| Family/friends | Sharing with family members (unless you agree orally) |
| Media | Sharing images with news media |
| School | Sharing images with school (sports physical, etc.) |
Authorization must include:
- Specific description of information to be used/disclosed
- Person/organization requesting disclosure
- Purpose of disclosure
- Expiration date or event
- Your signature and date
- Right to revoke authorization
- Statement whether information will be re-disclosed
You can revoke authorization:
- In writing: Withdraw your permission
- Provider must comply (except if already acted on authorization)
HIPAA Breaches: What Happens When Your Data Is Exposed
Breach Notification
If your imaging PHI is breached (exposed, stolen):
Provider must notify you:
- Without unreasonable delay: Within 60 days of discovery
- By mail (or email if you agreed)
- If breach affects >500 people: Public notice (website, media)
Notification must include:
- What happened (brief description)
- What information was involved
- What provider is doing to protect you
- What you should do to protect yourself
- Who to contact for more information
Breach examples:
- Stolen laptop: Contains patient images
- Hacked email: PHI sent to wrong person
- Lost CD: Your imaging CD lost in mail
- Ransomware: Hackers encrypt images, demand payment
- Improper disposal: Imaging CDs thrown in regular trash
What to Do If Your Data Is Breached
If notified of breach:
| Action | Why |
|---|---|
| Read notice carefully | Understand what happened |
| Call provider | Ask questions, get specifics |
| Monitor accounts | Watch for identity theft |
| Change passwords | If online patient portal affected |
| Consider credit freeze | If Social Security number exposed |
| File complaint | If provider didn't follow HIPAA |
HIPAA Rights: Special Situations
Minors (Children Under 18)
Parent/guardian exercises HIPAA rights for child:
- Access child's imaging records (except in limited circumstances)
- Request corrections to child's records
- Authorize disclosures on child's behalf
Exceptions (child can control own records):
- Agrees to mental health treatment: Without parent consent
- Court order: Child can consent to treatment
- Emancipated minor: Considered adult under HIPAA
Deceased Patients
After patient dies:
- Executor/administrator exercises HIPAA rights
- Surviving family can access records if:
  - Will or trust authorizes disclosure
  - State law authorizes disclosure
  - Healthcare provider believes disclosure is in best interest of deceased patient
Funeral homes, coroners: Can access PHI needed for their duties without authorization.
Psychotherapy Records
Psychotherapy notes (different from medical records):
- Extra protection: Not included in standard right to access
- Separate authorization: Required to disclose
- Created by mental health professional documenting psychotherapy session
Medical imaging (CT, MRI showing brain) is NOT psychotherapy notes - regular HIPAA rules apply.
How to Exercise Your HIPAA Rights
Requesting Your Medical Images
Step-by-step process:
- Identify provider's Privacy Office: Call hospital/clinic, ask for "Privacy Officer" or "Medical Records"
- Submit written request (can be letter, email, or form):
  "I request a complete copy of my medical imaging records, including all CT scans, MRIs, and X-rays performed between [date] and [date]. Please provide these in DICOM format on CD. Please mail to: [your address]"
- Provider has 30 days to respond (may extend 30 more days - must notify you)
- Provider responds:
  - ✅ Approves: Provides records (may charge reasonable fee)
  - ⚠️ Denies: Written denial with reason, right to review
- If denied: You can request review of denial
What to include in request:
- Your full name (at time of scan and current name if changed)
- Date of birth
- Patient ID/Medical record number (if known)
- Date range of imaging records requested
- Specific request: "All CT scans from 2020-2026 in DICOM format"
- Preferred format: DICOM CD, electronic download, etc.
- Contact information: Phone, email, address
Requesting Accounting of Disclosures
Step-by-step process:
- Submit written request: "Please provide a full accounting of all disclosures of my protected health information for the past 6 years"
- Provider responds within 60 days with list of:
  - Who received your PHI
  - Date of disclosure
  - Purpose of disclosure
  - What was disclosed
- Free for one request every 12 months
- Reasonable cost for additional requests
Requesting Restrictions
Step-by-step process:
- Submit written request: "Please do not share my medical imaging records with [specific provider/family member/etc.]"
- Provider responds within 60 days:
  - ✅ Agrees: Must comply (if you're paying out-of-pocket)
  - ❌ Denies: If denial would affect your treatment
- If denied: Provider must explain why
Filing HIPAA Complaint
If your privacy rights are violated:
File complaint with OCR (Office for Civil Rights):
| Contact Method | Details |
|---|---|
| Online | https://www.hhs.gov/ocr/privacy/hipaa/complaints/ |
| Mail | U.S. Department of Health & Human Services, Office for Civil Rights, 200 Independence Avenue, SW, Washington, D.C. 20201 |
| Email | OCRComplaint@hhs.gov |
| Phone | 1-866-627-7748 |
| Fax | 1-866-627-7749 |
Complaint must include:
- Your name, address: Contact information
- Name of provider: Who violated your rights
- Description of violation: What happened
- Dates: When violation occurred
- File within 180 days: Of when you knew (or should have known) about violation
OCR investigates:
- Provider's compliance with HIPAA
- May require corrective action: Changes to policies, procedures
- May impose penalties: Fines up to $50,000 per violation (up to $1.5M per year)
You can also sue:
- File lawsuit for HIPAA violations
- Seek damages (if provider knowingly violated)
- Attorney fees: If prevailing
HIPAA and Imaging Centers
Business Associates
Imaging centers (as vendors to hospitals/clinics):
- Are "Business Associates" under HIPAA
- Must comply with HIPAA Security Rule
- Have contract (Business Associate Agreement) with healthcare provider
- Must protect PHI they receive/create
What this means:
- Imaging center must protect your CT/MRI/X-ray images
- Must report breaches to healthcare provider
- Must comply with HIPAA Security Rule
Mobile Imaging (Mobile CT, MRI)
Mobile imaging units (CT truck, mobile MRI):
- Must protect your images when on mobile unit
- Encryption on laptops, tablets storing images
- Secure transmission of images back to hospital
- Physical security of mobile unit (locked when unattended)
Teleradiology (Remote Reading)
Teleradiology (radiologist reads images remotely):
- Secure transmission of images (encrypted)
- Access controls: Only authorized radiologists access images
- Audit logs: Track who accessed which images
- Business Associate Agreement: Between facility and teleradiology company
HIPAA in Emergency Situations
Emergency Treatment
In emergency:
- Provider can share your imaging PHI WITHOUT your permission
- With other providers treating you in emergency
- In the best interest of the patient (when you can't consent)
Example:
- You're unconscious after car accident
- Emergency department CT scans your head/neck/chest
- Images sent to trauma surgeon caring for you
- No authorization needed (emergency exception)
After emergency:
- Provider must document emergency disclosure
- Must minimize PHI shared (only what's necessary)
- Can inform you afterward (when you regain capacity)
HIPAA vs. Common Situations
Sharing Images with Family
Can provider share your images with family?
| Situation | What Is Needed |
|---|---|
| Family member picks up your CD | Your verbal agreement is enough |
| Doctor discusses your imaging with family in room | Your verbal agreement is enough |
| Mailing results to family member | Your written authorization |
| Provider calls family to discuss results | Your written authorization (unless emergency) |
Best practice:
- Tell provider who can access your information
- Put in writing who can/cannot receive your information
- Ask provider to document your preferences
Sharing Images for Second Opinion
Getting second opinion:
- Provider can share your images with specialist (treating you)
- No authorization needed (if for treatment)
- You can request your own images and take them to specialist
Best practice:
- Request your images in DICOM format
- Bring to specialist yourself (ensures you have control)
- Ask specialist to upload to their system for review
Research Use of Your Images
Research studies:
| Research Type | Authorization Required? |
|---|---|
| De-identified images (name, ID removed) | No |
| Identified images (your name attached) | Yes, written authorization |
| Dead body (post-mortem images) | No (if proper authorization for research) |
De-identification:
- Removes 18 identifiers: Name, dates, locations, etc.
- Reverse-engineering must be impossible (cannot identify you)
- Safe for research without authorization
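The Safe Harbor de-identification described above, applied to the DICOM header attributes that carry the embedded name, ID and dates, as an added example that is not part of the original guide: a plain dict stands in for a parsed header, one function scrubs it, and a second checks what remains. The attribute keywords are standard DICOM keywords; the sample values and the identifier subset are constructed for the example.

```python
import re

# Constructed sample DICOM header as a plain dict (keyword -> value), the
# shape you get after reading a file with a DICOM library. Fictional patient.
SAMPLE_HEADER = {
    "PatientName": "DOE^JANE",
    "PatientID": "MRN-0001234",
    "PatientBirthDate": "19340612",
    "PatientAge": "091Y",
    "PatientAddress": "12 Main St, Springfield",
    "StudyDate": "20250315",
    "AccessionNumber": "ACC-778899",
    "InstitutionName": "Example Imaging Center",
    "ReferringPhysicianName": "SMITH^JOHN",
    "Modality": "CT",
    "SliceThickness": "1.25",
}

# Header attributes that directly identify the patient or the encounter;
# removed outright. A subset chosen for the example, not the full DICOM list.
DIRECT_IDENTIFIERS = {
    "PatientName", "PatientID", "PatientAddress", "PatientTelephoneNumbers",
    "AccessionNumber", "InstitutionName", "ReferringPhysicianName",
}
DICOM_DATE = re.compile(r"^\d{8}$")           # DICOM DA value: YYYYMMDD
DICOM_AGE = re.compile(r"^(\d{3})([DWMY])$")  # DICOM AS value: nnnD/W/M/Y


def age_in_years(age_string):
    """Parse a DICOM AS value; ages given in days/weeks/months are under 89 years."""
    m = DICOM_AGE.match(age_string or "")
    if not m:
        return None
    return int(m.group(1)) if m.group(2) == "Y" else 0


def deidentify(header):
    """Return a copy of HEADER with Safe Harbor-style removals applied.

    Direct identifiers are dropped, dates keep only the year, and for a
    patient over 89 the age becomes '90+' and the birth date is dropped
    entirely (the birth year alone would reveal the age). Non-identifying
    clinical attributes such as Modality and SliceThickness are kept.
    """
    over_89 = (age_in_years(header.get("PatientAge")) or 0) > 89
    out = {}
    for key, value in header.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "PatientAge":
            out[key] = "90+" if over_89 else value
        elif key == "PatientBirthDate" and over_89:
            continue
        elif key.endswith("Date") and DICOM_DATE.match(str(value)):
            out[key] = str(value)[:4]  # year only
        else:
            out[key] = value
    return out


def residual_identifiers(header):
    """Check a header after scrubbing: keys still carrying a direct identifier
    or a full YYYYMMDD date (empty list means clean). Text burned into the
    pixel data is not covered by header scrubbing and needs separate handling."""
    return sorted(k for k, v in header.items()
                  if k in DIRECT_IDENTIFIERS
                  or (k.endswith("Date") and DICOM_DATE.match(str(v))))
```

Run `residual_identifiers(deidentify(SAMPLE_HEADER))` to confirm the header is clean; the same check on the raw sample lists every attribute that would have exposed the patient.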
Common HIPAA Questions
FAQ
Q: Can my spouse get copies of my imaging records? A: Only if you authorize (written or verbal OK at time of request). Provider should verify.
Q: Can provider leave voicemail about my scan results? A: Yes, if you agreed to receive communications at that number. Tell provider if you don't want voicemails.
Q: Can provider email me my images? A: Generally no (regular email not secure). Some providers offer secure patient portals.
Q: Can I post my own CT scan images on social media? A: Yes, it's YOUR record. But consider: images contain your name embedded. Consider cropping/covering identifying information.
Q: Can provider use my images for marketing? A: No, not without your written authorization.
Q: Can provider sell my images? A: No, never. HIPAA prohibits sale of PHI.
Q: What if provider denies my request for images? A: You can request review of denial. Contact OCR if you believe denial improper.
Q: Can provider charge me for copies of my images? A: Yes, reasonable cost-based fee (labor, supplies). Usually $25-$75 for CD.
Q: Does HIPAA apply to employers requesting imaging? A: HIPAA restricts disclosure to employer. Employer needs written authorization.
Q: Can my lawyer get my imaging records? A: Yes, with subpoena or court order, or your written authorization.
The Bottom Line
HIPAA protects your medical imaging privacy:
- ✅ Control who sees your CT scans, MRIs, X-rays
- ✅ Access your records: Get copies within 30 days
- ✅ Request corrections: If records are wrong
- ✅ Know disclosures: Who accessed your images
- ✅ Request restrictions: Limit how your information is shared
- ✅ File complaints: If rights violated
Providers must:
- ✅ Protect your images: Encryption, access controls, audit logs
- ✅ Train staff: On HIPAA requirements
- ✅ Report breaches: Notify you if data exposed
- ✅ Honor your rights: Access, correction, restriction requests
Most important: HIPAA gives you rights over your medical imaging records. Know your rights, exercise them when needed, and speak up if your privacy is violated. Your medical images are YOUR health information.