[Intl_DxMedPhys] Who owns patient image data?

Tue May 26 15:45:04 EDT 2026

At least in the U.S., patients only have the rights to access their imaging data under HIPAA, and the provider retains ownership of the actual data. My understanding is that as long as the data is de-identified, patient consent is not required at all for the provider to sell it.

I recalled this pre-AI article (AuntMinnie write up here<https://urldefense.com/v3/__https://www.auntminnie.com/imaging-informatics/advanced-visualization/article/15609566/patients-can-be-identified-based-on-3d-reconstructions__;!!KGKeukY!2ZziBAuty3fhstZQYoQVMvS9hUdQ1QATPTTYWAG7AZurJiV80t0mZnT-lG1ByrR4bErMJ7eL42L-47n3FnkFYsCS7pJgYDfayXcfnfjzF5venPdF$ >) about facial recognition from 3D surface renderings using CT. There probably is potential for an AI algorithm to do a far better job than humans at matching a photo/video to a 3D rendering. The theoretical risk for harm would be greater if the de-identified CT were readily linked to more health information from an EHR.

As with other AI-related legal questions (like liability for missed cancers in AI-only screening), the legal and ethical frameworks are still lagging behind rapid commercial development.

-----

Jayse M. Weaver, Ph.D. (he/him)

Associate Physicist – Diagnostic Services Medical Physics

Assistant Professor – Diagnostic Radiology and Nuclear Medicine

Rush University Medical Center

[RUSH]

________________________________
From: Intl_dxmedphys_wd_osu_list <intl_dxmedphys_wd_osu_list-bounces at lists.osu.edu> on behalf of Bob Pizzutiello via Intl_dxmedphys_wd_osu_list <intl_dxmedphys_wd_osu_list at lists.osu.edu>
Sent: Tuesday, May 26, 2026 2:00 PM
To: intl_dxmedphys_wd_osu_list at lists.osu.edu <intl_dxmedphys_wd_osu_list at lists.osu.edu>
Subject: [Intl_DxMedPhys] Who owns patient image data?

Rush Email Security

This email originated from outside of RUSH. Do not click links or attachments unless you recognize the sender and know that the content is safe. RUSH will never ask for user ID information via email.

I have heard that some big data companies are looking to purchase deidentified image and possibly EMR data from hospitals and imaging centers.

Who actually owns this data? It seems to me that patients pay for the imaging service and should have some or full ownership, but perhaps there is fine print in the release forms that assign ownership elsewhere.

I have some uneasiness about this, since huge companies could arguably develop tech to identify individuals, and enable nefarious use of that data.

Does anyone know?

Thanks
Bob
>From Bob Pizzutiello, typos courtesy iPhone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osu.edu/pipermail/intl_dxmedphys_wd_osu_list/attachments/20260526/ff085147/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Outlook-RUSH.png
Type: image/png
Size: 14397 bytes
Desc: Outlook-RUSH.png
URL: <http://lists.osu.edu/pipermail/intl_dxmedphys_wd_osu_list/attachments/20260526/ff085147/attachment.png>