PET Scan Records Privacy: Who Can Access Your Results and How They're Protected
HIPAA Privacy Rule Overview
Your PET scan images and radiology report are Protected Health Information (PHI). Under the HIPAA Privacy Rule, PHI includes any information that identifies you and relates to your health, care, or payment for care—whether in paper, verbal, or electronic form.
HIPAA applies to Covered Entities—healthcare providers, health plans, and healthcare clearinghouses—and to their Business Associates that handle PHI on their behalf. These organizations may use or disclose your PET scan records for treatment, payment, and healthcare operations without your written permission, but must follow the “minimum necessary” standard for non-treatment purposes.
HIPAA also requires clear notices of privacy practices, limits on non-routine disclosures, and safeguards that protect PHI across Electronic Health Records (EHRs), imaging systems, and communications channels.
Access Rights to PET Scan Records
You have the right to see, download, and receive copies of your PET scan records, including the radiology report and, when feasible, the underlying images. You can usually access them through a patient portal or by submitting a records request to your provider’s health information management team.
Who within the healthcare system may access
- Your treating clinicians and the radiology team for diagnosis and care coordination.
- Other providers involved in your treatment (for example, a surgeon or oncologist you were referred to).
- Health plans for payment and utilization management, limited to the minimum necessary.
- Business Associates supporting care (such as cloud storage for PACS or secure image exchange), bound by contracts that protect PHI.
Access inside an organization is typically controlled through Role-Based Access Control (RBAC). Staff see only what they need to do their jobs, and non-clinical personnel cannot open imaging results unless required for their duties.
Patient Authorization Requirements
Written permission is required for many disclosures not covered by treatment, payment, or operations. Common examples include releasing your PET scan results to an employer, a life insurer, an attorney, or a family member who is not involved in your care, as well as using PHI for marketing or selling PHI.
What valid Authorization Forms include
- A specific description of the PET scan information to be disclosed (for example, “PET/CT report from May 2026 and related images”).
- The name of the person or organization receiving the records.
- The purpose of the disclosure (or a statement that you elect not to specify a purpose).
- An expiration date or event.
- Your signature and date, plus your right to revoke in writing at any time (revocation does not affect disclosures already made).
No authorization is required for disclosures permitted or required by law, such as certain public health reports or court orders, but only the minimum necessary information should be shared for non-treatment purposes.
Data Protection Measures for Imaging Records
Providers must safeguard PET scan records under administrative, physical, and technical controls. In practice, this includes unique user IDs, access provisioning and removal, workforce training, and secure device and facility management.
Technical safeguards you should expect
- Role-Based Access Control that limits who can open your PET scan report and images.
- Data Encryption in transit (for example, TLS for portals and secure messaging) and at rest on servers and backups.
- Strong authentication (often multi-factor), automatic logoff, and session timeouts in PACS and EHR systems.
- Secure image exchange methods that avoid unencrypted media and reduce the need for CDs.
- Backups, disaster recovery, and integrity checks to prevent loss or tampering.
When images or reports are used for training or research without your authorization, they must be de-identified or otherwise handled under strict review processes that protect your privacy.
Patient Rights and Record Corrections
You can request copies of your PET scan records in the format you prefer if readily producible, including electronic copies via your patient portal or secure email. Providers generally have up to 30 days to respond, with a possible single 30‑day extension, and may charge a reasonable, cost-based fee for copies.
You may ask to amend your PET scan report if you think it is inaccurate or incomplete. Providers typically must act within 60 days (with one possible 30‑day extension). If approved, the radiologist may add an addendum and the provider will make reasonable efforts to inform others who rely on the record. If denied, you can submit a written statement of disagreement that becomes part of the record.
Other helpful rights
- Request restrictions on certain disclosures—such as limiting disclosures to a health plan when you pay for a covered service in full out of pocket.
- Request confidential communications (for example, results sent to a different address or phone number).
- Request an Accounting of Disclosures—a history of certain disclosures made without your authorization, excluding most treatment, payment, and operations disclosures.
Conditions for Legal and Public Health Disclosures
Your PET scan records may be disclosed without your authorization only when permitted or required by law. Typical scenarios include:
- Public health reporting (for example, certain disease surveillance or adverse event reporting).
- Health oversight activities (audits, inspections, or investigations).
- Judicial and administrative proceedings (court orders; certain subpoenas with required assurances).
- Law enforcement purposes in defined situations.
- To avert a serious threat to health or safety.
- Organ, eye, or tissue donation and decedent-related purposes.
- Workers’ compensation and other specialized government functions as allowed by law.
Even in these cases, the minimum necessary standard applies for non-treatment disclosures, and disclosures must be documented when required.
Audit and Monitoring of Record Access
Healthcare organizations maintain audit logs that record who accessed your PET scan records, when, and from where. Compliance teams routinely monitor these logs, investigate suspicious activity (including “break-the-glass” emergency overrides), and apply sanctions for inappropriate access.
You may request an Accounting of Disclosures covering up to six years prior to your request, excluding most treatment, payment, and operations disclosures and certain other categories. Providers generally must respond within 60 days (with one 30‑day extension). The first accounting in a 12‑month period is typically free; reasonable fees may apply to additional requests.
If a breach compromises the privacy or security of your PET scan records, you should receive a notification describing what happened, what information was involved, steps taken to mitigate harm, and how you can protect yourself.
Conclusion
In short, PET scan records privacy rests on HIPAA’s rules, strict access controls, and robust technical safeguards. You control routine sharing beyond care and payment, you can see and correct your records, and you can track certain disclosures—while organizations must monitor access, document exceptions, and protect your information end to end.
FAQs
Who can legally access my PET scan records?
You, your personal representative, and your treating providers can access your PET scan records. Health plans may access the minimum necessary information for payment, and certain Business Associates may handle PHI under contracts that protect it. Others—such as employers, insurers not involved in your care, attorneys, or family members—generally need your written authorization.
How does HIPAA protect my PET scan information?
HIPAA limits who can use and disclose your PHI, requires the minimum necessary for non-treatment purposes, and mandates safeguards across Electronic Health Records and imaging systems. It also gives you rights to access, request amendments, set certain restrictions, and obtain an Accounting of Disclosures.
What is required for third-party access to PET scan results?
For most third parties, a valid written authorization is required. Authorization Forms must specify what will be released, to whom, for what purpose, when the authorization expires, and include your signature and your right to revoke. Limited exceptions exist when disclosures are required or permitted by law.
How can I request corrections to my PET scan records?
Send a written amendment request to your provider’s medical records department, identifying the PET scan report and what needs correction with a brief explanation. The provider typically has up to 60 days to decide. If approved, an addendum is added and relevant parties may be notified; if denied, you can submit a statement of disagreement that becomes part of your record.