As other users mentioned, these screenshots are almost certainly not being transmitted as screenshots as the bandwidth costs would be enormous. The screenshots are converted to a hash on the user’s device before being sent to a server where the hash is compared to a database of known hashes. A user’s x-ray would just appear as a hash. This might still constitute a HIPAA violation, but I doubt it.