This story was originally published by CalMatters.
When Paula Stannard, one of the federal government’s top healthcare privacy officials, visited her eye doctor this year, she was asked to sign a form acknowledging she’d received a privacy notice about how the office would use her health data.
“Had I received the notice of privacy practices? No,” she told an audience at one of the nation’s largest health industry conferences in March.
“I did not want to tell them who I was and why they should not be doing that,” said Stannard, who is director of the Office for Civil Rights at the U.S. Department of Health and Human Services. “But I did write a note that says, ‘I have not received this. I am not acknowledging receipt.’”
Stannard’s story is all too common.
Over the last year, I’ve interviewed more than 20 patients, healthcare providers, experts and advocates about the privacy forms they must sign to get care at their providers’ offices.
Time and again I was told the same thing: Across the country, from large hospital systems to small, private clinics, patients are being asked to sign waivers blindly without knowing exactly what they’re signing.
When patients ask to see more, staff usually don’t have an easy way to show them. When patients do get the forms, the forms tell them all the ways their medical data will be shared and reused, and some of the ways patients can refuse. But the electronic check-in systems offer no way to opt out on the spot; opting out requires follow-up emails.
Records sharing between unaffiliated providers through these networks can benefit patients by making their scattered records more visible to the provider who is treating them.
But it can also harm patients.
Patients seeking an abortion may not want records to travel with them from a state where that treatment is legal to one where it is criminalized.
In other cases, companies, such as GuardDog, have admitted to accessing patient records “under the guise of treatment” and funneling them to personal injury law firms.
Researchers have also found healthcare workers snooping through electronic health records. Other dangers include data breaches and serious potential for misuse, such as domestic abusers stalking their partners through the pediatric records of their children.
There’s not much patients can do to limit the risks of their data being available across networks, except by aggressively pursuing opt-outs when providers offer them. Turns out, that can be pretty hard to do.
Gale Oleson is a retired dermatologist in Missouri who recalled visiting the emergency room after a hand injury.
“They hand me the signature pad,” he said. “They said, you have to sign this so we can do the procedure. And I said, well, I don’t know what the heck I’m signing. Is it like you get my house today? You know, you could be taking my car, you know, signing over my life insurance. And they just laugh, you know?
“… In those situations, I’ve had them either turn the screen to me or I request that they print out a copy for me to review and they’ve always done it, but it’s always a ‘I forgot how a printer works’ kind of thing.”
Experts have a name for this practice: “Dark patterns,” which are manipulative design choices that steer people into doing things or making decisions they otherwise would not make. It’s easier to check the box to say that you’ve received the privacy notice, even if you haven’t. It’s easier to sign the digital signature box, even if you can’t see what you’re signing.
The alternative — saying you didn’t get the privacy notice, or asking repeatedly to see what you’re signing — sounds like a simple request, but can be scary for patients. Many of the patients I’ve interviewed, including a lawyer who works as a privacy advocate, told me they’re afraid that speaking up or pushing back against terms they don’t agree to will make health providers categorize them as inconvenient patients and make it harder to get the care they need.
As a privacy researcher, I’ve experienced this hesitation myself. Last year, I wrote about the epic lengths I went to in order to get a copy of the consent forms I signed when my toddler needed surgery. When my child was strapped to a movable bed, the surgeon standing there at the ready, I was asked to verify my signature on a consent form. When I asked if I could have a copy of it, a nurse said she wasn’t allowed to give it to me, and sent me to a ghost office at another hospital to search for it. In the moment, I let it go, so I wouldn’t hold up the surgery. Later, after asking multiple people for help, I was finally able to get a copy.
To experience more of what patients have to deal with and test whether they’re able to successfully get the information they need, say no, or opt out of having their data shared, I checked out over a dozen healthcare systems myself by registering and going to appointments in Iowa, New Jersey, New York, Ohio, Oregon, South Carolina and Virginia.
One telehealth appointment with a provider showed me how easily dark patterns force patients to share their data with big healthcare networks, even when the privacy form they’re signing explicitly says they can opt-out.
In October 2025, I booked a telehealth appointment with a women’s health clinic in Virginia, after a source was frustrated with the clinic’s check-in process. During registration, I was asked to sign their notice of privacy practices. It’s the same type of form that Stannard never got, but was asked to say she did.
The notice told me that I was giving them permission to let my physician share my health data with a health information exchange, a network that allows providers to search my medical records, like lab results or medical history, from other health organizations when they treat me. These networks can be regional, state-wide or national in reach. The privacy notice says that by signing the form, “you agree to have your medical information shared.”
It also says I have two other choices:
- Say no by following instructions on the opt-out form, but there’s no link to the form.
- Say yes now and kick off the opt-out process later by sending an email. An email address is provided.
But when I got to the end of the privacy notice, I wasn’t allowed to say no. I had only one choice: “I accept.” After that, there’s a spot to type my name “to accept the policy,” check a box that I understand that I’m electronically signing, and a big button to “Continue.”

I ignored the accept button and tried clicking “Continue.” An error message told me I couldn’t move forward unless I hit “I accept.”

I was at a crossroads. The privacy notice literally describes “Say No Thanks” as a choice, but doesn’t let me pick it.
At this point, most of the patients I’ve interviewed would probably click “I accept” and move on, even if they wanted to keep their information private. But I was researching what patients have to do for healthcare systems to honor their wishes around consent and privacy, so I stopped filling out the form.
Instead, I emailed the address on the privacy notice. I was surprised that an employee got back to me that day, shared the opt-out request form, and confirmed that “registration is required to opt-in.” She also told me that her company, which manages this consent process for the information exchange, would process my opt-out once I had signed and returned the form. The risk was that this might not happen before my appointment. I emailed her back and asked what we should do about this, since the original privacy notice says, “Please note, your opt-out does not affect health information that was disclosed through HIE [health information exchanges] prior to the time that you opted out.” How could we make sure none of my information was shared?
The next day, she replied that her company would proactively opt me out of the information exchange, that I should still complete the opt-out form she sent me, and that “You should now be able to complete your check-in, and the setting will remain unchanged.”
When I went back to check in for my appointment, I clicked “I accept,” because the health services company had assured me nothing would change. Just to be safe, I wrote “I opt out of HIE” and my initials, “AR,” into the box where I was supposed to write my name.
When I wrote to a manager of the women’s clinic about this, they stood by the process of Privia Health, the management company whose medical records office handles the opt-out, and said that Privia makes itself available to patients who want to opt out.
“This is a dark pattern,” said Lior Strahilevitz, a legal scholar at the University of Chicago who has published papers on privacy and dark patterns and teaches health law. In fact, Strahilevitz sees multiple dark patterns in the patient registration process I went through.
One is called an “obstruction dark pattern,” which means the design makes it harder for patients to make any choice except the one healthcare providers want.
Another was “visual interference,” where the interface itself works against the patient. “The patient’s going to have to face inordinate burdens in order to make an autonomous choice,” he said, because they will need to go “outside the user interface, outside the screens, in order to exercise your opt-out rights.”
Lucia Savage, former chief privacy officer at the federal health IT office, called the Office of the National Coordinator for Health IT, said that problems like this can happen when people carelessly put physical forms online. “This isn’t really a design at all,” she said. “This is just a bunch of paper pasted onto a web page. Could you even really call it design?”
So, is all of this legal?
Legal experts point out that only one element of the check-in process violates the spirit of health privacy law, and it’s not the part I expected.
In Virginia, where I had my appointment, it’s legal for providers to opt patients in at registration and give them a way to opt-out later.
Some states, like Florida and New York, require providers to get a patient’s explicit consent before they can share or access a patient’s data from information exchanges. Other states, like Arizona and Maryland, have laws that allow data-sharing through health information exchanges by default, as long as providers tell patients and give them a way to opt out. Some states have not passed any additional regulations, which means they follow the federal baseline. Federally, under the Health Insurance Portability and Accountability Act (HIPAA), sharing a patient’s data in a health information exchange is legal.
According to Sarah Jaromin, a health policy specialist at the National Conference of State Legislatures, in Virginia, there is no current state policy with explicit opt-in or opt-out requirements.
Craig Konnoth, a law professor at the University of Virginia who specializes in health and civil rights, looked at the privacy notice I was asked to accept. “You have the choice as to whether your data is going to be used. In this particular situation, ‘we are going to use your data until you file in the opt-out paperwork’ — then that’s actually kosher,” he said.
What experts say violates the spirit of the law, however, is requiring that patients sign the privacy notice itself.
When I was checking in, the privacy notice forced me to add my signature and click “I accept” before I could click “Continue.”
“What becomes problematic for me is that you can’t actually proceed. The design forces you to do something that the HIPAA privacy rule does not require you to do,” said Stacey Tovino, a professor who teaches HIPAA privacy law at the University of Oklahoma College of Law. (Full disclosure: As part of my role as Director of Sociotechnical Research at The Markup and CalMatters, I am combining a broader journalistic investigation with a small ethnographic research study on digital patient intake procedures. The Markup paid Tovino to consult on the HIPAA implications of my findings, but she did not participate in data collection or editorial decision-making.)
“Nothing in HIPAA requires them to make you sign the notice,” said Tovino. “If they don’t obtain the signature they simply have to document why they didn’t get it.”
There’s an important nuance here. At a doctor’s office, patients usually have to sign and give consent to treatment and financial responsibility policies before they can actually get medical care. But when it comes to privacy notices, HIPAA only requires healthcare providers to ask patients to acknowledge receiving the notice. Patients can decline to sign.
Many of the privacy-focused patients I interviewed, including those who also work as doctors and nurses, deliberately decline to sign a notice of privacy practices if it contains terms they disagree with. But when modern check-in technology refuses to let a patient move forward without agreeing to the notice of privacy practices, is that legal?
Emily Hilliard, press secretary at the U.S. Department of Health and Human Services (HHS), confirmed that the HIPAA privacy rule does not require providers to get a patient’s consent to their privacy notice, but it also does not “prohibit covered entities from requiring individuals to acknowledge, or agree to the terms of, an NPP.”
In other words, requiring patients to agree to a privacy notice before getting treatment is legal.
“Likely because HHS never envisioned this happening, HIPAA does not explicitly prohibit a covered entity from requiring an acknowledgement of receipt of the notice of privacy practices as a condition of treatment,” said Adam Greene, a partner at the law firm Davis Wright Tremaine who focuses on health information, privacy and security.
“HHS has heard about widespread problems with the acknowledgment of receipt of the notice of privacy practices becoming an obstacle to patient care and a cause of confusion,” he said. “In 2021, they issued a proposed rule that, amongst other things, proposed deleting the requirement for an acknowledgment of receipt of the notice of privacy practices.” The rule was never finalized, but it is back on the agenda this year.
Stannard confirmed that at HHS, “we are in the process of finalizing the rule which includes some additional requirements for the notice of privacy practices.”
The current proposed rule includes, “Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices.”
Experts say patients should be able to opt out immediately — not eventually
Legal experts say that regulators can fix this problem in one fell swoop: make it a rule that companies must let patients opt out right away, at the same moment they’re notified that they can.
“Amend these [federal] regulations to say covered entities shall not impose an undue burden on people trying to opt out. Covered entities shall not make it functionally problematic. Covered entities shall not, in registration documents, force people to proceed, thus waiving their right to opt out at the earliest possible time,” Tovino said.
She suggested that when a company notifies someone of their right to opt out, the next sentence should include a link to do so.
Savage agreed that this change would “absolutely” be a substantial intervention. “I believe that’s something OCR [Office of Civil Rights at HHS] could do in regulations.”
At the same event where Stannard shared that her eye doctor asked her to acknowledge a privacy notice she never got, I asked her, “Would updating the privacy rule to require a live link when patients make a choice to opt out or into sharing their information be empowering to Americans as individual patients?” She’d just spoken about U.S. Health Secretary Robert F. Kennedy Jr.’s agenda “to empower individuals with their own health information.”
“That’s an interesting idea,” Stannard responded. “I don’t remember if we’ve considered it before. It’s certainly something that we could consider going forward.”
One registration form, but a cocktail of technology companies
Navigating the dark patterns in the check-in process was difficult. What I’ve learned, however, is that it’s hard to know who picked the interface used with patients. Did it come from the clinic or from the sprawl of vendors that health facilities have come to rely on?
Private clinics often partner with multiple outside companies (vendors covered by HIPAA) to get technology and administrative support. My appointment involved three different companies:
- The mobile link I received to check in for my appointment came from a company named Phreesia, which handles patient-facing software, like consents, medical screening surveys and payment. In the U.S., roughly one in six patient visits runs through Phreesia’s check-in software.
- The clinic had joined Privia Health, which provides management services for nearly 5,000 providers across 15 states, serving 5.2 million patients, according to a 2025 press release. The privacy notice I struggled with sent me to Privia’s medical records office to opt out. Phreesia’s logo was also on the copy of my forms that the clinic emailed me.
- Finally, for my second telehealth appointment six months later, the clinic sent me a link with the name of another vendor, “athenahealth,” in it. The clinic had replaced Phreesia with athenahealth entirely.
“Unless you’re a really giant system,” said Savage, “you don’t have internal expertise on how to do this. So you buy it. You buy what’s plug-and-play and what’s affordable.”
The Markup and CalMatters asked all three companies who was responsible for the design of the patient registration interface, and no company gave us a clear answer.
Privia: “Privia is committed to the privacy and security rights of our patients’ information and to ensuring we comply with all regulatory requirements regarding our use of that information,” said Robert Borchert, senior vice president of investor and corporate communications at Privia Health.
athenahealth: “athenahealth provides technology that healthcare providers use to manage patient registration and clinical workflows … configured according to each provider’s requirements and applicable law,” read a statement from athenahealth, provided by Nikki D’Addario, senior public relations manager.
Phreesia: “It is the provider’s form and they determine the content and interface options,” said Dori Zweig Young, Phreesia spokesperson.
None of the companies responded to detailed written questions about how much control clinics have over the interface.
A blindspot for regulators and how it can be fixed
Outside of healthcare, regulators, like the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and multiple state attorneys general and agencies, have called dark patterns manipulative or abusive tactics that confuse consumers about their privacy choices or lock consumers into paying for services (like the famous Amazon Prime case). Researchers consistently find that people want more control over the context of how their data is shared, and that patients are least comfortable handing over blanket access with broad, open consents, even if they are largely willing to share it for specific uses.
Strahilevitz explained, however, that agencies like the FTC and CFPB, which have been the most active on regulating dark patterns, regulate privacy within their zones, and only occasionally take on boundary cases.
“Health privacy, for the most part, is going to be primarily addressed by HIPAA and Health and Human Services rather than the FTC Act and the Federal Trade Commission,” he said.
“There are limits on [the commissions’] ability to protect patient privacy because that’s basically another entity’s job.”
Greene and Savage both agreed that the Federal Trade Commission has jurisdiction to enforce against dark patterns as unfair or deceptive practices in for-profit healthcare entities. The clinic I went to, like hundreds of thousands across the country, is for-profit.
But HHS has a broader mandate to regulate healthcare organizations, including non-profit hospitals.
For example, Strahilevitz said, in consumer finance, regulators at the Consumer Financial Protection Bureau treat a practice as unfair or deceptive when a consumer cannot reasonably avoid the resulting injury. Just as hard-to-cancel online subscriptions force people to pay more, maze-like opt-out structures force patients to pay with their data by default.
Strahilevitz said this provides a framework for thinking about privacy injuries in healthcare. An information exchange could serve as a clearing house for information about a patient’s abortion, which has a clear potential for injury if that information becomes known in a state where abortion treatments are criminalized.
“In other privacy contexts, the courts have said where it’s literally possible to opt out of something but, practically quite difficult, unduly onerous, then we’re not going to treat that as creating an opt-out right,” he said.
Savage sees more opportunities in carrots than sticks to get to best practices. She argued that the government could invest in good interface design that’s open source and available for anyone to use, and the federal health IT office, where she used to work, could create competitions focused on improving the technical tools that providers buy and use.
If the big technology vendors that independent clinics are already using make these changes, it could affect millions of patients.
State regulation is another possible solution. Strahilevitz said that scrutiny of dark patterns is spreading as states, like California, and regulatory agencies, like the FTC, seek to rein in unfair or deceptive practices through a simple requirement: it should be as easy to cancel as it is to subscribe, with one click.
“I hope that at some point, we’ll get to a point where symmetry of choice is the law of the land, not only with respect to consumer privacy in some states, but to these kinds of medical privacy or financial privacy or other contexts,” he said.