Patients checking in for medical appointments are often asked to sign privacy forms before they can see a doctor. But an investigation by The Markup and CalMatters found that, in many cases, those forms do not give patients a meaningful chance to refuse the sharing of their health information, even when the paperwork says they have that right.
The problem is not limited to one clinic or one state. Over the past year, reporters interviewed more than 20 patients, health care providers, privacy experts and advocates about the documents patients are expected to sign before receiving care. Again and again, they described the same experience: Patients are asked to acknowledge or accept privacy terms on electronic forms without being able to fully review them, decline them or immediately opt out of data sharing.
Paula Stannard, director of the Office for Civil Rights at the U.S. Department of Health and Human Services, described a similar experience during a major health industry conference in March. Stannard, one of the federal government’s top health privacy officials, said she was asked at an eye doctor’s appointment to sign a form acknowledging that she had received a notice explaining how the office would use her health information.
She had not received the notice, she said.
Stannard told the audience she did not identify herself or confront the office staff about the issue, but she wrote on the form that she had not received the notice and was not acknowledging receipt.
Such encounters matter because patient information is increasingly shared through health information exchanges, networks that allow hospitals, doctors and other providers to access medical records from different health care organizations. These systems can be useful, especially when a patient’s history is scattered across multiple providers. A doctor treating someone in an emergency, for example, may benefit from quick access to lab results, prescriptions or prior diagnoses.
But broader access also creates risks. Patients who seek abortion care in a state where it is legal may not want those records to follow them into a state where abortion is criminalized. Companies have been accused of improperly accessing health records under the claim of treatment and sending information to personal injury law firms. Researchers have also documented employees snooping in electronic medical records. Other risks include data breaches and misuse by abusers who may try to track a partner through a child’s pediatric records.
For patients, the main way to limit some of those risks is to opt out when providers offer that option. The investigation found that doing so can be far more difficult than the forms suggest.
Gale Oleson, a retired dermatologist in Missouri, recalled being handed a signature pad in an emergency room after injuring his hand. Staff told him he needed to sign before they could perform the procedure. Oleson said he asked to see what he was signing, joking that he did not know whether he was signing away his house, car or life insurance.
He said staff often will turn a screen toward him or print out a copy if asked, but that the process tends to be awkward and slow.
Experts describe some of these barriers as “dark patterns,” a term used for design choices that push people toward decisions they might not otherwise make. In this context, it may be easier for a patient to click a box saying they received a privacy notice, even if they did not, or to sign a digital pad without seeing the full document.
Pushing back can be intimidating. Patients interviewed for the investigation, including one lawyer who works as a privacy advocate, said they worry that questioning forms or rejecting certain terms could lead providers to view them as difficult and make it harder to get care.
The issue can be especially acute when treatment is imminent. In one case previously reported by The Markup, a parent whose toddler was about to undergo surgery asked for a copy of a consent form while the child was already on a movable bed and the surgeon was ready. A nurse said she could not provide the form and directed the parent elsewhere. The parent dropped the request in the moment to avoid delaying surgery and obtained the document only after repeated follow-up.
To better understand what patients face, a reporter registered for appointments with more than a dozen health care systems in Iowa, New Jersey, New York, Ohio, Oregon, South Carolina and Virginia. One telehealth appointment with a women’s health clinic in Virginia showed how an electronic check-in system could require a patient to accept data sharing even while the privacy notice described a way to opt out.
During registration for the October 2025 appointment, the reporter was asked to sign a notice of privacy practices. The notice said the patient’s medical information could be shared through a health information exchange, allowing other providers to search for records such as lab results or medical history. It also stated that by signing the form, the patient agreed to have medical information shared.
The document described two alternatives: follow instructions on an opt-out form, though no link to that form was provided, or accept immediately and later begin the opt-out process by email.
At the end of the electronic notice, however, there was no visible way to decline. The only option was “I accept.” The patient then had to type a name to accept the policy, check a box acknowledging an electronic signature and click a button to continue.
When the reporter skipped the accept button and tried to proceed, the system displayed an error stating that the form was mandatory and had to be accepted before moving forward.
The reporter stopped the process and emailed the address listed in the notice. An employee replied the same day with an opt-out request form and confirmed that completing registration required opting in. The employee also said the company managing the consent process would handle the opt-out after the form was signed and processed.
That raised another concern: The notice said an opt-out would not affect health information already disclosed through a health information exchange before the opt-out took effect. The reporter asked how to ensure no information would be shared before the appointment.
The next day, the employee said the company would proactively opt the patient out of the information exchange, while still asking that the opt-out form be completed. The employee said the check-in could then be finished and that the setting would remain unchanged.
The reporter then returned to the form and clicked “I accept,” after being assured that the opt-out would remain in place. In the signature field, the reporter wrote that they were opting out of the health information exchange, followed by their initials.
When contacted about the process, a manager at the women’s clinic defended Privia Health’s procedure and said Privia is available to patients who want to opt out.
Lior Strahilevitz, a University of Chicago legal scholar who has studied privacy and dark patterns and teaches health law, said the registration process contained multiple dark patterns.
One, he said, is an “obstruction” pattern, in which the design makes it more difficult for patients to select anything other than the option preferred by the provider. Another is “visual interference,” where the structure of the screen creates an unreasonable burden. In this case, he said, patients had to go outside the registration interface — by sending an email and waiting for a response — to exercise the right the notice said they had.
Lucia Savage, former chief privacy officer at the federal Office of the National Coordinator for Health Information Technology, said such problems can arise when paper forms are copied into digital systems without meaningful redesign.
Legal experts said the situation is complicated. In Virginia, where the appointment occurred, health care providers may enroll patients in information exchange data sharing during registration and give them an option to opt out later. Sarah Jaromin, a health policy specialist at the National Conference of State Legislatures, said Virginia does not currently have a state policy with explicit opt-in or opt-out requirements.
State laws vary. Florida and New York require explicit patient consent before information can be shared or accessed through health information exchanges. Arizona and Maryland permit data sharing by default if patients are notified and given a way to opt out. Other states follow the federal baseline. Under the federal Health Insurance Portability and Accountability Act, known as HIPAA, sharing patient data through a health information exchange is generally allowed for treatment and related purposes.
Craig Konnoth, a University of Virginia law professor who specializes in health and civil rights, reviewed the privacy notice used in the Virginia appointment. He said that if a provider tells patients their data will be used until they file opt-out paperwork, that approach is generally legally permissible.
But experts said another part of the process conflicts with the intent of health privacy rules: forcing patients to sign or accept the privacy notice before they can continue.
Stacey Tovino, a University of Oklahoma College of Law professor who teaches HIPAA privacy law, said HIPAA does not require a patient to sign a notice of privacy practices. Providers must ask patients to acknowledge receipt of the notice, but if they do not obtain a signature, they can document why they did not get one.
That is different from treatment consent forms or financial responsibility agreements, which patients are typically required to sign before receiving care. A notice of privacy practices is supposed to inform patients how their information may be used, not serve as a mandatory agreement to treatment.
Emily Hilliard, press secretary at the U.S. Department of Health and Human Services, confirmed that HIPAA does not require providers to obtain a patient’s consent to a privacy notice. She also said HIPAA does not prohibit covered entities from requiring patients to acknowledge or agree to the terms of such a notice.
In practical terms, that means requiring a patient to accept a privacy notice before treatment is currently legal.
Adam Greene, a partner at the law firm Davis Wright Tremaine who focuses on health information, privacy and security, said that is likely because federal officials never anticipated that acknowledgment of a privacy notice would become a barrier to care. He said HHS has heard of widespread problems with the acknowledgment process causing confusion and interfering with patient care.
In 2021, HHS proposed a rule that would eliminate the requirement that direct treatment providers obtain written acknowledgment that patients received a notice of privacy practices. The rule was not finalized, but it is back on the federal agenda this year.
Stannard said HHS is working to finalize a rule that includes additional requirements related to privacy notices. The current proposal includes removing the requirement for providers to obtain written acknowledgment that a patient received the notice.
Some experts say regulators should go further and require that patients be able to opt out immediately when they are told they have that right.
Tovino said federal rules should prohibit health care organizations from placing undue burdens on people who try to opt out or forcing them to continue through registration in a way that effectively waives their ability to opt out at the earliest opportunity. She said that if a notice tells a patient they have the right to opt out, the next sentence should provide a working link to do so.
Savage said such a requirement could be a meaningful intervention and that the Office for Civil Rights at HHS could address it through regulation.
At the March conference where Stannard described her experience at the eye doctor, she was asked whether updating privacy rules to require a live link for patients who want to opt in or out of information sharing would help empower patients. Stannard said it was an interesting idea and something the agency could consider.
The registration process also revealed how difficult it can be to determine who is responsible for a patient-facing digital form. The telehealth appointment involved multiple companies.
The mobile check-in link came from Phreesia, a company that provides patient-facing software for tasks such as consent forms, screening surveys and payment. Phreesia has said its systems are used in one in six patient visits in the United States.
The clinic was part of Privia Health, which provides management services for nearly 5,000 providers in 15 states, affecting 5.2 million patients, according to a 2025 company press release. The privacy notice directed the patient to Privia’s medical records office to opt out, and Phreesia’s logo appeared on copies of forms sent by the clinic.
Six months later, for a second telehealth appointment, the clinic sent a link connected to another vendor, athenahealth. The clinic had replaced Phreesia with athenahealth.
Savage said smaller practices often do not have internal expertise to design these systems and instead buy available technology that is affordable and easy to implement.
When The Markup and CalMatters asked Privia, Phreesia and athenahealth who controlled the design of the patient registration interface, none provided a clear answer.
Privia said it is committed to protecting patient privacy and security and complying with regulatory requirements. Athenahealth said it provides technology that health care providers use to manage registration and clinical workflows, configured according to provider requirements and applicable law. Phreesia said the form belongs to the provider, which determines the content and interface options.
None of the companies answered detailed written questions about how much control clinics have over the interface.
Outside health care, regulators have increasingly scrutinized dark patterns. The Federal Trade Commission, the Consumer Financial Protection Bureau, state attorneys general and other agencies have described such tactics as manipulative or abusive when they confuse consumers about privacy choices or make it difficult to cancel services.
California has been among the states taking aim at dark patterns in consumer privacy. But health privacy is governed mainly by HIPAA and the U.S. Department of Health and Human Services, creating a regulatory gap. Strahilevitz said agencies such as the FTC and CFPB have limited ability to police patient privacy because that responsibility primarily falls to HHS.
Greene and Savage said the FTC can pursue dark patterns as unfair or deceptive practices when for-profit health care entities are involved. But HHS has broader authority over the health care sector, including nonprofit hospitals.
Strahilevitz said consumer finance rules offer one way to think about the issue. In that field, a practice may be considered unfair or deceptive when consumers cannot reasonably avoid harm. In health care, he said, complicated opt-out systems can force patients to give up data by default, creating privacy harms that may be difficult or impossible to reverse.
He cited the potential for health information exchanges to reveal abortion-related records in states where abortion is criminalized as an example of a serious privacy injury.
Savage said regulators also could encourage better practices by investing in open-source interface designs for health care forms or by creating competitions through the federal health IT office to improve the tools doctors and clinics buy.
If major technology vendors changed how their registration systems work, the impact could extend to millions of patients. State regulation could also play a role, especially as states such as California continue to examine unfair or deceptive digital design practices.
Strahilevitz said the broader goal should be “symmetry of choice” — making it as easy for patients to decline or opt out as it is to accept.
The reporting was based on interviews with more than 20 patients, health care providers, experts and advocates, as well as the reporter’s registration for multiple medical appointments and review of the paperwork provided. The article also drew on a small ethnographic study reviewed by an institutional review board, a committee that evaluates research involving people to help protect participants’ rights and welfare.
Original source: CalMatters