Healthcare Dark Patterns


Paula Stannard is one of the federal government’s top healthcare privacy officials. This year, she visited her eye doctor and was handed a form asking her to confirm she’d received the office’s privacy notice. She hadn’t received it. “I did not want to tell them who I was and why they should not be doing that,” Stannard, director of the Office for Civil Rights at the U.S. Department of Health and Human Services, told an audience at one of the nation’s largest health industry conferences in March. Instead, she wrote a note in the margin: “I have not received this. I am not acknowledging receipt.”

If the country’s top health privacy enforcer has to resort to handwritten margin notes to protect her own rights at a routine eye appointment, something has gone badly wrong with how healthcare consent actually works in practice. This is a story about dark patterns — manipulative design choices that push patients toward giving up their health data even when the form in front of them explicitly says they don’t have to. And it is a story about why consent compliance cannot stop at having the right policy language on paper.

What Patients Are Actually Signing

Over the past year, investigative reporter Alex Rosenblat at CalMatters interviewed more than 20 patients, healthcare providers, experts and advocates about the privacy forms patients must sign to receive care. She then tested the system herself, registering for appointments at clinics across Iowa, New Jersey, New York, Ohio, Oregon, South Carolina and Virginia.

The pattern she found was consistent: patients are asked to sign waivers without being shown what they contain. When they ask to see the forms, staff don’t have an easy way to show them. When they do get access, the forms describe all the ways their medical data will be shared — and some of the ways they can refuse. But the electronic systems make it impossible to exercise that refusal in the moment, routing patients to follow-up emails and separate opt-out processes that most will never complete.

Gale Oleson, a retired dermatologist in Missouri, described the experience after a hand injury sent him to the emergency room. “They hand me the signature pad,” he said. “They said, you have to sign this so we can do the procedure. And I said, well, I don’t know what the heck I’m signing.” He asked them to print the form. “It’s always a ‘I forgot how a printer works’ kind of thing,” he said.

This is not accidental friction. Experts call it what it is: dark patterns.

The Telehealth Appointment That Made It Impossible to Say No

In October 2025, Rosenblat booked a telehealth appointment with a women’s health clinic in Virginia. During registration, she was presented with a notice of privacy practices — the same type of form Stannard was asked to confirm receiving but never got.

The notice informed her that by signing, she was agreeing to let her physician share her health data with a health information exchange — a network allowing providers to search her medical records, including lab results and medical history, from other health organizations. The notice also told her she had two other options. She could say no by following instructions on an opt-out form — though no link to that form was provided. Or she could say yes now and start the opt-out process later by sending an email.

When she reached the end of the form, there was one button: “I accept.” She tried clicking “Continue” without hitting accept. An error message appeared: “This form is mandatory. Please accept the form to continue.” The privacy notice described “Say No Thanks” as a choice. The interface didn’t let her pick it.

Lior Strahilevitz, a legal scholar at the University of Chicago who has published research on privacy and dark patterns and teaches health law, reviewed the process. “This is a dark pattern,” he said — and identified two distinct ones operating simultaneously. The first is an obstruction dark pattern: the design makes it harder for patients to make any choice except the one healthcare providers want. The second is visual interference: “The patient’s going to have to face inordinate burdens in order to make an autonomous choice,” Strahilevitz said, because exercising opt-out rights requires going “outside the user interface, outside the screens.”

Lucia Savage, former chief privacy officer at the federal health IT office, was blunt about what she saw. “This isn’t really a design at all,” she said. “This is just a bunch of paper pasted onto a web page. Could you even really call it design?”

The Stakes Are Higher Than a Checkbox

The consequences of patients being unable to meaningfully opt out of data sharing are not abstract. Patients seeking abortions may not want records traveling with them from a state where that treatment is legal to one where it is criminalized. Companies including GuardDog have admitted to accessing patient records “under the guise of treatment” and funneling them to personal injury law firms. Researchers have documented healthcare workers snooping through electronic health records. Domestic abusers have used pediatric records to stalk partners. Health information exchanges can benefit patients — making scattered records visible to treating providers is genuinely useful. But benefit and harm are not mutually exclusive, and patients deserve the real ability to choose, not a theatrical version of choice that leads back to the same “I accept” button regardless of their preference. Many of the patients Rosenblat interviewed — including a lawyer who works as a privacy advocate — said they are afraid that pushing back against terms they disagree with will cause healthcare providers to categorize them as inconvenient patients and make it harder to get care. The fear of medical retaliation is itself a dark pattern operating at the systemic level.

Is Any of This Actually Legal?

Legal experts have a nuanced answer: most of it is legal. One part isn’t — but not necessarily the part you’d expect.

Under HIPAA, sharing patient data in health information exchanges is federally legal. State rules vary significantly — Florida and New York require explicit opt-in consent before data can be shared or accessed through exchanges. Arizona and Maryland allow data sharing by default as long as providers notify patients and offer opt-out. Virginia, where Rosenblat’s appointment took place, has no state policy with explicit opt-in or opt-out requirements.

Craig Konnoth, a law professor at the University of Virginia who specializes in health and civil rights law, reviewed the privacy notice. “You have the choice as to whether your data is going to be used. In this particular situation, ‘we are going to use your data until you file in the opt-out paperwork’ — then that’s actually kosher,” he said.

What legal experts say does violate the spirit of health privacy law is something more specific: requiring patients to sign the privacy notice itself before proceeding. “Nothing in HIPAA requires them to make you sign the notice,” said Stacey Tovino, a professor who teaches HIPAA privacy law at the University of Oklahoma College of Law. “If they don’t obtain the signature they simply have to document why they didn’t get it.”

There is an important distinction here. Patients routinely must sign consent to treatment and financial responsibility policies before receiving care — that’s standard and legal. But privacy notices are different. HIPAA only requires providers to ask patients to acknowledge receipt. Patients should be able to decline without consequence.

Emily Hilliard, press secretary at HHS, confirmed that while HIPAA does not require providers to obtain patient consent to their privacy notice, it also does not prohibit covered entities from requiring individuals to agree to its terms.

Adam Greene, a partner at Davis Wright Tremaine who focuses on health information privacy and security, put it plainly: “Likely because HHS never envisioned this happening, HIPAA does not explicitly prohibit a covered entity from requiring an acknowledgement of receipt of the notice of privacy practices as a condition of treatment.” HHS proposed eliminating the written acknowledgment requirement in 2021. That rule was never finalized. Stannard confirmed it is back on the agenda.

Three Companies, One Broken Consent Experience

One of the more revealing details from Rosenblat’s reporting is how accountability dissolves across the vendor ecosystem that most clinics now rely on. Her single telehealth appointment involved three separate companies: Phreesia, which handles patient-facing software including consent forms and processes one in six patient visits in the U.S.; Privia Health, which handles management services for nearly 5,000 providers across 15 states affecting 5.2 million patients; and athenahealth, which replaced Phreesia entirely by her second appointment six months later.

When CalMatters asked all three companies who was responsible for the design of the patient registration interface, none gave a clear answer. Phreesia said the form belongs to the provider. Privia cited compliance with regulatory requirements. athenahealth said its technology is “configured according to each provider’s requirements.”

“Unless you’re a really giant system,” said Savage, “you don’t have internal expertise on how to do this. So you buy it. You buy what’s plug-and-play and what’s affordable.”

The result is a system where no single party is accountable for the patient experience — and the patient absorbs the cost of that diffusion of responsibility in the form of dark patterns they cannot navigate and opt-outs they cannot exercise.

For organizations managing HIPAA compliance through third-party vendors, this is a critical gap. Business associate agreements cover data handling obligations, but they rarely address the quality of the consent interface those vendors deploy on your behalf. If a vendor’s dark-pattern registration form is generating consent that patients couldn’t meaningfully refuse, the covered entity carries the regulatory exposure.

What Regulators Can Actually Do

The jurisdictional gap complicates enforcement. The FTC and CFPB have been the most active federal agencies on dark patterns generally, but healthcare privacy sits primarily with HHS and HIPAA. Strahilevitz noted that the FTC does have jurisdiction to enforce against dark patterns as unfair or deceptive practices in for-profit healthcare entities — and the vast majority of clinics are for-profit. But HHS has the broader mandate covering non-profit hospitals as well.

Tovino offered a straightforward regulatory fix: “Amend these regulations to say covered entities shall not impose an undue burden on people trying to opt out. Covered entities shall not make it functionally problematic. Covered entities shall not, in registration documents, force people to proceed, thus waiving their right to opt out at the earliest possible time.” Her proposed implementation: when a company notifies someone of their right to opt out, the next sentence should include a live link to do so. Savage agreed that this intervention would be substantial and is within OCR’s existing rulemaking authority.

Strahilevitz pointed to the consumer finance framework as a model. The CFPB treats a practice as unfair or deceptive when a consumer cannot reasonably avoid the resulting injury. “In other privacy contexts, the courts have said where it’s literally possible to opt out of something but practically quite difficult, unduly onerous, then we’re not going to treat that as creating an opt-out right,” he said. The same logic should apply to healthcare.

His broader hope: “I hope that at some point, we’ll get to a point where symmetry of choice is the law of the land — not only with respect to consumer privacy in some states, but to these kinds of medical privacy or financial privacy or other contexts.”

What This Means for Compliance Teams

The practical lesson for any organization collecting health data — or any organization relying on a third-party vendor to collect consent on their behalf — is that a policy that says patients can opt out is not the same as a system that lets them. The gap between those two things is where regulatory exposure lives. Consent management that passes legal review on paper but deploys dark patterns in practice does not protect the covered entity — it creates the illusion of compliance while accumulating the liability that comes when the design is scrutinized.

The specific failures documented in this reporting — no live opt-out link, forced acknowledgment of a form patients couldn’t refuse, opt-out processes routed outside the registration interface — are not edge cases. They are standard practice across the vendor ecosystem that most independent clinics have adopted.

Organizations that want to get ahead of where HIPAA rulemaking and FTC enforcement are heading should be asking their vendors the questions CalMatters couldn’t get answered: who controls the interface, what choices does it actually present to patients, and is it as easy to opt out as it is to accept? If the answer to that last question is no, the consent and privacy audit is overdue.
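The obstruction pattern from the Virginia registration flow and the three vendor questions above, modelled as an added example (not code from CalMatters, Phreesia, Privia, athenahealth or any vendor): a constructed description of the privacy-notice step as reported beside a symmetric-choice version, a simulation of what pressing Continue yields in each, and an audit check a compliance team could run against a vendor's form configuration. The field names, the placeholder opt-out URL and the acknowledgement record format are assumptions.

```javascript
// Constructed description of the privacy-notice step as reported: one button,
// acceptance required to continue, opt-out described but handled by email.
const darkPatternStep = {
  name: "Notice of Privacy Practices",
  choices: ["I accept"],
  requireAcceptToContinue: true,
  optOutLink: null,
  optOutChannel: "email",
};

// The same step with symmetric choice: declining is a button, and the sentence
// describing the opt-out carries a live link (placeholder URL, an assumption).
const symmetricStep = {
  name: "Notice of Privacy Practices",
  choices: ["I accept", "Say No Thanks"],
  requireAcceptToContinue: false,
  optOutLink: "https://example.invalid/hie-opt-out",
  optOutChannel: "in-interface",
};

// What the patient sees after pressing Continue with `choice` selected
// (null = nothing selected). Returns the outcome rather than rendering it.
function pressContinue(step, choice) {
  if (choice === null && step.requireAcceptToContinue) {
    return { proceed: false, error: "This form is mandatory. Please accept the form to continue." };
  }
  if (choice !== null && !step.choices.includes(choice)) {
    return { proceed: false, error: `"${choice}" is not offered on this screen.` };
  }
  // HIPAA requires asking for acknowledgement, not obtaining it: when the
  // patient declines or does not respond, document why no signature was obtained.
  const record = choice === "I accept"
    ? { acknowledged: true }
    : { acknowledged: false, reason: choice === null ? "patient did not respond" : "patient declined" };
  return { proceed: true, record };
}

// Audit a step's configuration for the three failures the reporting documents.
function auditConsentStep(step) {
  const findings = [];
  if (step.requireAcceptToContinue) findings.push("acknowledgement forced as a condition of proceeding");
  if (!step.optOutLink) findings.push("opt-out described but no live link provided");
  if (step.optOutChannel !== "in-interface") findings.push("opt-out routed outside the registration interface");
  const symmetric = step.choices.includes("Say No Thanks") && !step.requireAcceptToContinue;
  return { symmetric, findings };
}
```

Run `auditConsentStep` over each consent step a vendor ships; any step that returns `symmetric: false` or a non-empty `findings` list is one where the paper policy and the deployed interface disagree.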
