The form asked my permission to share my health data. Then it wouldn’t let me say no. – The Markup
Skip navigation
The form asked my permission to share my health data. Then it wouldn’t let me say no.
By Alex Rosenblat
May 27, 2026 8:00 a.m. UTC
Viewable online at<br>https://themarkup.org/privacy/2026/05/27/opt-out-dark-patterns
Share This Article
Copy Link
Republish
The Markup, now a part of CalMatters, uses investigative reporting, data analysis, and software engineering to challenge technology to serve the public good. Sign up for Klaxon, a newsletter that delivers our stories and tools directly to your inbox.
When Paula Stannard, one of the federal government’s top healthcare privacy officials, visited her eye doctor this year, she was asked to sign a form, acknowledging she’d received a privacy notice about how the office would use her health data.
“Had I received the notice of privacy practices? No,” she told an audience at one of the nation’s largest health industry conferences in March.
“I did not want to tell them who I was and why they should not be doing that,” said Stannard, who is director of the Office for Civil Rights at the U.S. Department of Health and Human Services. “But I did write a note that says, ‘I have not received this. I am not acknowledging receipt.’”
Stannard’s story is all too common.
Over the last year, I’ve interviewed more than 20 patients, healthcare providers, experts and advocates about the privacy forms they must sign to get care at their providers’ offices.
Hello World
During my kid’s surgery, I was denied a copy of my consent form — then sent to a ghost office
Help us understand the challenges patients face opting out of voluntary uses of their data, or getting access to their records.<br>July 19, 2025 8:00 a.m. UTC
Time and again I was told the same thing: Across the country, from large hospital systems to small, private clinics, patients are being asked to sign waivers blindly without knowing exactly what they’re signing.
When patients ask to see more, staff usually don’t have an easy way to show them. When patients do get the forms, it tells them all the ways their medical data will be shared and reused, and some of the ways patients can refuse. But electronic systems make it impossible to opt out on the spot, requiring follow up emails.
Records sharing between unaffiliated providers through these networks can benefit patients by making their scattered records more visible to the provider who is treating them.
But it can also harm patients.
Patients seeking an abortion may not want records to travel with them from a state where that treatment is legal to one where it is criminalized.
In other cases, companies, such as GuardDog, have admitted to accessing patient records “under the guise of treatment” and funneling them to personal injury law firms.
Researchers have also found healthcare workers snooping through electronic health records. Other dangers include data breaches and serious potential for misuse, such as domestic abusers stalking their partners though the pediatric records of their children.
There’s not much patients can do to limit the risks of their data being available across networks, except by aggressively pursuing opt-outs when providers offer them. Turns out, that can be pretty hard to do.
Gale Oleson is a retired dermatologist in Missouri who recalled visiting the emergency room after a hand injury.
“They hand me the signature pad,” he said. “They said, you have to sign this so we can do the procedure. And I said, well, I don’t know what the heck I’m signing. Is it like you get my house today? You know, you could be taking my car, you know, signing over my life insurance. And they just laugh, you know?
“… In those situations, I’ve had them either turn the screen to me or I request that they print out a copy for me to review and they’ve always done it, but it’s always a ‘I forgot how a printer works’ kind of thing.”
Experts have a name for this practice: “Dark patterns,” which are manipulative design choices that steer people into doing things or making decisions they otherwise would not make. It’s easier to check the box to say that you’ve received the privacy notice, even if you haven’t. It’s easier to sign the digital signature box, even if you can’t see what you’re signing.
Report Deeply and Fix Things
Because it turns out moving fast and breaking things broke some super important things.
Give Now
The alternative — saying you didn’t get the privacy notice, or asking repeatedly to see what you’re signing — sounds like a simple request, but can be scary for patients. Many of the patients I’ve interviewed, including a lawyer who works as a privacy advocate, told me they’re afraid that speaking up or pushing back against terms they don’t agree to will make health providers categorize them as inconvenient patients and make it harder to get the care they need.
As a privacy researcher, I’ve experienced this hesitation...