Hello readers,

I’m Alex, the Director of Sociotechnical Research at The Markup and CalMatters, and I’d like to talk about privacy in the context of healthcare. 

For more than seven years, I’ve been opting out of voluntary uses of my data when I go to medical appointments. In the process, I’ve seen everything from consent forms that deceive patients into letting advertisers mine their personal health data, to forms that automatically sign you up for mandatory arbitration while scheduling an appointment. As I explore how patients can lose control over their information or choices, I’ve become interested in something simpler: the challenges patients face when trying to access their own records and getting a copy of what they’ve agreed to. In the digital age, we might expect access to be simple, but the ways that organizations manage information, or fulfill their duties to comply with certain laws, can complicate it. I want to understand how providers, patients and other stakeholders grapple with technologies that affect patient care and trust. 

Which brings me to early April, when my toddler had a minor surgery at the Morgan Stanley Children’s Hospital, part of the New York-Presbyterian hospital network in Manhattan. To see a physician, patients or their guardians have to sign forms agreeing to policies for treatment, payment, and privacy. Healthcare providers in turn are legally required to provide most of these records back to patients under a combination of state and federal laws. But as I experienced firsthand at New York-Presbyterian, actually getting them can be extremely difficult.

Initially I had to figure out how to get copies of two sets of forms provided to me digitally in the hours prior to surgery. Then came a last-minute consent I signed on a doctor’s phone, which was printed out for me to confirm my signature, but never handed over. Doing so, I was told, would violate federal law. I was referred instead to a medical records office across the street that turned out not to exist—then wandered into a completely different office that gave me everything I wanted. Things only got more weird from there, as you’ll see below.

But first I should note why it’s important that patients can get copies of their privacy forms. One reason is that the forms usually have instructions on how patients can opt-out of their medical data being used in unwanted or unexpected ways. For example, most states collect a mandatory blood sample from newborns to screen for certain disorders, and some states have kept genetic information on file for decades and even provided the data for use in criminal investigations. A few weeks after my now-toddler was born in New York, wanting to protect his genetic privacy, I followed the instructions on his hospital paperwork to have the state’s Department of Health destroy his sample after screening was complete. 

Patients also need copies of their paperwork to prove when they didn’t agree to certain terms. For example, Phreesia, the company that provides digital check-in services at my OB-GYN offices, deceptively claimed I consented to let it mine my personal health information for targeted marketing when I was pregnant. My own records contradicted the company’s claims, and after three months of back and forth, Phreesia representatives finally admitted they were wrong. As Health and Human Services intervened, Phreesia started warning patients explicitly that the form is optional, when they used to label it as “required.” 

These reasons are why, in 2025, the night before my toddler’s surgery, I used a screen recorder on my iPhone to capture the pre-registration paperwork as I filled it out.

Little did I know that, on the morning of the surgery and in the weeks that followed, I’d be asked to jump through hoop after hoop to get a copy of each of my toddler’s medical and administrative records.

I followed the rules that the hospital and nurses set out for me, but they weren’t following the rules, which meant I had to keep asking. Each time I did so, I wondered: Am I jeopardizing the goodwill of the people who I rely on for care?

The next morning, many new forms were waiting for us when my family arrived at the hospital at 6 a.m., the recommended two hours prior to my kid’s surgery, during which he couldn’t eat or drink anything. We’d followed a path of yellow star stickers that led us from lobby security to the office of patient registration. My toddler made plaintive requests for snacks that I was so sorry I couldn’t give him while I tried to focus on a yellow tablet they handed me to complete check-in. When I was done, the staff promised they would later print me a copy of the forms I just filled out, and we headed upstairs to pediatric surgery. My husband distracted our hungry toddler by tracing the letter “G” for Grover in a Sesame Street book, and my son settled into a disappointed silence, dressed in hospital-issued clothes: A purple gown and yellow pants two sizes too big. 

New medical staff came in and out, asking questions or providing instructions and information. One doctor asked me to sign a final, surgical consent form using his phone. After he left, I asked the attending anesthesiologist who followed for a printed, completed copy of it after the surgeon signed it too. He told me that should be fine. 

The staff did print a copy of it, but wouldn’t share it with me. As my toddler was bundled into a movable bed so they could wheel him into surgery, the staff showed me only the last page of the three-page surgical consent form I’d signed on the doctor’s phone. They wanted me to verify that it was indeed my signature while the surgeon stood next to us, ready to go. I asked for a copy of the completed consent, and a nurse from the surgical team said yes, we can give it to you, before another nurse from the floor interjected to say she can’t give me a copy because it’s against hospital policy, which requires that I get it from the medical records department.

My toddler, looking resigned to his fate, was whisked away and I shifted gears. The nurse had left to ask her colleague, who specifically helps patients navigate the hospital, where the medical records department was. When she came back, she told me that it’s in the Milstein hospital building across the street. 

After storing our things in the waiting room locker, I went to the nurses station on the pediatric surgical floor and asked to take a photo of the printed form they had already shown me, the one from the doctor’s phone. They refused, saying that to allow me to do so would be in violation of the Health Insurance Portability and Accountability Act, or HIPAA, and hospital policy. Instead, they reiterated I should go across the street and find the medical records department in the adult hospital. At that moment, I knew that under HIPAA, I was entitled to a copy of my medical records, but I hesitated to make my case too forcefully while my toddler was going under the knife.

I was nervous to stray from the waiting area, but with up to an hour to kill, I set off to find it. Early April is chilly in New York, and wind whipped through my light coat as I turned the corner onto a long city block, and passed through a noisy construction zone. At the next hospital, I approached the information services desk to ask for directions to the medical records department. 

“Doesn’t exist,” said the gentleman at the desk, “unless you’re here for X-rays.” Instead, he produced a flyer with a poorly cropped photocopy on guidance for “Requesting Medical Records” from a third-party vendor called Verisma. I criss-crossed back around the block through large trucks beeping their way into unloading docks. 

On my way back, instead of going back upstairs and asking the nurses what else I should do — I thought I’d try asking a different person for help, someone who had seemed helpful earlier in the day.

I followed the yellow footprints back to the office for patient registration on the first floor, where I had filled out forms on a yellow tablet at 6 am. So far, out of the seven doctors, nurses and staff I’d asked about getting a copy of my toddler’s forms at the hospital, only the woman at patient registration had personally agreed to print me a copy.

I was still in disbelief that it could be hospital practice to send patients, or their worried parents, across the street to a ghost department, or that hospital staff wouldn’t allow a patient to take photos of the forms she just signed.

Sure enough, when I asked her if she could print out the forms I signed upstairs, in addition to the ones I signed with her earlier this morning, she immediately said yes. Without any prompting, she also noted specifically that she could share the forms because I was asking for my own (and my toddler’s) records.

Afterward, I headed upstairs with copies of all my signed forms, and reviewed them in the waiting room next to my husband, trying to verify that everything was there. I was still in disbelief that it could be hospital practice to send patients, or their worried parents, across the street to a ghost department, or that hospital staff wouldn’t allow a patient to take photos of the forms she just signed. 

I wanted to know how other patients could avoid the runaround I’d been through, in part because it’s professionally relevant to me: At CalMatters and The Markup, I’m launching a research project examining the hidden terms in patient registration paperwork, challenges in opting out of voluntary uses of patient data, and obstacles in obtaining copies of patient records. 

So I went back to the nurses’ station on the surgical floor, because I know that’s what many patients would do. I wanted to know: If a patient followed instructions, would they get their forms? I showed two nurses the flyer and explained that “medical records” did not exist as a physical location, to their surprise. 

The nurses then kindly started sharing suggestions for what I — or any other patient — can do when up against refusals like, well, the one they gave me. Over the next two months, I tried most of their suggestions, and only one (so far) worked. All of them took me days, if not weeks, to pursue:

• Contact the doctor’s office, and different departments, including billing and patient administrative services.
  
  Over several weeks, I called the doctor’s office twice, messaged them through a widely-used health information app called MyChart, and spoke with patient administrative services three times. None would directly give me the surgical form, or other records I requested, such as to validate the medical bill they did send.

• Look for my signed forms online, using MyChart, the hospital’s digital patient portal.
  
  The patient portal is called NYP Connect (a branded version of MyChart), but I hadn’t logged into MyChart for this surgical appointment, so trying to figure out how to login or whose account (me or my toddler’s) to check took time, including renewing old account credentials. There were no records I sought on either account.
  
• Apply for my records through Verisma, the company on the flyer.
  
  This one did work, although it took a week. The surgical consent was on page 102 of the 111 page-PDF I received from Verisma after paying $6.50 to have his surgery records sent to my email (records are free of charge if patients ask Verisma to deliver them through MyChart). 

During this process, the patient services administrator I talked to told me there was no policy preventing patients from taking a photo of their own signed consent form. 

Before publishing this article, I also reached out to the hospital for official comment. Eilis Stoner, media relations associate at New York-Presbyterian, said that patients can access their medical records through Verisma or through the hospital network’s patient portal NYP Connect, both of which are listed on their medical records page. Stoner did not respond to questions about the hospital’s policy on patients taking photos of their forms, or printing out copies of signed forms for patients.

There are a few privacy scholars, like Janet Vertesi and Anya Prince, who have written about how difficult it is for them to hide information about their pregnancies from advertisers. But the effort, which can include buying extensive gift cards to make anonymous purchases for diapers or a stroller, can make a privacy-minded person look like a criminal. 

I had the opposite problem: I wanted information about myself from the system, and hospital staff prevented me from getting it. 

Even though I know that HIPAA is designed to protect my rights to privacy and to access my health information, I’m still worried about becoming an object of suspicion. I followed the rules that the hospital and nurses set out for me, but they weren’t following the rules, which meant I had to keep asking. Each time I did so, I wondered: Am I jeopardizing the goodwill of the people who I rely on for care?

Five days after my toddler recovered, I wrote to the New-York Presbyterian’s HIPAA office to ask: Does the hospital really have a policy that prevents patients or their parents and guardians from obtaining a completed, printed copy of their own consent form at the visit, or photographing their own consent during the time of signing and at the appointment? The office emailed me a form letter back, which included my incident number, and a website where I could go to see the status of my inquiry. When I clicked on the website, it asked me to login with credentials from one of three major medical centers (one of which was New-York Presbyterian), which I clearly didn’t have. I emailed the hospital’s IT service desk for help. I haven’t heard back in over three months.

Kelly Gillespie, a health law professor at Saint Louis University, said that in this case, “HIPAA does not cover a patient’s right to have their records right now, but you have a right to it within 30 days at the maximum if the state doesn’t have a shorter timeline, there’s no question.” 

As a patient, it’s my practice to take a photo or a video of what I’m signing as a hedge, so that I have direct control of my information, and so I can refer back to what I signed, especially if I’m in a rush.

“I think it’s much more difficult to know what you’re signing and read what you’re signing when you’re handed an iPad,” said Diane Spicer, an attorney with the Community Service Society of New York who specializes in health care systems and health insurance. “Sometimes you don’t get to see the actual document on the iPad, but you get a signature pad and the person says, ‘now you’re signing this.’”

We often hear that digitizing paperwork makes it more efficient to manage information, but as the director of socio-technical research at CalMatters and The Markup, I want to understand for whom — and where work is offloaded to others, like staff or patients. 

If you’re a patient (or act on behalf of one), a healthcare worker, a vendor, or simply interested in this area, I want to understand how new and emergent technologies, like artificial intelligence, affect your healthcare and your privacy. 

Please reach out if you have experiences, or leads that might be helpful, or if you just want to chat about questions like these: 

• Did you receive targeted ads about your, or your family’s, health after registering for an appointment? 
• Have you faced challenges accessing your medical records, such as when you seek a new consult or try to validate your medical bills?
• What experiences have you had with AI services, from note-taking to diagnostics?
• What challenges have been resolved from digitizing registration? What has gotten worse?

Here’s how you can get in touch:

• You can email me at arosenblat@calmatters.org. 
• If you’re worried about being tracked or discovered, you can send me messages and files securely by messaging me on the Signal app (download it here). My number on Signal: 530-364-1838
• If you want to share files with me, you can email them to me or upload them securely here. We use an end-to-end encrypted service. That means the files and messages cannot be read by anybody other than you and The Markup and CalMatters. Be aware that sending anything from a work computer, using work email, or on work Wi-Fi networks can create additional risks.

If you’d like to formally participate in the research project I’m doing on patient registration and records, you can participate here. This study has been reviewed by an institutional review board (IRB), which is a committee that has reviewed this research study to help ensure that your rights and welfare as a research participant are protected and that the research study is carried out in an ethical manner.

Thanks for reading,

Alex Rosenblat
Director of Sociotechnical Research
The Markup and CalMatters