I declined to share my medical data with advertisers at my doctor’s office. One company claimed otherwise

I care deeply about privacy, and as a professional researcher, I take meticulous notes.

During my recent maternity leave, I spent most of my hands-free time trying to figure out why my doctors were trying to give my medical data away to advertisers — even after I opted out.

I had two different providers for the duration of my pregnancy, because one closed their doors before my baby arrived. At both providers, upon my arrival the staff would hand me a tablet made by Phreesia, a company with a roughly $1.7 billion market cap, to check in. Phreesia collects demographic information, with fields including information as sensitive as the number of abortions the patient has had and their social security number. Each time I checked in, a form labeled “Required” in bright red letters sought authorization to share my data.

But that label was deceptive — and felt intentionally so.

Patients are indeed required to acknowledge a typical HIPAA privacy policy in order to be seen so that their physicians’ practices can use that data for internal operations or billing, for example.

This HIPAA authorization form was different. Phreesia was asking for consent to mine the data I entered through the check-in process to show me targeted ads. Buried eight paragraphs down is language informing me I can opt out without losing access to my providers, but most readers likely click through hurriedly so they can get to their appointment in time. My OB-GYNs are committed to the ethics of patient confidentiality. Why would they encourage me to give away my reproductive privacy at the digital front door to their office?

I methodically clicked “I decline” to the terms at each routine visit and kept a photo record, but that wasn’t enough to safeguard my consent. Staying in control of my data privacy is a burden that requires proactive attention. Pregnancy is exhausting, and I already had a very active toddler to run after, plus a full-time job. A patient seeking a long-awaited appointment with a specialist isn’t going to cancel, even if they are uncomfortable, because getting care is the priority. And yet, privacy harms add up. The Markup investigated hospitals that send your data to Facebook, Google and others when you visit their websites. The Federal Trade Commission recently fined GoodRx $1.5 million for doing the same and banned the company from sharing consumers’ sensitive health information for advertising when patients use its service to obtain discounts on prescription drugs.

In September, after revisiting a June 2022 article about Phreesia’s privacy practices, I wrote to its privacy inbox to confirm that it had no consent from me on record. To my surprise, the representative, a compliance analyst, simply offered to revoke my authorization. I was horrified and suddenly wracked with self-doubt. Had I accidentally clicked “I accept” when I was in pain or distracted, responding to a work email or coordinating a school pick-up? Revoke it, I indicated, but please show me the proof that I had accepted in the first place.

On the day I gave birth, the Phreesia representative replied, “Unfortunately, since we have deleted your authorization, we no longer have a copy of that authorization on file to provide you.” I read their response when I was emerging from the newborn haze a few weeks later and was incredulous. I wondered, pessimistically, if they could opt in everyone who opts out, and simply revoke it when they’re caught. Would a surgeon tear up your consent form after the operation was complete?

The blank authorization form states that patients are entitled to a copy, but Phreesia wouldn’t give them to me. They told me I’d have to go through my providers to get them. In between feedings and sleep training, I went on a fishing expedition to trawl through the details of every single visit I’d had that year, since they wouldn’t disclose the specific date where, they allege, I consented. To excavate my forms from the practice that closed, I had to go through the company that acquired them, Optum Health (owned by UnitedHealth Group). When I reached their director of privacy at the end of November, she told me, “I don’t think we’ve had other complaints about Phreesia to date.” It took me over a dozen calls, more than 30 emails, and in-person visits over two to three months just to get to that point. Even motivated patients would struggle to be heard.

At the end of one visit after the birth, my physician asked if there was anything else. I hesitated. Privacy injuries are intangible and diffuse, and women often report that even their physical pain is dismissed as unreal across health care settings. I briefly mentioned I was having trouble obtaining a phantom Phreesia authorization form. Kindly, she wrote her personal email down and the name of their practice’s CEO, and offered the very useful advice that I should go through patient services, not medical records.

Optum requested an explanation from Phreesia, and their senior product counsel admitted to me in December, “we have been able to conclude that you did not provide an authorization.” Phreesia attributes a source of their confusion to a blank authorization form they received on one occasion where the staff checked me in manually. Phreesia told my provider, who then told me, that the date of that visit was in late November, about six weeks after Phreesia confirmed they revoked my errant authorization. It doesn’t add up, but I checked my records. I was midway through the tablet check-in when it started conducting a screening survey for postpartum depression. I stopped and handed it back to the staff, explaining I’d be happy to be screened by my physician, but not through Phreesia. They pressured me to continue, but eventually conceded. Resisting the screens for patient intake services at any provider’s office, such as by asking for paper copies, is a nuisance to the admin staff, who now have to locate papers that aren’t on hand. Many ask you to sign blindly into the electronic signature box to acknowledge their privacy policy without showing it to you.

Phreesia says I was never shown any sponsored content on the basis of that dubious authorization form, but that doesn’t mean I didn’t experience any harm. Legal scholars Daniel Solove and Danielle Citron argue that the risk and anxiety of future injury is the harm, citing data-breach victims who might avoid applying for a mortgage or a new job for fear that their credit reports are marred by theft. Avoiding health care services is impractical, but keeping my privacy at the doctor’s office should be straightforward. When I followed Phreesia’s direction to read its privacy policy on its website, it used trackers, much like many hospital websites do, to send my data to Facebook, used session recording, which monitors the behavior of visitors to the sites, such as mouse movements and scrolling, and sent my data to ad tech companies, which I was able to check with Blacklight, a privacy inspector.

I did everything I could to make educated, informed choices about my consent, and it wasn’t enough. (Phreesia has not responded to my request for comment.) The policy solution is clear. Some types of data should simply never be shared for advertising purposes, a policy goal that the FTC is pursuing. The Department of Health and Human Services could also implement a rule against pressuring patients to provide consent, as health law professor Frank Pasquale observed to me.

To be sure, Phreesia might argue that targeted ads are useful because they could make patients aware of a hitherto unknown cure, and that is a core part of their business value proposition to investors. Indeed, Phreesia’s SEC filing notes that, “patients exposed to a brand campaign using the Phreesia Platform are over four and a half times more likely, on average, to have a prescription filled for that product than control patients.” But if there’s a medication I should consider, isn’t my provider equipped to make that recommendation without involving advertisers?

The products we encounter at the doctor’s office should be safe to use. Corrective actions would be simple and meaningful to make. Phreesia could email patients a copy of their authorization forms, for example, and the form itself should be labeled “Optional” not “Required.” But all privacy policies should contain clearly marked and usable fields to opt out at the time you acknowledge them. Moving toward a default opt-out model would reverse the onus on the patient to navigate and verify complicated processes for revoking their consent, such as by writing to a privacy inbox, after the fact. To protect patients, we should separate the business of ad tech from the business of getting care.

Alex Rosenblat is an ethnographic sociologist and the author of Uberland: How Algorithms Are Rewriting the Rules of Work. She is an affiliate of the Data & Society Research Institute and a former fellow with the Aspen Tech Policy Hub.

Correction: A previous version of this essay misstated the name of UnitedHealth Group.