I'm also just annoyed at the concept of having to unsubscribe over and over again.
My question is: could anything here be construed as a HIPAA violation?
If this really has you irked and you want to do something about it you can file a formal complaint.[1] I would have to think that a call from the OCR would get a practice thinking more about their patients’ privacy and that must be a good thing.
I think it is unlikely that they are breaking any laws. The practice likely posted their Notice of Privacy Policy, and you may have even signed something. Once you allowed them to share your health data, your right to revoke that consent is largely dependent on if the data is considered sensitive (ie substance abuse and mental health data) and your state and local laws.
It is shocking to me how far removed people are from the ownership of their health data. I’m really passionate about changing that. If anyone is interested in working on this problem feel free to reach out.
1. https://www.hhs.gov/hipaa/for-individuals/guidance-materials...