Because HIPAA does not adequately protect patient privacy and consent, or control over private health information, but allows stronger state privacy laws, state legislators should consider passing patient consent requirements for sharing protected health information, and prohibiting a provider from refusing to treat a patient who exercises their right to not share information or to modify consent forms to limit data-sharing.