HIPAA Compliance for Medical Spas
Medical spas operate in a HIPAA gray zone. Some are covered entities, some are not, and the same business may shift in or out depending on what services it offers. This guide walks through the analysis and the controls that apply either way.
Short answer
Whether a medical spa is a HIPAA covered entity depends on what it actually does, not what it calls itself. Photographs used for before-and-after marketing are a recurring compliance gap. This guide covers the covered-entity analysis, the photo authorization rules, and state medical board overlays.
Medical spas are one of the most consistently misunderstood corners of HIPAA. The business sits at the intersection of medicine and retail aesthetics, often under a physician’s license but operating like a salon. Whether HIPAA applies, and to which records, requires a deliberate analysis that most med spas have never conducted.
This guide is written for practice administrators at physician-owned medical spas, dermatology practices that operate aesthetic divisions, and standalone aesthetic businesses operating under a medical director.
Why medical spas have unique HIPAA exposure
Three structural features of medical spas create HIPAA risk patterns that traditional clinics do not face:
- The covered-entity question is genuinely live. A med spa may be a covered entity, may not be, or may be a covered entity for some records and not others.
- Before-and-after photographs are central to marketing and are routinely posted publicly. Photos that identify a patient are PHI when tied to a treatment record, and marketing use requires authorization under § 164.508.
- Social media is a primary acquisition channel, and the line between marketing the practice and marketing a specific patient’s results is easy to cross.
Top HIPAA risks for medical spas
The risks below appear consistently in regulatory actions and state medical board complaints involving med spas.
- Posting before-and-after photos without a current, signed authorization meeting § 164.508 elements.
- Using a general intake-form consent as if it were a marketing authorization.
- Tagging or naming patients in social media posts about their results.
- Responding to public reviews in ways that confirm the person was a patient.
- Operating as a covered entity in fact while having no Notice of Privacy Practices, no Security Risk Analysis, and no BAAs.
- Mixing medical procedure records (Botox, fillers, laser treatments under medical direction) with non-medical retail records in ways that make sorting impossible later.
- Front desk staff with full access to clinical photo libraries.
- Cloud-based photo platforms used without a BAA.
- Patient communication via direct messages on social platforms.
- Influencer or model treatments shared publicly without authorization, even when the patient consented verbally.
Vendor and BAA checklist for medical spas
Confirm BAAs for each of the following that handle PHI:
- EHR or aesthetic-specific clinical record platform.
- Photo management and before-and-after platform.
- Patient communication and CRM platform if clinical context is attached.
- Telehealth platform if the medical director conducts virtual visits.
- E-prescribing platform.
- Payment processor if clinical context is attached to charges.
- Email and SMS marketing platform if it segments based on services received.
- Cloud storage of clinical photos and records.
- Booking platform if it stores chief complaint or treatment plan data.
- IT managed service provider.
State law overlays affecting medical spas
State law often does more work than HIPAA in regulating medical spas. State medical boards typically define which procedures require physician supervision and impose recordkeeping requirements that apply regardless of HIPAA status. Several states have specific medical spa licensing or registration requirements. State consumer protection statutes regulate before-and-after advertising claims and may require additional disclosures. Some states classify aesthetic photographs as part of the medical record with their own retention rules. Telehealth-enabled medical direction across state lines picks up the medical practice rules of each patient state.
A medical spa that concludes it is not a HIPAA covered entity is still typically subject to state medical board rules that look very similar to HIPAA’s privacy and security expectations.
HIPAA compliance checklist for medical spas
- Conduct and document a covered-entity analysis for each service line; note where medical and aesthetic services produce different records.
- If any service line makes the practice a covered entity, complete a Security Risk Analysis and treat clinical records across the business as PHI.
- Adopt a marketing authorization form that meets every element of § 164.508 and use it for every photograph or testimonial intended for marketing use.
- Establish a written policy that prohibits social media posts identifying patients without a current authorization.
- Train front desk and aesthetician staff on the difference between intake consent and marketing authorization.
- Sign BAAs with every photo platform, CRM, and communication vendor that touches identifiable clinical information.
- Configure role-based access so only staff who need clinical photos for treatment have access to the full photo library.
- Adopt an approved patient communication platform; prohibit clinical communication via personal social media accounts.
- Audit your social media accounts annually for posts that identify patients without a current authorization, and remove posts that lack one.
- Maintain a process for handling expired authorizations: when an authorization expires, the marketing use must stop and the content must be taken down.
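The authorization-gating and expiry-audit items above can be operationalised as a small check run before any identifying post goes out and again during the annual audit. The following is an added example, not code from the guide or from PHIGuard; the record shapes, field names and sample authorizations are constructed, and expiration is modelled as a date even though § 164.508 also permits an expiration event.

```python
# Added example (not from the original guide or PHIGuard): a publishing gate and audit
# for marketing use of patient photos under § 164.508. Record shapes and data are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Core elements required by § 164.508(c)(1); expiration is modelled as a date
# here (the rule also allows an expiration event).
CORE_ELEMENTS = ("description", "authorized_by", "recipient", "purpose",
                 "expiration", "signature_date")

@dataclass
class Authorization:
    patient_id: str
    elements: dict                  # element name -> value
    revoked_on: date | None = None  # date of written revocation, if any

    def covers_marketing(self, on: date) -> bool:
        """Complete, names marketing as the purpose, not expired, not revoked on `on`."""
        if any(not self.elements.get(e) for e in CORE_ELEMENTS):
            return False
        if "marketing" not in str(self.elements["purpose"]).lower():
            return False  # an intake/treatment consent is not a marketing authorization
        if self.revoked_on is not None and self.revoked_on <= on:
            return False
        return on <= self.elements["expiration"]

@dataclass
class Post:
    post_id: str
    patient_id: str | None          # None when no identifiable patient appears
    authorization: Authorization | None = None

def may_publish(post: Post, today: date) -> bool:  # gate run before anything is posted
    if post.patient_id is None:
        return True  # marketing the practice, not a specific patient's results
    a = post.authorization
    return a is not None and a.patient_id == post.patient_id and a.covers_marketing(today)

def takedown_queue(posts: list[Post], today: date) -> list[str]:  # annual audit step
    return [p.post_id for p in posts if not may_publish(p, today)]

def _auth(pid, purpose, expires):  # constructed sample authorizations
    return Authorization(pid, dict(description="before/after photos", authorized_by=pid,
                                   recipient="clinic social media", purpose=purpose,
                                   expiration=expires, signature_date=date(2024, 6, 1)))
TODAY = date(2025, 6, 1)
POSTS = [Post("post-1", "p1", _auth("p1", "marketing", date(2026, 1, 1))),  # current
         Post("post-2", "p2", _auth("p2", "treatment", date(2026, 1, 1))),  # intake consent only
         Post("post-3", "p3", _auth("p3", "marketing", date(2025, 3, 1))),  # expired
         Post("post-4", None)]                                              # no identifiable patient
```

Running `takedown_queue(POSTS, TODAY)` returns the posts that must come down: the one relying on an intake consent and the one whose authorization has expired.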
For broader compliance operations guidance, see our compliance operations library and the practice type library. To see how PHIGuard supports medical spas and aesthetic practices with current pricing, see our HIPAA overview.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.