Yes, HIPAA Applies to Your Med Spa
If your medical spa provides services under a licensed healthcare provider, you are a HIPAA-covered entity. Before/after photos, treatment records, and patient health histories are all protected health information.
Before/After Photos Are Protected Health Information
Many med spas store patient before/after photos on personal phones, shared drives, or social media accounts without proper consent or security. These photos — when linked to a patient identity — are protected health information under HIPAA. Storing them on unsecured devices, sharing via text message, or posting without proper authorization is a HIPAA violation. The OCR has investigated and fined providers for exactly this practice.
Security Built for Med Spas
Photo & Media Security
Secure storage for before/after photos with access controls, encryption, and compliant consent management.
PCI + HIPAA Compliance
Med spas handle both health records and payment data. We ensure dual compliance without the complexity.
Endpoint Protection
EDR on every device including iPads, treatment room tablets, and front desk systems.
Staff Training
Security awareness training covering photo handling, social media policies, and patient data protection.
How We Protect Med Spas
Compliance Check
We assess whether HIPAA applies to your specific services and identify compliance gaps.
Secure Systems
Deploy encryption, access controls, and secure photo storage. Lock down patient portals and booking systems.
Train & Monitor
Staff training on HIPAA requirements for aesthetics, plus ongoing monitoring and compliance reporting.
Get a Free HIPAA Assessment for Your Med Spa
Med Spa HIPAA FAQ
HIPAA applies when your med spa provides services under a licensed healthcare provider (physician, NP, PA) and transmits health information electronically — which includes billing insurance, using an EHR, or electronically prescribing medications. If a medical director oversees your treatments and you handle any patient health information electronically, HIPAA applies.
Only with proper written HIPAA authorization from the patient, which must be separate from your general consent forms. The authorization must specify exactly how the photos will be used, where they will be posted, and the patient must be able to revoke authorization at any time. Generic consent forms that bundle photo release with treatment consent do not meet HIPAA requirements.
Purely aesthetic services (facials, non-medical massage, cosmetic treatments without a medical provider) may not trigger HIPAA. However, if the same business also provides Botox, fillers, laser treatments, or any service requiring a medical provider, then HIPAA applies to the entire practice — not just the medical services. Most med spas fall under HIPAA.
HIPAA compliance made simple
Protect patient data and avoid costly violations with our comprehensive healthcare cybersecurity solutions.
