Does HIPAA apply to med spas?

Yes, HIPAA applies to all med spas that perform medical procedures, prescribe treatments, or bill insurance. Even cash-pay med spas that never bill insurance are covered entities if they perform medical treatments. HIPAA violations carry fines ranging from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category.

What are the most common HIPAA violations in med spas?

The most common HIPAA violations in med spas include sharing before-and-after photos without written patient authorization, discussing patient information in non-private areas, sending unencrypted patient data via text or email, improper disposal of patient records, and failure to have signed Business Associate Agreements with vendors who access patient data.

How should a med spa protect patient data?

Med spas should implement encryption for all electronic patient records, use HIPAA-compliant communication platforms for patient messaging, maintain physical security for paper records, conduct annual risk assessments, train all staff on HIPAA requirements, and have signed Business Associate Agreements with every vendor that handles patient information. Access to patient data should be role-based and limited to those who need it.

How often should med spa staff receive HIPAA training?

HIPAA requires initial training for all new employees and recommends annual refresher training for existing staff. Best practices include quarterly reminders on key policies, immediate training when procedures change, and documented training records for every employee. Training should cover proper handling of patient photos, secure communication protocols, and breach reporting procedures.

HIPAA Compliance for Med Spas: The Complete Guide to Protecting Patient Data

A med spa in the Southeast recently learned a $150,000 lesson about HIPAA compliance. An aesthetician texted a patient's before-and-after photos to a colleague using her personal phone. The colleague, meaning well, shared the photos on the practice's Instagram story to show their work. The patient -- who had never signed a photo release -- saw the post, recognized herself, and filed a complaint with the Department of Health and Human Services (HHS) Office for Civil Rights.

The investigation did not just look at the Instagram post. It uncovered a pattern: unencrypted patient communications, no Business Associate Agreements with their scheduling software vendor, staff who had never received formal HIPAA training, and patient intake forms stored in an unlocked filing cabinet at the front desk. What started as one social media post turned into multiple violations. The resulting settlement cost the practice $150,000 in fines, plus $40,000 in legal fees, a mandatory corrective action plan, and two years of federal monitoring.

This story is not unusual. It is not even the worst case. And the uncomfortable truth is that most med spas are operating with HIPAA gaps they do not even realize they have. The aesthetic medicine industry sits in a uniquely risky position: you handle sensitive medical data, take intimate photographs, communicate casually with patients on personal devices, and operate in an environment that blurs the line between medical practice and consumer beauty service.

This guide walks through everything a med spa owner needs to know about HIPAA compliance -- not in abstract legal language, but in specific, actionable terms. What the rules actually require. Where med spas most commonly fail. And exactly what to do about it.

$100 - $50,000

Per violation, per occurrence. HIPAA penalties can reach up to $1.5 million per violation category annually. A single breach can trigger multiple violation categories at once.

Why Med Spas Are High-Risk for HIPAA Violations

Med spas are not hospitals. They are not large physician practices with dedicated compliance departments and IT security teams. But under HIPAA, they are held to the same standards if they perform medical procedures, maintain medical records, or bill insurance for any services. And even if you are entirely cash-pay, the moment your medical director writes a prescription, orders lab work, or refers to another provider, HIPAA applies to your practice.

What makes med spas uniquely vulnerable is the nature of the business itself:

Before-and-after photography. No other medical specialty takes, stores, and shares patient photos as routinely as aesthetic medicine. Every photo is Protected Health Information (PHI). Every unsecured photo is a potential violation. And the temptation to use them for marketing -- on social media, websites, and in consultations with other patients -- creates constant compliance risk.
Social media culture. Med spas live and die by their social media presence. Staff are encouraged to post treatment results, behind-the-scenes content, and patient transformations. Without strict protocols, patient-identifiable information leaks into posts, stories, and reels daily.
Casual communication channels. Staff text patients from personal phones. Front desk teams discuss treatment plans in open reception areas. Patient consultations happen in rooms where other patients can overhear. The relaxed, spa-like atmosphere that patients love is the same atmosphere that leads to lax data handling.
High staff turnover. The med spa industry has significant employee turnover, particularly among aestheticians and front desk staff. Each departing employee is a potential data risk -- do they still have patient information on their personal devices? Were their system credentials deactivated? Did they take patient lists with them?
Third-party vendor sprawl. The average med spa uses 6-10 separate software tools: scheduling, EMR, payment processing, marketing automation, text messaging platforms, photo storage, and more. Each vendor that touches patient data requires a Business Associate Agreement. Most med spas have BAAs with fewer than half of their vendors.
Open floor plans and shared spaces. Many med spas have open reception areas where conversations carry, shared treatment rooms with thin walls, and consultation spaces that double as break rooms. Physical privacy is an afterthought in most spa-designed environments.

The "we are cash-pay so HIPAA does not apply" myth

This is the single most dangerous misconception in the med spa industry. HIPAA applies to any entity that provides medical treatment and maintains medical records, regardless of payment method. If you have a medical director, administer injectables, perform laser treatments, or maintain patient health histories, you are a covered entity. Period. Cash-pay status does not exempt you.

The 5 HIPAA Rules Every Med Spa Owner Must Know

HIPAA is not a single law. It is a framework made up of five interrelated rules. You do not need a law degree to understand them, but you do need to know what each one requires of your practice. Here is the plain-language breakdown.

1. The Privacy Rule

The Privacy Rule governs how you use and share patient information. It establishes patients' rights over their own data and sets limits on who within your practice can access what. For med spas, the Privacy Rule means:

Patients must receive a Notice of Privacy Practices (NPP) at their first visit
You can only share PHI for treatment, payment, and healthcare operations without explicit patient consent
Marketing use of any patient information -- including before-and-after photos -- requires separate, signed written authorization
Patients have the right to access their records, request corrections, and know who has viewed their information
You must designate a Privacy Officer (this can be the owner, but someone must be formally named)

2. The Security Rule

The Security Rule focuses specifically on electronic Protected Health Information (ePHI). It requires three categories of safeguards: administrative (policies and training), physical (facility and device security), and technical (encryption, access controls, audit logs). For med spas, this is where most violations occur because the technical requirements are specific and non-negotiable:

All electronic patient data must be encrypted at rest and in transit
Every user who accesses patient data must have a unique login -- no shared passwords
Automatic logoff must be enabled on all devices that access patient records
You must maintain audit logs showing who accessed what data and when
You need a documented risk assessment conducted at least annually

3. The Breach Notification Rule

If a breach occurs -- unauthorized access to or disclosure of PHI -- you have strict notification obligations. The timelines are firm and the consequences for missing them are severe:

Affected patients must be notified within 60 days of discovering the breach
If the breach affects 500 or more individuals, you must notify HHS and local media
Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually
Notification must include what happened, what data was involved, what you are doing about it, and what patients should do to protect themselves

4. The Enforcement Rule

The Enforcement Rule establishes the penalty structure and investigation procedures. Penalties are tiered based on the level of negligence:

Tier	Level of Negligence	Penalty Per Violation	Annual Maximum
Tier 1	Did not know (and could not have known)	$100 - $50,000	$25,000
Tier 2	Reasonable cause (not willful neglect)	$1,000 - $50,000	$100,000
Tier 3	Willful neglect, corrected within 30 days	$10,000 - $50,000	$250,000
Tier 4	Willful neglect, not corrected	$50,000	$1,500,000

Here is the critical detail most med spa owners miss: each record affected counts as a separate violation. If a breach exposes 200 patient records and is classified as Tier 3, the penalty is not $10,000. It is $10,000 to $50,000 multiplied by 200. The math gets devastating quickly.

5. The Omnibus Rule

The Omnibus Rule, finalized in 2013, extended HIPAA requirements to Business Associates -- any vendor or contractor who handles PHI on your behalf. For med spas, this means:

Every vendor that touches patient data needs a signed Business Associate Agreement (BAA)
Your scheduling software, EMR, payment processor, email marketing platform, text messaging service, cloud storage provider, and even your IT support company all need BAAs
You are responsible for making sure your Business Associates are compliant -- their violations can become your liability
Subcontractors of your Business Associates (sub-associates) must also be covered

Quick BAA audit

Make a list of every software tool, vendor, and contractor who could possibly access patient information in your practice. Then check: do you have a signed BAA with each one? Most med spas discover they are missing BAAs for 3-5 vendors when they do this exercise for the first time. Common blind spots: your website hosting company (if patient forms go through the site), your social media scheduler, and your phone system provider.

Common HIPAA Violations in Med Spas

Understanding the rules is step one. Recognizing where your practice is most likely to violate them is step two. These are the violations that come up most frequently in med spa investigations and audits -- ranked by how commonly they occur.

1. Texting patient photos on personal devices

This is the single most common HIPAA violation in med spas. A provider takes a before photo on their personal iPhone, texts it to the medical director for review, then forgets to delete it. That photo -- sitting in an unencrypted text thread on a personal device with no passcode requirement -- is an unprotected copy of PHI. If that phone is lost, stolen, or accessed by anyone else, it is an automatic breach.

2. Unencrypted email communications

Sending patient appointment confirmations, treatment plans, lab results, or consultation notes via standard email (Gmail, Yahoo, Outlook consumer) violates the Security Rule. Standard email is not encrypted end-to-end. Even if your EMR is HIPAA-compliant, the moment you copy patient information into an unencrypted email, the protection is broken.

3. Front desk conversations in open areas

When your front desk confirms a patient's appointment details, discusses their treatment plan, or reviews their medical history in an open reception area where other patients can hear, that is a Privacy Rule violation. It happens dozens of times per day in most med spas and nobody thinks twice about it.

4. Unauthorized before-and-after photo sharing

Using patient photos for marketing, social media, website galleries, or consultation presentations without a signed, HIPAA-compliant photo release is a violation. And a general consent form that says "I agree to treatment" is not sufficient. The photo authorization must be a separate document that specifically describes how photos will be used, where they will be shared, and the patient's right to revoke consent at any time.

5. Improper record disposal

Tossing patient intake forms, printed treatment notes, or old records into a regular trash can is a violation. PHI on paper must be shredded using a cross-cut shredder. Electronic devices containing PHI (old computers, hard drives, tablets) must be wiped using certified data destruction methods before disposal.

6. Unlocked screens and shared logins

An unattended computer displaying a patient's chart in a treatment room or at the front desk is a violation. Using a single shared login for your EMR (the "front desk password that everyone knows") means you cannot track who accessed what, which violates the audit log requirement. Both are among the easiest violations to fix and the most commonly found during audits.

Non-Compliant Practices

Patient photos Personal phones

Communication Standard texts/email

Front desk check-in Open conversations

EMR access Shared passwords

Vendor agreements No BAAs

Staff training Verbal / none

Risk assessment Never done

Average fine risk $100K - $1.5M

HIPAA-Compliant Practices

Patient photos Encrypted app/EMR

Communication HIPAA-compliant platform

Front desk check-in Private check-in area

EMR access Individual logins + MFA

Vendor agreements BAAs with all vendors

Staff training Documented annually

Risk assessment Annual + documented

Average fine risk Minimal

Protect patient data automatically with RunMedSpa

Our HIPAA-compliant AI platform handles patient communications, scheduling, and data management with built-in encryption, audit logging, and BAA coverage -- so you can focus on treatments, not compliance paperwork.

Launching soon. Join the waitlist for early access.

You're on the list! Check your email for next steps.

Your Med Spa HIPAA Compliance Checklist

Here is the comprehensive checklist organized into three categories: physical safeguards, technical safeguards, and administrative safeguards. Use this to audit your current compliance posture. Any item you cannot check off is a gap that needs to be addressed.

Physical Safeguards

Patient intake forms and paper records are stored in a locked filing cabinet or room with restricted access
Computer screens displaying patient data are not visible to other patients or unauthorized staff from hallways or waiting areas
Treatment room doors are closed during consultations and procedures
The front desk has a privacy barrier or lowered-voice protocol for discussing patient information
A cross-cut shredder is available and used for all paper containing PHI before disposal
Decommissioned devices (old computers, tablets, hard drives) are wiped with certified data destruction before disposal or recycling
Visitor and vendor access to areas containing patient records is logged and restricted

Technical Safeguards

All electronic patient data is encrypted at rest (on devices and servers) and in transit (during transmission)
Every staff member has a unique login for all systems containing patient data -- no shared passwords
Multi-factor authentication (MFA) is enabled on EMR, email, and any system containing ePHI
Automatic screen lock activates after 2-5 minutes of inactivity on all workstations and tablets
Patient communications (appointment reminders, follow-ups, treatment plans) are sent through a HIPAA-compliant platform, not personal text or standard email
Wi-Fi networks used for patient data are separate from guest networks and secured with WPA3 encryption
Audit logs are enabled and track who accesses patient records, when, and what they viewed or modified

Administrative Safeguards

A designated Privacy Officer and Security Officer have been formally named (can be the same person)
A written HIPAA policies and procedures manual exists and is accessible to all staff
All staff complete documented HIPAA training at hire and at least annually thereafter
A current, signed Business Associate Agreement is on file for every vendor that accesses or handles PHI
A formal risk assessment has been conducted within the past 12 months and documented
A written breach notification plan exists and staff know how to report a potential breach internally

20 Items

If you cannot check off all 20 items on this list, you have HIPAA gaps. The average med spa we audit has 7-9 items that need remediation. Start with the items that carry the highest fine risk: encryption, BAAs, and staff training documentation.

Staff Training Protocol

HIPAA training is not a one-time orientation bullet point. It is an ongoing, documented program that HHS investigators specifically ask to see during audits. "We told them about HIPAA when they started" is not sufficient. You need formal, documented training with proof of completion.

What to cover in training

Every staff member -- clinical, administrative, and management -- should be trained on these topics:

What counts as PHI. Most staff underestimate what qualifies as Protected Health Information. It is not just medical records. Names, appointment dates, email addresses, phone numbers, photographs, payment information, and even the fact that someone is a patient at your practice are all PHI.
Minimum necessary standard. Staff should only access the minimum amount of patient information needed to do their job. A front desk coordinator does not need access to clinical notes. An aesthetician does not need to see billing records. Role-based access is not optional.
Proper communication channels. Which platforms are approved for patient communication? Where can photos be taken and stored? What cannot be discussed in the waiting area? Staff need explicit, specific rules -- not vague guidance.
Social media rules. Even posting a photo of an empty treatment room can be a violation if a patient's chart is visible on a screen in the background. Train staff on exactly what can and cannot be shared publicly, and require management review of all practice-related social media posts.
Breach recognition and reporting. Staff should know what constitutes a potential breach and exactly how to report one internally. The faster a breach is identified and reported, the better your response -- and the lower the potential penalty.
Device security. Personal phone policies, password requirements, screen lock protocols, and what to do if a device containing PHI is lost or stolen.

Training frequency and documentation

New hire training: Within the first week of employment, before the employee accesses any patient data
Annual refresher training: Required for all staff, every 12 months
Incident-triggered training: After any breach, near-miss, or significant policy change
Documentation required: Training date, topics covered, trainer name, and each attendee's signature confirming completion. Store these records for a minimum of 6 years.

Make training practical, not theoretical

The most effective HIPAA training uses real scenarios from your specific practice, not generic healthcare examples. Walk through your actual front desk check-in process and identify where PHI could be overheard. Show your team exactly where photos should be taken, stored, and shared. Role-play a situation where a patient's friend calls asking about their appointment. Practical, practice-specific training sticks. Abstract compliance lectures do not.

Technology Requirements for HIPAA Compliance

Your technology stack is either your strongest compliance asset or your biggest liability. The right tools make HIPAA compliance automatic and effortless. The wrong ones -- or the absence of proper tools -- create violations every day without anyone noticing.

Encrypted communications

Every message, email, or notification that contains patient information must be encrypted end-to-end. This means:

Patient messaging: Use a HIPAA-compliant messaging platform (not standard SMS or iMessage). Options include platforms with BAAs that offer encrypted text messaging, or patient portals with built-in secure messaging.
Email: If you email patients, use a HIPAA-compliant email service (not consumer Gmail or Yahoo). Services like Paubox, Virtru, or Google Workspace with BAA and encryption enabled meet the standard.
Internal communication: Staff should not discuss patients via personal text, Slack (without a BAA), or any unencrypted channel. Use your EMR's internal messaging or a HIPAA-compliant team communication tool.

Secure patient portals

A secure patient portal is not a luxury -- it is a compliance tool. Portals provide encrypted access for patients to view their records, sign consent forms, upload photos, and communicate with your team. They create an audit trail automatically and keep sensitive exchanges off insecure channels like email and text.

Business Associate Agreements with every vendor

Every software tool that touches patient data needs a signed BAA. Here is a checklist of the vendors most med spas use and whether a BAA is likely needed:

Vendor Type	BAA Required?	Common Blind Spot
EMR / Practice Management	Yes -- critical	Usually covered, but verify it is current and signed
Scheduling Software	Yes	Some consumer scheduling tools (Calendly, Acuity) do not offer BAAs on basic plans
Payment Processor	Yes	PCI compliance is not the same as HIPAA compliance -- you need both
Email Marketing Platform	Yes, if sending to patients	Mailchimp, Constant Contact, and similar tools require BAAs if patient lists include PHI
Text/SMS Platform	Yes	Many texting platforms are not HIPAA-compliant at all -- check before using
Cloud Storage (Google Drive, Dropbox)	Yes, if storing PHI	Consumer versions do not support BAAs. You need business/enterprise plans.
Website Hosting	Only if patient forms submit through website	Contact forms that collect health information create BAA requirements for your host
IT Support / MSP	Yes	Your IT provider likely has access to systems containing PHI -- they need a BAA
Answering Service	Yes	If they take patient messages or access scheduling, they are a Business Associate

Secure scheduling systems

Your scheduling system is a high-touch point for PHI. Patient names, contact information, treatment types, and appointment notes flow through it constantly. The system must offer encryption, individual user logins, audit logging, and a signed BAA. If your current scheduling tool cannot meet these requirements, it is a compliance liability regardless of how convenient it is.

The personal device problem

If staff access patient data on personal phones or tablets -- whether through an app, email, or text -- those devices fall under HIPAA's Security Rule. You either need a formal BYOD (Bring Your Own Device) policy with remote wipe capability and encryption requirements, or you need to prohibit PHI on personal devices entirely and provide practice-owned devices for clinical use. There is no middle ground.

Before-and-After Photo Compliance

Before-and-after photos are the lifeblood of med spa marketing. They are also one of the most regulated forms of PHI in aesthetic practice. Getting photo compliance right protects your patients, your reputation, and your business.

Consent form requirements

A HIPAA-compliant photo consent form is separate from your general treatment consent. It must include:

Specific description of what will be photographed
Exactly how the photos will be used (marketing, social media, website, in-office consultations, educational presentations)
Whether the patient's face or identifying features will be visible
The duration of the consent (or that it continues until revoked)
A clear statement that the patient can revoke consent at any time, in writing
A statement that refusing photo consent will not affect their treatment or care
The patient's signature and date

Do not bury photo consent in your general intake paperwork. It must be a standalone document that patients can read and sign with full understanding of what they are agreeing to.

Photo storage requirements

Photos must be stored on encrypted, access-controlled systems -- not personal phone camera rolls
Use your EMR's built-in photo feature, or a HIPAA-compliant photo management platform with a signed BAA
Photos must be backed up according to your data retention policy
Access to photo libraries should be role-based -- not every staff member needs access to all patient photos
When a patient revokes photo consent, their photos must be removed from all marketing materials within a reasonable timeframe (30 days is standard)

Sharing rules

Social media: Only post photos of patients who have signed a current, specific photo release. Remove identifying features if the consent does not cover face-visible sharing. Never tag patients or reveal their identity in captions.
Website galleries: Same consent requirements as social media. Maintain a log of which patients' photos appear on your website so you can remove them promptly if consent is revoked.
Consultation use: Showing one patient's photos to another patient during a consultation requires explicit consent for that use. "Marketing use" consent does not automatically cover in-office consultation sharing.
Staff sharing: Sharing photos between providers for clinical purposes (within your practice) is covered under the treatment exception, but only through secure, encrypted channels -- never personal text messages.

Photo Consent Language Template

AUTHORIZATION FOR USE OF PHOTOGRAPHS: I, [Patient Name], authorize [Practice Name] to take photographs, videos, or other images of me before, during, and/or after my treatment(s) at this practice. PERMITTED USES (check all that apply): [ ] Practice website and online galleries [ ] Social media accounts (Instagram, Facebook, TikTok, etc.) [ ] Printed marketing materials and brochures [ ] In-office educational displays [ ] Presentations at professional conferences or training events [ ] Consultation with other patients (anonymized/non-anonymized) IDENTIFYING FEATURES: [ ] My face MAY be visible in shared images [ ] My face must be CROPPED or OBSCURED in shared images REVOCATION: I understand that I may revoke this authorization at any time by submitting a written request to [Practice Name]. Revocation will not affect any uses made prior to receipt of my written revocation. I understand that signing this authorization is voluntary and that my treatment will not be affected if I choose not to sign. Patient Signature: _________________ Date: _____________

What to Do if a Breach Occurs

No matter how strong your compliance program is, breaches can happen. A lost phone, a misdirected email, a stolen laptop, a hacked vendor -- the breach vector is less important than your response. Having a documented breach response plan before an incident occurs is both a HIPAA requirement and your best protection against escalating penalties.

Step-by-step breach response plan

Contain the breach immediately. Stop the unauthorized access. Disable compromised accounts. Recover or remotely wipe lost devices. Disconnect affected systems if necessary. Document every action you take and the exact time you take it.
Assess the scope. Determine what information was exposed, how many patients are affected, who had unauthorized access, and whether the data was encrypted (encryption is a safe harbor -- if the exposed data was properly encrypted, it may not qualify as a reportable breach).
Document everything. From the moment the breach is discovered, create a detailed written log: who reported it, when, what happened, what data was involved, what containment actions were taken, and the timeline of events. This log will be critical for the HHS investigation.
Conduct a risk assessment. HIPAA requires a four-factor risk assessment to determine if the breach requires notification: (1) the nature and extent of PHI involved, (2) who accessed the information, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
Notify affected patients. If the risk assessment determines notification is required, notify all affected patients in writing within 60 days. The notification must include a description of the breach, the types of information involved, steps patients should take to protect themselves, what you are doing to address the breach, and contact information for questions.
Notify HHS. Breaches affecting 500+ individuals must be reported to HHS within 60 days through the HHS breach reporting portal. Smaller breaches must be logged and reported annually.
Implement corrective actions. Address the root cause. Update policies, retrain staff, fix technical vulnerabilities, and document everything you have changed to prevent recurrence.

The 60-day clock starts ticking when the breach is discovered

Not when you finish investigating. Not when you decide it is serious. The moment any member of your workforce becomes aware of a breach, the clock starts. This is why every staff member needs to know how to report a potential breach internally -- delays in internal reporting can push you past the notification deadline and trigger additional penalties.

Breach response team

Even a small med spa should have designated roles for breach response:

Privacy Officer: Leads the response, coordinates notifications, interfaces with HHS
IT lead (or MSP contact): Handles technical containment, forensic analysis, system remediation
Legal counsel: Reviews notification obligations, advises on liability, prepares for potential investigation
Communications lead: Handles patient notifications, media inquiries (if applicable), and internal staff communication

For solo practitioners or very small practices, you may fill multiple roles yourself. But have the plan written down, with specific action steps and contact information for your attorney and IT support, so you are not scrambling to figure out what to do during the crisis.

Building a Culture of Compliance

The med spas that avoid HIPAA violations are not the ones with the thickest policy manuals. They are the ones where compliance is woven into daily operations so deeply that it becomes automatic. Here is how to build that culture:

Lead from the top. If the owner or medical director treats HIPAA as a nuisance, staff will too. When leadership takes privacy seriously -- using encrypted communication, locking screens, asking about BAAs before signing up for new software -- staff follow the example.
Make it easy to be compliant. If the compliant way of doing something is harder than the non-compliant way, people will take shortcuts. Provide practice-owned devices for photos. Set up a HIPAA-compliant messaging tool that is as easy to use as regular texting. Auto-enable screen locks so staff do not have to remember. Remove friction from the compliant path.
Reward reporting, not silence. When a staff member reports a potential issue -- even if they caused it -- thank them. The worst thing that can happen is staff hiding potential breaches because they fear punishment. Early detection and honest reporting dramatically reduce penalty severity.
Audit regularly. Conduct quarterly walk-throughs of your practice looking for compliance gaps: unlocked screens, visible patient charts, unsecured filing cabinets, personal phones with patient photos. Make it routine, not punitive.
Update policies when things change. New software, new staff member, new treatment offering, new vendor -- each change is a potential compliance trigger. Build a habit of asking "does this change affect our HIPAA compliance?" whenever something in your practice evolves.

HIPAA compliance is not a one-time project you complete and forget. It is an ongoing operational discipline -- like hand hygiene or equipment sterilization. The practices that internalize it as part of their standard operating procedures are the ones that never end up in an HHS investigation. The ones that treat it as a checkbox exercise are the ones writing six-figure settlement checks.

Your patients trust you with their health, their appearance, and their most sensitive personal information. That trust is not just a moral obligation -- it is a legal one. Protect it with the same rigor you apply to the treatments themselves.

Let RunMedSpa handle compliance for you

Our HIPAA-compliant AI platform includes encrypted patient communications, secure scheduling, audit logging, and BAA coverage built in. Protect your patients and your practice -- on autopilot.