
7 Tips on How to Be HIPAA Compliant with Your MedSpa


Written by Camilla Mills



If you’re running a HIPAA compliant MedSpa, your clients know you’re offering the highest quality service. However, you’re walking a tightrope where you could be risking violations that could result in anything from $50,000 fines to time in jail. The first thing you need to do as a MedSpa is learn how to be HIPAA compliant so that you can train your staff and service providers.

As people age, they’re finding that medical spas can provide the kind of quick and simple skin care procedures they need to look healthy. Medical spas can get rid of wrinkles, spots, and keep the signs of aging at bay. As much as your clients love your services, they might not want everyone knowing that they don’t look so good naturally!

If you want to ensure that your office meets all the necessary HIPAA requirements, follow these 7 tips.

1. Confirmation Is Dangerous

As 84% of consumers now trust online reviews as much as a personal recommendation from a friend, what people say about you online matters. You can even ask your clients to provide reviews for your services. It’s perfectly legal for someone to say what a great experience they had.

They can mention staff members by name and provide whatever details they’d like.

However, when you jump in and confirm their statements, you could be in rough territory. Confirming their statements confirms that they’re a patient and that they had those treatments done. Saying more than “We appreciate the kind feedback” could land you in violation territory.

You can’t disclose what your clients had done or who they’ve worked with. You can thank them but never acknowledge a relationship. When you say they’re a patient or that they had XYZ service provided, you’re in a way revealing their private and sensitive information.

Steer clear of violations by keeping your responses vague.


2. Steer Clear of Advice

If you think you should provide any advice to someone who comments or asks a question online, hold back. While there are open forums where some medical professionals offer feedback to questions, it’s a very slippery slope that could land you in court.

If someone on a forum is a current client and you accidentally reveal that status, you’ve violated their privacy. If the discussion turns to specifics, turn back. Your best bet might be to avoid responding at all and to answer questions with links to your blog or service pages.

Giving out medical advice online is dangerous for a lot of reasons. People who don’t have adequate insurance or suspect they might have an issue could end up following feedback not intended for them. If you think someone needs your advice, tell them to schedule an appointment so you can give that feedback privately.

3. Disclaimers Are Your Friend

It’s a minefield trying to maintain the confidentiality of your patients. You can make it easier by adding disclaimers to your social media profile and any forum that you post to.

If you have a blog, include a disclaimer that allows people to know that you’re not giving out medical advice. And make sure you don’t give out medical advice!

The internet is a public venue where everyone has access to everything. If patients are posting comments, they should know that they could be posting private information to a public group of people. Let them know and you won’t have to worry about having any HIPAA investigators knocking on your door anytime soon.

4. Photos Can Cause Problems

Make sure you don’t include any patients in the photos you take and post on social media or in your marketing materials. If you imply that anyone but your staff or hired actors are patients at your MedSpa, you could be violating HIPAA requirements for privacy.

If you take any photos of patients, make sure you have permission before you publish anything. Just because you block out faces or only show a part of their body doesn’t guarantee their anonymity. Show respect for your clients and get them to sign a waiver.


5. Dispose of Trash Properly

If you have any personal information that goes in the trash, make sure that you secure your trash cans and that they’re picked up by a trusted disposal company. Some hospitals have shredding services or set aside a shredder for any patient information. Identity theft can happen just through poorly disposed-of trash.

Even writing information on a notepad or sticky note could reveal sensitive information. Pick up a HIPAA-compliant shredder and use it religiously. Train staff to get into the habit of using it too.

6. Keep Conversations Private

If you’re having conversations about any of your patients’ details, make sure they’re happening in the privacy of your office. Casually talking about patient services could give away more than you realize.

If someone sees another patient walking in and then hears details, they could be privy to information that is meant to be private. Don’t mention anything at the front desk. It’s disrespectful to your patients and shows a lack of professionalism with a disregard for HIPAA requirements.

Charts shouldn’t be left out in visible areas. If a chart has to be out, keep it in an envelope that is not marked with the name of the patient it pertains to.


7. Patient Lists Should Be Private

If you’ve got lists of your patients, people who are selling services or marketing for pharmaceutical companies might want that information.

Selling patient information is illegal. Recklessly allowing someone to get ahold of it has its consequences as well.

Learning How To Be HIPAA Compliant Takes Time

It could take some trial and error to get your office to become completely HIPAA compliant. While it might be second nature for staff to talk in the hallway, they might need to be trained to keep quiet about patients.

If you want to improve spa management to teach everyone how to be HIPAA compliant, check out our guide to management tricks.