
Compliance

The HIPAA checklist for medspas: what you actually need before paying clients walk in

Most medical spas operate in a HIPAA gray zone — somewhere between a salon and a medical practice, but treated like neither by the off-the-shelf software they buy. Here is what HIPAA actually requires, where state law adds teeth, and the vendor checks every operator should run before signing a contract.

The Lumè team · 12 min read

A short, uncomfortable fact: the Office for Civil Rights at the Department of Health and Human Services collected $144 million in HIPAA settlements between 2018 and 2024, and the per-violation civil penalty maxes out at $2.13 million per identical violation per year. Most medspas hear "HIPAA fine" and assume it does not apply to them, because they do not file insurance claims. That is half a story.

The other half is that several state attorneys general now enforce HIPAA-aligned obligations under their own laws — sometimes with broader scope than federal HIPAA itself — and the threshold for being treated as a "covered entity" is lower than it looks once you accept HSA cards, transmit treatment records electronically, or share lab results with a partner physician.

This piece walks through the practical compliance work that actually matters for a medspa: the threshold question, the ten Security Rule line items, the four state overlays most likely to apply, and the vendor checks you should run before you onboard new software.

Are you a covered entity? The threshold question

HIPAA distinguishes between two roles: Covered Entities (health plans, clearinghouses, and "health care providers who transmit any health information in electronic form in connection with a transaction" covered by HIPAA) and Business Associates (vendors who handle PHI on behalf of a Covered Entity).

The Covered Entity test for a medspa hinges on a few facts:

  • Do you bill any insurance, including supplemental plans for cosmetic procedures? If yes, you are a Covered Entity. Even infrequent insurance billing for reconstruction or scar revision puts you in scope.
  • Do you accept HSA or FSA cards through any electronic rail? The IRS treats those rails as health-payment systems; the HIPAA analysis follows the transmission, not the diagnosis.
  • Do you transmit treatment records electronically to a collaborating physician, dermatologist, or plastic surgeon? If yes, those transmissions are covered transactions under HIPAA §1320d-2.
  • Do you store electronic protected health information (ePHI) for your own treatment records? Storage alone does not make you a Covered Entity, but it triggers state medical-records laws in every U.S. state.

The ten line items the Security Rule actually requires

HIPAA's Security Rule (45 CFR §164.308–.312) is the part most medspas actually have to operationalize. The Privacy Rule is important but mostly governs how you communicate with patients, which a competent front desk already handles. Security is where the audits land. Here are the ten line items an OCR investigator will ask about.

1. A documented risk assessment

§164.308(a)(1)(ii)(A) requires you to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." In practice: a written document, dated, listing the systems that touch PHI and the known risks for each. Update it annually or whenever a major vendor changes. The NIST HIPAA Security Toolkit is a reasonable starting framework.

2. Audit controls on every system that touches PHI

§164.312(b) requires "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." In CRM terms: an audit log that captures who viewed, modified, exported, or deleted what — append-only, queryable, retained for at least six years per §164.316(b)(2).

3. Access controls and unique user IDs

§164.312(a)(2)(i) requires unique user IDs for every member of your workforce. Shared logins fail the audit immediately, because the audit log cannot then attribute action to person. Multi-factor authentication is not technically required, but every regulator-aligned auditor will ask why you don't have it.

4. Encryption at rest and in transit

§164.312(a)(2)(iv) makes encryption an "addressable" specification, not strictly required — but the OCR's practical position is that anything else is a documented risk you carry. The defensible answer: TLS 1.2+ for transmission and AES-256 for storage. The Safe Harbor in the HITECH breach-notification rule effectively exempts encrypted data from notification obligations, which is a significant operational benefit.

5. Backup and disaster recovery

§164.308(a)(7)(ii)(A) requires "retrievable exact copies of electronic protected health information." Translation: tested backups. The phrase the auditor uses is "have you ever actually restored from a backup?" The honest answer for most independent spas is no. Schedule one restore drill per quarter.

6. Workforce training

§164.308(a)(5)(i) requires a security awareness and training program. There is no specific curriculum, but the OCR's common request is documentation: who took what training, when, signed by them. Annual training plus on-hire training is defensible.

7. A sanction policy

§164.308(a)(1)(ii)(C) requires "appropriate sanctions against workforce members who fail to comply." This is usually a single paragraph in the employee handbook stating that HIPAA violations are grounds for discipline up to and including termination. Get it in writing; reference it in the training log.

8. Incident response procedures

§164.308(a)(6) requires you to "identify and respond to suspected or known security incidents." In a small-business context, this is a one-page document: who do staff tell when something looks wrong, who notifies the practice manager, who decides whether the breach-notification clock has started.

9. A BAA with every vendor handling PHI

§164.502(e) requires a Business Associate Agreement with every vendor that creates, receives, maintains, or transmits PHI on your behalf. This includes the CRM, the SMS provider, the email provider, the cloud-storage host, and the payment processor where they handle treatment-tied receipts. We wrote a separate piece on what a BAA actually covers.

10. Physical safeguards

§164.310 covers facility access controls, workstation security, device and media controls. In a small medspa: locking workstations when stepping away, screen filters in any front-desk position visible to the public, encrypted laptop hard drives, and a written policy for what happens to devices when an employee leaves.

The state overlays most medspas miss

HIPAA preempts less than people assume. State laws can add obligations on top, and several states actively enforce them. The four that catch medspas most often:

California — CMIA + CCPA

The Confidentiality of Medical Information Act (CMIA) covers any provider who delivers "health care," which is interpreted broadly enough to include cosmetic medical providers. The California Privacy Rights Act adds rights to access and delete personal information; for medical records, CMIA controls. The California AG has pursued CMIA actions independently of federal HIPAA enforcement.

New York — SHIELD Act

The SHIELD Act (General Business Law §899-bb) requires "reasonable safeguards" for any business that holds private information about a New York resident. The safeguards framework closely mirrors HIPAA's Security Rule, but the SHIELD Act applies regardless of whether you are a Covered Entity.

Texas — HB 300

Texas HB 300 broadens the definition of "Covered Entity" beyond federal HIPAA to include any business that "comes into possession" of PHI. Training requirements are stricter: within 60 days of hire, and every two years thereafter, with documented attendance.

Massachusetts — 201 CMR 17.00

Massachusetts' data security regulation requires a Written Information Security Program (WISP) for any business that holds Massachusetts residents' personal information, including a designated security officer and written policies on encryption, access, and disposal.

The vendor checks you should actually run

Most HIPAA failures inside medspas trace back to the vendor layer: a CRM without a BAA, an SMS provider that has not signed one, an email tool used to send signed-consent copies to patients without authorization. Five questions to ask any vendor before signing:

  1. Will you sign a BAA, and can I see your template before we contract?
  2. What does your audit log capture, and how long do you retain it? (Six years is the HIPAA-required minimum.)
  3. Where does my data live? Which AWS or Azure region? Is it encrypted at rest with a managed-key service?
  4. Have you completed a SOC 2 Type II audit, and can I see the attestation report under NDA?
  5. What happens to my data on termination — return, destruction, or both? On what timeline? Is there an export fee?

Any vendor unwilling to answer these in writing is a vendor you cannot rely on for HIPAA defensibility. The trade-off is not cost. It is whether the OCR investigator finds documented diligence when they ask.

When to bring in a consultant

A HIPAA compliance consultant typically runs $1,500 to $5,000 for an initial gap assessment, plus a similar amount annually for ongoing review. The math: a single tier-1 HIPAA violation is $137 to $68,928 per violation as of the 2024 inflation adjustment. Tier-4 willful neglect, uncorrected, is up to $2.13 million per identical violation per year. The consultant fee is almost always worth paying once you have more than two providers or a multi-location practice.

A reasonable order of operations

For an independent medspa with one location, the realistic 90-day plan:

  • Week 1: Inventory every vendor that touches patient data. Note which have BAAs on file.
  • Weeks 2–3: Request BAAs from vendors that lack one. Escalate any vendor that refuses.
  • Weeks 4–6: Draft a written risk assessment using the HHS Security Risk Assessment Tool.
  • Weeks 7–8: Write or revise the workforce training material; deliver it; collect signed acknowledgments.
  • Weeks 9–10: Document the incident response procedure and post it where staff can find it.
  • Weeks 11–12: Run a backup-restore test. Document the result.

That gets you defensibly to "HIPAA-aligned." The annual cycle is the same list, lighter, plus updated training and a fresh risk assessment.

How Lumè handles the CRM-layer items

We built Lumè around the parts of this list that fall on the CRM specifically. Worth knowing when you evaluate vendors:

  • Tenant isolation is enforced at the database layer — every PHI-bearing table carries a tenant FK, and queries route through a tenant-scoped manager.
  • Audit logging is append-only at the Postgres trigger level. UPDATE and DELETE statements on the audit table are rejected. Every PHI read, every state change, every report export writes an entry with IP and user-agent.
  • Encryption is AES-256 at rest via AWS KMS, TLS 1.2+ in transit.
  • The BAA is included in every customer contract — not a premium tier. We summarize what it covers on /baa.
  • Data export is one click on every report. On termination, return or destruction is in the BAA. No export fees, ever.
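The two CRM-layer items above that are pure database design (a tenant foreign key on every PHI-bearing table with tenant-scoped queries, and an audit log that is append-only at the Postgres trigger level) are also what the §164.312(b) audit-control requirement in item 2 asks for in practice. The PostgreSQL schema below is an added illustration written for this article, not Lumè's own schema or code; the table names, the `app.*` session settings the application is assumed to set per connection, and the trigger and policy names are all assumptions, and the sample rows are constructed.

```sql
-- Hypothetical schema, constructed for this example (not Lumè's code).
CREATE TABLE tenant (
    id   bigint PRIMARY KEY,
    name text   NOT NULL
);

-- Every PHI-bearing table carries a tenant foreign key.
CREATE TABLE treatment_record (
    id         bigserial PRIMARY KEY,
    tenant_id  bigint    NOT NULL REFERENCES tenant(id),
    patient_id bigint    NOT NULL,
    notes      text      NOT NULL
);

-- Append-only audit table: one row per PHI read, state change or export,
-- attributed to a unique user ID (never a shared login), with IP and user agent.
CREATE TABLE phi_audit_log (
    id          bigserial   PRIMARY KEY,
    tenant_id   bigint      NOT NULL REFERENCES tenant(id),
    user_id     text        NOT NULL,
    action      text        NOT NULL
                CHECK (action IN ('read', 'insert', 'update', 'delete', 'export')),
    table_name  text        NOT NULL,
    row_id      bigint,
    client_ip   inet,
    user_agent  text,
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- Reject UPDATE and DELETE on the audit table inside the database itself, so the
-- log stays append-only even if the application has a bug or its role is misused.
CREATE OR REPLACE FUNCTION reject_audit_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'phi_audit_log is append-only: % rejected', TG_OP;
END;
$$;

CREATE TRIGGER phi_audit_log_immutable
    BEFORE UPDATE OR DELETE ON phi_audit_log
    FOR EACH ROW EXECUTE FUNCTION reject_audit_mutation();

-- TRUNCATE does not fire row-level triggers, so block it at statement level too.
CREATE TRIGGER phi_audit_log_no_truncate
    BEFORE TRUNCATE ON phi_audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION reject_audit_mutation();

-- Tenant isolation: the application sets app.tenant_id (assumed setting name) for
-- its connection, and row-level security filters every read and write by it.
ALTER TABLE treatment_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE treatment_record FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON treatment_record
    USING      (tenant_id = current_setting('app.tenant_id')::bigint)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::bigint);

-- The same policy on the audit table, so one tenant can never read another's log.
ALTER TABLE phi_audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE phi_audit_log FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON phi_audit_log
    USING      (tenant_id = current_setting('app.tenant_id')::bigint)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::bigint);

-- Every state change on the PHI table writes an audit entry. The acting user,
-- client IP and user agent come from session settings the app is assumed to set.
CREATE OR REPLACE FUNCTION audit_treatment_record() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO phi_audit_log
        (tenant_id, user_id, action, table_name, row_id, client_ip, user_agent)
    VALUES (
        COALESCE(NEW.tenant_id, OLD.tenant_id),
        current_setting('app.user_id'),
        lower(TG_OP),                       -- 'insert' / 'update' / 'delete'
        TG_TABLE_NAME,
        COALESCE(NEW.id, OLD.id),
        NULLIF(current_setting('app.client_ip', true), '')::inet,
        NULLIF(current_setting('app.user_agent', true), '')
    );
    RETURN COALESCE(NEW, OLD);
END;
$$;

CREATE TRIGGER treatment_record_audit
    AFTER INSERT OR UPDATE OR DELETE ON treatment_record
    FOR EACH ROW EXECUTE FUNCTION audit_treatment_record();

-- Walk-through with constructed data: the app sets its context, writes a record,
-- the audit row appears, and an attempt to erase the log is rejected.
INSERT INTO tenant VALUES (1, 'Example Medspa');
SET app.tenant_id  = '1';
SET app.user_id    = 'nurse.jane';
SET app.client_ip  = '203.0.113.10';
SET app.user_agent = 'ExampleCRM/1.0';
INSERT INTO treatment_record (tenant_id, patient_id, notes)
    VALUES (1, 42, 'constructed sample note');
SELECT action, user_id, client_ip, user_agent FROM phi_audit_log; -- one 'insert' row
DELETE FROM phi_audit_log;  -- ERROR: phi_audit_log is append-only: DELETE rejected
```

Two caveats a practitioner should keep in mind. First, a superuser, the table owner without `FORCE ROW LEVEL SECURITY`, or any role with `BYPASSRLS` is not bound by the policies and can drop the triggers, so the application should connect as an unprivileged role that does not own these tables, and the six-year retention in §164.316(b)(2) has to be enforced by whoever does hold that privilege. Second, `DELETE` on the audit table only fires the trigger for rows the current tenant can see; with nothing visible it silently affects zero rows, which is why the statement-level `TRUNCATE` trigger is there as well.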

The rest — workforce training, written sanction policies, physical safeguards in your own facility — is your responsibility. No CRM can do that piece for you, and any CRM that claims to is exaggerating.


References: 45 CFR §164.302–.318 (HIPAA Security Rule); 45 CFR §164.500–.534 (HIPAA Privacy Rule); HHS Office for Civil Rights enforcement highlights; California Civil Code §56 (CMIA); New York General Business Law §899-bb (SHIELD Act); Texas Health and Safety Code §181 (HB 300); 201 CMR 17.00 (Massachusetts).
