HIPAA FAQ: What Medspa Owners Need to Know

Learn how to protect sensitive client information and remain compliant

Medspas are unique within the self-care industry because their providers often have access to clients’ sensitive medical information. In some respects, that means running your business more like a healthcare center than a beauty salon — especially when it comes to client privacy.

Not all self-care business software can handle these demands, especially when it comes to HIPAA compliance. Here’s what fledgling medspa owners should know about HIPAA, the penalties for non-compliance, and best practices for protecting clients’ data.

What is HIPAA and how does it affect medspa owners?

Short for the Health Insurance Portability and Accountability Act of 1996, HIPAA is a federal law designed to protect patients’ health information from being disclosed without their consent. Its requirements are organized around two core rules: the Privacy Rule and the Security Rule.

The Privacy Rule “requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.” This rule also gives individuals the right to their own medical histories, including the ability to obtain health records.

While it ultimately serves the same purpose of protecting sensitive medical information, the Security Rule applies specifically to health information that is stored or transmitted electronically. In an era where almost everything is digitized, the Security Rule plays a particularly important role in HIPAA compliance.

HIPAA applies to all healthcare providers “regardless of size of practice” that transmit health information electronically, whether that means claims, benefit eligibility inquiries, or referral authorization requests. Because medspa professionals provide medical services like skin tightening, injectables, and laser hair removal, these self-care businesses at the intersection of health and beauty must adhere to HIPAA guidelines.

What specific information does HIPAA protect?

According to the U.S. government, there are 18 “identifiers” that medical providers must work to secure:

  1. Names

  2. Geographic information more specific than state of residence

  3. Relevant dates, like birth date, admission date, and discharge date (except year)

  4. Telephone numbers

  5. Fax numbers

  6. Email addresses

  7. Social security numbers

  8. Medical record numbers

  9. Health plan beneficiary numbers

  10. Account numbers

  11. Certificate/license numbers

  12. Vehicle identifiers and serial numbers

  13. Device identifiers and serial numbers

  14. URLs

  15. IP addresses

  16. Biometric identifiers like fingerprints

  17. Full-face photographic images

  18. “Any other unique identifying number, characteristic, or code” with a few exceptions
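Several of the identifiers above have a recognisable shape (email addresses, phone and Social Security numbers, IP addresses, URLs, full dates), which makes them straightforward to detect and redact in free text before it is shared or written to a log. The following Python script is an added example, not code from the original article or from any vendor it mentions: it redacts those identifier types from a constructed client note, keeps only the year of a date as Safe Harbor permits, and flags constructed log lines that still carry PHI. Names have no fixed pattern, so the script matches them against a caller-supplied roster; street addresses and medical record numbers are out of scope for a pattern-only scanner.

```python
"""Detect and redact shape-based HIPAA identifiers in free text and logs.

Added example with constructed sample data. A regular-expression scanner is a
first line of defence, not a complete de-identification of a record.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable

# Rules are applied in this order. URLs go before IPs so an address inside a
# URL is swallowed by the URL rule; SSNs go before phones so a 9-digit SSN is
# never mistaken for a partial phone number.
RULES = [
    ("EMAIL", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("URL", re.compile(r"\bhttps?://[^\s<>\"']+")),
    ("IP", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # Ten digits with optional separators and an optional +1 country code. This
    # also catches some 10-digit account numbers, which is the safe direction
    # for a redactor to err in.
    ("PHONE", re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    # US-style month/day/year. Safe Harbor allows the year alone, so the DATE
    # rule keeps group 3 (the year) and drops month and day.
    ("DATE", re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")),
]


@dataclass
class Redaction:
    text: str
    counts: dict = field(default_factory=dict)  # identifier label -> occurrences


def redact_phi(text: str, known_names: Iterable[str] = ()) -> Redaction:
    """Replace each identifier with a [LABEL] token and count what was removed."""
    counts: dict = {}
    rules = list(RULES)
    names = [n for n in known_names if n.strip()]
    if names:
        # Longest names first so a longer roster entry wins over its prefix.
        alternation = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
        rules.insert(0, ("NAME", re.compile(rf"\b(?:{alternation})\b", re.IGNORECASE)))

    for label, pattern in rules:
        def replace(match: re.Match, label: str = label) -> str:
            counts[label] = counts.get(label, 0) + 1
            if label == "DATE":
                return f"[DATE:{match.group(3)}]"
            return f"[{label}]"
        text = pattern.sub(replace, text)
    return Redaction(text=text, counts=counts)


def scan_lines(lines: Iterable[str]) -> list:
    """Return (1-based line number, sorted labels) for every line that contains
    a shape-based identifier, without modifying the lines. Intended as a check
    that application logs are not leaking PHI."""
    findings = []
    for number, line in enumerate(lines, start=1):
        labels = sorted(label for label, pattern in RULES if pattern.search(line))
        if labels:
            findings.append((number, labels))
    return findings


# Constructed sample data (example.com / 203.0.113.0/24 are reserved for documentation).
SAMPLE_NOTE = (
    "Client Jane Example booked laser hair removal on 03/14/2024. "
    "Reach her at (555) 867-5309 or jane.example@example.com. "
    "Insurance SSN on file: 123-45-6789. "
    "Portal login from 203.0.113.42, referrer https://portal.example.com/client/4471"
)
SAMPLE_LOG = [
    "2024-03-14T09:12:03Z INFO booking.created id=b_18f2 service=laser",
    "2024-03-14T09:12:04Z INFO notify.sent to=jane.example@example.com",
    "2024-03-14T09:12:05Z WARN login.failed ip=203.0.113.42 user=u_9921",
]

if __name__ == "__main__":
    result = redact_phi(SAMPLE_NOTE, known_names=("Jane Example",))
    print(result.text)
    print(result.counts)
    for number, labels in scan_lines(SAMPLE_LOG):
        print(f"log line {number} contains PHI: {', '.join(labels)}")
```

Run it as a script to see the redacted note and the two flagged log lines; the `counts` field is what you would feed into a metric so that a sudden rise in redactions points you at the component that started logging client data.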

What are HIPAA violations and what penalties do they carry?

As a federal law, HIPAA isn’t just a suggestion — it’s a legal requirement. The HIPAA Breach Notification Rule requires all HIPAA-covered entities to report breaches of protected health information.

As for what constitutes a violation, it’s the “impermissible use” of any of the 18 identifiers in the previous section. Any impermissible use or disclosure that compromises the security or privacy of protected patient data is “presumed to be a breach” and generally requires a thorough risk assessment to determine the degree of the violation.

The actual HIPAA complaint process is lengthy and has several stages that will ultimately determine the next steps for medspa owners. Consequences range from government intervention with technical assistance at one end to the referral of criminal investigations to the Department of Justice at the other, the latter of which may result in criminal penalties. Of course, there’s a lot of space in between those two extremes, with fines for the willful neglect of patient data ranging from $10,000 to $1.5 million.

How can medspa owners remain HIPAA compliant?

You might think you’re doing everything in your power to protect that medical data, but even without “willful neglect,” breaches can happen in other ways. The penalties may not be as harsh, but once you lose a client’s trust, it’s almost impossible to win it back.

To avoid that unfortunate consequence, engage in best practices for protecting your clients’ data and privacy.

Be considerate with marketing materials

Client testimonials are powerful marketing tools, but before sharing your client’s story with your social media or email audience, you’ll need to obtain written authorization. For the purposes of HIPAA guidelines, marketing refers to “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

There are exceptions to the marketing rule, but it’s safest to avoid the issue by always seeking out written permission. Make sure clients who agree to be part of your marketing strategy fully understand what they’re agreeing to, including how their information will be used.

Implement physical security measures

You may have good intentions, but all it takes is one bad actor making their way into your business to cause a HIPAA violation. Protect yourself, your staff, and your clients by ensuring all entrances and exits have secure, difficult-to-breach locks. Additionally, all rooms that house patient information should be accessible only to those with the right credentials.

Cameras and an alarm can provide an extra layer of security. Position surveillance cameras in the lobby and other common areas to monitor activity throughout the building, and install an audible alarm that prevents unauthorized entry after hours — sometimes the noise alone can be a deterrent, but if not, the alarm should notify the authorities of a break-in.

Use medspa software that prioritizes data security

When selecting the software that will become the backbone of your medspa operations, you’re probably prioritizing features that are specific to your business. But as you search for a solution with features like self-booking, client management, and payment processing, don’t forget to do your research on data security.

Any software you’re considering should comply not just with HIPAA guidelines, but with any other regulations that apply to your business. For example, Boulevard’s self-care business platform has ongoing support for HIPAA coverage, from detailed access settings and a streamlined BAA process to regular security updates. Clients must use two-factor authentication to log into the client portal where PHI like appointment history is stored. Boulevard also undergoes annual independent audits to ensure its data and security programs are up to date and functioning properly.

By prioritizing data security from the start and finding a software solution that aids with HIPAA compliance, you’ll be able to focus on what’s most important: giving clients a five-star experience and growing your business.
