3 med spa forms that require HIPAA compliance


If you run a medical spa, HIPAA compliance isn’t optional. Unlike a traditional day spa, med spas offer medical treatments like injections, laser procedures, and chemical peels. That means that information collected from clients is protected health information (PHI), and you’re responsible for keeping it safe.

The good news is that compliance doesn’t have to be complicated. Here’s a breakdown of what you need to know and how to protect your practice.

Does HIPAA apply to your med spa?

If your med spa is supervised by a licensed medical professional and provides medical treatments, then yes — HIPAA likely applies to you. Any time you collect a client’s health history, medications, allergies, or treatment records, that information is considered PHI and falls under HIPAA’s protections.

Some of the forms med spas use to collect PHI include:

  • Client intake forms. These forms collect information like health history, current medications, allergies, and skin conditions. Every field that touches on a client’s medical background is collecting PHI.
  • Informed consent forms. Before Botox, filler, or laser treatment, clients confirm that they are aware of the procedure's risks and have no medical conditions that would make them unsuitable for treatment. Data from these forms contains PHI and requires secure storage.
  • Health history questionnaires. Often collected separately from intake forms, these forms dig deeper into a client’s medical background before specific procedures like laser treatments or chemical peels. Any health information documented here is PHI and must be handled accordingly.

How to collect information in a HIPAA-compliant way

Paper forms sitting in a binder are a compliance risk. They can be misplaced, damaged, or easily accessed by anyone. Digital forms are a much safer option — as long as the platform you’re using is HIPAA-enabled.

Jotform offers HIPAA-enabled forms with a Business Associate Agreement (BAA), which is a requirement under HIPAA for any third-party platform that handles PHI. 

With Jotform, you can build your intake, consent, and health history forms online, collect e-signatures securely with Jotform Sign, and store submissions in an encrypted, access-controlled environment. You can also control which team members have access to which forms and data — so your front desk staff doesn’t have visibility into clinical notes, for example.

Here’s a quick compliance checklist for your med spa:

  • All intake, consent, and health history forms are collected digitally on a HIPAA-enabled platform.
  • You have a signed BAA with every software vendor that handles PHI.
  • Client files are only accessible to staff who need them.
  • You have a process for clients to request access to or deletion of their records.
  • Staff are trained on what PHI is and how to handle it.
  • You collect and store a record of consent to use any before-and-after photos of clients.

The bottom line

HIPAA compliance at a med spa is really about building good habits around how you collect, store, and share client information. The right forms and the right software go a long way toward protecting your clients — and your business.

Jotform’s HIPAA-enabled forms make it easy to comply with regulations without overhauling all of your workflows. Start with your intake form and go from there.
