Are Medspas Considered “Covered Entities” According to HIPAA?

Actually, yes. It may not be immediately apparent that medical spas and aesthetic practices must remain HIPAA compliant. And since HIPAA violation fees in the extreme can reach up to $1 million, it’s important to know what you are held accountable for. Below is a brief overview of the three main points a MedSpa must be aware of when considering HIPAA and its Privacy Rule:

What Is a “Covered Entity” According to HIPAA

HIPAA DEFINES A “COVERED ENTITY” AS EITHER A(N):

  • Health Plan
  • Healthcare Clearing House
  • Health Care Providers
  • Health Care

MedSpas that perform services or treatments would fall under either category C or D. The difference between Health Care Providers and Health Care is that the former is considered a provider of medical or health services, while the latter relates to care, services or supplies. Whether or not a particular Medi-Spa is a health care provider may be a bit of a gray area: are we more Med or are we more Spa? This is where Health Care comes into play; it includes a laundry list of items that affect either structure or function of the body as well as the dispensing of any drug or prescribed item. So, if any of your treatments involve altering the structure and/or function of any body part – including the skin – you are considered a covered entity. Additionally, even if you only provide cosmetic BOTOX® treatments, since BOTOX® Cosmetics is considered a prescription drug by the FDA (see www.fda.gov), HIPAA would consider your practice a covered entity.

Okay, so your Medical Spa is a covered entity. What’s next?

PHI Basics

PHI stands for Protected Health Information. The “health information” part of it includes any information gathered or recorded in any form by a covered entity. Any record of the patient such as history, consultation notes, treatment, or photos satisfies the “health information” part of the definition. The “protected” part applies to information that includes anything that could directly or indirectly identify a patient. The obvious “identifiers,” as they are called, are things such as client’s name, birthdate, account number, patient photos, etc. Less obvious are things such as tattoos, birthmarks, and scars. Even date-of-service or client initials are enough to mark information as PHI. You should be aware of these sorts of identifiers whenever you are working with patient photographs. And since this is not a comprehensive list, if you think something *might* be an identifier, it probably is, and must be handled appropriately as PHI.

PHI is important because it is considered information that must be securely handled by covered entities. This means:

a)Not using PHI for marketing purposes without clear patient consent

b)Not sending PHI via email or discussing it on the phone without patient consent

c)Not allowing PHI to be available for unintended parties

Part c) doesn’t just refer to keeping their name, date-of-birth, address, etc. on a computer that only your staff can access. It also means quickly transferring and wiping photographic information from an SD card that could potentially be left on a desk or taken out of the office – in limbo, if you will.

The Big Scary Privacy Rule

HIPAA states that covered entities must abide by the Privacy Rule, which mostly involves how to handle PHI. The language in the Privacy Rule leaves a lot open to interpretation. It basically says, “Be aware of how you are protecting your patients. Don’t be negligent.” Alright, so it is a little more rigorous than that, but terms that you see such as “reasonable and appropriate,” “reasonably anticipated threats,” and the requirement of covered entities to “consider” x, y, or z shows that there is some common sense and flexibility involved.

This is not to say that regulations can be ignored. By no means should or can it be. Instead, you must take measures to make sure all PHI is appropriately stored: this means securely and only accessible to your HIPAA-trained staff. You must also have consent forms available to patients if you would like to use any PHI for marketing, presentations, or research purposes. And you must be wary when sending information to third parties. The fees for HIPAA violations are real and can reach the high sum of over $1 million. So be smart and think about how you store client PHI, think about who has access to PHI, and try to eliminate any time when PHI is in limbo in your office.

These are the first steps to understanding HIPAA and the Privacy Rule. A good summary of the Privacy Rule can be found here, if you’d like some of the nitty gritty details. And here is a quick self evaluation HIPPA compliant ckecklist. Otherwise just be aware that you are a covered entity, that you do handle PHI, and that you must handle the PHI in an acceptable manner as defined by the Privacy Rule.

Are you struggling to take high-quality and consistent before and after photos?

Check out our whitepaper on

Mastering Clinical Photography


Emily Alten
Writing enthusiast and biology nerd, Emily specializes in educational healthcare and medicine content. She is a Magna Cum Laude graduate from Columbia University with a degree in biological sciences/pre-medical studies.

Medical Photography Equipment - are you paying too much?

How much should you spend on medical photography equipment?Without a doubt, your office needs to take photos of your patients on a daily basis. Whether you’re building a before and…

4 ways to Improve Your Patient Experience in the Waiting Room

Ever wonder why you call your clients “patients”? Turns out, the etymology of the word stems from a Latin word that means “enduring, or suffering, without complaint”. And this quiet…

Keep Your MedSpa HIPAA Compliant With These 5 Tips On Managing Patient Photos

Before and after photos, as well as photos used to document patient procedures are considered PHI (Protected Health Information) by HIPAA, regardless of whether or not clients are using health…