Yes — and this is one of the most common areas where new medspa operators underestimate their obligations. A medical spa is a HIPAA covered entity when it:

Provides healthcare services. Injectable treatments (Botox, fillers, PRP) are healthcare services under federal law.

Collects and uses Protected Health Information (PHI). Health history forms, treatment records, and before-and-after photographs linked to patient identity all constitute PHI.

Transmits health information electronically. This includes any digital booking system that collects patient health data.

What counts as PHI in a medspa: patient health history forms and intake questionnaires; injectable treatment records (what was administered, units used, areas treated, provider, and date); before-and-after photographs linked to a patient's identity; consent forms containing health information; clinical consultation notes; and any communication that includes a patient's name alongside their health condition or treatment.

Spa-only services — massages, non-medical facials, and other wellness treatments performed without a medical component — are typically not subject to HIPAA on their own. However, most medspas offer both medical and aesthetic services, making HIPAA applicable to the whole practice. If you offer any injectable treatments, you are a covered entity.

The choice of medspa software is one of the most consequential HIPAA-related decisions you'll make for your business. The booking system, patient records platform, and communication tools all handle PHI from the moment the first patient books an appointment. Here is what your medspa software must support:

Encrypted data storage. All PHI stored by the software must be encrypted at rest and in transit. Zenoti encrypts all patient data at rest and in transit.

Access controls. Staff should have access only to PHI relevant to their role — front desk does not need access to clinical notes. Zenoti provides role-based access controls — configurable per staff member.

Audit trails. The system must log who accessed which patient record, when, and what changes were made. Zenoti maintains complete access and change logs per patient record.

BAA availability. The software vendor must be willing to sign a Business Associate Agreement. Zenoti signs BAAs for medical spa clients — available on request.

Secure messaging. Patient communications containing PHI must use HIPAA-compliant channels — standard email/SMS is not sufficient. Zenoti's patient messaging is HIPAA-compliant by design.

Automatic session logoff. Systems should auto-logout after periods of inactivity to prevent unauthorised access to open records. Zenoti supports configurable automatic session timeout.

RED FLAG: Refusal to sign a BAA is an immediate disqualifier. Any vendor declining to sign a BAA cannot legally handle your PHI. Zenoti's medical spa software supports all six requirements above. BAA available on request for all medspa clients.

HIPAA compliance is not a one-time setup — it's an ongoing program that requires consistent maintenance. Here are the eight steps to build it correctly from day one:

1. Appoint a HIPAA Privacy Officer. In small practices, this is often the owner. The Privacy Officer is responsible for compliance oversight, staff training, and incident response.

2. Conduct a Risk Analysis. Identify everywhere PHI is stored, processed, and transmitted in your practice — including your medspa software, email, cloud storage, and any paper records.

3. Create Written Policies and Procedures. Document how PHI is handled in every scenario — new patient intake, treatment records, photography consent, staff access, and breach response.

4. Train All Staff. Everyone who handles PHI must receive HIPAA training before they begin work and annually thereafter. Document the training.

5. Sign BAAs with All Relevant Vendors. This includes medspa software, EMR, email marketing platform, cloud storage. No BAA = non-compliant, regardless of the vendor's claims.

6. Prepare a Patient Notice of Privacy Practices. Draft, post in reception, provide to all new patients, and publish on your website.

7. Create an Incident Response Plan. Document what to do if a breach occurs, including who to notify, what the notification timeline is, and how to investigate.

8. Schedule an Annual HIPAA Compliance Review. Review policies, update for any changes in your practice or regulations, and re-train staff.

If you're still in the planning phase, see our med spa business plan guide for how to include compliance planning in your pre-opening structure.