HIPAA is the rule med spa owners worry about most and understand least, which is a dangerous combination for a business built on patient trust.

The practical version is simpler than the statute: protect patient information, get real consent to use it, and keep it out of your ad tools.

๐Ÿ”’ What counts as protected

Protected health information is anything that identifies a patient or connects them to your care.

That includes obvious things like names and photos, but also subtler ones: the fact that someone is a patient at all, or that they were interested in a specific treatment.

โœ๏ธ Consent for photos and testimonials

Keep those authorizations on file, let patients decline freely, and never assume a happy patient is fine with public exposure unless they've signed for it.

๐Ÿ“ง HIPAA-aware email and retargeting

Marketing channels are where HIPAA quietly gets violated, usually by accident.

  • Email: keep treatment specifics and identifying details out of marketing messages
  • Retargeting: target general site visitors, not people who viewed a specific treatment page
  • Tracking: don't pass sensitive data to ad platforms through pixels or analytics

The principle throughout: nothing that reveals who is a patient or what they're considering should reach a third-party ad system.

โœ… Staying safe in practice

Keep marketing general and warm, move any real clinical specifics to secure channels, and use platforms built for healthcare compliance.

Do that, and you get the trust benefit of respecting patient privacy while avoiding the violations that come from treating health data like ordinary marketing data.

See the marketing-laws overview for how HIPAA fits alongside the other rules.

โ“ Frequently asked questions

Does HIPAA apply to med spa marketing?

If your med spa is a covered entity handling protected health information, yes, HIPAA applies to how you use patient information in marketing. Even where the strict legal status is nuanced, treating patient data as protected is the safe and expected standard, and patients assume it.

Can I use patient photos and testimonials under HIPAA?

Only with specific, written authorization for that marketing use. A treatment consent form is not marketing consent. You need a signed release that names exactly how and where the photo or testimonial will be used, and you must honor any request to stop using it.

How do I do email and retargeting without violating HIPAA?

Keep protected information out of marketing messages and out of what you pass to ad platforms. Retarget on general engagement rather than specific treatments viewed, keep marketing emails general, and use platforms and setups built for healthcare compliance.