Does HIPAA apply to your med spa? Here's the honest answer.
If you own or manage a med spa, you've probably heard two completely opposite claims. One says HIPAA doesn't touch you because you're cash pay and you're in the beauty business. The other says everything you do is regulated and you're one Instagram post away from a federal penalty. Both versions are sold with confidence, and both are wrong often enough to be dangerous. The honest answer is that it depends on how your business actually operates, and the test is specific enough that you can work through most of it yourself.
HIPAA applies to what the law calls covered entities. For a business like yours, that means a health care provider that transmits health information electronically in connection with certain standard transactions. In everyday terms, those transactions are the machinery of insurance — billing a claim, checking a patient's eligibility, requesting a prior authorization, receiving an electronic remittance. A provider who does any of that electronically, or has a billing service do it on their behalf, is a covered entity, and HIPAA applies to the whole practice.
If your practice is truly cash pay from end to end, never bills insurance for anything, never runs an electronic eligibility check, and never has anyone do those things for it, there's a real possibility you are not a HIPAA covered entity at all. That surprises people, but it's how the statute is built. HIPAA was written around the flow of insurance transactions, not around the sensitivity of the information itself.
Before you exhale, look at the trapdoors, because med spas fall through them constantly. A medical director who bills insurance for anything at any affiliated practice can pull coverage in. Prescription weight loss programs are the big one right now. The moment your program touches insurance — whether that's a prior authorization for the medication, a billed lab panel, or a telehealth prescriber who bills — you've likely crossed the line.
Even if HIPAA doesn't apply, a growing list of states has passed consumer health privacy laws that apply based on the data you hold, not on whether you bill insurance. Washington's My Health My Data Act lets consumers sue directly. The FTC has penalized health businesses that sit entirely outside HIPAA for sharing customer health information with advertising platforms. And your clients believe their information is confidential regardless of what federal statute applies.
The risk concentrates in four places: photos (before-and-after images are identifiable health information), texting (injectors and front desks text constantly about clients), your website (a Meta Pixel on your booking page can transmit consultation data to advertising platforms), and marketing vendors (your CRM, email platform, and booking software may all be holding client health information without proper agreements).
Stag Compliance builds these programs for aesthetic practices specifically, because your risks look nothing like a primary care office's. The most common starting point for med spas is a website tracking scan, because it's fast, inexpensive, and usually surfaces the one problem that's actively leaking data today.