HIPAA Violations: What Your Med Spa Needs to Know


HIPAA violations must be avoided. Your med spa’s social media sites are a great way to keep in touch and communicate with your clients. But before you respond to a comment about how great and wonderful your med spa experience was, you should be aware of the potential consequences of responding. Those consequences relate to HIPAA.

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996, and although it deals mainly with health insurance companies, the law also requires the protection of the confidentiality and security of patient information. Your med spa’s clients’ business is valuable, and so is their privacy. Make sure that you protect their personal information just as you would your own.

So, when you respond to those very kind words your clients left on your Facebook page or blog, keep these things in mind:


Your clients might post about their wonderful experience at your med spa and mention staff members by name. That’s great, and perfectly legal. You, on the other hand, should not return the favor and confirm their statement. Confirming their statement is an acknowledgement of their status as a patient, and that is a big no-no under HIPAA. If you want to comment, saying “thank you for your kind words” should be good enough. You responded kindly without acknowledging your relationship to them. But saying “it was great having you as a Botox patient” reveals to the world something the patient would probably want to keep private.


Your med spa’s site might have a discussion forum. That in itself is not a bad thing, but when your med spa starts to dole out medical advice in it, that can lead to trouble. One way this could become a HIPAA violation is if the person on the forum happens to be a current client, and during the discussion your medical staff inadvertently refer to the person as being a client (“Oh yes, I remember you now. You came in for that treatment last month!”).

Play it safe and don’t give out medical advice online. If your medical staff feel the need to provide medical advice to someone on the forum, have them schedule an appointment and give the dish privately.

P.S. There’s no problem posting medical articles or journals on your site. This can be an alternative to giving medical advice.


Maintaining patient confidentiality can be a difficult job sometimes, but you can make it easier by reminding your online community (in the form of a disclaimer) that your website is a public place and that everything is visible to everyone. With that in mind, your community will at least be aware of the perils of posting information they may not want other people to know. They’ll be more cautious with their posts, and you’ll have an easier time managing the content and avoiding a HIPAA red flag.


Before and after pictures are a great way for med spas to display their expertise. But before you post those pictures, make sure you have the patient’s written consent allowing your med spa to use them. Anonymity cannot be guaranteed by blacking out the eyes or just showing the body. Do it right and ask the client for permission to use the pictures.

Remember, nothing is private online. Use social media to promote your med spa business, but make sure to protect your clients’ privacy.

July 10, 2014

Hannah Cloe is the brand manager for Med Aesthetics Group. She manages all of Med Aesthetics Group’s digital marketing and branding efforts and has a passion for marketing and the aesthetics industry. Her favorite thing about working at Med Aesthetics Group is getting to collaborate with an amazing team and getting to see our clients’ practices reach their potential. In her free time you can find Hannah reading, writing, and hiking.
