HIPAA and Medical Spas
The Health Insurance Portability and Accountability Act of 1996, or “HIPAA”, was a landmark piece of legislation that shaped the way patient privacy is handled. However, it can be difficult for medical spa owners to navigate how HIPAA applies within their practices. The general misconception is that, since not all aesthetic procedures are considered the practice of medicine, and further, since treatment is elective and generally not covered by insurance, HIPAA is not a concern for medspa owners. Unfortunately, this is wholly inaccurate.
In this article, we help medical aesthetic practice owners understand how HIPAA impacts their businesses by making sense of key terms. We also share best practices for staying HIPAA compliant at your medical aesthetics or wellness practice.
Key HIPAA and Privacy Terms Explained:
The HIPAA Privacy Rule
The HIPAA Privacy Rule protects individuals' medical records and other individually identifiable health information (collectively defined as “Protected Health Information” or “PHI”.) This rule outlines how a patient’s PHI needs to be stored and used by healthcare providers and “covered entities” (defined below).
Protected Health Information can include patient history, treatment, notes, and photos. Any other information that could identify a patient is also protected, including name, birthday and photos of scars or tattoos. For medical spas - which do indeed fit within the definition of covered entities - all of this information needs to be safely stored and handled. And of course, medical spas cannot use photos or other PHI for marketing without patient consent.
Covered Entities
HIPAA rules apply to all three categories of covered entities:
Health Care Providers: Including doctors, clinics, nurses, etc, but only if they transmit any health information in electronic form.
Health Plans: These include health insurance companies, HMOs, Medicare, and more.
Health Care Clearinghouse: Entities that process nonstandard health information into a standard electronic format or data.
Under this definition, most medical spas qualify as covered entities because they collect and store patients’ health information electronically.
Business Associates
The United States Department of Health and Human Services defines a business associate as a person or entity that performs activities that involve PHI on behalf of a covered entity. Some examples of business associates include a management company, CPA firm, fractional CFO, attorney, clearinghouse, medical transcriptionist, consultant, pharmacy staff, or any third party who has access to patients’ PHI in your system.
Business Associate Agreements
If you allow a business associate access to patients’ health information through your system, you must have a written business associate contract (or a “Business Associate Agreement”) to establish specifically what they have been engaged to do. It requires the business associate to comply with the HIPAA Privacy Rule in the same manner as the covered entity itself. Business associates are directly liable for a lack of compliance with provisions of HIPAA.
Best Practices for Medspas and Wellness Practices
In order for your medspa or wellness practice to remain compliant with HIPAA, we recommend putting the following protocols in place:
Train your employees on HIPAA compliance: Make sure to educate your employees on how to handle Protected Health Information and keep it confidential. You might consider working with a training program to put the systems and processes in place for your staff.
Put safeguards in place to protect PHI: In addition to staff training, you’ll need to put other safeguards in place to keep PHI confidential. This includes password protection, device and workplace controls, and considering protocols for breach notification. If you take photos and videos, you’ll also have to consider the cameras and where the files are stored. You’ll need protocols to wipe the cameras clean before they leave your facility, as well as protocols on who can handle them.
Use HIPAA Compliance Software Programs: There are programs available to help you safeguard patient information from internal software to photo storage. Look into using appropriate tools and technology for your practice.
Always receive signed consent to use patient photos or other PHI for marketing: In medical aesthetics, before and after photos are a key part of marketing treatments and services. It is absolutely essential to never release a photo without a written and signed patient consent. Have a lawyer review your consent forms, and make sure patients understand exactly how the photos are to be used, whether internally or for marketing purposes.
Use Discretion with Online Communication: Your practice likely uses social media as a marketing tool. Use discretion, however, in the ways you communicate with patients in comments and captions. Even recognizing that someone was a client (for example, “Thanks for coming in!”) can be in violation of HIPAA.
Use a Business Associate Agreement with third parties: Med spa owners need to use a Business Associate Agreement (or “BAA”) with third-parties. In addition to those we listed above (consultants or accountants) this might include referral partners such as an esthetician or salon owner with whom you closely work. If you share names and other Protected Health Information, you’ll need to have a legal team draft a BAA.
Work with a legal team to remain HIPAA compliant
It is becoming more and more important to protect digital information. In order to ensure your patients’ privacy and remain HIPAA compliant, work with a legal team to put the proper safeguards in place. Marti Law Group helps healthcare practices implement Business Associate Agreements and other contracts pertaining to HIPAA. Reach out to learn more about how we can help protect your business.