HIPAA-Aware Websites for Med Spas: What You Need to Know
Most med spas aren't HIPAA covered entities — but your website still needs to handle client health info carefully. Here's the rule and the fix.

Most med spa owners assume HIPAA applies to their business the same way it applies to a hospital. That’s not quite right — and the answer changes how you should set up your website.
This is a plain-English breakdown of when HIPAA actually applies to a med spa, what counts as protected health information on your site, and the pieces a HIPAA-aware website needs to get right.
Does HIPAA Actually Apply to Your Med Spa?
HIPAA — the Health Insurance Portability and Accountability Act — applies to “covered entities” and their “business associates.” Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with specific HIPAA-defined transactions.
The transactions that trigger HIPAA are mostly insurance-related: submitting claims, checking eligibility, requesting payment from a health plan. If your med spa never electronically bills insurance, you may not be a covered entity under the federal definition at all.
Most med spas are cash-pay. They don’t bill insurance for Botox, fillers, or laser treatments. Under a strict reading, those businesses sit outside HIPAA’s federal scope.
But “outside HIPAA” doesn’t mean “no privacy rules.” State laws still apply. California’s CMIA, Texas’s Medical Records Privacy Act, and Washington’s My Health My Data Act each reach further than HIPAA in some areas.
The honest answer for most med spas: even when HIPAA doesn’t strictly apply, client trust and state law push in the same direction. Treat client health information as protected, even when the federal rule doesn’t reach you.
What Counts as Protected Health Information on Your Website
Once you’ve decided to treat client information as protected, the next question is what actually qualifies. On a med spa website, the answer is broader than most owners expect.
Before-and-after photos. A photo that identifies a real client and shows a specific treatment is health information. Even without a name attached, identifying features plus a treatment context can count — particularly if the client signed a consent form on file.
Intake forms and consultation requests. Any form that asks about skin conditions, medications, allergies, prior procedures, or specific concerns is collecting health information the moment the visitor hits submit. The data is protected from that point forward.
Treatment-specific contact forms. A generic “contact us” form is low-risk. A form that says “Tell us about your Botox concerns” is collecting information tied to a specific treatment, and that pairing changes the category.
Online booking with health questions. If your booking flow asks visitors to disclose pregnancy status, recent procedures, or current medications before confirming an appointment, the booking record now contains protected information.
Page visits combined with identifiers. This one surprises most owners. When a visitor lands on a page about a specific condition or treatment and your site captures their IP address through a tracking pixel, that combination has been treated as health information in recent federal guidance.
The Tracking Pixel Problem (The One Most Med Spas Miss)
In December 2022, the U.S. Department of Health and Human Services Office for Civil Rights issued a bulletin on online tracking technologies. The guidance was updated in March 2024 after legal challenges, but the core position stayed in place.
The position: when a covered entity uses tracking pixels — Meta Pixel, Google Analytics, third-party cookies, session replay tools — on pages where visitors discuss or research specific health conditions, the information collected by those pixels can be protected health information.
For a med spa that meets the covered-entity definition, the practical consequence is real. A Meta Pixel firing on a page titled “Botox for Migraine” or “Acne Scar Laser Treatment” may be sharing protected information with Meta without a business associate agreement in place.
For a med spa that doesn’t meet the covered-entity definition, the same federal rule doesn’t strictly apply. But the FTC has separately pursued similar cases under consumer protection law, and state laws like Washington’s My Health My Data Act regulate this kind of data sharing independently.
The fix is not to remove all tracking. The fix is to be deliberate about where tracking runs, what it captures, and whether the vendor receiving the data has a written agreement to handle it appropriately.
The Four Pieces a HIPAA-Aware Website Needs
Whether HIPAA technically applies or whether you’re operating under a state law that mirrors it, the same four pieces show up on every med spa website that handles client information responsibly.
1. A business associate agreement with any vendor that touches client data
Your hosting provider, your email platform, your booking system, your customer relationship manager — each of these vendors handles client information on your behalf. If you’re a covered entity, federal law requires a written business associate agreement with each one.
If you’re not a covered entity, the agreement is still a strong practice. It documents that the vendor knows it’s handling sensitive information and agrees to handle it appropriately.
2. A tracking technology audit
List every pixel, tag, and analytics tool firing on your site. For each one, identify which pages it runs on, what data it captures, and where that data goes. Pull anything that fires on a treatment-specific page until you’ve confirmed the vendor relationship is documented.
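One way to turn that audit into something repeatable, written here as an added example rather than code from the article or from Perfectly5.5: classify each page as treatment-specific (by path and title, or because it collects health data in a form), map every third-party script, image or iframe URL to a known tracker, and flag any tracker that fires on a sensitive page without a documented vendor agreement. The treatment vocabulary, the tracker catalogue and the page inventory are all constructed for the example; the same functions can be fed a real crawl of a site. It runs under Node with no browser because it works on a page inventory rather than the live DOM.

```javascript
// Added example, not the article's or Perfectly5.5's code: page-level
// tracker audit and gate over a constructed site inventory.

// Constructed vocabulary of treatment-specific terms (assumption; maintain your own).
const TREATMENT_TERMS = ["botox", "filler", "laser", "acne", "migraine", "tmj", "microneedling"];

// Constructed tracker catalogue: hostname -> vendor and whether a written
// agreement (BAA or equivalent) is on file. Hypothetical values.
const TRACKERS = {
  "connect.facebook.net": { vendor: "Meta Pixel", agreementOnFile: false },
  "www.googletagmanager.com": { vendor: "Google Analytics", agreementOnFile: false },
  "cdn.example-booking.test": { vendor: "Booking widget", agreementOnFile: true },
};

// A page is treatment-specific when its path or title names a treatment.
function isTreatmentPage(path, title) {
  const haystack = `${path} ${title}`.toLowerCase();
  return TREATMENT_TERMS.some((term) => haystack.includes(term));
}

// A page is sensitive when it is treatment-specific or its form asks health questions.
function isSensitivePage(page) {
  return isTreatmentPage(page.path, page.title) || page.collectsHealthData === true;
}

// Map a resource URL to a catalogue entry; relative/first-party URLs return null.
function identifyTracker(url) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch {
    return null; // relative URL: first-party asset, not a tracker
  }
  return TRACKERS[host] ? { host, ...TRACKERS[host] } : null;
}

// Gate: generic pages may load any tracker; sensitive pages only vendors with an agreement.
function mayLoadTracker(page, tracker) {
  if (!tracker) return true;
  if (!isSensitivePage(page)) return true;
  return tracker.agreementOnFile;
}

// Audit every page/resource pair and record which trackers fire where.
function auditSite(pages) {
  const findings = [];
  for (const page of pages) {
    for (const url of page.resources) {
      const tracker = identifyTracker(url);
      if (!tracker) continue;
      findings.push({
        path: page.path,
        vendor: tracker.vendor,
        sensitive: isSensitivePage(page),
        allowed: mayLoadTracker(page, tracker),
      });
    }
  }
  return findings;
}

// Constructed inventory standing in for a crawl of the site.
const SAMPLE_PAGES = [
  { path: "/", title: "Welcome", collectsHealthData: false,
    resources: ["https://connect.facebook.net/en_US/fbevents.js",
                "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"] },
  { path: "/treatments/botox-for-migraine", title: "Botox for Migraine", collectsHealthData: false,
    resources: ["https://connect.facebook.net/en_US/fbevents.js", "/assets/site.js"] },
  { path: "/book", title: "Book a consultation", collectsHealthData: true,
    resources: ["https://cdn.example-booking.test/widget.js",
                "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"] },
];

// Trackers that must be pulled until the vendor relationship is documented.
function violations(pages = SAMPLE_PAGES) {
  return auditSite(pages).filter((f) => !f.allowed);
}

console.log(violations());
```

The home page passes because it is generic; the migraine page fails for the Meta Pixel and the booking page fails for Google Analytics, while the booking widget with an agreement on file is allowed. The same `mayLoadTracker` decision can sit in a tag manager's load rule so the audit and the runtime gate share one definition of "sensitive page".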
3. Encrypted forms and storage
Any form that collects health information should transmit over HTTPS and store the resulting data in a system that encrypts at rest. A contact form that emails responses in plain text to an unencrypted inbox does not meet this standard.
4. A privacy notice and consent flow
Your privacy notice should describe what information you collect, what you do with it, and which vendors receive it. Consent should be specific — a blanket “by using this site you agree” line is not enough when treatment-specific information is in play.
What to Ask Your Web Provider
If you don’t build the site yourself, three questions surface most of the gaps.
“Will you sign a business associate agreement?” A provider that says no, or doesn’t know what one is, is signaling that they don’t handle health-adjacent businesses regularly. That’s a flag, not a dealbreaker — but it changes the rest of the conversation.
“What tracking runs on my treatment pages?” A provider should be able to give you a complete list within a day. If they need a week to find out, the audit has never been done.
“Where do my client form submissions live?” The answer should be specific: a named platform, with encryption at rest, and a documented retention policy. “We email them to you” is not an answer.
Frequently Asked Questions
My med spa is cash-pay only. Does HIPAA apply at all?
Probably not, under a strict reading of the federal rule. HIPAA’s covered-entity definition turns on whether you electronically transmit health information in connection with specific transactions — most of which are insurance-related. A pure cash-pay med spa that never bills insurance generally sits outside that definition. State medical privacy laws still apply, and several of them are broader than HIPAA. The cleanest position is to operate as if HIPAA applies even when it technically doesn’t.
What about my Instagram before-and-after posts?
Social media is a separate question from your website, but the principle is similar. A photo posted with client consent, on a public platform the client chose to engage with, is generally fine. A photo posted without specific written consent — even one with a face blurred — can create exposure under state privacy laws and platform terms. Get written consent for each photo, name the platforms it will appear on, and store the consent record where you can find it.
Do I need to remove Google Analytics from my website?
Not necessarily. Google Analytics on a homepage or a generic information page is low-risk. Google Analytics on a page titled “Botox for TMJ” or on a booking confirmation that includes treatment details is a different question. The practical move is to audit which pages the tracking fires on and either restrict it to non-PHI pages or pursue a written agreement with Google for the appropriate properties. Removing tracking outright is rarely the right answer if the goal is responsible handling, not avoidance.
What’s the penalty if something goes wrong?
HIPAA penalties are tiered by intent — from honest mistakes to willful neglect. For covered entities, fines can range from hundreds of dollars per violation to over two million dollars per category per year. For non-covered entities, the federal HIPAA penalty doesn’t apply, but the FTC has reached settlements with several non-covered health businesses for similar conduct under consumer protection law, and state laws carry their own penalties. The point is not the headline number — it’s that exposure exists across multiple legal frameworks.
Can I just use a “HIPAA compliant” web platform and be done?
No platform makes you compliant on its own. Compliance is a posture across the platform, the people, the processes, and the documentation. A platform that signs a business associate agreement, encrypts data, and follows current guidance gets you most of the technical pieces. The rest — what your forms collect, what your team does with the data, what consent you obtain — is on the business. Treat “HIPAA compliant” claims from vendors as the floor, not the finish line.
Closing
For most med spas, the question isn’t whether HIPAA technically applies. The question is whether your website handles client health information the way a regulator, a court, or — most importantly — a client would expect it to be handled. Treat the federal rule as the floor and build from there.
For a closer look at how Perfectly5.5 handles the technical pieces — encrypted forms, BAA-backed vendors, page-level tracking control — see the platform overview at perfectly55.com/platform.