Wednesday, July 15, 2026 Living abroad, handled. Go Pro · $20/mo →
Seasoned Expat
Portugal, handled.
1 free article left this week. A free account gets you 4 a week.Go Pro →
Compliance

HIPAA for Medspas: The Before/After Photo, Texting, and Social-Media Consent Failures That Get Fined

The med spa runs on patient photos and casual texting — the two things most likely to turn a routine day into a privacy violation. Here's where the everyday workflow quietly breaks the rules.

Image: Seasoned Expat

Two things power the everyday med spa: the before-and-after photo and the quick text message. They're also the two things most likely to turn an ordinary Tuesday into a patient-privacy violation, because both live in the casual, fast, screenshot-and-send rhythm of the front desk and the treatment room — precisely the rhythm where compliance goes to die. The before/after image is simultaneously your best marketing asset and your most common compliance failure, and more often than not it's the same photo doing both jobs.

This is general education for owners, not legal advice. Your specific HIPAA status and the interplay with state privacy laws should be confirmed with counsel.

The before/after photo is your best marketing asset and your most common compliance failure — and it's usually the same photo doing both jobs.

Assume the duty applies

Owners sometimes talk themselves out of privacy obligations with "are we even a covered entity?" It's the wrong question to organize around. Many med spas are covered entities under HIPAA, and even where the analysis is genuinely nuanced, patient health information almost always carries privacy obligations under HIPAA and frequently under additional state privacy laws that can be stricter. The practical posture for nearly every owner is to operate as though robust patient-privacy duties apply — because the cost of being wrong about that assumption is paid in fines and reputation, and the cost of simply complying is paid in a few policies and some training.

The before/after photo: consent is specific, not general

Here's the distinction that trips up well-meaning practices: a patient signing a treatment consent has consented to treatment. They have not thereby authorized you to publish an identifiable image of their face for marketing. Those are different permissions, and using a general consent to justify a public post is the single most common avoidable privacy failure in the industry.

Publishing identifiable patient photos requires specific, documented authorization for that particular use — ideally spelling out where the images may appear and giving the patient genuine, revocable choice. The photo that converts beautifully on social media is also identifiable health information about a real person, and the gap between "they were happy" and "they specifically authorized publication" is exactly the gap a complaint exploits. The marketing value is real; so is the requirement, and they're attached to the same image.

Texting and personal devices: the casual channel

The second everyday failure is communication. Appointment reminders are generally lower-risk, but the workflow rarely stays that tidy. Staff texting patients health details over unsecured channels, sending photos through personal-phone messaging apps, or storing patient images in a camera roll that syncs to who-knows-where — these are the quiet exposures that accumulate because they feel like helpfulness, not violations. The danger isn't malice; it's convenience. A staffer doing exactly what makes the patient experience smooth can be creating the exposure precisely because no one drew the line.

The fix is unglamorous: a clear policy on what may be communicated, through which channels, on which devices, with appropriate safeguards — and training so the policy is a habit rather than a binder. Personal devices handling patient information without safeguards is a workflow that works perfectly until the day it doesn't.

Why this is a workflow problem, not a malice problem

Almost every med spa privacy violation comes from ordinary people doing ordinary tasks — posting a great result, texting a quick update, snapping a photo on a personal phone. That's the good news, because workflow problems are fixable with policy and training in a way that malicious actors are not. The owners who get fined are rarely the careless ones; they're the ones who never translated everyday enthusiasm into everyday rules.

What to do

  • Treat patient-privacy duties as applying and build policy accordingly rather than litigating whether they technically must.
  • Require specific, documented authorization for any identifiable patient image used in marketing, separate from treatment consent, and honor revocation.
  • Set clear rules for texting and devices — what information may go through which channels, with safeguards, and no patient images living in personal camera rolls.
  • Train the front desk and clinical staff so the rules are reflexes, and audit your social feeds for images that were never specifically authorized.

The photo and the text are the lifeblood of the practice, and nobody's asking you to stop using them. The ask is narrower and entirely achievable: get specific consent before you publish a face, draw clear lines around how patient information moves, and train your team so the everyday rhythm of the place stops manufacturing violations one helpful gesture at a time.

Frequently asked questions

Does HIPAA apply to my med spa?

Many med spas are covered entities under HIPAA, and even where the analysis is nuanced, patient health information carries privacy obligations under HIPAA and often additional state privacy laws. The practical answer for almost every owner is to operate as though robust patient-privacy duties apply. This is general education, not legal advice — confirm your status and obligations with counsel.

Can I post before/after photos on social media?

Only with proper, specific, documented patient authorization for that use. A general treatment consent is not the same as authorization to publish identifiable images for marketing. Posting identifiable patient images without specific consent is one of the most common and avoidable privacy failures.

Is texting patients a HIPAA problem?

It can be. Casual texting of appointment details may be lower-risk, but texting that includes health information over unsecured channels, or staff using personal devices without safeguards, can create exposure. The fix is clear policy on what may be communicated how, and appropriate safeguards.

What's the most common avoidable violation?

Publishing identifiable patient photos without specific marketing authorization, closely followed by careless handling of patient information over text and personal devices. Both come from everyday workflow rather than malice, which is exactly why policy and training prevent them.

Free alerts

Free: recall & rule-change alerts for your practice.

Get the recalls and state-law changes that hit your treatment room, in your inbox — free. Unsubscribe in one click.

Free · weekly · unsubscribe anytime. Privacy.

Stay three moves ahead of every practice in your market.

Knowing it happened is table stakes. Seasoned Expat Pro hands you the play — what each move means for your margins, your license, and your patients, and exactly what to do about it — in a two-minute brief, twice a week. The owners who read it never get blindsided.

Get the edge · $20/mo

Join the owners who run ahead of the industry. Cancel anytime, one click.

Discussion

    Leave a comment

    Comments are reviewed before they appear.
    Seasoned Expat Pro

    By the time it's news, it's too late.

    Seasoned Expat sits where the personal meets the procedural. Warm, been-there guidance on moving, settling, money, and finding your people abroad — right next to matter-of-fact, verified coverage of the visa rules, residency requirements, and regulatory changes that decide whether your plans actually work. Two voices, one job: help you live abroad without nasty surprises.

    Go Pro · $20/mo Cancel anytime.
    The twice-a-week brief Go Pro · $20/mo