HIPAA rules for med spa marketing: when your agency needs a BAA | VitalSignal 4th of July Weekend Sprint · done-for-you patient reactivation, shipped in 7 days, closes Tuesday Claim your spot →
Field note · 2026-07-07

HIPAA rules for med spa marketing: when your agency needs a BAA

Most med spa owners hear “HIPAA” and assume it is a hospital problem. It is not. If your practice delivers medical services and your marketing vendor ever touches patient information, HIPAA is squarely your problem, and the fines land on the practice, not the agency.

This guide covers the four questions that actually matter: does HIPAA apply to your med spa, what counts as protected health information in marketing, when a marketing agency needs a business associate agreement, and the tracking-pixel issue that has caught thousands of health websites. This is education, not legal advice; confirm specifics with a healthcare attorney in your state.

Does HIPAA apply to your med spa?

HIPAA applies to “covered entities”: health care providers that transmit health information electronically in connection with insurance-style transactions (claims, eligibility checks, and similar). A med spa operating under a physician or medical director that bills insurance for anything, even occasionally, is very likely covered. A purely cash-pay med spa that never runs an electronic claim may technically fall outside HIPAA.

Do not relax if you are cash-pay. The FTC enforces the Health Breach Notification Rule and Section 5 of the FTC Act against non-HIPAA businesses that mishandle consumer health data, and it has pursued health platforms over exactly the kind of data sharing that happens in everyday digital marketing. State privacy laws such as Washington’s My Health My Data Act add another layer. The safe operating assumption for any med spa: patient data is regulated data.

What counts as PHI in marketing?

Protected health information is anything that identifies a patient and relates to their health or care. In a med spa marketing context that includes:

  • Patient names and email addresses on your newsletter list, because being on a med spa’s patient list itself reveals health information
  • Booking and appointment data synced to ad platforms or CRMs
  • Photos of patients, including the before and after galleries this industry loves
  • Reviews and testimonials you reuse in ads
  • Any patient detail shared with an agency “so they can write better copy”

Under the HHS marketing rules, using PHI for marketing generally requires prior written authorization from the patient. That includes testimonials and photos: a signed, HIPAA-valid authorization, not a verbal okay at the front desk.

When your marketing agency needs a business associate agreement

A business associate is any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. A marketing agency that manages your patient email list, runs your CRM, handles review responses that mention care, or gets exports of booking data is functioning as a business associate. HIPAA requires a signed business associate agreement (BAA) before that data changes hands, and HHS has settled enforcement actions against providers who shared patient information with marketing vendors without one.

Practical test when evaluating any med spa marketing agency: ask “will you sign a BAA, and what is your process for handling patient data?” A specialist answers in one sentence. An agency that has never heard the term is telling you it has never worked in regulated healthcare, whatever its portfolio says.

If the agency only ever touches non-patient assets, blog content, ad creative, your Google Business Profile, no PHI flows and no BAA is needed. Structure the engagement that way on purpose if you can.

The tracking-pixel trap

The quiet compliance failure on most med spa websites is the analytics and advertising stack. HHS has published guidance warning that tracking technologies (the Meta pixel, ad-platform tags, and similar) on patient-facing pages can transmit identifiable health information to third parties, and while pieces of that guidance have been narrowed in court, regulators at both HHS and the FTC still name pixel-based health data sharing as an enforcement priority.

Minimum hygiene: keep ad pixels off booking flows and patient portals, do not upload patient lists to ad platforms for targeting without valid authorization, and ask whoever runs your ads exactly which events your pixels fire and what data rides along with them.

The short checklist

  1. Decide honestly whether you are a covered entity; if unsure, act like one.
  2. Get signed authorizations before using any patient photo, name, or testimonial in marketing.
  3. Sign a BAA with any vendor that touches patient data, including marketing agencies.
  4. Audit your pixels and tags, especially on booking pages.
  5. Keep patient lists out of ad platforms unless a lawyer has approved the exact workflow.

Compliance literacy is one of the main filters we recommend when choosing between med spa marketing companies; our guide to the best med spa marketing agencies in the US explains how to test for it in the first sales call. And if you want a second opinion on your current setup, our free audit includes a look at the public-facing side of your marketing stack.

Want this handled?

VitalSignal ships this kind of content for weight-loss, TRT, and longevity clinics every week.

Book the consult