HIPAA-Compliant Medspa Website Checklist: What I Audit First and How to Fix Every Item
In June 2022, reporters at The Markup found the Meta Pixel running on the websites of 33 of America’s 100 largest hospitals, quietly sending appointment details and patient information to Facebook. Hospitals with full compliance departments got this wrong. Most medspa websites I open have at least one of the same problems, usually more, and the owner has no idea. This is the checklist I run before I touch any medspa marketing project.
Quick context on who is writing this. I’m Mandeep. I’ve spent 9 years building and marketing websites, and a large share of my work now is medspa sites, where the marketing stack and the patient data sit uncomfortably close together. One required disclaimer before anything else: I am not a lawyer and this is not legal advice. I’m a web and SEO guy who has cleaned up enough medspa sites to know where the bodies are buried. Use this checklist to find problems and ask better questions, then confirm anything consequential with a healthcare attorney licensed in your state.
Why your medspa website probably falls under HIPAA
Owners push back on this constantly. “We’re cash-pay, HIPAA doesn’t apply to us.” Sometimes that’s even technically true. HIPAA covered-entity status attaches to providers who transmit certain electronic transactions, typically insurance billing. A medspa that never bills an insurer might not be a covered entity in the strict sense.
Here is why that argument doesn’t save you in practice:
- Your medical director almost certainly is covered. Most medspas operate under a physician or nurse practitioner whose practice bills insurance somewhere. When your intake forms and treatment records flow through their supervision, the conservative read is that HIPAA obligations follow.
- The FTC regulates you even if HIPAA doesn’t. In February 2023 the FTC fined GoodRx $1.5 million under the Health Breach Notification Rule for sharing health data with advertisers. GoodRx is not a HIPAA covered entity. Three weeks later BetterHelp agreed to pay $7.8 million over similar conduct. The FTC has made it explicit that health data shared with ad platforms is enforcement territory regardless of HIPAA status.
- State laws are stacking up. Washington’s My Health My Data Act, California’s privacy framework, and a growing list of state health-privacy laws cover consumer health data with private rights of action in some cases. “Not a covered entity” is not a defense under those.
One more piece of recent history you should know. In December 2022, HHS’s Office for Civil Rights published a bulletin taking an aggressive position on tracking technologies on healthcare websites. In June 2024 a federal court in Texas vacated part of that guidance as it applied to certain visits to public-facing pages. Some marketers read that ruling as permission to put pixels back. I’d read it as a reminder that this area is contested and moving, while FTC enforcement and state laws kept rolling forward untouched. The risk calculus for a small medspa did not meaningfully improve.
So the practical posture I take on every build: treat anything a patient submits or books on your website as protected, and design the stack so you never have to argue about definitions.
The checklist at a glance
Five areas, ordered by how often I find problems and how ugly the consequences are. The rest of this post walks through each one with specific fixes.
| Area | What goes wrong | Typical fix cost |
|---|---|---|
| 1. Tracking pixels | Meta Pixel and GA4 firing on booking and intake pages | $0, about an hour of work |
| 2. Intake forms | Generic form plugins emailing health answers in plain text | est. $30 to $100/mo for a BAA-backed vendor |
| 3. Missing BAAs | Patient data on vendors who carry zero legal responsibility | $0 to est. $50/mo, mostly paperwork |
| 4. Photo consent | Before/afters published without valid marketing authorization | $0, a proper consent form |
| 5. SSL, retention, breach plan | Mixed-content pages, indefinite data hoarding, no breach process | $0 to est. $20/mo |
1. Tracking pixels: the first thing I check, every time
Open your booking page. Open your browser’s developer tools, switch to the Network tab, and reload. If you see requests to facebook.com, google-analytics.com, tiktok.com, or hotjar.com firing while a patient picks a Botox appointment slot, you have the exact problem that put those 33 hospitals in the news.
The mechanics matter. A pixel on a booking page can transmit the page URL (which often contains the treatment name), button clicks, form field interactions, and an identifier that ties all of it to a real person’s Facebook or Google profile. “Jane Doe viewed /book/laser-hair-removal/ and completed a booking” is health information attached to an identity. That is the whole problem in one sentence.
What I audit:
- Meta Pixel on booking, intake, or thank-you pages. The thank-you page is the sneaky one. Marketers track conversions there, which means the pixel fires at the precise moment someone becomes a patient.
- GA4 on patient-facing flows. Google states outright that customers must not send protected health information to Google Analytics and it will not sign a BAA for GA4. GA4 on your blog is defensible. GA4 on your booking funnel is not.
- Session recording tools. Hotjar, Microsoft Clarity, and similar tools can capture keystrokes and replay a patient typing their medical history. Most owners installed these years ago and forgot.
- Google Ads remarketing tags. Building a remarketing audience called “visited filler pricing page” is building a list of people interested in a medical treatment. Think hard about where that tag fires.
- Tag managers hiding all of the above. Google Tag Manager means anyone with container access can add trackers without touching your site. Audit the container, not just the page source.
How to fix it without killing your marketing:
- Strip all third-party pixels from booking, intake, confirmation, and patient portal pages. Keep them on generic content if you want, the blog and the homepage, with a clear privacy policy.
- Track ad conversions with privacy-safe proxies. A click on “Book Now” measured on your own server, or a call-tracking number, gives you optimization signal without handing identities to Meta.
- If you need analytics on sensitive pages, use a tool that either signs a BAA or collects nothing identifiable. Several privacy-first analytics products run cookieless and store no personal data.
- Do not assume a cookie banner fixes this. Regulators have signaled that a banner click is not a HIPAA-valid marketing authorization.
If you just opened your own Network tab and your stomach dropped, that’s the normal reaction. I run this exact pixel check as part of a free site review, no signup wall, no obligation. Book a free 30-minute call and I’ll walk through what your booking pages are actually sending and to whom.
2. Intake forms: where most medspas store the riskiest data
Your intake form asks about medications, allergies, pregnancy, medical history, and treatment goals. That is some of the most sensitive data a small business can hold. And the most common setup I find is a generic WordPress contact-form plugin that emails those answers, unencrypted, to the front desk’s Gmail, while also saving a copy in the WordPress database on a $5/month shared host.
Every link in that chain is a problem. The plugin stores PHI on a host that won’t sign a BAA. The email transmits PHI through a provider with no BAA. The inbox retains it forever. One compromised password exposes years of patient histories.
What I audit:
- Where form submissions are stored. WordPress database entries from form plugins are the most common offender. Check your plugin’s entries screen; you may find years of intake data sitting there right now.
- Where submissions are sent. Plain email to a free inbox fails. Notifications should be a “you have a new submission” ping with no health details, with the data living inside a BAA-covered platform.
- Whether the form vendor signs a BAA, on your specific plan. Several vendors only include HIPAA features on higher tiers.
- Embedded third-party widgets. Chat widgets that ask “what treatment are you interested in?” are intake forms wearing a costume. Same rules apply.
- File uploads. Patients uploading photos of skin concerns means medical images on whatever server receives them.
Vendors I see medspas use successfully, all of which offer BAAs (verify current terms and pricing before you sign, since these move):
| Vendor | BAA | Pricing | Notes |
|---|---|---|---|
| IntakeQ | Yes | est. $50/mo | Built for medical intake specifically, e-signatures included |
| Jotform (Gold plan) | Yes, Gold and Enterprise | est. $99/mo | HIPAA features only on upper tiers, easy WordPress embedding |
| Formstack | Yes, on eligible plans | est. $99+/mo | Strong workflow automation if you outgrow basics |
| Hushmail for Healthcare | Yes | est. $10 to $20/user/mo | Bundles encrypted email with simple secure forms |
| Google Forms via Workspace | Yes, via Workspace BAA | est. $7 to $14/user/mo | You must actually execute the Workspace BAA in admin settings |
The pattern behind every good fix: your website becomes a brochure that points to a secure vault, and the vault holds the data. Your WordPress site links out or embeds a BAA-covered form, and nothing sensitive ever touches your own database or inbox. That single architectural decision solves intake forms, simplifies hosting (next section), and costs less than one syringe of filler per month.
3. BAAs: the paperwork that decides who’s liable when things go wrong
A business associate agreement is the contract that makes a vendor legally on the hook for protecting patient data it handles on your behalf. No BAA means that when the vendor leaks your patients’ data, the regulatory consequences land on you alone. It is the least glamorous item on this checklist and the one that determines who pays when something breaks.
Walk your stack and ask one question per vendor: does this company ever store, process, or transmit identifiable patient information for me? If yes, you need a signed BAA or you need to remove patient data from that vendor.
- Hosting. Most shared WordPress hosts will not sign a BAA, and that’s fine if your site holds no PHI. The big clouds (AWS, Google Cloud, Microsoft Azure) sign BAAs for covered services if you ever need PHI-adjacent infrastructure. For a typical medspa the right answer is the brochure-and-vault model from the previous section: keep the marketing site clean rather than chasing HIPAA-eligible hosting.
- Booking and practice management. Purpose-built platforms such as Aesthetic Record, Boulevard, Mangomint, and Zenoti advertise HIPAA compliance. Advertising it and having a countersigned BAA in your files are different things. Get the document.
- Email. Mailchimp’s terms prohibit storing or sending PHI through it, and it does not sign BAAs. Mainstream marketing email platforms broadly take that position. Generic newsletters are fine there. Appointment reminders, treatment follow-ups, and anything referencing what a patient had done belong in a HIPAA-eligible service like Paubox or Hushmail, or inside your BAA-covered booking platform’s messaging.
- CRMs and lead tools. The moment a lead mentions a treatment in a form note, your CRM holds health information. Either keep treatment details out of the CRM by design or choose one that signs a BAA.
- Everything bolted onto the site. Chat widgets, call-tracking with recording, transcription tools, review-request platforms that reference visits. Each one is a vendor. Each one gets the same question.
Make a one-page inventory: vendor, what data it touches, BAA yes/no, date signed. That document is also the first thing an attorney or auditor will ask for, and producing it in thirty seconds instead of three panicked days changes the tone of any investigation.
If mapping vendors and BAAs sounds like a weekend you don’t have, this is genuinely the kind of thing I do alongside medspa marketing engagements, because I have to audit the stack before I touch the funnel anyway. Grab a free 30-minute call and bring your vendor list; I’ll tell you which gaps would worry me and which are paperwork.
4. Before/after photos: your best marketing asset and a standing liability
Before/after photos sell aesthetic treatments better than any copy I will ever write. They are also protected health information when they’re identifiable, and full-face photographs are explicitly one of HIPAA’s 18 identifiers. Using PHI for marketing requires a valid written authorization, and that word “valid” carries specific requirements.
What I audit:
- Whether a standalone marketing authorization exists for every published photo. A sentence buried in general intake paperwork (“photos may be used for promotional purposes”) does not meet the standard. The authorization should be specific about what is being used, where it may appear (website, Instagram, ads), and signed separately from treatment consent.
- Whether patients can revoke, and whether you could comply. Authorizations must be revocable. If a patient revokes tomorrow, can you actually find and remove every placement of their photo, including a boosted post from 2024? If you don’t have an index of which photo appears where, build one.
- Whether “anonymized” photos actually are. Cropping the eyes out of a face does less than people think. Tattoos, birthmarks, jewelry, distinctive features, and even filename metadata can identify someone. In a small town, a jawline can be enough.
- Instagram and the rest of social. The website audit means nothing if the same photos sit on Instagram without authorization. Social posts are publications, same rules, and they’re the placements owners forget they made.
The fix costs nothing: a proper one-page marketing authorization form (have your attorney bless the template once), a simple log of which patient photo appears where, and a rule that nothing gets published until the signed form is filed. Then go enjoy the fact that you can use your best marketing weapon without flinching every time a patient gets upset about an unrelated billing issue and starts looking for grievances.
5. SSL, retention, and breach basics: the unglamorous floor
None of these items make headlines until they do. They’re also the fastest section of the audit.
- HTTPS everywhere, no exceptions. Every page, especially anything with a form, must load over TLS. Check for mixed-content warnings, where the page is HTTPS but loads an image or script over HTTP. Enable HSTS so browsers refuse insecure connections. Your host does this free; there is no excuse in 2026.
- Retention: stop hoarding. HIPAA requires retaining compliance documentation, policies, authorizations, and the like for six years. Medical record retention itself is governed by state law, often longer. But your web stack hoards data with no policy at all: form plugin entries from 2021, lead exports on someone’s laptop, intake PDFs in three inboxes. Decide what you keep, where, and for how long, then delete the rest. Data you no longer hold cannot leak.
- Access control. Count your WordPress admin accounts. Every audit I run finds at least one account belonging to a developer or employee long gone. Remove stale accounts, enforce strong passwords, and turn on two-factor authentication for anything touching patient data or the website itself.
- A breach plan that exists before you need it. Under the Breach Notification Rule you have up to 60 days to notify affected individuals. Breaches affecting 500 or more people also require notifying HHS and prominent local media, and your name goes on the public HHS breach portal that journalists read. Write down today: who do we call first (your attorney), who notifies patients, who talks to vendors, where are the BAAs filed. A breach plan written during a breach is a bad plan.
- Backups that don’t recreate the problem. A backup of a database full of intake entries is itself a copy of PHI sitting wherever your backup plugin puts it. Once you’ve moved intake data off the site, purge old backups that still contain it.
What to audit first: my 60-minute order of operations
If you only have an hour this week, run it in this order. It’s sequenced by likelihood of finding a serious problem, fastest checks first.
- Minutes 0 to 15, pixels. Developer tools open, Network tab, load your booking page, intake page, and any thank-you page. Filter for facebook, google-analytics, tiktok, clarity, hotjar. Screenshot what you find. The free Meta Pixel Helper browser extension makes this even faster.
- Minutes 15 to 25, forms. Submit a test entry through your own intake form. Then find where it went: your inbox, your WordPress database, a third-party dashboard. Every place it landed is a place patient data lives.
- Minutes 25 to 40, vendor list. Write down every tool that touched that test submission plus your booking platform, email tools, and chat widget. Mark BAA yes/no/unknown for each. The unknowns are your homework.
- Minutes 40 to 50, photos. Open your gallery page and your Instagram grid. For the five most recent before/afters, can you put your hands on a signed, standalone marketing authorization? If yes for all five, you’re in better shape than most.
- Minutes 50 to 60, the floor. Check for the padlock and mixed-content warnings on every form page, count your admin accounts, and confirm you could state your breach plan in one sentence.
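To make the minute 0 to 15 pixel filter and the minute 50 to 60 mixed-content check repeatable, here is an added example script (not from the original post or any tool it names) that scans a saved copy of a page’s HTML for known tracker hosts, inline pixel loaders, and plain-http assets. It assumes a constructed tracker host list and a constructed sample booking page; anything a tag manager injects at runtime only shows up in the live Network tab, so treat it as a first pass, not a replacement for that check.

```python
# Added example (not from the original post): a static scan approximating the
# Network-tab pixel check in section 1 and the mixed-content check in section 5.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the post says to filter for, plus their usual loader domains (constructed list).
TRACKER_HOSTS = {
    "facebook.com": "Meta Pixel",
    "connect.facebook.net": "Meta Pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager / GA4",
    "tiktok.com": "TikTok Pixel",
    "hotjar.com": "Hotjar session recording",
    "clarity.ms": "Microsoft Clarity session recording",
}
# Inline loader calls that reveal a pixel even when its script URL is obfuscated.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "GA4 / Google Ads",
                  "hj(": "Hotjar", "clarity(": "Microsoft Clarity"}


def tracker_for(host):
    """Return the tracker label if host is (a subdomain of) a known tracker host."""
    host = (host or "").lower()
    for known, label in TRACKER_HOSTS.items():
        if host == known or host.endswith("." + known):
            return label
    return None


class AssetCollector(HTMLParser):
    """Collect external asset URLs and the bodies of inline <script> blocks."""
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls, self.inline_js, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = self.URL_ATTRS.get(tag)
        if attr and a.get(attr):
            self.urls.append(a[attr])
        if tag == "script" and not a.get("src"):
            self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_js.append("".join(self._buf))
            self._buf = None


def audit_page(html, page_url):
    """Return (kind, detail) findings: 'tracker' or 'mixed-content' (http asset on an https page)."""
    parser = AssetCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for url in parser.urls:
        parts = urlsplit(url)
        label = tracker_for(parts.hostname)
        if label:
            findings.append(("tracker", f"{label} loaded from {parts.hostname}"))
        if page_https and parts.scheme == "http":
            findings.append(("mixed-content", f"insecure asset {url}"))
    for js in parser.inline_js:
        for marker, label in INLINE_MARKERS.items():
            if marker in js:
                findings.append(("tracker", f"{label} inline loader"))
    return findings


# Constructed sample booking page (placeholder measurement ID and domains), pre-cleanup.
SAMPLE_BOOKING_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag('config','G-PLACEHOLDER');</script>
<script>!function(f,b,e,v){}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');fbq('track','PageView');</script>
<link rel="stylesheet" href="http://cdn.example-medspa.test/site.css">
</head><body><h1>Book laser hair removal</h1><img src="https://example-medspa.test/logo.png" alt="">
</body></html>"""
```

Run `audit_page(open("booking.html").read(), "https://your-site/book/")` against a saved copy of each patient-facing page and keep the output next to your Network-tab screenshots.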
Score yourself honestly. In my experience the typical medspa site fails items 1 and 2 outright, has half a vendor list for item 3, and passes item 5 by accident because their host forced HTTPS. That’s not an insult; it’s the base rate, and every item on this list is fixable in days, not months. I keep a set of free, no-signup tools on this site for exactly this kind of self-serve checking; use them as often as you like.
Compliance and marketing are the same project
Here’s the part most compliance content misses: fixing this list doesn’t weaken your marketing, it removes the ceiling on it. A medspa that can’t safely run pixels needs a marketing engine that doesn’t depend on surveillance, which means ranking for the searches patients actually make and being the answer when they ask AI tools who to trust. I wrote about that second piece in how medspas show up in ChatGPT, and clean, trustworthy site architecture is a ranking input for both.
It also changes the budget math. The est. $100 to $200 per month a compliant stack costs comes out of the same budget as everything else, and I’ve laid out how to think about the whole envelope by revenue stage in how much a medspa should spend on marketing. For what it’s worth, my own model is built for owners who’d rather not fund an agency’s office tower: SEO from $1,500/month flat, websites from $500, landing pages from $300, no contracts, and compliance checks baked into every build because I’d rather lose an hour now than have a client lose a six-figure settlement later. Full numbers are on the pricing page, nothing gated.
One honest caveat to end the checklist: this post covers your website and marketing stack, which is the slice I know deeply. HIPAA also governs your in-office practices, training, and policies, and a healthcare attorney should own that bigger picture. What I can promise is that the website slice, the slice most likely to leak data to ad platforms at scale, is auditable in an hour and fixable in a week.
FAQ
Does HIPAA apply to a cash-only medspa that never bills insurance?
Possibly not as a covered entity, since HIPAA technically attaches to providers who transmit electronic transactions to insurers. But most medspas operate under a medical director whose practice is covered, and the FTC’s Health Breach Notification Rule plus state privacy laws apply regardless. GoodRx paid $1.5 million under that FTC rule in 2023 without being a HIPAA covered entity. Treat patient data as protected either way, and confirm your status with a healthcare attorney.
Is Google Analytics 4 HIPAA compliant?
No. Google states plainly that customers must not send protected health information to Google Analytics, and Google will not sign a business associate agreement for GA4. You can keep GA4 on generic pages like your blog if you strip it from booking, intake, and confirmation pages, or switch to a privacy-focused analytics tool that signs a BAA or collects no identifiable data.
Can I run the Meta Pixel on my medspa website?
Not on any page that touches appointments, treatments, or patient identity. The Markup found the Meta Pixel sending appointment details from hospital websites in 2022, and regulators followed with enforcement actions. If you advertise on Meta, keep the pixel off booking and intake flows, scrub health details from any server-side events, and get written legal guidance before trusting consent banners to cover you.
What is a BAA and which vendors need one?
A business associate agreement is a contract that makes a vendor legally responsible for protecting patient data it handles for you. Any vendor that stores or transmits identifiable patient information needs one: form builders, booking platforms, CRMs, email tools, transcription services, and your host if patient data lives on the server. No BAA means you carry the liability alone.
Are before-and-after photos a HIPAA violation?
They can be. Full-face photos are one of HIPAA’s 18 identifiers, so publishing them for marketing requires a signed, specific, revocable authorization from the patient. A general consent line buried in your intake paperwork does not count. Cropped photos can still identify someone through tattoos, birthmarks, or jewelry. Get a standalone marketing authorization for every photo you publish, including on Instagram.
Is WordPress HIPAA compliant?
WordPress itself is just software, so the real question is where patient data ends up. A WordPress marketing site that stores zero patient data can sit safely on ordinary shared hosting. The moment a plugin saves intake answers to your database or emails them unencrypted, you have a problem, because most shared hosts will not sign a BAA. Keep the site PHI-free and route patient data to BAA-covered platforms.
Which form builders will sign a BAA?
IntakeQ, Jotform on its Gold plan, Formstack, and Hushmail all offer BAAs, and Google Forms is covered when you sign Google Workspace’s BAA. Purpose-built medspa platforms such as Aesthetic Record and Boulevard advertise HIPAA compliance too. Confirm the signed BAA actually exists before launch, since some vendors only include it on specific plans.
What happens if my medspa website leaks patient data?
HIPAA’s Breach Notification Rule gives you up to 60 days to notify affected individuals. Breaches involving 500 or more people also require notifying HHS and local media, and your practice lands on the public HHS breach portal. Penalties scale with negligence, with the top tier past est. $2 million per year. Document everything and call a healthcare attorney the same day you discover a breach.
Do cookie consent banners make tracking pixels legal?
Not by themselves. HIPAA requires a valid authorization for disclosures of protected health information used in marketing, and regulators have signaled that a cookie banner click is not that. A banner helps with state privacy laws, but it does not convert the Meta Pixel on your booking page into a compliant setup. Remove trackers from patient-facing flows instead of relying on banners.
How much does it cost to make a medspa website HIPAA compliant?
Less than most owners fear. A BAA-backed form tool runs est. $30 to $100 per month, HIPAA-eligible email runs est. $10 to $30 per user, and removing pixels from booking pages costs nothing but an hour of work. The expensive path is ignoring it: FTC settlements in 2023 ran $1.5 million for GoodRx and $7.8 million for BetterHelp.
Can I use Mailchimp or Klaviyo for patient emails?
Not for anything containing patient health information. Mailchimp’s terms prohibit using it to send or store PHI and it does not sign BAAs, and mainstream marketing platforms generally take the same position. Use them for generic newsletters anyone could receive, and move appointment reminders and treatment follow-ups to a HIPAA-eligible platform like Paubox or your BAA-covered booking system.
How often should I re-audit my medspa website for compliance?
Quarterly, and after every meaningful change to your site. Pixels creep back in through tag managers, theme updates, and new landing page tools. Marketing hires add tracking without asking. I have seen a clean site fail an audit three months later because a new chat widget stored conversations about treatments on a non-BAA server. Put a recurring 30-minute audit on the calendar.
Want a second set of eyes on your medspa site?
I’ll run this exact checklist on your website live on a call, pixels, forms, BAAs, photos, the lot, and tell you what I’d fix first. No deck, no pressure, no contract. 9 years of doing this, 37 five-star Upwork reviews, and I answer my own phone.
Prefer to talk right now? Call +91 97297 12388 or message me on WhatsApp.
Your patients trust you with their faces and their medical histories. Making sure your website deserves that trust takes about an hour to assess and about a week to fix, and it’s the cheapest insurance your medspa will ever buy. If you’d rather not do it alone, book a free 30-minute call and we’ll go through your site together.