HIPAA applies to "covered entities" and their "business associates." According to HHS guidance, a covered entity falls into one of three categories: a health care provider, a health plan, or a health care clearinghouse. Providers qualify only if they transmit health information electronically in connection with a transaction for which HHS has adopted a standard, most commonly insurance billing. Health plans cover insurers, HMOs, employer health plans, and government programs like Medicare and Medicaid, while clearinghouses are entities that convert health information between standard and nonstandard formats on another entity's behalf. As HHS states, "If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules."
For a medical spa, if your business employs a licensed clinician who diagnoses conditions, prescribes treatments, or bills insurance for any portion of services, you likely qualify as a covered entity.
Wellness retreats are a bit different. A retreat centered on yoga, meditation, and nutrition coaching with no licensed medical staff may fall outside HIPAA's scope. However, some retreats now incorporate IV drips, ketamine-assisted therapy, functional medicine consultations, or genetic testing, services that may involve licensed providers and protected health information (PHI). A practical test for whether you must comply: if your business collects health histories, lab results, or treatment records tied to identifiable clients, and a licensed provider is involved in care, assume HIPAA applies unless confirmed otherwise.
The requirements
HIPAA compliance rests on three main rules, each with implications for a spa or retreat:
- The Privacy Rule governs how PHI can be used and disclosed. This means client intake forms, treatment notes, and photos can't be shared with third parties, including marketing vendors, social media platforms, or even other clients, without proper authorization. A common violation is posting before-and-after photos on Instagram without an authorization that specifically covers that marketing use, as required under § 164.508(a)(3).
- The Security Rule addresses how PHI is protected when stored or transmitted electronically. This covers everything from the booking software you use to the tablet clients fill out intake forms on. Spas using consumer-grade tools like generic email, unsecured cloud drives, or non-HIPAA-compliant scheduling apps are common violators. Electronic PHI needs encryption, access controls, and audit logging.
- The Breach Notification Rule requires covered entities to notify affected individuals, and in some cases HHS and the media, if PHI is exposed. A lost laptop with client intake records or a hacked email account containing lab results can trigger this obligation.
"HIPAA compliant" is a claim you need to be careful making
There's a difference between complying with HIPAA and being able to advertise that you're "HIPAA compliant." According to a piece published by the American Med Spa Association, written by attorney Patrick O'Brien, no government agency actually certifies businesses as HIPAA compliant. The Department of Health and Human Services (HHS) is the only body with authority to assess HIPAA compliance, and no formal third-party certification exists. As health care attorney Jay Reyero, JD, put it in the article, "HHS has been very clear that there is no officially recognized third-party compliance certification."
This matters because the Federal Trade Commission (FTC) polices misleading advertising claims, and "HIPAA compliant" badges or seals can imply a government endorsement that doesn't exist. The AmSpa article points to real enforcement actions on this issue, including an FTC complaint against GoodRx for, among other things, using an official-looking HIPAA compliance seal on its site, and a 2016 settlement in which a dental software company was found to have misrepresented its HIPAA compliance.
For spa and retreat owners, the safer practice is to describe what you do to protect client information rather than declaring "HIPAA compliant" status.
Compliance gaps in this industry
The requirement for business associate agreements (BAAs) is set out at 45 CFR § 164.504(e), which requires a covered entity that uses a business associate to carry out health care functions on its behalf to have a written contract stating what the business associate will do and requiring it to comply with the privacy and security requirements. Furthermore, business associates are themselves liable for compliance with certain provisions of the HIPAA Rules, independent of what the contract says.
Staff training is sometimes informal or nonexistent, despite being a required administrative safeguard under 45 CFR § 164.308(a)(5)(i). Estheticians, front-desk staff, and wellness coaches may handle PHI daily without understanding what they can discuss with friends, post on social media, or leave visible on a screen in a treatment room.
Photo and testimonial use is a risk. Authorization for marketing use must be separate from general treatment consent, specific about how images will be used, and revocable, per the authorization elements at 45 CFR § 164.508(c) and the right to revoke at § 164.508(b)(5).
Physical safeguards matter as well: treatment rooms with thin walls, intake forms left on clipboards in waiting areas, or computer screens visible to other clients can be a privacy violation under HIPAA, even without any electronic breach.
Building a compliance program
A compliance program for a wellness retreat or med spa should include:
- A risk assessment - required under 45 CFR § 164.308(a)(1)(ii)(A), a risk assessment should identify where PHI is created, stored, and transmitted throughout the business. Written policies and procedures, required under 45 CFR § 164.316, should cover use and disclosure of PHI, breach response procedures, and data retention timelines.
- Designating a privacy officer - required under 45 CFR § 164.530(a) for the Privacy Rule and § 164.308(a)(2) for the Security Rule.
- Technology choices - scheduling, payment, EHR, and communication tools should all be vetted for HIPAA compliance and backed by signed BAAs.
- Consent forms - authorizations should exist for treatment, for any marketing use of photos or testimonials, and for sharing information with related providers.
Proposed updates to the HIPAA Security Rule
In January 2025, HHS proposed the first update to the HIPAA Security Rule since its original 2003 publication and 2013 revision. According to "Top 10 takeaways from the new HIPAA security rule NPRM," published by Thomson Reuters, the rulemaking aims to close gaps that have led to inconsistent security practices and growing cyber risk across the healthcare sector.
Some of the proposed changes would be relevant for med spas and wellness retreats that rely on outside vendors and consumer-grade technology:
- MFA and encryption would stop being optional. Multi-factor authentication and encryption of electronic PHI are currently "addressable" standards, meaning businesses can adopt an alternative if the standard isn't reasonable for them. Under the proposal, both would become mandatory for nearly all systems handling ePHI, with exceptions for certain legacy systems and older medical devices.
- Vendor oversight. Currently, spas and retreats can rely on a signed BAA and aren't required to actively verify how a vendor implements its safeguards. The proposed rule would require regulated entities to obtain written, expert-validated verification of a vendor's cybersecurity practices before relying on them.
- Faster breach and termination timelines. Business associates would need to notify covered entities within 24 hours of activating a contingency plan after a security incident, and a departing employee's access to ePHI would need to be cut off within one hour of their last day.
- New technical requirements. The proposal would require an annual inventory and map of all systems that touch ePHI, vulnerability scans every six months, penetration testing annually, and a formal written incident response plan tested every 12 months.
FAQs
Do clients have a right to see or get a copy of their own records?
Yes, under HIPAA's right of access, covered entities generally must provide individuals with their PHI within 30 days of a request.
Does HIPAA still apply if a retreat is located outside the United States?
HIPAA is a U.S. federal law, so it generally applies based on whether the business is a U.S. covered entity, not on where the retreat physically takes place.
Can a solo practitioner or small spa skip having a privacy officer?
No, even a one-person practice that qualifies as a covered entity must designate someone, even if it's the owner, as the privacy and security official.
