HIPAA Compliance Checklist for Aesthetic Practice Software
Choosing practice management software for your MedSpa? Here's the HIPAA compliance checklist you need before signing up — from BAAs to audit logs to AI-specific considerations.
If you run a medical aesthetics practice, you're handling protected health information (PHI). Patient names, treatment records, before-and-after photos, payment history: it's all PHI. And if your practice management software isn't HIPAA compliant, you are still the one on the hook. Business associates carry their own direct liability under the HITECH Act, but that does not transfer yours as the covered entity.
Here's what to actually verify before choosing a platform.
1. The Business Associate Agreement (BAA)
This is non-negotiable. Any vendor handling PHI on your behalf must sign a Business Associate Agreement. Without one:
- You're violating HIPAA
- You have no legal recourse if they mishandle patient data
- Your liability insurance may not cover breaches through un-vetted vendors
What to ask: "Will you sign a BAA before I upload any patient data?" If they hesitate or say "we're HIPAA compliant but don't sign BAAs" — walk away.
2. Encryption: In Transit AND At Rest
The HIPAA Security Rule lists encryption as an "addressable" specification rather than a hard requirement, but PHI that is lost or stolen unencrypted is "unsecured PHI" and triggers breach notification. In practice, treat encryption as mandatory both while moving (in transit) and while sitting in storage (at rest). This means:
- TLS 1.2+ for all data transmission (web, mobile app, API calls)
- AES-256 encryption for stored data, including database backups
- Encrypted backups — a backup sitting unencrypted in S3 is a breach waiting to happen
What to ask: "What encryption standard do you use for data at rest? Are your database backups encrypted?"
3. Access Controls and Audit Logs
Every access to PHI must be logged and attributable. Your software should provide:
- Role-based access control (RBAC): Front desk shouldn't see what the medical director sees
- Audit trails: Who accessed which patient record, when, and what they did
- Automatic session timeouts: No PHI sitting on an unlocked screen in an empty room
- Failed login tracking: Detect and alert on brute force attempts
What to ask: "Can you show me the audit log interface? How do I see who accessed a specific patient's record?"
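The two questions above (who touched a given record, and are failed logins being watched) are the ones you should be able to answer from the vendor's audit export without their help. The following is an added example, not code from Darael or any vendor: it reviews a constructed JSON Lines audit export, lists every access to one patient's record, and flags brute-force login activity with a sliding window. The event schema (`ts`, `actor`, `action`, `patient_id`, `result`, `src_ip`) and the 5-failures-in-10-minutes threshold are assumptions; substitute the export format and thresholds of the platform you are evaluating.

```python
"""Review an audit-log export for the section 3 controls.

Added example, not vendor code. The event schema below is an assumption
made for illustration: real platforms export different field names.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: five failed logins for one account within
# half a minute, then a successful login and some record activity.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:05Z","actor":"frontdesk1","action":"login","result":"fail","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T09:00:09Z","actor":"frontdesk1","action":"login","result":"fail","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T09:00:14Z","actor":"frontdesk1","action":"login","result":"fail","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T09:00:20Z","actor":"frontdesk1","action":"login","result":"fail","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T09:00:27Z","actor":"frontdesk1","action":"login","result":"fail","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T09:01:02Z","actor":"frontdesk1","action":"login","result":"success","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T09:02:10Z","actor":"frontdesk1","action":"record.read","patient_id":"P-1042","result":"success","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T10:15:44Z","actor":"dr_lee","action":"record.update","patient_id":"P-1042","result":"success","src_ip":"198.51.100.23"}
{"ts":"2024-05-01T10:16:01Z","actor":"dr_lee","action":"record.read","patient_id":"P-2001","result":"success","src_ip":"198.51.100.23"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse JSON Lines into dicts with a timezone-aware datetime in `ts`."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def accesses_for_patient(events: list[dict], patient_id: str) -> list[tuple]:
    """Who accessed this patient's record, when, and what they did."""
    return [
        (e["ts"].isoformat(), e["actor"], e["action"])
        for e in sorted(events, key=lambda e: e["ts"])
        if e.get("patient_id") == patient_id
    ]


def brute_force_alerts(events: list[dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> list[tuple]:
    """Flag (actor, src_ip) pairs with >= `threshold` failed logins inside `window`.

    Sliding window per pair over time-sorted events; each pair is reported once.
    """
    failures: dict[tuple, deque] = defaultdict(deque)
    alerted = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "login" or e["result"] != "fail":
            continue
        key = (e["actor"], e["src_ip"])
        q = failures[key]
        q.append(e["ts"])
        # Drop failures that fell out of the window before counting.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerted.add(key)
    return sorted(alerted)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for row in accesses_for_patient(evs, "P-1042"):
        print("access:", *row)
    for actor, ip in brute_force_alerts(evs):
        print(f"ALERT brute force: actor={actor} src_ip={ip}")
```

If a vendor's export cannot be turned into this kind of per-patient access list with a few lines of scripting, their "audit log" is probably a UI feature rather than a record you could hand to an investigator.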
4. The AI-Specific Compliance Gap
This is the new one most checklists miss. If your platform uses AI — for clinical suggestions, lab interpretation, appointment scheduling — you need additional diligence:
- Is PHI sent to third-party AI APIs (OpenAI, Anthropic, etc.)? If yes, do those vendors have BAAs?
- Is PHI used to train AI models? It shouldn't be: training is not a use a BAA can authorize a business associate to make on your behalf for treatment, payment or operations, so it would require patient authorization or proper de-identification first
- Are AI recommendations auditable? You need to be able to trace an AI suggestion back to the data that produced it
At Darael, we route AI clinical intelligence through our own infrastructure with BAA-covered providers, and patient data is never used for model training.
What to ask: "Does your AI send patient data to third-party APIs? Is patient data ever used for model training?"
5. Breach Notification Protocol
HIPAA's Breach Notification Rule requires covered entities to notify affected patients without unreasonable delay, and no later than 60 days after discovering a breach. A business associate that discovers a breach has the same 60-day outer limit to tell you, so your BAA should set a much shorter contractual window. That clock is why your software vendor is your first line of defense:
- Do they have automated intrusion detection?
- What's their incident response SLA? (Hours matter, not days)
- Will they notify you proactively if they detect a breach?
What to ask: "What's your incident response SLA? When was your last penetration test?"
6. Data Portability and Deletion
HIPAA gives patients the right to access a copy of their records (generally within 30 days of the request) and to request amendments. It does not give them a right to deletion, and state medical-record retention laws usually require you to keep records for years. Deletion matters at the other end of the relationship: when you leave a vendor, the BAA must require them to return or destroy all PHI they hold. Your software must support:
- Exporting complete patient records in a standard, machine-readable format, fast enough to meet the access deadline
- Permanent, verified destruction of your PHI at contract termination (not soft-delete or "archive"), with written confirmation
- Data retention policies that are transparent, configurable, and able to satisfy your state's retention minimum
What to ask: "How do I export a complete patient record? How do you return or destroy our data when we leave, and how is that verified?"
The Quick-Reference Checklist
Before signing with any practice management vendor:
- BAA signed and on file (before any PHI is uploaded)
- AES-256 encryption at rest; TLS 1.2+ in transit
- Encrypted database backups
- Role-based access controls with audit logs
- AI data handling: PHI not sent to un-BAA'd third parties; not used for model training
- Documented incident response SLA with proactive breach notification
- Patient data export supported; verified destruction of PHI at contract termination written into the BAA
- Annual third-party penetration testing (ask for the summary report)
- SOC 2 Type II report (an independent attestation, not a certification; complementary to HIPAA, not a replacement)
The Bottom Line
HIPAA compliance isn't a feature checkbox. It's an operational characteristic of how the software is built, deployed, and maintained. A vendor who can't answer these questions clearly probably doesn't have the answers.
Darael was built HIPAA-first — not compliance bolted on after the fact. Schedule a compliance walkthrough with our team to see how we handle PHI at every layer of the stack.