
Your Patients’ Data and AI: What’s Actually HIPAA-Compliant, What’s Not, and What Most Med Spas Get Wrong

Disclaimer: This post is educational and does not constitute legal advice. HIPAA compliance requirements vary by practice type and situation. Consult a qualified healthcare attorney for guidance specific to your practice.

Aesthetic practice owners tend to fall into one of two camps when it comes to AI and HIPAA.

Camp One has stopped using AI for almost everything. Someone mentioned HIPAA in a Facebook group six months ago and now they are afraid to type a patient’s first name anywhere near a chatbot. They are leaving real operational value on the table because the risk feels undefined and undefined risk feels enormous.

Camp Two has not thought about it at all. They are using AI freely, pasting in appointment details, copying patient notes, uploading intake forms, and assuming that because nothing bad has happened yet, nothing is wrong.

Neither camp is in a good position. And both of them could fix this with about twenty minutes of clarity.

The goal of this post is to give you that clarity. Not legal advice, because that requires an attorney who knows your specific practice. But a working understanding of what HIPAA actually protects, what that means for how you use AI tools, and where the real line is in your day-to-day operations.

What HIPAA Actually Protects (The Short Version)

HIPAA protects Protected Health Information, which the law defines as individually identifiable health information. The key phrase is “individually identifiable.” For information to qualify as PHI, it needs to meet two conditions: it must relate to a person’s health condition, health care, or payment for health care, and it must be connected to something that could identify who that person is.

The government identifies 18 specific identifiers that can make health information individually identifiable. These include the obvious ones, like name, address, phone number, and Social Security number, but also less obvious ones like dates other than year (including birth dates and appointment dates), geographic data smaller than a state, device identifiers, and photographs.

That last one matters for aesthetic practices specifically. A before-and-after photo attached to a patient record is PHI. A before-and-after photo where the patient is identifiable, even without a name attached, could still qualify.

Here is the practical test to apply before you involve AI in any task: Does this involve information that could identify a specific patient and that connects to their health or the care they received?

If yes, you are in PHI territory and need to think carefully about how you proceed.

If no, you are working with general business information and most standard AI tools apply without issue.

The Six Most Common Misconceptions (With Straight Answers)

Misconception 1: “I cannot use AI at all in my medical spa because of HIPAA.”

This is the one that keeps Camp One stuck, and it is not accurate.

HIPAA governs how you handle Protected Health Information. The majority of tasks that AI can help you with in an aesthetic practice do not involve PHI at all. Writing an Instagram caption about your HydraFacial service, creating a staff training document, building an SOP for your front desk, drafting a team meeting agenda, generating content ideas for your newsletter, analyzing inventory data, rewriting your service descriptions: none of these tasks requires patient-identifiable health information, and HIPAA has no bearing on them.

Most of what AI can do for your practice operations and marketing falls outside PHI entirely. The fear that HIPAA creates a blanket restriction on AI use is not supported by what the law actually says.

Misconception 2: “As long as I do not mention the patient’s condition, it is fine.”

This one is more nuanced, and it is where Camp Two tends to get tripped up.

PHI does not require you to name the condition explicitly. If you type “My patient Sarah Johnson has an appointment on Thursday for a follow-up” into a standard AI chat, you have potentially created PHI, because you have combined an identifiable name with a health-adjacent appointment at a medical practice, even if you never mentioned what the appointment is for.

The safer framing removes the identifier entirely. “Help me write a follow-up message for a patient coming in for a neurotoxin touch-up” is a prompt that does not create PHI. The AI does not know which patient. There is nothing individually identifiable in what you shared.

The test is not what condition you mentioned. The test is whether a specific person could be identified from what you shared.
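The two-part test above (an identifier plus a health or care context) can be turned into a pre-prompt screener that staff run before pasting anything into a standard AI tool. The following is an added example written for this post, not a tool from the author or any vendor; the regexes, the health-term list and the sample prompts are constructed assumptions, tuned to over-flag rather than miss.

```python
import re

# Heuristic detectors for a few of the identifier categories the post names
# (phone, email, SSN, dates other than year). Constructed for this example;
# they are deliberately broad, so a hit means "stop and look", not "this is PHI".
IDENTIFIER_PATTERNS = {
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}(?:/\d{2,4})?|"
        r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.? \d{1,2})\b",
        re.IGNORECASE),
}

# Words that signal the "relates to health care" half of the test (assumed list).
HEALTH_TERMS = ("patient", "appointment", "treatment", "follow-up", "consult",
                "neurotoxin", "botox", "filler", "procedure", "intake", "chart")


def find_name_candidates(text):
    """Flag two adjacent title-case words that do not open a sentence ('Sarah Johnson').
    Over-inclusive by design: a false alarm costs a second look, a miss costs PHI."""
    words = text.split()
    hits = []
    for i in range(1, len(words) - 1):
        prev = words[i - 1]
        a, b = (w.strip(".,;:!?\"'()") for w in (words[i], words[i + 1]))
        if prev[-1] in ".!?":          # words[i] starts a new sentence; skip it
            continue
        if a.istitle() and b.istitle() and a.isalpha() and b.isalpha():
            hits.append(f"{a} {b}")
    return hits


def screen_prompt(text):
    """Apply the post's test: identifier present AND health/care context present."""
    found = {k: p.findall(text) for k, p in IDENTIFIER_PATTERNS.items()}
    found = {k: v for k, v in found.items() if v}
    names = find_name_candidates(text)
    if names:
        found["name"] = names
    health = [t for t in HEALTH_TERMS if t in text.lower()]
    return {"identifiers": found, "health_terms": health,
            "phi_risk": bool(found) and bool(health)}


# Constructed sample prompts: the two from the post plus one with a phone number.
SAMPLE_PROMPTS = [
    "My patient Sarah Johnson has an appointment on Thursday for a follow-up",
    "Help me write a follow-up message for a patient coming in for a neurotoxin touch-up",
    "Text (555) 123-4567 to confirm her filler appointment",
]

if __name__ == "__main__":
    for prompt in SAMPLE_PROMPTS:
        print(screen_prompt(prompt)["phi_risk"], "->", prompt)
```

The second prompt carries health context but no identifier, so it passes; the first and third combine both halves of the test and are flagged for rewording before they go anywhere near a chatbot.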

Misconception 3: “ChatGPT and Claude are not HIPAA compliant, so I cannot use them.”

This is a partial truth that gets stated as an absolute, and it creates unnecessary paralysis.

Standard consumer versions of AI tools should not be used to process PHI unless your practice has confirmed that the specific product, configuration, and contract structure support HIPAA compliance, including a signed Business Associate Agreement when required.

Some enterprise or healthcare-specific AI offerings may support HIPAA-aligned use cases, but the details change quickly and should be reviewed with your healthcare attorney and the vendor’s current documentation.

But if you are using these tools for tasks that do not involve PHI, the absence of a BAA is not relevant. You do not need a BAA for a vendor who never touches PHI. You need to use the tool for tasks that do not require sharing PHI in the first place.

Both OpenAI and Anthropic offer enterprise-level options with enhanced data security, and the HIPAA compliance landscape for AI tools is evolving quickly. If you have a use case that genuinely requires AI to process PHI, consult your healthcare attorney about current enterprise options and what agreement structure is required.

Misconception 4: “My patients signed a consent form, so I can use their information.”

HIPAA has specific, formal requirements for patient authorization that go beyond a general treatment consent form. A standard consent for treatment does not grant you permission to share a patient’s PHI with third-party AI tools.

This is one for your healthcare attorney. The authorization question is fact-specific and practice-specific, and the cost of getting it wrong is not worth the shortcut.

Misconception 5: “Before-and-after photos are fine to use in AI tools for marketing.”

This one depends entirely on identifiability.

A before-and-after photo where the patient’s face is clearly visible is PHI if it connects to their health care at your practice. Uploading it to a standard AI image tool without proper safeguards in place is a problem.

A before-and-after photo where the patient has consented specifically to marketing use, where your legal framework supports that use, and where you are working within a compliant system is a different situation entirely.

If you are using before-and-after photos for marketing, the question is not whether AI is involved. The question is whether your consent framework and data handling are legally sound. That is a conversation for your healthcare attorney.

Misconception 6: “My marketing tasks are all off-limits.”

Marketing content does not inherently involve PHI. Writing a promotional email about your upcoming Botox special does not require patient-identifiable health information. Drafting a social media campaign for a new treatment offering does not require patient-identifiable health information. Creating an email sequence for new client nurture does not require patient-identifiable health information.

Marketing tasks cross into PHI territory when you try to personalize them with specific patient data, reference an individual patient’s treatment history, or use identifiable photos without proper authorization. The task itself is not the problem. What you bring into the task is.

What Is Safe to Do With Standard AI Tools

Tasks that involve general business information, generic patient communication templates, operational content, and marketing copy that does not reference specific patient data are appropriate for standard AI tools. Specifically:

  • Writing Instagram captions, email newsletters, and promotional copy about your services
  • Drafting SOPs, staff training materials, and internal team communications
  • Creating patient education content about treatments (generic, not individualized)
  • Building scripts for front desk phone calls and patient follow-up templates
  • Analyzing inventory data, financial summaries, and operational reports that do not contain patient identifiers
  • Writing Google review responses (without referencing the reviewer’s treatment details)
  • Generating content calendars, blog posts, and marketing strategy documents
  • Drafting job postings, interview guides, and HR communications

What Requires Careful Thought or Different Tools

These tasks involve PHI or potential PHI, and require either a different approach, a compliant tool with appropriate agreements, or legal guidance before proceeding:

  • Analyzing appointment records or patient files that include names, contact information, or dates
  • Personalizing patient communications using individual treatment histories
  • Uploading spreadsheets or documents that include patient identifiers
  • Processing intake forms, health history documents, or clinical notes
  • Using identifiable patient photos in AI tools for any purpose

The Practical Step Every Practice Should Take This Week

Write a one-paragraph AI policy for your practice. It does not need to be a legal document. It needs to be a clear, written statement of what your team does and does not include in AI prompts, so that no one is making that decision under pressure at the end of a busy day.

A starting point:

“We do not include patient names, appointment dates, treatment histories, contact information, before-and-after details tied to specific individuals, or any other identifying information in AI prompts. All AI tools in our practice are used for general operations and marketing only. If you are unsure whether something is appropriate to include, do not include it. Ask before you share.”

One paragraph. Shared with your team. Revisited any time you add a new AI tool to your practice.

A Note on Where This Is Going

HIPAA compliance for AI tools is a developing area. The guidance is evolving, the tools are evolving, and what is true about a specific platform’s compliance status today may be different in six months. This is not a reason to avoid AI in your practice. It is a reason to build operational habits around it now, understand the framework clearly, and stay close to how the regulations develop.

The practices that will use AI most effectively in the years ahead are not the ones waiting for perfect clarity. They are the ones building responsible habits now, with an understanding of what the rules are designed to protect and why.


About the Author

Daniela Woerner is the founder of Addo Aesthetics and creator of the Growth Factor® Framework, a proven system that’s helped hundreds of spa owners build profitable, systemized businesses. With 20 years in the aesthetics industry, she transforms overworked service providers into confident Spa CEOs through strategy, systems, and soul-led support. Daniela is also the host of Spa Marketing Made Easy, a top-ranked podcast with over 1 million downloads, where she shares real-world strategies to help spa professionals grow with clarity and confidence.
