
Does HIPAA-Compliant Salon & Med-Spa Software Exist? (And Do You Need It?)

By Hunter Berge, Founder & Analyst. Updated June 22, 2026. 3 min read.

Yes, but it's rarer than vendors imply, and the software alone won't make you compliant. HIPAA needs a signed Business Associate Agreement with your vendor plus your own safeguards: encryption, access controls, and trained staff. Compliance is shared. If you keep medical records, consent forms, or health intake, you likely need it.

A med-spa practitioner reviewing a digital intake form on a tablet in a clean treatment room.

Key takeaways

  1. HIPAA-compliant software exists, but most mainstream booking apps don't market it, and many won't sign the agreement that makes it real.
  2. The software is only half the job. HIPAA requires a signed Business Associate Agreement (BAA) with your vendor, plus your own safeguards like encryption and access controls.
  3. Compliance is a shared responsibility: even on compliant software, sloppy access habits or an unsigned BAA leave you exposed.
  4. You likely need it if you keep medical records, consent forms, or health-related intake: injectables, medical-grade skin work, anything clinical.
  5. This is not legal or compliance advice. Confirm your obligations with a qualified professional before you decide.

Does HIPAA-compliant salon and med-spa software exist?

Yes, it exists, but it's less common than the marketing copy suggests. Plenty of tools advertise "secure" or "encrypted," which sound adjacent to HIPAA without meaning it. The narrower reality is that genuine HIPAA compliance for a software vendor hinges on whether they'll sign a specific contract, and most mainstream booking apps simply don't market themselves for it. They were built for haircuts and nail appointments, not protected health information.

So when you're shopping, "we take security seriously" is not the answer you're looking for. The question is whether the vendor offers a signed agreement that puts them on the hook for your clients' health data. That's a much shorter list of options.

What does HIPAA require from your software?

At a high level, two things: a signed agreement and real safeguards. The agreement is a Business Associate Agreement, or BAA, the contract where your software vendor formally accepts responsibility for handling protected health information under HIPAA. Without it, the platform can be technically locked down and still leave you non-compliant.

The safeguards are the technical and administrative protections around the data: encryption in transit and at rest, access controls so only the right people see records, audit trails, and backups. A vendor that signs a BAA but skips the safeguards isn't offering you compliance, and neither is a secure-looking app that won't sign anything. You need both halves, and they have to fit together.

This is also where a lot of "AI" features deserve a second look, since some route your data through outside services; it's worth understanding what an AI assistant does with your client data before you let it near a health record.

Who needs HIPAA-compliant software?

If you keep medical records, clinical consent forms, or health-related intake, you're the one this is written for. That covers injectors, med-spas operating under a medical director, and a lot of medical-grade skin work. It also reaches further than people expect: the moment your lash, brow, or esthetic intake form asks about allergies, medications, or skin conditions, you may be collecting protected health information.

A barber who tracks names and appointment times is usually in a different category. The dividing line isn't your trade, it's the data you store. If your forms ask health questions, assume you're closer to the line than your salon's signage suggests.

To be clear, this is not legal or compliance advice. Where exactly you fall is a question for a qualified professional who can look at your specific setup.

Whose job is compliance, the software's or yours?

Both, and that split is the part vendors gloss over. HIPAA treats compliance as a shared responsibility. Your vendor is accountable for the platform's safeguards and signs the BAA to formalize it. You're accountable for everything around the platform: who you give access to, whether your team is trained, whether you lock your screen at the front desk, whether you reuse a password across five logins.

Compliant software shrinks your risk. It can't carry it by itself. The cleanest tool in the world won't help if a shared login is taped to the monitor. The U.S. Department of Health and Human Services publishes the actual rules, and reading them with a professional beats guessing.

How does Lilo handle HIPAA?

Lilo offers HIPAA compliance through a signed BAA, arranged by going through Lilo rather than a toggle you flip in settings. That distinction matters: a self-serve switch isn't the same as a signed agreement, and we don't pretend otherwise. The compliance is backed by 256-bit encryption and automatic backups, and your organization's data stays siloed and is never used to train the AI.

If you're weighing whether a platform takes this seriously, the details of how we encrypt, back up, and wall off data are laid out on the security page. For the BAA itself, the path is a conversation, not a checkbox, because the agreement is a real legal commitment on both sides. None of this replaces advice from your own compliance professional. It's the floor, and the rest of the building is yours.

Lilo publishes this guide and offers HIPAA compliance via a signed BAA, so treat us as an interested party. This article is general information, not legal or compliance advice. Features are current as of June 2026.

Frequently asked questions

Two things working together: the vendor's technical safeguards and a signed agreement. The software needs encryption in transit and at rest, access controls, and audit logging so protected health information is locked down and traceable. But the piece that makes it legally meaningful is a Business Associate Agreement, the contract where the vendor accepts responsibility for handling your patients' data under HIPAA. Software with strong security but no BAA is not compliant in the way that matters. And a BAA on top of weak security isn't either. You need both. Before you trust any tool with health records, confirm it offers a signed BAA and ask what safeguards back it up.

It depends on what you keep, not what you're called. If you store medical records, consent forms tied to a clinical procedure, or health-related intake like allergies, medications, or skin and injectable history, you're likely handling protected health information and HIPAA may apply. Injectors, medical-grade skin work, and med-spas operating under a medical director are the clearest cases. A hair-only salon that keeps names and appointment times usually isn't in the same bucket. But the lines blur fast once intake forms ask health questions. This isn't legal advice, so confirm your specific obligations with a qualified compliance professional or attorney before you decide.

No, and assuming so is a common way operators get caught out. HIPAA frames compliance as shared. The vendor is responsible for the platform's safeguards and signs a BAA to accept that role. You're responsible for how you use it: who has access, whether staff are trained, whether you reuse passwords, whether you leave a screen open at the front desk. Compliant software lowers your risk, but it can't fix sloppy habits around it. Think of the BAA as splitting the duty, not handing it off entirely. The U.S. Department of Health and Human Services publishes the official rules at hhs.gov, and reviewing them with a professional is worth the hour.

Usually not, and this trips people up. Plenty of booking apps either don't support HIPAA at all or treat the BAA as a manual step you have to request, sometimes only on a higher plan. A self-serve toggle in your settings is not the same as a signed agreement. The safe move is to ask directly, in writing, before you migrate your data: do you offer a signed BAA, on which plan, and what does it cover? With Lilo, HIPAA compliance is available through a signed BAA arranged by going through Lilo, not a switch you flip yourself, and it's backed by encryption and automatic backups. Get the answer documented either way.

You're carrying risk that ranges from a breach you can't contain to regulatory penalties, depending on the situation and your state. If protected health information leaks because it sat in a tool with no BAA and weak safeguards, you're exposed both legally and with your clients, whose trust is hard to win back. The severity varies, and that's the point: this is the kind of question you don't want to answer from a blog post. The U.S. Department of Health and Human Services lays out enforcement and the rules at hhs.gov. If you keep any health-related records, treat a conversation with a compliance professional as part of the cost of doing that work.

Sources

  1. HIPAA for Professionals, U.S. Department of Health & Human Services