By Alex Thiersch, CEO of the American Med Spa Association

Medical spas must use marketing best-practices to succeed, but must also be aware of common patient privacy issues that could leave the practice in hot water. All of a medical spa's operations must be overseen by both an innovative business eye and a careful, meticulous medical eye. When it comes to marketing, these two perspectives can clash and, if this clash breaches patient privacy, the business can be hit with severe penalties.

Fines for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can be huge, and most states have patient privacy laws that are even stricter than the federal standard. Patient information can include—but is not limited to—email addresses, birth dates, social security numbers, and treatment information. Even the fact that a patient is being treated at your facility can be considered private information.

This is not to say that you shouldn't engage in marketing; you absolutely should. Digital marketing and social media in particular are cost-effective ways to increase the reach of your business. Problems arise when the drive to grow your client base mixes with the unfamiliarity of or neglect of laws and regulations.

Common Patient Privacy Mistakes

1. Publicly reaching out to a patient. Engaging with clients is a central tenet of social media marketing. You want to create a sense of connection and community. You must remember, however, that in a medical spa your customers are also patients. Commenting publicly to a client on social media in order to thank them for coming in, or reminding them of a future appointment, or discussing their treatment in any way are all potential breaches of that patient's privacy.
2. Responding to comments whether positive or negative. This is risky for the same reasons as listed previously. If patients comment about an experience they had at your business, responding to them can be seen as breaching their privacy, and responding to negative reviews can be especially risky. If, in your response, you inadvertently reveal any private information, then not only do you have a customer who is angry with you, but you also have a customer that can report you for a privacy breach in an industry where investigations from regulators are largely driven by customer complaints. The Washington Post looked into this issue earlier in 2016 and made note of several situations where responses landed businesses in regulatory hot water. "The consumer complained to the Office for Civil Rights within the U.S. Department of Health and Human Services, which enforces HIPAA. The office warned the dentist about posting personal information in response to Yelp reviews." The Post further notes that the Office for Civil Rights, "is currently investigating a New York dentist for divulging personal information about a patient who complained about her care, according to a letter reviewed by ProPublica." Do yourself a favor and don't respond to negative reviews.
3. Publishing photos without proper consent. Before-and-after photos are a powerful method of attracting new patients. Without the proper signed consent forms, however, you cannot publish patient photos to your website, blog, social media, or any other platform. Additionally, if you post photos of your facility or an event at which you're offering treatments, you should be very careful to ensure you are not publishing a photo showing any patient in the background who has not signed a consent form.

What Can You Do?

The No. 1 rule when mixing marketing with medicine is you must be informed. The defense, "I didn't know what the law was," never works. Medical spas are governed by several different licensing boards and a slew of individual laws that vary from state to state, so be sure to consult a health care attorney (preferably with experience with aesthetics) that is familiar with the laws in your state. Know the regulations that apply to your business, and err on the side of caution.

As far as concrete things you can do, keep the following in mind.

1. For treatment reminders and thank-yous, a personal email or phone call should be used in place of reaching out via social media.
2. Consent forms are a necessity when displaying any photography of patients or of medical procedures on any platform, and be sure to note that traditional consent forms for before-and-after photos are not necessarily sufficient for using photos on your social media channels.
3. The best ways to fight bad reviews are providing superior patient care and encouraging your happy customers to post positive reviews.

Also, keep in mind that once you understand what you need to do to protect your patients' privacy in your marketing, you must train your staff to do the same. Your staff must know the regulations as well as you do, since you will be on the hook for any breach. Establish marketing procedures and guidelines, have them in writing, and make sure your staff knows them backward and forward.

For more ideas on how to build a profitable and legally compliant medical spa attend an AmSpa Medical Spa & Aesthetic Boot Camp and be the next med spa success story.