Aesthetix CRM is built for med spas and other practices that handle protected health information (PHI). HIPAA compliance mode is enabled on every Aesthetix CRM account, so there's nothing to purchase or switch on. It activates encryption of electronic protected health information (ePHI), access controls, and audit logging at the infrastructure level, and Aesthetix CRM enters into a Business Associate Agreement (BAA) with your practice. This guide explains what that covers, how to get your BAA in place, how responsibilities are shared, and how to handle PHI safely.
This article is informational only and is not legal advice. It describes what Aesthetix CRM's HIPAA features do and how to use them. It does not create any legal guarantee or describe your specific legal obligations. For guidance on what HIPAA requires of your practice, please consult your own compliance or legal advisor.
⚠️ Important: Do not put PHI into AI features
AI features are not approved for processing Protected Health Information. Do not enter PHI into any AI chat, prompt, or generated content. This includes the AI Employee suite (Conversational AI, Voice AI, and Content AI), Premium Workflow AI Actions, Reviews AI, and Funnel AI. Use AI features for productivity, communication, appointment scheduling, and patient engagement, not to store or process medical records. Keep separate, HIPAA-appropriate processes for any medical information. Aesthetix CRM maintains Business Associate Agreements with its AI vendors as an added safeguard, but AI features still must not be used to store or process PHI. The full list of AI subprocessors is available on our sub-processor list.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, United States legislation that establishes data privacy and security provisions for safeguarding medical information. When people refer to "HIPAA compliance" in the context of marketing and patient communication, they're usually referring to Title II (Administrative Simplification), and specifically two rules:
HIPAA Privacy Rule: national standards to protect patient health information. (official text)
HIPAA Security Rule: standards for the security of electronic protected health information. (official text)
Under HIPAA, your practice (the entity that provides care to patients) is the covered entity. A vendor that handles PHI on your behalf is a business associate. Aesthetix CRM acts as your business associate and enters into a Business Associate Agreement (BAA) with your practice. Your BAA with Aesthetix CRM is in turn supported by BAAs between Aesthetix CRM and each of its core infrastructure providers (HighLevel, Twilio, DigitalOcean, Vercel, and Supabase), so PHI is covered down the chain. Email you send through the platform is delivered through HighLevel's email infrastructure, and any downstream email providers are covered under HighLevel's BAA. Our AI vendors are addressed separately above.
Because HIPAA mode is already active on your account, the main step on your side is putting a signed BAA in place between your practice and Aesthetix CRM. A signed BAA is required before you use the Services to process PHI.
Request your BAA by emailing [email protected].
You'll receive an e-sign link to review and sign the agreement with your practice's details and authorized signer.
Aesthetix CRM counter-signs, and you receive a fully executed copy for your records.
Keep your executed BAA on file with your other compliance documentation, and re-sign using the same process if your authorized signer or practice details change.
HIPAA compliance is a shared responsibility between Aesthetix CRM and your practice.
Aesthetix CRM provides:
HIPAA compliance mode enabled at the infrastructure level
Encryption of ePHI: AES-256 at rest and TLS 1.2+ in transit
A BAA with your practice, plus BAAs with each core infrastructure provider
Access controls and audit logging capabilities
Your practice is responsible for:
Enabling multi-factor authentication (MFA), especially on the external email accounts used to log in and recover your account, since account access and password resets run through email. Each user should also enable MFA on their own Aesthetix CRM login under My Profile.
Administering user roles and permissions on a least-privilege basis, and promptly removing access for terminated personnel
Performing regular access reviews
Obtaining proper consent for communications (TCPA and HIPAA)
Reporting any suspected breach to [email protected]
Maintaining your own HIPAA compliance program
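The MFA, least-privilege and access-review items above are easier to keep up with when the review is scripted against a user export and cross-checked against the practice's own staff roster. The following is an added example and not Aesthetix CRM's code: the export fields, the role names and the sample users are all hypothetical, constructed here so the script runs offline. It flags active logins without MFA, logins that outlived employment, accounts nobody has used for a configurable number of days, and more admin accounts than the practice has decided to allow.

```python
"""Periodic access review over a CRM user export (added example, not Aesthetix CRM code).

Assumptions (hypothetical): the practice can export its CRM users with the
fields below and keeps a separate HR roster saying who is still employed.
The field and role names are invented for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class UserRecord:
    email: str
    role: str             # hypothetical roles: front_desk, provider, admin
    mfa_enabled: bool     # MFA on the CRM login itself (My Profile)
    active: bool          # login still enabled in the CRM
    still_employed: bool  # from the practice's HR roster, not the CRM
    last_login: date


def review_access(users: List[UserRecord], today: date,
                  stale_days: int = 90, max_admins: int = 2) -> Dict[str, List[str]]:
    """Return findings keyed by issue; each value is a list of user emails.

    Only active logins are examined: a disabled login cannot reach PHI, so it
    does not need to be re-reported under every category.
    """
    findings: Dict[str, List[str]] = {
        "no_mfa": [],
        "terminated_still_active": [],
        "stale": [],
        "excess_admins": [],
    }
    admins: List[str] = []
    for u in users:
        if not u.active:
            continue
        if not u.mfa_enabled:
            findings["no_mfa"].append(u.email)
        if not u.still_employed:
            # Offboarding gap: the HR roster says gone, the CRM says active.
            findings["terminated_still_active"].append(u.email)
        if today - u.last_login > timedelta(days=stale_days):
            findings["stale"].append(u.email)
        if u.role == "admin":
            admins.append(u.email)
    if len(admins) > max_admins:
        # Least privilege: more admins than the practice's own ceiling allows.
        findings["excess_admins"] = admins
    return findings


# Constructed sample export; every value is made up for this example.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_USERS = [
    UserRecord("owner@example-medspa.test", "admin", True, True, True, date(2024, 5, 30)),
    UserRecord("dr.lee@example-medspa.test", "provider", True, True, True, date(2024, 5, 29)),
    UserRecord("frontdesk@example-medspa.test", "front_desk", False, True, True, date(2024, 5, 22)),
    UserRecord("former.manager@example-medspa.test", "admin", True, True, False, date(2024, 1, 15)),
    UserRecord("consultant@example-medspa.test", "admin", True, True, True, date(2024, 5, 27)),
    UserRecord("intern@example-medspa.test", "front_desk", False, False, False, date(2023, 8, 1)),
]


def run_review() -> Dict[str, List[str]]:
    """Run the review over the constructed sample and return the findings."""
    return review_access(SAMPLE_USERS, REVIEW_DATE)


def format_report(findings: Dict[str, List[str]]) -> str:
    """Render findings as plain text suitable for the review's sign-off record."""
    lines = []
    for issue, emails in findings.items():
        lines.append(f"{issue}: {', '.join(emails) if emails else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_review()))
```

Keep the rendered report with the other compliance documentation so each review leaves a record of what was checked and what was fixed; the roster comparison is the part that catches offboarding gaps, so feed it from HR, not from the CRM itself.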
Aesthetix CRM encrypts all data before it's written to disk (AES-256) and protects it in transit (TLS 1.2+). No setup or configuration is required, and there's no change to how you access the service: data is automatically and transparently decrypted when read by an authorized user. Cryptographic keys are managed on your behalf using hardened key-management systems with strict access controls and auditing.
These safeguards apply across everything your account stores, including Contacts, Notes, Custom Fields, SMS/MMS, voice recordings, email bodies and attachments, form and survey submissions, calendars, and invoices. (Remember that AI features remain off-limits for PHI, regardless of encryption.)
Do I need to enable HIPAA or buy an add-on?
No. HIPAA compliance mode is included and active on every Aesthetix CRM account. There's nothing to purchase or toggle on.
What do I need to do, then?
Put a signed BAA in place before processing any PHI. Email [email protected] to request it, then sign the e-sign link you receive. Accounts without a signed BAA may have PHI-related features limited.
Can I use AI features with PHI?
No. Do not enter PHI into any AI feature, including the AI Employee suite (Conversational AI, Voice AI, and Content AI), Premium Workflow AI Actions, Reviews AI, and Funnel AI. They aren't approved for processing PHI. Aesthetix CRM maintains BAAs with its AI vendors as an added safeguard, but AI features still must not be used to store or process PHI. Use them for productivity, communication, scheduling, and engagement only.
Who at my practice should sign the BAA?
An authorized representative of your practice (the covered entity), typically an owner, officer, or compliance lead. Check with your compliance or legal advisor if you're unsure.
What if I think a breach has occurred?
Report any suspected breach promptly to [email protected], and follow your own practice's incident-response process.
Where should I keep my signed BAA?
Download the fully executed copy and store it with your other HIPAA documentation.