A medical spa sits in an awkward seam. It runs like a salon — appointment-driven, walk-in friendly, retail on the shelf — but it practices like a clinic: a nurse injects, a provider documents, a client signs consent, and a health history sits on file. The software has to serve both halves at once. Most tools serve one.
That tension is why "what software should a medspa use" is a harder question than it looks, and why so many spas end up either on a salon tool that cannot chart or an enterprise platform that costs more than the practice. This guide lays out what the category actually is, what the software has to do, and how to read the market.
What counts as medical spa software
Medical spa software is the single system a med spa uses to run the business and document care. The complete version covers seven jobs:
- Booking — a multi-provider calendar with online self-booking, deposits, and reminders.
- Client records and clinical charting — a patient chart, not just a contact card: treatment history, allergies, medications, and signed documentation.
- Consent and intake forms — e-signed, versioned, with the signature event captured for the record.
- Payments and invoicing — card, cash, and check recorded against the visit, with end-of-day reconciliation.
- Marketing — email and SMS to the client base, segmented by treatment cycle and recency.
- Reporting — revenue, retention, no-shows, utilization, and the financial close.
- Compliance — HIPAA-grade access control, an audit trail on every read of patient data, and a signed BAA.
A tool that does the first five but not the last two is salon software. The difference is not marketing; it is architecture.
The line between a salon CRM and medical spa software
The single dividing question: does the system treat the client record as a medical chart? Three things follow from the answer.
| Capability | Salon / booking software | Medical spa software |
|---|---|---|
| Client record | Contact + visit history | Clinical chart: history, allergies, meds, documentation |
| Consent forms | Often an add-on or absent | Versioned, e-signed, signature event captured |
| Access control | Role labels | Per-permission, with PHI gated from front desk |
| Audit trail | Rare | Logged on every read of patient data |
| BAA | Usually declined | Signed; the vendor is a Business Associate |
If a vendor will not sign a Business Associate Agreement, the conversation is over for a medical spa — not because the tool is bad, but because it is the wrong category. We wrote a separate piece on what a BAA actually covers and how to read one before signing.
The seven jobs, in detail
1. Booking that handles multiple providers
A med spa with an injector, an esthetician, and a laser tech needs per-provider columns, conflict detection at the moment of booking, and an online booking page that takes a deposit so the slot is not held for free. Deposits and reminders together are the single biggest lever on no-shows — we covered the math in reducing medspa no-shows.
2. A client record that is actually a chart
The retail-versus-medical difference shows up here first. A salon contact card holds a name, a phone number, and a visit list. A medical chart holds the health history, the allergy list, the medication list, the signed consents, the treatment record for each visit, and a complete read/edit audit trail. Clinical notes should be gated to clinical roles, not visible to whoever answers the phone.
3. Consent and intake that hold up
Per-treatment consent is not optional in aesthetics. The software should version templates (so you know which wording a client actually signed), deliver them by a tokenized link, and capture the signature with a timestamp. Charging extra for digital forms — some platforms do, per location — is one of the quiet costs we break down in the pricing guide.
4. Payments tied to the visit
Every appointment should produce an invoice; every payment should reconcile against the drawer at end of day. Watch the card-processing model: some platforms lock you to their processor at their rate, others let you bring your own merchant account. Both can be fine — the trap is not knowing which one you signed up for.
5. Marketing on the same client record
The reason marketing belongs in the same system as the chart: segmentation. “Everyone due for a neurotoxin touch-up in the next two weeks” is a query against appointment and treatment data — impossible to run cleanly if your marketing tool is a separate contact list. The compliance overlay (TCPA consent for SMS, no PHI in marketing copy) is covered in the email and SMS marketing guide.
6. Reporting you can close the day on
At minimum: a daily close-out that matches the drawer, revenue by service and provider, no-show and cancellation rates, and AR aging. The test of a reporting suite is whether the front desk can reconcile the day without a spreadsheet.
7. Compliance that is built in, not bolted on
HIPAA is not a feature you turn on. It is tenant isolation at the database, role-based access resolved on every request, an append-only audit log, encryption at rest and in transit, and a BAA that names those controls. A platform that sells “HIPAA compliance” as a premium add-on is telling you its base product is not built for PHI.
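A minimal sketch of three of those controls working together, added here as an illustration and not taken from any vendor's code: the chart lookup is scoped to the caller's tenant, the permission is resolved on each request, and every read attempt (allowed or denied) lands in an append-only log. The role names, permission strings, and the SHA-256 hash chain used to make the log tamper-evident are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role-to-permission map (names are assumptions for this example).
ROLE_PERMS = {
    "front_desk": {"contact:read"},
    "injector": {"contact:read", "chart:read"},
}
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only: no update or delete; each entry commits to the previous hash."""
    def __init__(self):
        self._entries = []
    def append(self, **event):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"ts": datetime.now(timezone.utc).isoformat(), "prev": prev, **event}
        self._entries.append({**body, "hash": _digest(body)})
    def entries(self):
        return [dict(e) for e in self._entries]  # copies, so callers cannot edit the log
    def verify(self, entries=None):
        prev = GENESIS
        for e in self._entries if entries is None else entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False  # an entry was altered or the chain was broken
            prev = e["hash"]
        return True

class ChartStore:
    def __init__(self, audit):
        self._charts, self._audit = {}, audit  # charts keyed by (tenant, client_id)
    def put(self, tenant, client_id, chart):
        self._charts[(tenant, client_id)] = chart
    def read_chart(self, user, client_id):
        # Permission is resolved on this request, not cached from login.
        allowed = "chart:read" in ROLE_PERMS.get(user["role"], set())
        # The tenant comes from the caller's session, never from request input.
        chart = self._charts.get((user["tenant"], client_id)) if allowed else None
        self._audit.append(actor=user["id"], tenant=user["tenant"], action="chart:read",
                           client=client_id, allowed=allowed)
        if not allowed:
            raise PermissionError("chart:read not granted to role " + user["role"])
        return chart
```

A front-desk read raises `PermissionError` and still leaves a denied entry in the log; a clinical user from another tenant gets nothing back because the lookup key includes their own tenant.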
One system or a stitched stack?
Some practices run a booking tool, a separate EMR, a separate payment processor, and a separate marketing platform. It can work, but it has two structural costs: reconciliation (the calendar and the invoices and the chart never quite agree) and a fractured audit trail (when four systems touch PHI, four BAAs and four access models have to hold). For most single- and small-multi-location medspas, one platform on one client record is less work and less risk. Enterprise groups with dedicated IT sometimes choose best-of-breed and accept the integration overhead.
How to read the market
The platforms a medical spa will encounter fall into a few groups: large multi-vertical incumbents (broad, not aesthetics-specific), premium salon-and-spa platforms (beautiful, salon-first), enterprise suites (powerful, priced for chains), budget all-in-ones (cheap, light on clinical depth), and medical-aesthetic specialists (charting-first). Each is the right answer for some practice and the wrong answer for others. We compare the named options — who each is actually for — in the best medical spa software in 2026, and if you are leaving a salon-first tool specifically, the Mindbody alternatives piece is the more focused read.
When you get to a shortlist, the twelve-criteria buyer’s guide is the checklist to run each vendor through.
Frequently asked questions
What is medical spa software?
Medical spa software is the system a med spa runs its business on: a booking calendar, client records, clinical chart notes, e-signed consent forms, payments and invoicing, email and SMS marketing, and reporting — built to handle protected health information under HIPAA. It differs from generic salon or booking software by treating the client record as a medical chart, not just a contact, and by signing a Business Associate Agreement.
Is a medspa CRM the same as medical spa software?
In practice they are used interchangeably. "Medspa CRM" emphasizes the client-relationship side (records, marketing, retention); "medical spa software" emphasizes operations (booking, charting, payments). The platforms that serve medical spas do both, so the two terms point at the same category of product.
Do medical spas need HIPAA-compliant software?
Yes. A medical spa that takes a health history, documents a treatment, or stores before/after photos is creating protected health information, which brings it under HIPAA. The software vendor that stores that data is a Business Associate and must sign a BAA. Generic salon or scheduling tools that will not sign a BAA are not an appropriate system of record for a med spa.
Can one platform replace booking, charting, payments, and marketing?
Yes, and for most medical spas a single system is the right call. Stitching a booking tool to a separate EMR, a separate payment processor, and a separate marketing platform creates reconciliation work and gaps in the audit trail. A platform built for medspas keeps the calendar, chart, invoice, and marketing on one client record.
Where Lumè fits
Lumè is medical spa software built as one system on one client record: a multi-provider booking calendar, clinical charts, e-signed consent, payments, email and SMS marketing, and a full reporting suite — with the BAA included at every tier because there is one HIPAA-compliant architecture, not a compliant tier and a cheaper one. Pricing is public on the pricing page; if you want to see it on your own service menu, the demo is configured on your real data.
