Compliance

Before-and-after photos for medical spas: storage, HIPAA, and marketing

Before-and-after photos are the single most persuasive thing a medical spa owns — proof of outcomes that documents the work and sells the next client better than any ad. They're also a HIPAA liability the moment they land in a phone camera roll or an Instagram DM. Here's how to capture, store, and use clinical photos the right way, with consent that actually holds up.

The Lumè team · 10 min read

Almost every medspa takes before-and-after photos. Far fewer handle them safely. The default workflow — snap it on a personal phone, maybe text it to the client, maybe post it — quietly moves protected health information out of every system designed to protect it. The good news: doing this right isn’t harder, it’s just deliberate.

Why before-and-after photos matter

They do two jobs at once:

  • Documentation. A dated photo on the chart is clinical evidence of the starting point and the result — invaluable for planning follow-ups, handling a complaint, and tracking outcomes across a treatment series.
  • Marketing. Real results are the most credible marketing in aesthetics. A consistent before-and-after beats any stock image — and feeds the channels that win new clients (see how to get more medspa clients).

The catch: the same photo that’s great marketing is, legally, protected health information. So the storage question comes first.

The HIPAA problem with the phone-and-social workflow

A clinical photo of an identifiable client who received treatment is PHI. The common workflow breaks that protection in several places at once:

  • Personal phones. The photo syncs to a personal cloud (iCloud, Google Photos), backed up outside any BAA, visible to anyone with the phone. That’s PHI on an uncontrolled device.
  • Texts and DMs. Messaging a photo to a client — or between staff — sends PHI over channels that aren’t built or covered for it.
  • Shared drives and email. A “Before/After” folder on Google Drive or a photo emailed to the front desk is PHI sitting outside your compliant system.
  • Posting without specific consent. Marketing use requires its own explicit consent — clinical consent to be photographed is not permission to publish.

What compliant photo management looks like

1. Photos live on the chart, not the phone

Capture straight into the client’s record in your medspa software, so the image lives with the treatment, access is limited to staff who need it, and it’s covered by your BAA. Nothing persists in a personal camera roll.

2. Access-controlled and audit-logged

Only authorized staff should see clinical photos, and access should be logged — the same standard as the rest of the chart. That’s part of the broader HIPAA checklist for medspas.

3. Two separate consents

Keep them distinct: consent to be photographed for the clinical record, and a separate, explicit marketing release to use the images publicly. The marketing release should say where images may appear and let the client withdraw it. Build both into your intake & consent forms.

4. Consistent capture

Standardize angle, distance, lighting, and background, and remove makeup/jewelry from the treatment area. Consistency is what makes the comparison credible — and credible is what documents outcomes and converts prospects.

Using photos in marketing the right way

  1. Get a specific marketing release — in writing, per client, separate from clinical consent.
  2. Honor the scope. Use the images only where the client agreed (e.g. Instagram and website, not paid ads, if that’s what they signed).
  3. Minimize identifiers where you can — crop to the treatment area unless the face is the point and they’ve agreed.
  4. Make withdrawal easy. If a client asks you to take an image down, do it promptly and note it.
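To make the four steps above concrete, here is a small added example (written for this article, not Lumè's own software) of a publication check that keeps clinical consent and the marketing release as separate records, only allows a channel the release names, refuses once the release is withdrawn, and logs every decision. The consent model, channel names and client ids are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model: clinical photo consent and the marketing release are two
# separate records. Only the marketing release carries a channel scope.
@dataclass
class Consent:
    client_id: str
    kind: str                           # "clinical" or "marketing"
    channels: frozenset = frozenset()   # marketing only: where images may appear
    signed_on: Optional[date] = None
    withdrawn_on: Optional[date] = None

    def active(self, on: date) -> bool:
        # Signed on or before the date asked about, and not yet withdrawn.
        return (self.signed_on is not None and self.signed_on <= on
                and (self.withdrawn_on is None or on < self.withdrawn_on))

def may_publish(consents, client_id, channel, on, audit):
    """True only if a separate, active marketing release covers `channel`.
    Clinical consent never counts. Every decision is appended to `audit`."""
    releases = [c for c in consents
                if c.client_id == client_id and c.kind == "marketing"]
    allowed = any(c.active(on) and channel in c.channels for c in releases)
    audit.append({"client": client_id, "channel": channel,
                  "on": on.isoformat(), "decision": "allow" if allowed else "deny"})
    return allowed

# Constructed sample data, not real clients.
SAMPLE_CONSENTS = [
    Consent("c-001", "clinical", signed_on=date(2024, 3, 1)),
    Consent("c-002", "clinical", signed_on=date(2024, 3, 1)),
    Consent("c-002", "marketing", frozenset({"instagram", "website"}),
            signed_on=date(2024, 3, 1), withdrawn_on=date(2024, 9, 15)),
]

def demo():
    """Run the four cases the article's checklist implies and return them."""
    audit = []
    results = {
        "clinical_only": may_publish(SAMPLE_CONSENTS, "c-001", "instagram", date(2024, 6, 1), audit),
        "in_scope": may_publish(SAMPLE_CONSENTS, "c-002", "instagram", date(2024, 6, 1), audit),
        "out_of_scope": may_publish(SAMPLE_CONSENTS, "c-002", "paid_ads", date(2024, 6, 1), audit),
        "after_withdrawal": may_publish(SAMPLE_CONSENTS, "c-002", "instagram", date(2024, 10, 1), audit),
    }
    return results, audit

if __name__ == "__main__":
    print(demo())
```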

Frequently asked questions

Are before-and-after photos protected by HIPAA?

Yes. A clinical photo of an identifiable client, tied to the fact that they received treatment, is protected health information. That means it has to be stored and accessed like any other PHI — in a HIPAA-compliant system under a BAA, access-controlled and audit-logged — not in a personal phone camera roll, a shared drive, or a messaging app.

Can a medical spa post before-and-after photos on social media?

Only with the client's explicit, specific consent to use their images for marketing — which is separate from clinical consent to be photographed for the record. Get it in writing, make clear where the images may appear, and let the client withdraw it. Marketing use without that specific consent is both a HIPAA violation and a trust-breaker.

Where should a medspa store before-and-after photos?

On the client's chart inside your medspa software, where the photo lives with the treatment record, access is limited to staff who need it, and everything is logged and covered by a BAA. Storing them on a phone, in Google Photos, or in an email thread takes PHI outside your compliant system and is the most common way medspas create risk.

How do I take consistent before-and-after photos?

Standardize it: same angle, same distance, same lighting, neutral background, no makeup or jewelry in the treatment area, and capture the "before" at every relevant visit. Consistency is what makes the comparison credible — and credible photos are what convert prospects and document outcomes.


Lumè keeps clinical photos on the client’s chart — access-controlled, audit-logged, and covered by a BAA — with photo and marketing consent built into the forms, so before-and-afters are an asset instead of a liability. See it on your own workflow in a 30-minute demo.
