Medical spa software glossary

The terms a med spa owner runs into when buying software — CRM, EMR, BAA, PHI, clinical charting, e-consent — defined in plain language, without the sales gloss.

Medical spa software
The system a med spa runs the business and documents care on: booking, client records, clinical charting, e-signed consent, payments, marketing, and reporting — built to handle protected health information under HIPAA.
Medspa CRM
A customer-relationship system built for medical spas. Used interchangeably with "medical spa software"; it emphasizes client records, marketing, and retention on top of the same booking, charting, and payments stack.
EMR / EHR
Electronic Medical Record / Electronic Health Record — the clinical chart where providers document treatments, history, allergies, and medications. In a med spa, the EMR and the booking/CRM are ideally one system on one client record rather than two.
HIPAA
The U.S. Health Insurance Portability and Accountability Act. Its Security and Privacy Rules govern how protected health information is stored, accessed, and shared. A med spa that documents treatments or stores health histories is subject to it.
PHI (Protected Health Information)
Individually identifiable health information — a client’s health history, treatment record, or before/after photos tied to their identity. Creating or storing PHI is what brings a med spa, and its software vendor, under HIPAA.
BAA (Business Associate Agreement)
The contract that makes a vendor (your CRM, SMS, or email provider) legally responsible for protecting PHI under HIPAA. A med spa’s software vendor is a Business Associate and must sign one; the quality of the BAA, not just its existence, is what matters.
Covered Entity
Under HIPAA, the healthcare provider (the med spa) that creates and holds PHI and carries the primary compliance obligations. The BAA allocates some of those obligations to the vendor, but does not transfer the Covered Entity’s own responsibilities.
Business Associate
A vendor that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity — e.g., the CRM that stores client charts. Business Associates must sign a BAA and meet HIPAA Security Rule safeguards.
Clinical chart note
The provider-authored record of a visit: what was assessed, performed, and planned. Distinct from a free-text "notes" field — a real chart note is attributable to an author, timestamped, and access-controlled to clinical roles.
Treatment record
Structured documentation of a specific treatment (product, dose, areas, settings). In aesthetics this often includes injectable mapping and photo documentation tied to the appointment.
Consent form / e-signature
A per-treatment or intake form the client signs before care. Done right, the template is versioned (so you know which wording was signed) and the signature event is captured with a timestamp for the record.
Audit log
An append-only record of who viewed or changed PHI, and when. HIPAA expects access to patient data to be auditable; a strong platform logs every read of a client record, not just edits.
Tenant isolation
An architecture where each practice’s data is partitioned so that one customer can never see another’s. Enforced at the database layer rather than only in the user interface, it is a foundational control for multi-tenant healthcare software.
Role-based access control (RBAC)
Restricting what each staff member can see and do by role and permission — e.g., the front desk can book and take payment but cannot read clinical chart notes. The "minimum necessary" principle in practice.
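How the three controls above (audit log, tenant isolation, RBAC) fit together on a single chart-note read, as an added illustration that is not code from any med spa platform: the role table, practice ids, user records and chart contents are constructed sample values, and a real system would back the audit list with a write-once store.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy: the "minimum necessary" split from the RBAC entry.
ROLE_PERMISSIONS = {
    "front_desk": {"appointment:read", "appointment:write", "payment:write"},
    "provider": {"appointment:read", "chart_note:read", "chart_note:write"},
}

@dataclass(frozen=True)
class Chart:
    chart_id: str
    practice_id: str  # tenant key: the practice that owns this record
    notes: tuple

class ChartService:
    def __init__(self, charts):
        self._charts = {c.chart_id: c for c in charts}
        self.audit_log = []  # append-only in production (write-once store)

    def _record(self, user, chart_id, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "user": user["id"],
            "action": "chart_note:read", "chart_id": chart_id, "outcome": outcome,
        })

    def read_chart_note(self, user, chart_id):
        # RBAC: the role must hold the permission before any data is touched.
        if "chart_note:read" not in ROLE_PERMISSIONS.get(user["role"], set()):
            self._record(user, chart_id, "denied:rbac")
            raise PermissionError("role lacks chart_note:read")
        chart = self._charts.get(chart_id)
        # Tenant isolation: a chart outside the caller's practice is treated
        # exactly like a missing chart, so its existence is not revealed.
        if chart is None or chart.practice_id != user["practice_id"]:
            self._record(user, chart_id, "denied:tenant")
            raise PermissionError("no such chart in this practice")
        self._record(user, chart_id, "ok")  # reads are logged, not just edits
        return chart.notes

# Constructed sample data: two practices (tenants) with one chart each.
SERVICE = ChartService([
    Chart("c-1", "practice-A", ("Injectable, glabella; no adverse reaction",)),
    Chart("c-2", "practice-B", ("Filler, lips; allergies reviewed",)),
])
PROVIDER_A = {"id": "dr.lee", "role": "provider", "practice_id": "practice-A"}
FRONT_DESK_A = {"id": "sam", "role": "front_desk", "practice_id": "practice-A"}
```

A denied read lands in the audit log with the same fields as a successful one, so a reviewer can see who tried to open a chart they were not entitled to, not only who succeeded.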
POS (point of sale)
Where a visit becomes a paid invoice — card, cash, or check recorded against the appointment, with end-of-day reconciliation against the drawer.
No-show rate
The share of booked appointments where the client neither arrives nor cancels. In spas without deposits it commonly exceeds 20%; deposit-on-book plus reminders can cut it to single digits.
Deposit-on-book
Taking a deposit at the moment of online booking so a slot is not held for free. The single biggest software lever on no-shows.
Schedule utilization
The share of a provider’s available hours that are booked. A core operations metric for staffing and capacity decisions.
Membership
A recurring plan a client pays for in exchange for included or discounted services — a retention and predictable-revenue tool the software bills and redeems against.
Package
A bundle of prepaid sessions (e.g., a series of treatments) sold up front and drawn down over multiple visits, tracked as credits against the client record.
TCPA
The Telephone Consumer Protection Act, which governs marketing SMS in the U.S. Sending promotional texts requires prior express consent; reminder and marketing messaging in a med spa has to respect it (separately from HIPAA).

For the bigger picture, read the complete guide to medical spa software, or see how the platforms compare in the best medical spa software in 2026.
