Security & HIPAA

    Protected health information,protected.

    Aesthetika is a HIPAA-compliant platform built for medical spas and any practice that handles PHI. Here are the exact controls, named plainly.

    HIPAA compliantBAA includedAES-256 encryptedAudit logged

    We sign a BAA with every practice.

    A Business Associate Agreement is the first thing a compliance advisor looks for. Ours specifies our safeguards, breach notification timelines, how PHI is used, and secure destruction when you leave.

    The controls

    Named safeguards, no hand-waving.

    The concrete signals medspa buyers vet vendors for. Every one is built in.

    Signed BAA

    We sign a Business Associate Agreement with every practice, specifying safeguards, breach notification, and PHI handling on termination.

    AES-256 encryption

    Protected health information is encrypted in transit and at rest, so records and photos are unreadable if intercepted.

    Role-based access

    Least-privilege access by role, with automatic session timeouts, so staff only see what their job requires.

    Audit logging

    Every access to a client record is recorded, giving you a complete trail of who viewed or changed what, and when.

    Encrypted backups

    Secure, encrypted backups and disaster recovery, so your records survive a bad day without exposing PHI.

    PHI-safe by design

    Charts, intake, consents, and before-and-after photos are handled as protected health information from the first tap.

    Straight about scope

    What we do, and what we don't claim.

    Overpromising on compliance is a red flag. Here's the honest line.

    What Aesthetika does

    • Sign a Business Associate Agreement with every practice
    • Encrypt protected health information in transit and at rest (AES-256)
    • Store client charts, intake, consents, and before-and-after photos as PHI
    • Log every access to a record, with role-based access and session controls

    What we won't say

    • ×Call itself 'HIPAA certified' — no such certification exists for software
    • ×Claim the software alone makes your practice compliant
    • ×Act as an EMR, e-prescribing, good-faith-exam, or telehealth system
    • ×Store or handle PHI without a signed BAA in place

    Aesthetika is a HIPAA-compliant platform, and HIPAA compliance is shared. We secure the software and sign your BAA; your practice still owns its policies, training, and risk assessments. There is no government 'HIPAA certification' for software, so we never claim one.

    Compliance questions

    The short answers.

    Do I have to replace my EMR or GFE and telehealth tools?

    No. Aesthetika runs your front desk, records, payments, and marketing on HIPAA-compliant infrastructure. It stores charts, intake, consents, and before-and-after photos, but it is not an EMR and does not do e-prescribing, good-faith exams, or telehealth. Pair it with your clinical tools where you need them.

    Do you sign a Business Associate Agreement (BAA)?

    Yes. We sign a BAA with every practice that handles protected health information on Aesthetika. It covers our safeguards, breach notification, and how PHI is handled and destroyed.

    Are client records and before-and-after photos secure?

    Yes. PHI and treatment photos are encrypted in transit and at rest using AES-256. Access is role-based with session controls, backups are encrypted, and every access to a record is written to an audit log.

    Does this make my practice HIPAA compliant?

    It is a shared responsibility. We provide a HIPAA-compliant platform and sign your BAA. Your practice still owns its policies, staff training, and risk assessments. There is no such thing as a 'HIPAA certified' product, so we never claim one.