Medical Spa Business Operations

 

1. What is OSHA and does it apply to medical spas?

a. Congress created the Occupational Safety and Health Administration (OSHA) to ensure safe and healthful working conditions for workers by setting and enforcing laws and regulations and by providing training, outreach, education and assistance. It applies to medical spas because a medical spa is a workplace with employees who are entitled to safe and healthful working conditions.

b. What are some of the key responsibilities under OSHA for med spas?

Med spas must maintain medical equipment and tools in safe condition, maintain procedure policies, and provide employee safety training for workplace hazards. If hazardous chemicals exist in the workplace, a detailed written hazard communication program must be implemented.

https://www.osha.gov/healthcare/standards

https://www.osha.gov/complianceassistance/quickstarts/health-care

c. What’s the most frequently cited OSHA violation in medical spas?

Violations of the bloodborne pathogens standard, including needle safety requirements, are the most frequently cited.

d. Are lasers subject to OSHA requirements?

Yes. OSHA standards apply to laser hazards, specifically its personal protective equipment standards.

https://www.osha.gov/laser-hazards/standards

 

2. What is the FDA and what do they do?

The FDA is a federal government agency responsible for protecting the public by regulating foods, drugs, vaccines, medical devices, cosmetics, and tobacco.

The FDA is relevant to medical spas because some of the devices they use are regulated by the FDA, as are many of the injectables.

https://www.fda.gov/about-fda/fda-basics/what-does-fda-do

 

3. Does a medical spa need to obtain a license to operate?

No. To operate, it must be one of the following approved entities: a sole proprietorship of a physician, a PC, a PLLC or a PLLP. If the medical spa is considered a salon, it must have a license to operate from the Minnesota Board of Cosmetology. Note that a medical spa is different from a salon, as it provides medical services, and is therefore outside the scope of the Minnesota Board of Cosmetology. The only exception is a company that deliberately provides both medical services and non-medical esthetic services within the scope of authority of the Board of Cosmetology.

https://www.revisor.mn.gov/statutes/cite/319B.07

 

4. What is HIPAA?

This is a federal privacy law governing how the personal information of patients is handled by healthcare providers and other entities, for the purpose of ensuring that the information is handled properly.

https://www.hhs.gov/hipaa/for-professionals/index.html

https://aspe.hhs.gov/reports/health-insurance-portability-accountability-act-1996

a. What is the HITECH Act?

i. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act (ARRA), was passed to encourage the adoption and meaningful use of electronic health information technology. It has sections related to HIPAA that tighten compliance requirements and increase the penalties for non-compliance.

https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html

b. Who is a ‘covered entity’ under HIPAA?

i. health plans

ii. health care providers (medical spas)

iii. health care clearinghouses

c. What administrative requirements are provided in the HIPAA Security and Privacy Rules?

i. Training for employees on the policies and procedures

ii. Safeguards for protected health information (passwords, encryption, HIPAA-secure software)

iii. A process for individuals to make complaints

iv. Having and applying sanctions

v. Documentation

This is generally achieved by an internal HIPAA policies and procedures manual that staff use for annual training and that outlines the HIPAA rules and what to do in the event of a breach.

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

d. Should a medical spa provide patients with a notice that includes how their health information will be used, and of the patient’s rights regarding their health information?

Yes, notice must be given to patients letting them know how their health information may be used or shared, along with the patient’s written acknowledgement of the notice. However, an ‘indirect treatment provider’ is not required to distribute a Notice of Privacy Practices except to provide a copy to a patient upon request. Regardless, the Minnesota Health Records Act generally requires all providers to provide the Access to Health Records – Notice of Rights (MN).

See here

https://www.health.state.mn.us/facilities/notices/index.html

e. Must a med spa make efforts to limit the use or disclosure of a patient’s PHI?

There is no Minnesota law specific to medical spas and their requirements; however, the HIPAA Privacy Rule does not allow health care providers to disclose PHI to media personnel without a HIPAA-compliant authorization signed by the patient or his or her personal representative. Similarly, the Minnesota Health Records Act limits use and disclosure of confidential health information. It is always recommended that medical spas use the Minnesota Standard Consent Form to Release Medical Information and the Access to Health Records – Notice of Rights (MN).

https://www.health.state.mn.us/facilities/notices/index.html

https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html

 

5. Does my state have its own version of HIPAA? How does it differ?

Minnesota has two state laws related to HIPAA: the Minnesota Health Records Act and the Minnesota Government Data Practices Act (MGDPA). The Minnesota Health Records Act is the most applicable to a medical spa because medical spas generally do not take state funding in practice. Because the Minnesota Health Records Act is stricter than federal law (HIPAA), it controls to the extent that it conflicts with federal law (for example, in how psychotherapy notes are handled).

See:

https://www.ag.state.mn.us/consumer/Handbooks/ManageHealthcare/CH08.asp

https://www.revisor.mn.gov/statutes/cite/144.291

https://www.health.state.mn.us/facilities/ehealth/privacy/docs/practices.pdf

https://www.health.state.mn.us/communities/practice/resources/chsadmin/data-mgdpa.html

 

6. I don’t accept insurance so am I still subject to HIPAA or the Minnesota Health Records Act requirements?

Generally yes, but it depends on your services and company. Nearly all providers are subject to the Minnesota Health Records Act. In addition, HIPAA has become the gold standard for patient privacy and security, even if it *technically* does not apply to your services. Also, note that business associates of covered entities must follow parts of the HIPAA regulations. Examples of business associates include:

i. Companies that help doctors get compensation for providing health care

ii. Companies that help administer health plans

iii. Outside lawyers, accountants, and IT specialists

iv. Companies that store or destroy medical records

 

7. What are some of the safety measures that apply when handling needles/sharps?

Sharps handling safety measures include but are not limited to:

a. Locating a sharps disposal container or having one nearby

b. Assessing the patient’s ability to cooperate

c. Asking for help if necessary

d. Requesting that the patient avoid sudden movement

e. Not hand-passing exposed sharps from one person to another

f. Having a predetermined neutral zone for placing and retrieving sharps

g. Making it known that sharps are being passed

https://www.cdc.gov/sharpssafety/part3TEXTONLY.html/#:~:text=Keep%20your%20hands%20behind%20the,facilitate%20disposal%20of%20a%20device.

 

8. What are the common employer defenses to an allegation of a workplace violation?

The most common defenses are that the employee acted against the safety measures put in place by the employer, that the employee acted outside the scope of their employment, or that the employer did not know of, and could not reasonably have known of, the violation.

 

9. How often must a medical spa review and update their exposure control plan?

It is advised that, at a minimum, it be reviewed and updated annually, and more frequently if necessary.

https://www.osha.gov/laws-regs/standardinterpretations/2004-01-20-0

Osha2254.pdf

 

10. Can a physician use a picture album containing patient photos?

Healthcare providers may take and keep photographs of patients for medical, scientific and educational purposes, but only if the patient gives written consent. For marketing purposes, an additional informed consent must be signed by the patient.

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

 

11. May a physician leave a message on a patient’s answering machine? Verify an appointment with a family member or spouse?

Yes, this is allowed under the HIPAA Privacy Rule; however, providers should always use their best professional judgment to limit the information that is disclosed and to make sure the disclosure is in the best interests of the patient.

https://www.hhs.gov/hipaa/for-professionals/faq/198/may-health-care-providers-leave-messages/index.html

 

12. If a patient posted a message or a review on a medical spa’s social media page, can and how should the medical spa respond?

It is common and permissible to make general statements about the medical spa, its treatment of patients and its commitment to patient satisfaction, and to offer to engage with the patient directly, but nothing beyond that, and never post any confidential patient information. You should consult with an attorney before responding to negative reviews and/or reviews involving specific patient health information.

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

 

13. May a med spa use a sign in sheet or call out names of patients in the waiting room?

Yes, as allowed by HIPAA.

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

 

14. Is it legal to purchase drugs like Botox and fillers from overseas? From Canada, Europe, or Asia?

Under FDA rules, Botox and fillers may not be purchased from outside the U.S. without proper documentation.

https://www.cbp.gov/newsroom/local-media-release/cbp-cincinnati-seizes-illegal-dangerous-injectable-cosmetics#:~:text=Botox%2C%20or%20botulinum%20toxin%2C%20is,the%20U.S.%20without%20proper%20documentation.

 

15. Can medical spas sell retail products i.e. skin creams?

Yes; however, for tax purposes, the med spa must apply to the Minnesota Department of Revenue for a Sales and Use Tax Permit to collect and pay any required taxes on the retail products sold. In addition, if revenue sharing is occurring, this must be disclosed to the patient. For example, if the provider receives a commission when a patient purchases a certain product, this must be disclosed.

https://www.revenue.state.mn.us/sales-and-use-tax

 

16. Can staff take commissions on non-medical retail products?

Yes, but only if the retail products are not medical and do not require a prescription. Also, generally the financial relationship should be disclosed.

 

17. Do medical spas have to charge sales tax on retail products?

Yes, the medical spa must apply to the Minnesota Department of Revenue for a Sales and Use Tax Permit to collect and pay any required taxes on the retail products sold.

https://www.revenue.state.mn.us/sales-and-use-tax

 

18. Do I need to charge sales tax on procedures like Botox?

Prescription medicines, retail products, drugs, and medical devices provided by a physician or medical facility are exempt from sales tax in Minnesota.

 

19. Can a medical spa practice under a fictitious name or an assumed name or “Doing Business As” or “DBA”?

Yes, but only if it has registered the name with the Minnesota Secretary of State.

 

20. Can a medical spa require patients to sign an arbitration agreement as a condition for providing medical care?

There is no Minnesota law specific to medical spas and arbitration agreements, so they are allowable if drafted correctly.
