HIPAA Compliance

Is Aesthetix CRM HIPAA Compliant?

Yes, Aesthetix CRM can be used in a HIPAA-compliant manner and is designed for this use. Aesthetix CRM was built for the medical aesthetics industry with security and privacy as foundational requirements. All data stored on the platform is encrypted at rest (AES-256) and in transit (TLS 1.2+), and our secure and standard communication methods can be used in a HIPAA-compliant manner.

Platform Architecture

Aesthetix CRM is built on GoHighLevel’s CRM infrastructure (which is hosted on Google Cloud Platform), with Twilio powering all telephony and messaging, DigitalOcean and Vercel providing application hosting, and Supabase providing database services. Aesthetix CRM maintains signed Business Associate Agreements (BAAs) with each of its Infrastructure Providers. HIPAA compliance mode is enabled across all customer sub-accounts on HighLevel and Twilio, which activates encryption at rest (AES-256), encryption in transit (TLS 1.2+), and access controls at the infrastructure level.

When you sign a BAA with Aesthetix CRM, you are covered by a chain of BAAs from Aesthetix CRM through to each Infrastructure Provider that handles your data:

  • You (Covered Entity) → Aesthetix CRM (Business Associate) → HighLevel, Twilio, DigitalOcean, Vercel, Supabase (Subcontractors)

HIPAA Privacy & Security Rule Compliance

The two HIPAA requirements that apply to the relationship between Aesthetix CRM, the customer (the Practice or Agency), and the practice’s patients are the HIPAA Privacy Rule and the HIPAA Security Rule.

Security

Our database automatically encrypts all data before it is written to disk. No setup or configuration is required. The data is automatically and transparently decrypted when read by an authorized user.

With server-side encryption, Google manages the cryptographic keys on your behalf using the same hardened key management systems used for their own encrypted data, including strict key access controls and auditing. Each database object’s data and metadata is encrypted under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys.

Standard (“Non-Secure”) Communication

SMS, Email, Phone Calls, WhatsApp messages, Instagram DMs, Facebook Messages, and Google My Business messages are Standard (Non-Secure) Communications. These conversations are stored in a HIPAA-compliant manner. However, because these communications leave Aesthetix CRM’s control before reaching the intended recipient, Aesthetix CRM cannot guarantee the security of standard communication throughout its entire journey. This limitation is not unique to Aesthetix CRM — these communication channels have this limitation regardless of which provider powers them. Despite this, standard communication channels can still be used in a HIPAA-compliant manner, provided that you take care to use them correctly.

Phone Calls

Twilio powers the Aesthetix CRM phone system. The technology underlying Aesthetix CRM telephony, including voicemail storage and transcription, is HIPAA-compliant. All PHI is stored within the Aesthetix CRM app and not in insecure areas of your personal phone. Patient names, phone numbers, call history, and voicemails are stored securely.

Email Messages

You can send one-on-one or mass marketing email messages on Aesthetix CRM. All emails are stored on the platform in a HIPAA-compliant manner with HIPAA-compliant encryption for all mail in transit. However, we cannot control the patient’s device or security settings. Despite this, email can still be used in a HIPAA-compliant manner in many cases. Establishing patient preference for this channel is an important step in regulatory compliance.

Text Messages (SMS)

You can send traditional SMS text messages on Aesthetix CRM. Because of the limitations of SMS itself, we cannot guarantee the full security of messages sent with this technology. Despite this, SMS texting can still be used in a HIPAA-compliant manner in many cases. Establishing patient preference for this channel is straightforward.

Establishing Patient Preference

Your patients may prefer to use standard channels such as SMS texting to communicate with you. If you have made those patients aware of potential security limitations and offered secure alternatives, you have a strong argument that your use of such channels is compliant with HIPAA. You should document this patient preference.

Template for patient consent (general guidance only — consult legal counsel for your specific situation):

“I, [Patient Name], hereby consent and state my preference to have my provider, [Provider Name], and other staff at [Practice Name] communicate with me by email or standard SMS messaging regarding various aspects of my medical care, which may include, but shall not be limited to, test results, prescriptions, appointments, and billing. I understand that email and standard SMS messaging are not confidential methods of communication and may be insecure. I further understand that there is a risk that email and standard SMS messaging regarding my medical care might be intercepted and read by a third party.”

Please Note: This template is not legal advice and is provided for general guidance ONLY. Please consult with legal counsel to consider the specifics of your situation.

AI Chat & AI Employee Features

Our AI Chat and AI Employee tools are built with privacy and security in mind, and we maintain Business Associate Agreements (BAAs) with our AI vendors. Data sent through AI features is encrypted.

Important: AI features are not approved for processing Protected Health Information (PHI). You should not enter PHI into AI chats or prompts. These tools are designed to assist your team with productivity, communication, appointment scheduling, and patient engagement — not to store or process medical records.

We continually review our AI vendors and conduct risk assessments to ensure safeguards remain current. We will continue strengthening these features as regulations evolve and more guidance becomes available, with the goal of expanding approved use cases over time.

Your Security Responsibilities

As a HIPAA Covered Entity, you share responsibility for maintaining the security of PHI processed through Aesthetix CRM. Your responsibilities include:

  • Enabling multi-factor authentication (MFA) for all users with access to PHI, particularly on the external email accounts used for login and account recovery
  • Limiting user access based on role (principle of least privilege) — restricting access to bulk imports, exports, and mass messaging to authorized personnel
  • Promptly removing access for terminated personnel
  • Regularly reviewing user access rights and permissions
  • Promptly notifying Aesthetix CRM at legal@aesthetixcrm.com of any suspected or actual unauthorized access or credential compromise
  • Maintaining your own HIPAA compliance program, including policies, training, and risk assessments

Business Associate Agreement

BAA Required for PHI. If your practice is a Covered Entity (or otherwise subject to HIPAA) and you will use Aesthetix CRM to process PHI, you must have a signed Business Associate Agreement (BAA) on file with Aesthetix CRM.

How to Sign. Request your BAA by emailing support@aesthetixcrm.com. We will provide an e-sign link.

What Happens If You Don’t Sign. Accounts without a signed BAA may have access to PHI-related features limited (for example, patient messaging and contact exports) after notice.

BAA Chain. Your BAA with Aesthetix CRM is supported by BAAs between Aesthetix CRM and each of our Infrastructure Providers (HighLevel, Google Cloud, and Twilio). HIPAA compliance mode is enabled across all customer sub-accounts on these platforms.

Related Documents

  • Terms of Service: https://aesthetixcrm.com/terms/
  • Privacy Policy: https://aesthetixcrm.com/privacy/
  • Data Processing Addendum: https://aesthetixcrm.com/dpa/
  • Sub-Processor List: https://aesthetixcrm.com/sub-processors

Contact

Privacy Officer: Eric Dunn

Email: privacy@aesthetixcrm.com

Legal: legal@aesthetixcrm.com

Support: support@aesthetixcrm.com

Phone: (833) 479-1777