Last Updated: June 7, 2026
MoreScales ("we," "our," or "us") is fully committed to maintaining the privacy, confidentiality, and security of Protected Health Information (PHI) in strict accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Omnibus Rule of 2013, and all applicable state and federal privacy regulations. As a premier digital marketing, CRM automation, and AI integration agency serving MedSpas, aesthetic clinics, and healthcare providers across the United States, we recognize the critical importance of safeguarding patient data.
Operating as a "Business Associate" under HIPAA regulations, we understand that our clients (the "Covered Entities") entrust us with sensitive information necessary to execute effective patient acquisition, follow-up, and retention strategies. This comprehensive HIPAA Compliance Statement outlines the rigorous administrative, physical, and technical safeguards we have implemented to ensure that all PHI processed, transmitted, or stored through our systems remains secure, private, and fully compliant with regulatory standards.
HIPAA requires that Covered Entities only engage with third-party vendors who can guarantee the protection of PHI through a formal legal contract known as a Business Associate Agreement (BAA). MoreScales executes a comprehensive BAA with every healthcare client before any services commence or any PHI is accessed.
Our standard BAA strictly defines our responsibilities regarding the permitted uses and disclosures of PHI, our obligation to implement appropriate safeguards, our duty to report any unauthorized uses or disclosures (including security incidents and breaches), and our commitment to ensuring that any subcontractors we engage also agree to the same strict restrictions and conditions. We do not process, store, or transmit PHI without a fully executed BAA in place.
Protected Health Information (PHI) encompasses any individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a Covered Entity or its Business Associates. This includes, but is not limited to, patient names, contact details, appointment dates, treatment types (e.g., Botox, dermal fillers, laser treatments), medical history, billing information, and before-and-after photographs.
At MoreScales, we adhere to the "Minimum Necessary" rule. Our systems, AI chatbots, and CRM workflows are meticulously designed to request, collect, and process only the absolute minimum amount of PHI required to achieve the intended marketing or scheduling purpose. We actively discourage the collection of highly sensitive medical data through top-of-funnel marketing channels and strictly route any necessary clinical communications through secure, encrypted, and HIPAA-compliant portals.
MoreScales has implemented a robust framework of administrative safeguards to manage the selection, development, implementation, and maintenance of security measures that protect electronic PHI (ePHI).
To protect our electronic information systems and the facilities in which they are housed from unauthorized physical access, tampering, and environmental hazards, MoreScales enforces stringent physical safeguards.
Our primary infrastructure is hosted on top-tier, HIPAA-compliant cloud environments (such as Amazon Web Services and Google Cloud Platform). These data centers feature 24/7/365 on-site security personnel, biometric access controls, CCTV surveillance, mantraps, and redundant power and environmental controls. For our corporate offices and remote workforce, we enforce a strict "Clean Desk" and "Clear Screen" policy. All company-issued devices (laptops, mobile phones) are physically secured, equipped with biometric or strong password locks, and feature remote-wipe capabilities in the event of loss or theft. We do not permit the storage of PHI on unauthorized, unencrypted, or personal removable media (e.g., USB drives).
Our technical infrastructure is engineered from the ground up with security and compliance as foundational principles. We utilize enterprise-grade technical safeguards to control access to ePHI and monitor activity within our systems.
As a marketing agency, we are acutely aware of the strict HIPAA regulations governing the use of PHI for marketing purposes. HIPAA clearly distinguishes between standard healthcare operations and marketing communications.
We ensure that our automated CRM campaigns, SMS follow-ups, and email newsletters comply with the Telephone Consumer Protection Act (TCPA) and the CAN-SPAM Act, in addition to HIPAA. We do not use PHI to market third-party products or services without explicit, written HIPAA authorization from the patient. When utilizing patient testimonials, reviews, or before-and-after photos in advertising campaigns (such as Facebook or Google Ads), we ensure that the MedSpa has obtained a signed, legally binding HIPAA media release and authorization form from the patient prior to publication.
Despite the most robust security measures, the threat landscape is constantly evolving. MoreScales maintains a comprehensive Incident Response Plan (IRP) designed to rapidly detect, contain, investigate, and remediate any suspected security incidents.
In the event of a confirmed breach of unsecured PHI, our policy dictates immediate action. While the HIPAA Breach Notification Rule allows up to 60 days for notification, MoreScales is committed to notifying our Covered Entity clients without unreasonable delay, and strictly within the timeframe specified in our BAA (typically within 48 to 72 hours of discovery). We will provide our clients with all available information regarding the nature of the breach, the specific PHI involved, the individuals affected, and the mitigation steps we have taken, empowering the Covered Entity to fulfill its regulatory notification obligations to patients and the Department of Health and Human Services (HHS).
To deliver our comprehensive suite of services, MoreScales occasionally integrates with third-party software providers (e.g., specialized AI models, SMS gateways, cloud hosting providers). Under the HIPAA Omnibus Rule, our subcontractors who create, receive, maintain, or transmit PHI on our behalf are also directly liable for HIPAA compliance.
We maintain a rigorous vendor risk management program. Before sharing any PHI with a subcontractor, we conduct thorough due diligence to verify their security posture and mandate the execution of a Subcontractor Business Associate Agreement (SBAA). This ensures that the chain of trust remains unbroken and that your patients' data is protected at every layer of our technology stack.
MoreScales retains PHI only for as long as is necessary to fulfill the purposes outlined in our service agreements and BAAs, or as required by law. When PHI is no longer needed, or upon the termination of our contract with a Covered Entity, we ensure the secure destruction and disposal of all ePHI.
Our data destruction protocols adhere to the National Institute of Standards and Technology (NIST) Special Publication 800-88 Guidelines for Media Sanitization. We utilize cryptographic erasure (crypto-shredding) for cloud-based data and secure, certified physical destruction for any hardware that has reached the end of its lifecycle, ensuring that PHI cannot be recovered or reconstructed under any circumstances.
HIPAA grants patients specific rights regarding their health information, including the right to access their PHI, request amendments, request an accounting of disclosures, and request restrictions on certain uses. As a Business Associate, MoreScales is fully equipped and obligated to assist our Covered Entity clients in fulfilling these patient requests promptly and efficiently within the statutory timeframes.
HIPAA compliance is not a one-time achievement; it is a continuous, ongoing process. We employ automated security scanning, intrusion detection systems (IDS), and continuous monitoring tools to oversee our network traffic and infrastructure 24/7. Furthermore, we periodically engage independent, third-party cybersecurity firms to conduct penetration testing and comprehensive HIPAA compliance audits. These external assessments ensure that our safeguards remain effective against emerging threats and aligned with the latest regulatory guidance from the HHS Office for Civil Rights (OCR).
Transparency and open communication are core values at MoreScales. If you are a current or prospective client, a patient of one of our clients, or a regulatory official with questions, concerns, or inquiries regarding our HIPAA compliance program, data security practices, or to report a suspected security incident, please contact our designated Privacy and Security Officer immediately: