HIPAA Compliance Notice

How Still Point Agency approaches HIPAA compliance in the context of marketing services for healthcare and medical aesthetics practices.

Effective date: June 1, 2026
Last updated: June 1, 2026
Applicable law: 45 CFR Parts 160 and 164
Texas regulation: HB 3749 / Jennifer's Law

01. Overview

Still Point Agency provides digital marketing services to medical aesthetics practices, wellness centers, and other healthcare-adjacent businesses. Because our clients operate in the healthcare space, understanding HIPAA and its implications for marketing activities is essential for both Still Point and the practices we serve.

This notice explains how Still Point Agency approaches HIPAA compliance, what our responsibilities are as a marketing services provider, what our clients' responsibilities are, and how we handle compliance requirements across the various areas of digital marketing we manage.

Important clarification: Still Point Agency is a marketing agency, not a healthcare provider, health plan, or healthcare clearinghouse. We are not directly subject to HIPAA as a Covered Entity. However, when we access systems or data that may contain Protected Health Information (PHI) while performing services for a Covered Entity client, we may qualify as a Business Associate under HIPAA and incur corresponding obligations.

This document does not constitute legal advice. Clients should consult with a qualified healthcare attorney regarding their specific HIPAA compliance obligations.

02. Our Role Under HIPAA

When Still Point May Be a Business Associate

Under HIPAA, a Business Associate is any person or entity that performs functions or activities on behalf of, or provides services to, a Covered Entity that involve the use or disclosure of Protected Health Information. Still Point Agency may qualify as a Business Associate when we:

  • Access a client's CRM or practice management system that contains patient contact information or appointment data
  • Access a client's email marketing platform that holds patient email addresses and treatment history
  • Set up or manage patient communication systems that may carry health-related information
  • Access analytics or reporting systems that contain patient-level data

When Still Point Is Not Acting as a Business Associate

Still Point Agency does not act as a Business Associate when we are:

  • Managing public-facing advertising campaigns on Google or Meta (we do not supply PHI to these platforms)
  • Creating and posting social media content that does not reference individual patients
  • Writing and publishing blog posts and landing pages
  • Managing Google Business Profile listings
  • Conducting SEO keyword research and optimization
  • Building or updating website pages that do not contain patient data

For marketing activities that do not involve access to PHI, a Business Associate Agreement is not required. However, we recommend that all clients with HIPAA obligations execute a BAA with Still Point as a matter of best practice.

03. Business Associate Agreements

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a Covered Entity (the healthcare practice) and a Business Associate (Still Point Agency, in applicable circumstances). The BAA establishes the permitted uses and disclosures of PHI, requires appropriate safeguards, and sets obligations in the event of a breach.

Request a BAA

If your practice is a HIPAA Covered Entity and you are engaging Still Point Agency for services that may involve access to PHI, request a Business Associate Agreement before services begin.

What Our BAA Covers

When a BAA is executed between Still Point Agency and a client, we agree to:

  • Use and disclose PHI only as permitted by the BAA and required to perform our services
  • Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI
  • Report any use or disclosure of PHI not provided for by the BAA to the client without unreasonable delay
  • Report any security incident involving PHI to the client promptly
  • Ensure that any subcontractors who access PHI on our behalf also agree to the same restrictions and conditions
  • Return or destroy all PHI upon termination of the engagement, to the extent feasible
  • Make our internal practices, books, and records available to the U.S. Department of Health and Human Services for compliance review as required

When a BAA Is Required

A BAA is required before Still Point Agency begins work if the engagement involves:

  • Access to the client's practice management system or EHR for any purpose
  • Setup or management of patient communication systems (automated appointment reminders, patient recall sequences, etc.)
  • Access to the client's email marketing lists that include patient health information
  • Any system where patient names are combined with appointment dates, treatment types, or other health information

04. What We Access and How We Protect It

Platform Access

In delivering marketing services, Still Point Agency may access the following client systems:

  • Google Analytics 4 (web traffic and conversion data)
  • Google Search Console (search performance data)
  • Google Business Profile (public listing management)
  • Meta Business Manager (advertising account management)
  • Google Ads (advertising account management)
  • Website CMS or hosting backend (for content updates)
  • CallRail or similar call tracking platforms (call volume and source data)
  • GoHighLevel or similar CRM (for lead management workflows, if configured by Still Point)
  • Social media accounts (Instagram, Facebook) for content publishing

Access Controls

All platform access is managed through role-based permissions. Still Point Agency requests the minimum level of access required to perform the contracted services. We do not request administrative access to systems where manager-level access is sufficient. All team members sign confidentiality agreements and receive training on data handling practices.

Credential Security

Platform credentials and access tokens provided by clients are stored securely using encrypted credential management systems. Access is limited to Still Point team members actively working on that client account. Credentials are not shared outside of Still Point Agency or used for any purpose other than delivering services to the applicable client.

Data Minimization

Still Point Agency applies the principle of data minimization: we access only the data necessary to perform contracted services and we do not retain client data beyond the period necessary for service delivery and reasonable business record-keeping.

05. What We Do Not Access or Store

Still Point Agency does not access, store, process, or transmit the following:

  • Patient medical records, clinical notes, or health history
  • Patient insurance information
  • Social Security numbers or government ID numbers
  • Patient financial records
  • Any information stored in an Electronic Health Record (EHR) system such as Aesthetic Record, PatientNow, Nextech, or similar platforms
  • Patient-specific treatment plans or clinical outcomes

If a client's marketing strategy requires analysis of patient-level data (for example, segmenting email lists by treatment type for targeted campaigns), that analysis must be performed by the client using their own HIPAA-compliant systems. Still Point can advise on strategy and provide content, but we do not access systems containing this type of data without a fully executed BAA and explicit written authorization.

06. Marketing Compliance for Healthcare Practices

HIPAA has specific rules about using PHI for marketing purposes. The key rule: a healthcare provider cannot use PHI to market goods or services without patient authorization, with limited exceptions (such as face-to-face communications and promotional gifts of nominal value).

In practical terms for Still Point's clients, this means:

Permitted Without Authorization

  • Advertising to the general public (Google Ads, Meta Ads targeting demographics -- not existing patients by name)
  • Creating and publishing content on your website and social media for public consumption
  • Sending appointment reminders and treatment follow-ups to existing patients (these are healthcare operations, not marketing)
  • Sending general health information newsletters to patients who have not opted out
  • Promoting your services through your Google Business Profile listing

Requires Patient Authorization

  • Sending promotional emails to patients specifically because of their treatment history (e.g., "You had Botox six months ago, time for a touch-up") -- this constitutes using PHI for marketing
  • Sharing patient information with a third-party marketing company for the company's own marketing purposes
  • Targeted advertising campaigns that use patient data uploaded to ad platforms (custom audiences built from patient email lists that include treatment information)

Still Point Agency advises clients on compliant marketing strategies. When a client wants to implement a marketing tactic that touches patient data, we will flag any potential HIPAA implications and recommend appropriate safeguards or authorization processes before proceeding.

07. Before and After Photographs

Before and after photographs are among the most powerful marketing assets for aesthetic practices. They are also among the most regulated. Still Point Agency will only use before and after images in marketing when the following requirements are met:

Written Patient Consent Requirements

  • A separate, specific written consent must be obtained from each patient whose images are used in marketing -- consent for treatment does not imply consent for marketing use
  • The consent must specifically describe how the images will be used (website, social media, Google Ads, print, etc.) and must be revocable
  • The consent must be signed before the images are published in any marketing material
  • Clients must retain signed consents and provide copies to Still Point upon request

Image Standards

  • Before and after images must be genuine, unaltered representations of patient results
  • Images may not be edited, filtered, or otherwise altered in ways that misrepresent the actual treatment outcome
  • Basic color correction and cropping for consistency are permissible if they do not materially alter the depiction of results
  • Stock photos represented as patient results are prohibited
  • Images sourced from the device manufacturer (BTL, InMode, etc.) may only be used if the manufacturer's licensing terms permit marketing use by the practice

Disclosure Requirements

Per FTC guidelines, all before and after images used in advertising must reflect results that are reasonably typical for patients. If the results shown are exceptional, appropriate disclosure is required (e.g., "Results may vary" or "Individual results not guaranteed"). Still Point will include appropriate disclosures in all advertising materials featuring patient results.

08. Testimonials and Patient Reviews

Google Reviews

Google reviews are submitted voluntarily by patients and are in the public domain. Responding to Google reviews does not require specific HIPAA authorization from the patient. However, review responses must be carefully written to avoid disclosing PHI. Still Point Agency follows these rules when managing client review responses:

  • We never confirm or deny that the reviewer is a patient of the practice
  • We never reference any specific treatment, procedure, medication, or appointment in a review response
  • We never include any information about the reviewer's health condition or medical history
  • We always invite the reviewer to contact the practice directly to resolve any concerns

Testimonials in Marketing Materials

Using patient testimonials in marketing materials (website, ads, social media) requires written patient authorization. The authorization should specify the exact content to be used, where it will appear, and how long it will be used. Still Point will request confirmation of written authorization before publishing any testimonial that identifies a patient by name, image, or any other identifying information.

Incentivized Reviews

Practices may not offer discounts, free services, or other incentives in exchange for positive reviews. This violates FTC guidelines and, in some states, may violate consumer protection laws. Still Point will never implement a review generation strategy that offers incentives for positive reviews. Ethical review generation involves making it easy for genuinely satisfied patients to leave reviews through automated post-visit request systems.

09. Texas-Specific Regulations

Texas has enacted specific regulations governing medical spa operations and advertising. Still Point Agency's marketing work is designed with these requirements in mind.

HB 3749 / Jennifer's Law

Physician Oversight Requirements

Effective September 1, 2025, this law requires physician delegation and supervision for certain aesthetic procedures. Marketing materials must accurately reflect the supervising or treating provider's qualifications and the level of physician oversight available at the practice.

Texas January 2025 Rules

Physician Disclosure in Marketing

New rules effective January 2025 require clear disclosure of the treating or supervising physician in medical spa advertising. Provider credentials must be accurately represented. Still Point will not publish marketing materials that misrepresent provider qualifications.

Corporate Practice Doctrine

Ownership and Control

Texas maintains constraints on corporate ownership of medical practices. Marketing materials for med spas must not imply corporate or non-physician ownership or control in ways that violate applicable law. Still Point reviews client organizational structure before making representations about ownership in marketing.

Texas Medical Practice Act

Scope of Practice

Marketing content must not imply that non-physician providers are performing procedures outside their licensed scope of practice. Still Point verifies provider credentials and scope representations in all marketing content.

Ongoing regulatory monitoring: Texas medical spa regulations are actively evolving. AmSpa (American Med Spa Association) has noted that proposed legislation could significantly impact the medical aesthetics industry. Still Point Agency monitors regulatory developments and will flag any changes that may affect client marketing obligations. Clients should maintain their own relationship with a qualified Texas healthcare attorney for legal compliance guidance.

10. FTC Compliance

The Federal Trade Commission (FTC) regulates advertising for healthcare and aesthetic services, including requirements for truthful and non-deceptive claims. Still Point Agency applies FTC guidelines in all marketing materials we create and manage.

Key FTC Requirements We Apply

  • Truthful claims: All advertising claims must be truthful and supported by competent and reliable scientific evidence. We do not write copy that includes unsubstantiated superiority claims.
  • No deceptive claims: We do not create advertising that is likely to mislead reasonable consumers. This includes misleading omissions as well as affirmative misstatements.
  • Results disclosures: When advertising results that are not typical, appropriate disclosures are required ("Results may vary," "Individual results not guaranteed"). We include these disclosures wherever required.
  • Testimonial guidelines: Testimonials must reflect the honest opinions of the endorser and must represent results that are typical, or be accompanied by clear disclosure of atypical results. Compensated testimonials must be disclosed.
  • No fake reviews: We never create, purchase, or solicit fake reviews. All review generation activities involve real patients submitting their genuine opinions.

Claims We Will Not Write

  • "Best" or "#1" claims without verifiable, current, and documented basis
  • "Guaranteed results" or "guaranteed outcomes" without a documented guarantee program
  • "Clinically proven" without citation to specific clinical evidence
  • Before and after results attributed to a treatment when other factors may have contributed
  • Device capability claims that exceed FDA clearance
  • Any claim that a client's provider has qualifications they do not hold

11. FDA Advertising Rules for Aesthetic Devices

The FDA regulates the marketing of medical devices including the aesthetic devices that many of our clients use. Marketing claims about FDA-cleared devices must stay within the bounds of the device's FDA clearance.

What This Means in Practice

  • We only claim FDA clearance for indications that are actually cleared. For example, Emsculpt NEO is cleared for abdomen, buttocks, arms, calves, and thighs -- we do not claim it is FDA-cleared for other body areas.
  • We do not claim that a device "treats" a medical condition unless the device is specifically cleared by the FDA to treat that condition.
  • We distinguish between "FDA-cleared" and "FDA-approved" -- these have different regulatory meanings and we use the correct term for each device.
  • We do not make claims about off-label uses of devices in advertising materials, even if the off-label use is common in clinical practice.

Device-Specific Compliance

Before writing content about any device, Still Point Agency verifies the device's FDA clearance status and cleared indications. We maintain awareness of the cleared indications for commonly marketed devices including Emsculpt NEO, EmFace, Emsella, Morpheus8, Moxi, BBL Heroic, Hydrafacial, and CoolSculpting, among others.

If a client wants to market a device use that may be outside its FDA clearance, Still Point will decline to create that content and will advise the client to consult with a regulatory attorney before advertising that use.

12. Client Compliance Obligations

Compliance with HIPAA, FTC guidelines, FDA advertising rules, and Texas medical spa regulations is ultimately the responsibility of the client practice. Still Point Agency supports compliance in our work but cannot guarantee compliance with regulations that depend on the client's own operations, clinical practices, and business structure.

What Clients Are Responsible For

  • Maintaining all licenses required to operate a medical spa or aesthetic practice in Texas
  • Ensuring appropriate physician oversight and supervision as required by Texas law
  • Obtaining and retaining written patient consents for all before and after images and testimonials used in marketing
  • Ensuring that all information provided to Still Point for use in marketing materials is truthful and accurate
  • Notifying Still Point promptly if any information previously provided for marketing use changes (provider qualifications, device clearances, etc.)
  • Implementing a HIPAA-compliant Notice of Privacy Practices and related policies in their practice
  • Ensuring that any practice management systems containing PHI that may be accessed by Still Point are covered by a BAA
  • Consulting with qualified legal counsel on their specific HIPAA compliance obligations

Indemnification: As noted in our Terms of Service, clients agree to indemnify Still Point Agency for any compliance violations or claims arising from information provided by the client that was inaccurate, or from the client's failure to obtain required patient consents. Compliance is a shared responsibility -- we handle the marketing side, you handle the clinical and practice governance side.

13. Incident Response

In the event that Still Point Agency becomes aware of any unauthorized access to, use of, or disclosure of PHI in connection with our services, we will:

  • Notify the affected client without unreasonable delay and in no case later than 60 days after discovery
  • Provide the client with a description of what occurred, the types of information involved, the steps we are taking to investigate, and the steps we recommend the client take to protect affected individuals
  • Cooperate fully with the client's own incident response and any regulatory investigation
  • Take immediate steps to contain the incident and prevent further unauthorized access or disclosure

Clients are responsible for determining whether an incident constitutes a reportable breach under HIPAA and for fulfilling any breach notification obligations to affected individuals, the HHS Office for Civil Rights, and the media (where applicable). Still Point Agency will support this process but the legal obligation to notify rests with the Covered Entity (the client).

Reporting a Security Concern

If you become aware of any unauthorized access to systems that contain PHI accessible by Still Point Agency, or if you have a security concern about any aspect of our data handling, please contact us immediately:

Security and Incident Reporting

Email: hello@stillpoint.agency

Subject line: URGENT: Security Incident

Emails marked with this subject line are treated as priority and will receive a response within 4 business hours during normal business hours.

14. Legal Disclaimer

This document does not constitute legal advice. The information contained in this HIPAA Compliance Notice is provided for informational purposes only and reflects Still Point Agency's general approach to compliance in providing marketing services to healthcare-adjacent clients.

HIPAA compliance requirements are complex and fact-specific. Whether your practice qualifies as a Covered Entity, what obligations apply to your specific operations, and whether particular marketing activities require patient authorization are legal questions that depend on your specific circumstances. You should consult with a qualified healthcare attorney for guidance on your specific compliance obligations.

Still Point Agency makes no representation that this notice covers all compliance requirements applicable to your practice or that following the approaches described herein will guarantee compliance with HIPAA or any other applicable law.

This notice is reviewed and updated periodically. The most current version is always available at stillpoint.agency/hipaa-compliance.html. Material changes will be communicated to active clients via email.

15. Contact and BAA Requests

For questions about this HIPAA Compliance Notice, to request a Business Associate Agreement, or to discuss any compliance-related aspect of our services:

Still Point Agency — Compliance

Email: hello@stillpoint.agency

Subject line: HIPAA / Compliance Inquiry

Website: stillpoint.agency

Location: Irving, Texas, USA

We respond to compliance inquiries within 3 business days. BAA requests will receive a draft agreement within 5 business days.

Additional Resources

  • HHS Office for Civil Rights — HIPAA Information
  • American Med Spa Association (AmSpa) — Regulatory Resources
  • FTC Advertising and Marketing Guidance
  • FDA Medical Device Information
  • Texas Medical Board
© 2026 Still Point Marketing. All rights reserved.