
HIPAA-Compliant Med Spa Email & Messaging: What You Can Automate (and What You Can't)

AI Emaily Team · 28 min read

The short answer

HIPAA-compliant med spa email means automating only the low-risk, consent-based messages (appointment scheduling, reminders, and general marketing) while keeping anything that reveals a diagnosis, treatment, photo, or record in the hands of a human on a secure channel. Whether HIPAA even applies to your clinic depends on how you bill and transmit data, so confirm your status and controls with your own compliance officer or counsel.

A plain-English guide to HIPAA-compliant med spa email: what PHI is, when a med spa is a covered entity, what you can safely automate (marketing and scheduling with consent) versus what stays human (treatment details, photos, records), plus a compliant-send checklist and templates. General guidance, not legal advice.

On this page
  1. What this guide is (and what it is not)
  2. What is PHI, and why does it decide everything?
  3. Is a med spa even a HIPAA covered entity? (The honest, nuanced answer)
  4. What is safe to send (and automate) vs. what is risky
  5. Consent and opt-in: the foundation under everything
  6. The Privacy Rule and the Security Rule, as they touch email
  7. Business Associate Agreements (BAAs): the vendor question
  8. The compliant-send checklist
  9. Compliant templates (no PHI, ready to use)
  10. What you should never let an automation send on its own
  11. How AI Emaily helps you stay on the safe side (honestly)
  12. Putting it together

What this guide is (and what it is not)

If you run a med spa, an aesthetic clinic, or an elective dental practice, you almost certainly want to automate the repetitive parts of your inbox, the instant reply to a 9 p.m. Botox inquiry, the consultation reminder, the pricing-range answer you type twenty times a week. You also, quite reasonably, worry about HIPAA. The two goals are not in conflict, but the line between them is easy to blur, and getting it wrong is expensive. This guide is a practical, plain-English map of HIPAA-compliant med spa email: what you can safely automate, what has to stay human, and how to think about the difference.

One thing up front, in bold, because it matters: this is general educational guidance, not legal advice. HIPAA is a federal law with detailed rules, and how it applies to your specific clinic depends on facts we cannot see from here, how you bill, what systems you use, whether you transmit certain transactions electronically, and which state privacy laws layer on top. Nothing below is a substitute for a conversation with your own compliance officer, your privacy counsel, or the U.S. Department of Health and Human Services (HHS), which enforces HIPAA. Treat this as a way to ask better questions, not as a compliance sign-off.

The good news is that the overwhelming majority of the messages a med spa sends every day, the ones that actually leak revenue when they go unanswered, are the low-risk ones. A booking confirmation, an appointment reminder, an acknowledgment that you received an inquiry, a general newsletter about a seasonal promotion: these are the workhorses of a busy clinic, and they are the messages best suited to automation. The sensitive material, a patient's diagnosis, their specific treatment plan, their before-and-after photos, their medical history, is a smaller slice, and it is exactly the slice that should stay with a human on a secure channel. The whole art of compliant automation is drawing that line cleanly and never letting a machine cross it on its own.

What is PHI, and why does it decide everything?

HIPAA protects a specific category of information called protected health information, or PHI. Understanding PHI is the single most useful thing you can do, because once you can recognize it, almost every other question about email answers itself. PHI is, roughly, individually identifiable health information: any information that relates to a person's past, present, or future physical or mental health, the care they receive, or the payment for that care, when it is tied to something that could identify them. The formal definitions live in the federal HIPAA regulations at 45 CFR 160.103, and they are broader than most clinic owners assume.

The identifying part is the trap. People often think PHI means a chart or a lab result. But an ordinary email can become PHI the moment it combines a person's identity with a health fact. "Sarah, your CoolSculpting session is confirmed for Thursday" ties a named individual to a specific treatment, that is health information about an identifiable person. So is a subject line that reads "Your Botox follow-up." So is a before-and-after photo, even without a name, if the face is recognizable. So is an appointment reminder that names the procedure. The health fact does not have to be dramatic; it just has to be about that person's care.

Contrast that with information that is not PHI. A person's email address on your marketing list, sitting next to a general newsletter about a Mother's Day promotion, is not PHI, because nothing there reveals anything about that individual's health or treatment. "We have appointments available next week, book here" sent to your whole list is not PHI. A pricing sheet is not PHI. The distinction is not the channel or the tool; it is whether the message reveals identifiable health information about a specific person.

The quick PHI test

Ask two questions of any message: (1) Does it identify a specific person? (2) Does it reveal something about that person's health, treatment, or payment for care? If the answer to both is yes, treat it as PHI and keep it on a secure, human-controlled channel. If either answer is no, it is likely safe for general, consent-based automation. When you are unsure, treat it as PHI and check with your compliance officer.

It is worth being honest about how easily the line gets crossed in a real med spa inbox, because the failure mode is rarely a dramatic data breach. It is usually a well-meaning automation that names a treatment in a reminder, or a photo attached to a testimonial request, or a reply that quotes the patient's original message back to them, a message that happened to describe their skin condition in detail. None of these feel like "medical records." All of them can be PHI. The reason to internalize the PHI test is that it lets you build automations that are useful without ever letting them touch the sensitive slice.

Is a med spa even a HIPAA covered entity? (The honest, nuanced answer)

Here is the part that trips up half the internet's advice on this topic, including advice that sounds confident. HIPAA does not apply to every business that touches health information. It applies to covered entities and their business associates. A covered entity, under 45 CFR 160.103, is a health plan, a health care clearinghouse, or a health care provider who transmits certain health information electronically in connection with a HIPAA-covered transaction, things like electronically submitting a claim to insurance, checking eligibility, or requesting authorization. The trigger is not "provides medical treatment." The trigger is that specific electronic-transaction test.

This is why med spas sit in a genuinely gray zone, and why you should not take a blanket "med spas are/aren't covered" claim at face value. A med spa that is purely cash-pay, never bills insurance, and never electronically transmits one of those standard HIPAA transactions may not be a covered entity in the strict HIPAA sense. A med spa attached to a physician's practice that bills insurance for some services, or that runs a medical weight-loss arm that submits claims, may well be a covered entity, at least for those functions. Two clinics offering the same Botox service can land on opposite sides of the line based on their billing setup. That is not a loophole to exploit; it is a fact pattern to verify.

But do not exhale too early if you conclude HIPAA might not apply to you, because three important things remain true even then. First, your clinic almost certainly still operates as a licensed medical practice under state law, and states have their own medical-privacy and consumer-data statutes, some stricter than HIPAA, that absolutely do apply to patient information regardless of your HIPAA status. Second, the FTC has taken the position that unfair or deceptive handling of health data, including breaches, can violate consumer-protection law even outside HIPAA, and it has enforced the Health Breach Notification Rule against health apps and non-HIPAA entities. Third, and most simply: patients expect their aesthetic and medical information to be private, and a leak, whether or not a regulator ever calls it a "HIPAA violation," is a reputational and trust catastrophe for a clinic whose entire business runs on discretion.

Do not guess your covered-entity status, confirm it

Whether your specific med spa is a HIPAA covered entity depends on how you bill and what you transmit electronically, and it can differ service by service within the same clinic. This guide cannot tell you your status. Have your compliance officer or health-care attorney make that determination in writing, and revisit it whenever you add insurance billing, a new service line, or a new vendor. Assume you must protect patient information either way, and let the legal analysis refine the specifics.

The practical upshot is comforting rather than paralyzing. Whether or not HIPAA technically binds your clinic, the safe operating posture is the same: automate the low-risk, general, consent-based messages, and keep identifiable health information on secure, human-controlled channels. If you build your inbox that way, you are compliant under the strict HIPAA reading, you are on the right side of state privacy law, and you are honoring the trust your patients place in you, all at once. The legal determination refines the edges; it does not change the core discipline. So the rest of this guide assumes you want to hold the higher standard regardless, which is exactly what a serious clinic should do.

What is safe to send (and automate) vs. what is risky

With the PHI test in hand, you can sort almost any med spa message into one of two buckets. The safe bucket contains messages that are either not about an identifiable person's health at all, or that a patient has clearly consented to receive on the channel you are using. The risky bucket contains anything that reveals a diagnosis, a specific treatment, a clinical detail, a photo, or a record, especially over unencrypted email or SMS to a general address. The line is not always obvious at the margins, which is why the table below is worth keeping near your team.

Notice a subtle but important point: the same underlying event can produce a safe message or a risky one depending on how it is worded. "Your appointment is confirmed for Thursday at 2 p.m., reply STOP to opt out" is safe. "Your lip filler touch-up is confirmed for Thursday" names a treatment and is far riskier. The compliant move is almost always to strip the clinical specificity out of the automated message and let the patient supply the context. The reminder can say "your appointment," not "your labiaplasty consult." The follow-up can say "how are you feeling after your visit?" without naming what was done.

Generally safe to send / automate (with consent) | Risky, keep human and on a secure channel
--- | ---
Instant acknowledgment of a new inquiry ("Thanks, we got your message and will reply shortly"). | Any reply that quotes back a patient's described symptoms, condition, or history.
Appointment confirmations and reminders that reference "your appointment," not the specific procedure. | Reminders or confirmations that name the treatment, diagnosis, or body area.
General marketing and newsletters to a consented list (promotions, seasonal offers, new-service announcements). | Marketing that targets people based on a treatment they received or a condition they have.
Pricing ranges, hours, location, parking, general pre-visit prep, and FAQ answers. | Individualized treatment plans, dosing, eligibility decisions, or clinical recommendations.
"We have openings next week, book here" and general rebooking nudges. | Before-and-after photos, chart notes, lab or intake results, or consent forms with health data.
Post-visit "how are you doing?" check-ins that invite the patient to reply on a secure channel. | Detailed aftercare tied to a named procedure sent to an unverified email or phone number.
Review and testimonial requests that do not state what the patient was treated for. | Any message that reveals the person is a patient of a service that is itself sensitive.

Two clarifications keep clinics out of trouble here. First, "safe" always assumes you have the right consent for the channel and content, which the next section covers, and that you are not naming sensitive services. Second, the risky column is not a list of things you can never send, it is a list of things you should not automate blindly or send over an insecure channel. A patient's treatment plan is perfectly fine to discuss; it just belongs in a secure portal, a phone call, or an encrypted message a human sends deliberately, not in an autosend that fires without eyes on it.

Consent and opt-in: the foundation under everything

Automation without consent is where compliant intentions go to die. Two separate consent questions matter for a med spa, and clinics routinely conflate them. The first is HIPAA authorization for using or disclosing PHI in certain ways. The second is marketing consent, the permission you need under email and texting laws to send promotional messages at all. They are different regimes, and you need to satisfy both.

On the HIPAA side, the rules distinguish between communications that are treatment-related and communications that are marketing. Under 45 CFR 164.508, most uses or disclosures of PHI for marketing require a written HIPAA authorization from the individual, a specific, informed opt-in, not a buried checkbox. There are narrow exceptions (for example, certain face-to-face communications or a reminder about a product or service the patient is already receiving can be treated differently), but the safe assumption is that using health information to market to someone needs their explicit authorization. This is one more reason to keep automated marketing general: a promotion sent to your whole consented list, not targeted using anyone's health data, sidesteps the thorniest part of this rule.

On the marketing-law side, promotional email in the U.S. is governed by the CAN-SPAM Act, which the FTC enforces. CAN-SPAM requires, among other things, that you not use deceptive subject lines, that you identify the message as an ad where relevant, that you include a valid physical postal address, and, crucially, that you honor opt-out requests promptly and give recipients a clear way to unsubscribe. Text-message marketing carries its own consent requirements. The practical rule of thumb: get clear opt-in before you add anyone to a marketing flow, keep a record of when and how they consented, and make opting out one click or one reply away.

  1. Capture consent explicitly and record it

     Use a clear, unbundled opt-in at intake and on web forms that states what the person is agreeing to receive (appointment messages, marketing, or both) and on which channels. Store the timestamp, the wording they saw, and the source. Vague or pre-checked consent is not consent you want to rely on.

  2. Separate transactional from marketing consent

     Booking confirmations and reminders are transactional and expected; general promotions are marketing and need their own opt-in. Let patients agree to one without the other, and treat the two flows separately in your system.

  3. Keep automated marketing general, not health-targeted

     Send promotions to a consented list without segmenting by treatment received or condition. The moment a campaign is built on "everyone who got filler," you are using PHI for marketing, which generally needs HIPAA authorization.

  4. Honor opt-outs immediately and everywhere

     Include a working unsubscribe link in every marketing email and a STOP option in texts, and process withdrawals fast across every list. A single valid physical postal address in your footer is a CAN-SPAM requirement, not a nicety.

  5. Verify the channel before sending anything sensitive

     Confirm you are sending to the address or number the patient gave you and consented to use, and never move clinical detail onto an unverified or shared channel. When in doubt, route the patient to a secure portal or a phone call.

The Privacy Rule and the Security Rule, as they touch email

HIPAA's two central rules do different jobs, and email lives at the intersection. The Privacy Rule governs what you may use and disclose, and to whom: it says PHI should be shared on a minimum-necessary basis, that patients have rights over their information, and that marketing uses generally require authorization. The Security Rule governs how you must protect PHI that lives in electronic form (ePHI): it requires administrative, physical, and technical safeguards, access controls, audit controls, integrity protections, and transmission security among them, to keep ePHI confidential and intact.

For email specifically, a few consequences follow. The minimum-necessary principle argues for keeping identifiable health detail out of messages that do not need it, which is exactly why compliant reminders say "your appointment" rather than naming the procedure. The transmission-security expectation is why sending PHI over ordinary, unencrypted email to a general address is risky: standard email is more like a postcard than a sealed envelope. HHS guidance has long acknowledged that a covered entity may communicate with patients by email, including when a patient requests it, but it also expects reasonable safeguards, and where the risk is meaningful, that points toward encryption or a secure portal rather than plain email.

None of this means email is off-limits. It means the sensitive content belongs on a protected path, and the routine, non-identifying content can travel the ordinary path with consent. A clinic that keeps clinical detail in a secure portal, uses plain email only for general and scheduling messages, records its consents, and can show an audit trail of who accessed and sent what is doing the substantive work the Privacy and Security Rules ask for. As always, your compliance officer should map these rules to your exact systems, because the required safeguards are risk-based and depend on your environment.

Plain email is a postcard, treat it that way

Standard, unencrypted email can be read in transit and sits in inboxes and servers you do not control. Keep diagnoses, treatment details, photos, and records off it. Use a secure patient portal or an encrypted channel for anything identifiable and clinical, and reserve ordinary email for general, scheduling, and consented marketing messages that pass the PHI test.

Business Associate Agreements (BAAs): the vendor question

If your clinic is a HIPAA covered entity and you let a vendor create, receive, maintain, or transmit PHI on your behalf, that vendor is a business associate, and HIPAA requires a Business Associate Agreement (BAA) with them before that data changes hands. A BAA is a contract that binds the vendor to protect PHI, use it only as permitted, report incidents, and meet the relevant Security Rule safeguards. It is not optional paperwork; handing PHI to a vendor without a BAA is itself a compliance failure, independent of whether anything ever goes wrong.

This is where a lot of clinics quietly slip. Your email provider, your booking software, your CRM, your texting tool, your AI assistant, any of these can become a business associate if it handles PHI for you. The questions to ask every vendor are concrete: Will this tool touch PHI? If so, will you sign a BAA? What safeguards do you provide, and where is the data stored? Many mainstream marketing and email tools will not sign a BAA and are simply not designed to hold PHI, which is a strong signal to keep PHI out of them entirely and use them only for general, non-identifying messaging.

There is a cleaner path that sidesteps much of this: design your automated messaging so that no PHI flows through the general-purpose vendors in the first place. If your marketing tool only ever sends non-identifying promotions to a consented list, and your scheduling reminders say "your appointment" without clinical detail, then those tools are not handling PHI, and the BAA question narrows to the systems that genuinely do, your medical record system, your secure portal, and any tool a human uses to send identifiable clinical content. Fewer systems touching PHI means fewer BAAs, a smaller attack surface, and a simpler audit.

A tool is not your compliance officer

No software vendor, including an AI email client, makes your clinic HIPAA-compliant by itself. Compliance is an organizational responsibility, your policies, your consents, your BAAs, your safeguards, and your staff training. A tool can support compliant workflows and reduce risk, but you still own the determination of your covered-entity status, the BAAs you need, and the controls around PHI. Confirm all of it with your compliance officer or counsel.

The compliant-send checklist

Before any med spa message goes out, especially any automated one, it should clear a short checklist. Bake this into your process so it happens every time rather than relying on someone to remember. If a message cannot pass every step, it is not ready to automate, and it may need a human to send it deliberately on a secure channel instead.

  1. Run the PHI test

     Does the message identify a specific person AND reveal something about their health, treatment, or payment? If yes, it is PHI: do not autosend it over plain email, and route it to a secure, human-handled path.

  2. Confirm consent for this content and channel

     Do you have a recorded opt-in that covers what you are sending (transactional vs. marketing) and the channel you are using? No consent, no send. Marketing built on health data needs HIPAA authorization.

  3. Strip clinical specifics from anything automated

     Reword to "your appointment," "your visit," "your recent service." Remove procedure names, diagnoses, body areas, and photos from any message a machine sends without human review.

  4. Choose the right channel for the content

     General and scheduling messages can go by ordinary email or text with consent. Identifiable clinical detail goes only through a secure portal or encrypted channel, sent by a person.

  5. Include the compliance basics on marketing

     Every promotional email needs a working unsubscribe link, must honor opt-outs promptly, and must carry a valid physical postal address. Texts need a clear STOP option. This is CAN-SPAM and texting-law hygiene.

  6. Put a human in the loop for anything uncertain

     If a message is ambiguous, borderline, or clinical, it should require explicit human approval before it sends, never a blind autosend. Default to review when in doubt.

  7. Keep an audit trail

     Log what was sent, to whom, when, on what channel, and who approved it. An audit trail is both a Security Rule expectation and your best evidence that your process works.
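As an added example that is not part of the original article and not AI Emaily's code, here is the seven-step checklist above, together with the consent rules from the previous section, expressed as a pre-send gate in Python. The clinical-term list, the consent records, the example.com addresses, the postal address and the sample messages are all constructed for illustration; a real clinic would substitute its own service vocabulary and consent store.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative vocabulary for the "strip clinical specifics" step;
# a real clinic would build it from its own service menu and chart terms.
CLINICAL_TERMS = ("botox", "filler", "coolsculpting", "labiaplasty", "laser",
                  "peel", "diagnosis", "acne", "rosacea", "melasma", "dose")
# US street address ending in state and ZIP, e.g. "120 Main St, Austin, TX 78701".
POSTAL_RE = re.compile(r"\d{1,6}\s+\S+.*\b[A-Z]{2}\s+\d{5}\b")

@dataclass
class Consent:
    """What the patient agreed to receive at the address they gave, and when."""
    transactional: bool           # confirmations and reminders
    marketing: bool               # general promotions: a separate opt-in
    opted_out: bool = False       # STOP / unsubscribe already processed
    recorded_at: str = ""         # timestamp and source of the opt-in wording

@dataclass
class Message:
    to: str
    kind: str                     # "transactional", "marketing" or "clinical"
    subject: str
    body: str
    channel: str = "plain_email"  # or "secure_portal"
    has_attachment: bool = False  # photos, forms, records
    approved_by: str = ""         # staff member who reviewed it, if anyone

def clinical_terms_in(text: str) -> list:
    """Steps 1 and 3: the treatment or condition words a message names."""
    low = text.lower()
    return sorted(t for t in CLINICAL_TERMS if re.search(rf"\b{t}\b", low))

def has_canspam_footer(body: str) -> bool:
    """Step 5: an unsubscribe mechanism plus a physical postal address."""
    return "unsubscribe" in body.lower() and POSTAL_RE.search(body) is not None

def gate(msg: Message, consents: dict, audit: list) -> tuple:
    """Run the checklist and return (action, reasons); block beats hold, hold beats send."""
    block, hold = [], []
    consent = consents.get(msg.to)
    # Step 2: recorded consent for this address and this content type.
    if consent is None:
        block.append("no recorded consent for this address")
    elif consent.opted_out:
        block.append("recipient has opted out")
    elif msg.kind == "marketing" and not consent.marketing:
        block.append("marketing sent without a marketing opt-in")
    elif msg.kind == "transactional" and not consent.transactional:
        block.append("transactional message without opt-in")
    # Step 1: PHI test. The recipient is identified, so a named treatment,
    # an attachment or clinical content makes the whole message PHI.
    terms = clinical_terms_in(msg.subject + " " + msg.body)
    if terms or msg.has_attachment or msg.kind == "clinical":
        detail = ", ".join(terms) if terms else msg.kind
        if msg.channel != "secure_portal":  # step 4: PHI only on a secure channel
            hold.append(f"PHI ({detail}) on {msg.channel}; route to secure portal")
        if not msg.approved_by:             # step 6: a person decides, never autosend
            hold.append(f"PHI ({detail}) needs explicit human approval")
    # Step 5: CAN-SPAM hygiene on every promotional email.
    if msg.kind == "marketing" and not has_canspam_footer(msg.body):
        hold.append("marketing email lacks unsubscribe link or postal address")
    action = "block" if block else "hold_for_human" if hold else "send"
    # Step 7: audit trail of what went where, on which channel, and who approved it.
    audit.append({"to": msg.to, "kind": msg.kind, "channel": msg.channel,
                  "approved_by": msg.approved_by, "action": action,
                  "reasons": block + hold})
    return action, block + hold

# Constructed consent records (keyed by the verified address) and sample
# messages that mirror the article's safe and risky wordings.
CONSENTS = {
    "sarah@example.com": Consent(True, True, recorded_at="2024-03-01 web form"),
    "dev@example.com": Consent(True, False, recorded_at="2024-03-02 intake"),
    "gone@example.com": Consent(True, True, opted_out=True),
}
FOOTER = "\n[Clinic Name] · 120 Main St, Suite 4, Austin, TX 78701 · Unsubscribe: https://example.com/u"
AFTERCARE = "The aftercare we discussed for your peel."
SAMPLES = {
    "safe_reminder": Message("sarah@example.com", "transactional", "Reminder: your appointment",
                             "Hi Sarah, a reminder of your appointment on Thursday at 2 p.m."),
    "risky_reminder": Message("sarah@example.com", "transactional",
                              "Your lip filler touch-up is confirmed", "See you Thursday."),
    "promo_no_footer": Message("sarah@example.com", "marketing", "This month", "Openings next week."),
    "promo_ok": Message("sarah@example.com", "marketing", "This month", "Openings next week." + FOOTER),
    "promo_no_optin": Message("dev@example.com", "marketing", "Offer", "Openings next week." + FOOTER),
    "opted_out": Message("gone@example.com", "transactional", "Reminder", "Your appointment is Thursday."),
    "clinical_secure": Message("sarah@example.com", "clinical", "Your aftercare plan", AFTERCARE,
                               channel="secure_portal", approved_by="nurse.j"),
    "clinical_plain": Message("sarah@example.com", "clinical", "Your aftercare plan", AFTERCARE,
                              approved_by="nurse.j"),
}

def run_samples() -> dict:
    """Gate every sample and return {name: action} plus the audit entry count."""
    audit = []
    results = {name: gate(m, CONSENTS, audit)[0] for name, m in SAMPLES.items()}
    results["audit_entries"] = len(audit)
    return results
```

Calling `run_samples()` sends only the "your appointment" reminder, the footered promotion and the approved clinical message on the secure portal; everything that names a treatment on plain email or lacks a footer is held for a person, and anything without matching consent is blocked.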

Compliant templates (no PHI, ready to use)

Here are messages a med spa can send and, where noted, safely automate, because they pass the PHI test: they are either not about an identifiable person's health, or they carefully avoid naming any treatment or condition. Swap in your details, and keep the discipline of leaving clinical specifics out. Start with the instant inquiry acknowledgment, the single highest-value automated message a clinic sends, because it catches the after-hours lead before they book elsewhere.

Instant inquiry acknowledgment (safe to autosend)
Subject: Thanks for reaching out to [Clinic Name]
Hi [First Name], thank you for contacting [Clinic Name], we received your message and a member of our team will follow up shortly to help you book a consultation.
In the meantime, you can view our hours and location here, or reply to this email with a few times that work for you.
We look forward to seeing you.

The appointment reminder is the next workhorse. Note that it never names the treatment, it says "your appointment," which keeps it safe while still doing its job of cutting no-shows.

Appointment reminder (safe to autosend, no treatment named)
Subject: Reminder: your appointment at [Clinic Name]
Hi [First Name], this is a friendly reminder of your appointment with [Clinic Name] on [Date] at [Time].
Please arrive about 10 minutes early. Need to reschedule? Reply to this message or call us at [Phone].
See you soon.

A general post-visit check-in keeps patients cared for without stating what was done. It invites them to reply, which moves any clinical conversation onto a channel a human controls.

Post-visit check-in (safe, invites a human reply)
Subject: How are you feeling after your visit?
Hi [First Name], thank you for visiting [Clinic Name]. We wanted to check in and see how you are doing.
If you have any questions, just reply here and a member of our team will get back to you, or call us at [Phone] and we are happy to help.
Take care, and thank you for trusting us.

General marketing to a consented list is safe as long as it is not targeted using anyone's health data and carries the required unsubscribe and postal-address footer. This is the kind of promotion you can send broadly.

General promotion (consented list, CAN-SPAM footer required)
Subject: This month at [Clinic Name]: openings and a seasonal offer
Hi [First Name], we have appointments available over the next two weeks and a limited seasonal offer for our community.
Book your visit here, or reply and we will find a time that works for you.
[Clinic Name] · [Full physical mailing address] · Unsubscribe: [working link]

Finally, a secure-handoff message for when a patient asks a clinical question by email. Rather than answering with health detail over plain email, you acknowledge and redirect to a secure channel, which a human sends deliberately.

Secure handoff (human-sent, moves clinical detail off plain email)
Subject: Following up on your question
Hi [First Name], thanks for your question. So we can share the right details securely, we will follow up through [secure portal / phone] rather than regular email.
You can expect a message or call from us at [Time frame]. If you would prefer a specific time, let us know.
We appreciate you, and we will be in touch shortly.

What you should never let an automation send on its own

It is worth stating the hard boundaries plainly, because they are the ones that create real exposure. No matter how good your automation is, certain things should never leave your clinic without a human deciding to send them, and never over an insecure channel. If a workflow could ever generate one of the following on autopilot, that workflow is misconfigured.

  • Any message that names a diagnosis, condition, procedure, medication, or body area tied to an identifiable person.
  • Before-and-after photos, intake forms, chart notes, lab or test results, or anything from the medical record.
  • Individualized clinical advice, dosing, eligibility decisions, or treatment recommendations generated without a clinician's review.
  • Marketing that is targeted using patients' health information (for example, a campaign built from "everyone who received a specific treatment").
  • Replies that quote back a patient's described symptoms or history into an unsecured thread.
  • Anything sent to an address or number the patient has not confirmed and consented to, or after they have opted out.
  • Any message where the automation is even slightly unsure whether it contains PHI: uncertainty is a stop sign, not a proceed.

When unsure, a human decides, not the machine

The safest automated system for a clinical setting is one that knows its own limits. If a draft might contain PHI, name a treatment, or answer a clinical question, it should be held for explicit human approval, or refused entirely, rather than sent automatically. Design your inbox so the risky path always requires a person, and the automatic path only ever carries the safe, general, consented messages above.

How AI Emaily helps you stay on the safe side (honestly)

Here is the honest framing first, because you should be suspicious of any tool that claims to "make you HIPAA-compliant." AI Emaily is an AI-native email client, not a compliance authority, and it does not, by itself, make your clinic a HIPAA-compliant operation. Compliance is your organization's responsibility: your covered-entity determination, your policies, your consents, your Business Associate Agreements where required, your staff training, and the safeguards around PHI. No software replaces that work, and you should confirm your setup with your own compliance officer or counsel. What a well-designed AI email client can do is make the compliant path the easy default and the risky path hard to take by accident, which is exactly where most clinics slip.

The core design choice that matters here is that AI Emaily keeps a human in the loop by default. It runs in Manual, Copilot, and Autopilot modes, and for a clinical setting the right posture is approval-before-send: Copilot drafts the reply, the acknowledgment, the reminder, and a person reviews and approves it before anything leaves. The repetitive, low-risk messages, the instant inquiry acknowledgment, the "your appointment" reminder, the general promotion to a consented list, are the ones you can let run more automatically, because they are built to carry no PHI. The sensitive material, the treatment questions and clinical detail, stays with a human, on the channel your clinic has chosen for secure communication. The tool's job is to draft fast and catch the routine work, not to answer clinical questions on its own.

Two more features do quiet but important work. First, everything is auditable and reversible: AI Emaily keeps an audit trail of what was drafted, approved, and sent, and offers undo, which supports both the Security Rule's audit expectations and your own ability to show your process works. Second, the product is built around guardrails that block risky autosends, the design intent is that a message which looks like it contains sensitive or clinical content is held for human approval rather than fired automatically, keeping the clinical and PHI-bearing messages off the automatic path. That is the whole philosophy in one line: automate the marketing, booking, and reminder messaging that leaks your revenue, and keep the clinical, identifiable content human.

AI Emaily is a tool, not a HIPAA solution by itself

AI Emaily supports compliant workflows, approval-before-send, audit trails, undo, and guardrails against risky autosends, but it is not, on its own, a HIPAA-compliant solution, and it does not make your clinic compliant. You remain responsible for your covered-entity determination, your BAAs, your consents, and your safeguards. Confirm what your specific clinic needs, including whether and how you can send PHI, with your compliance officer, your counsel, or HHS.

Putting it together

The path to HIPAA-compliant med spa email is less about heroic technology and more about a clean line, drawn once and held consistently. Learn to recognize PHI, and you can sort every message you send. Automate the safe, general, consented ones, the instant acknowledgment, the reminder that says "your appointment," the promotion to a list that opted in, because those are the messages whose delays actually cost you bookings. Keep the identifiable clinical content, the diagnoses, treatments, photos, and records, with a human on a secure channel, because that is the slice HIPAA and your patients care most about protecting.

Around that line, do the organizational work: get your covered-entity status determined rather than guessed, capture and record consent, sign BAAs with any vendor that touches PHI, keep sensitive content off plain email, and keep an audit trail. A tool like AI Emaily can make the compliant path the effortless one, drafting the routine messages, keeping a human in the loop before send, blocking risky autosends, and logging it all, but it supports your compliance program; it is not your compliance program.

And because this is important enough to repeat: none of this is legal advice, and your specifics may differ. Before you finalize how your clinic emails and texts patients, confirm the details with your compliance officer, your privacy counsel, or HHS. Get that right, and you can move fast on the messages that grow your clinic without ever putting a patient's trust, or your practice, at risk.
