
Jun 5, 2026

Client data privacy for massage therapists — beyond the HIPAA question

Ask a room of massage therapists whether HIPAA applies to them and you'll get a dozen different answers. The honest one is: it depends, and for a lot of cash-only solo practices, it may not. But that question — am I a HIPAA-covered entity? — is the wrong place to start.

The duty you already have

Whether or not HIPAA applies, you owe your clients confidentiality. Your licensing board expects it. Your professional association's code of ethics requires it. And your clients simply assume it — they tell you about injuries, pregnancies, surgeries, and stress, trusting it stays between you.

So the real question isn't "do I have to comply with a federal law?" It's "am I handling my clients' information the way I'd want mine handled?"

Where information quietly leaks

Most privacy problems in a small practice aren't dramatic breaches. They're small, ordinary leaks:

  • Client details texted from your personal phone, living in your message history forever.
  • Intake forms on paper, or in a shared notes app.
  • Booking tools that sell or share usage data, or load advertising trackers on pages tied to your clients.
  • Spreadsheets of names and numbers synced to who-knows-where.

None of these feel risky in the moment. Together they're the actual exposure.

What good privacy looks like

You don't need an IT department. You need tools that default to protecting your clients:

  • Messages from a real business number, not your personal cell.
  • Records that are encrypted and isolated to your practice.
  • No data selling and no ad trackers on anything that touches client information.
  • A clear agreement (a BAA) available if your practice needs one — without a sales call.

Privacy as a feature, not a fear

Some software sells HIPAA with fear. We think that's backwards, and informed buyers see through it. The better frame is the one you already live by: your clients trust you, and your tools should make that trust easy to keep.

That's how Stillbook is built. Trackers live only on our public marketing pages — never on your dashboard, your booking page, or the links your clients use. We don't sell data. And if you want a BAA, you accept it in-app in a minute. Confidentiality shouldn't be a tier you upgrade to.
