Med spa charting is awkward because the work is awkward. Half the visit is medical — a licensed injector pushing 24 units of Botox into the glabella, or a laser tech firing an Nd:YAG at a series 3-of-6 session. The other half is retail — the same patient leaves with a $180 vitamin C serum and a rebooking for filler in 90 days. Most generic EHRs were not built for this hybrid. Most retail POS systems were not built for HIPAA. So med spas end up with a paper consent on a clipboard, a phone full of unencrypted before/after photos, a sticky note tracking "she got 20 units forehead, 8 crow's feet" from last visit, and a Square account that has no idea any of this happened. This guide walks through what good med spa charting actually looks like in 2026, and the seven steps to get there — eConsent, photo workflow, Botox unit tracking, filler syringe logs, laser session series, treatment plan acceptance, and retail cross-sell — without leaving the platform.
What Good Med Spa Charting Looks Like
A clean med spa visit produces five artifacts in a specific order, and every one of them is tied to the same patient record:
1. eConsent signed before the patient walks in. Sent the day before via SMS or email. Signed on their phone. Stored encrypted, dated, and ready to retrieve in an audit.
2. Before photo captured at consistent angles and lighting. Front, left oblique, right oblique. Patient hair pulled back. No filters. Stored against the patient chart, not in the camera roll.
3. Treatment logged in real time with units, syringes, lots, and zones. "24 units Botox forehead, 8 units crow's feet R, 8 units crow's feet L, lot #C5841, expires 2027-03." The injector enters this on a tablet during or immediately after the procedure, not from memory at the end of the day.
4. After photo at the matching angles. Same lighting, same distance, same poses. Stored next to the before. The chart now has a comparison view.
5. Next visit booked before the patient leaves. Botox at 90 days. Laser session 4-of-6 at 30 days. Skincare reorder reminder at 45 days.
If any of those five steps lives outside the chart — on paper, in a phone gallery, in a separate POS — your charting is broken. Not in a "we should clean this up someday" way. In a HIPAA exposure, lost-revenue, lost-patient way.
Step 1: Digital eConsent Forms (Send Before the Visit)
Paper consent on a clipboard at check-in is the single most common charting mistake at small and mid-size med spas, and it is the easiest one to fix. Three reasons paper consent fails:
It eats time at the front desk. A new patient filling out a 4-page Botox consent at the counter is 8-12 minutes the receptionist is not booking, not selling retail, not answering the phone. Across a 30-patient day that is 4-6 hours of staff time.
It is not actually compliant once it leaves the room. Paper consents end up scanned eventually, stored in a folder on a laptop, sometimes emailed unencrypted to the medical director. That is exactly the workflow the OCR cites in HIPAA enforcement actions.
It blocks photo and treatment workflow. No injector should be picking up a syringe before consent is signed. If consent is on paper and not yet signed, you have either a delayed appointment or a non-compliant procedure.
The fix is to send eConsent the day before. The booking confirmation triggers an SMS and email with a link to the procedure-specific consent (Botox, dermal filler, laser hair removal, IPL, microneedling — they are different forms with different risk language). The patient signs on their phone with a finger or stylus, the signed PDF is stored encrypted against their chart with a timestamp and IP, and the front desk sees a green "consent on file" indicator at check-in. If consent is not signed by the time they walk in, your platform should either prompt them to sign on a tablet on arrival or block check-in until it is signed. There is no third option that protects you legally.
- One consent template per procedure. Generic "med spa consent" forms have been thrown out in court. Procedure-specific risk language matters.
- Renew annually for repeat treatments. A patient who signed a Botox consent in 2024 should re-sign in 2025. Most platforms can auto-trigger this.
- Track who signed and when. Audit log with timestamp, IP address, and the version of the consent template signed.
- Witness/provider co-signature where required. Some states require the injecting provider to also sign. Build it into the workflow, not an afterthought.
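The check-in gate described above, as an added example (not code from Deelo or any charting product): it treats consent as valid only when it is for the same procedure, signed within the last year, and co-signed where that is required. The record fields, procedure names, patient IDs and IP addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

RENEWAL_WINDOW = timedelta(days=365)  # "renew annually for repeat treatments"


@dataclass(frozen=True)
class ConsentRecord:
    """One signed consent, carrying the audit fields listed above."""
    patient_id: str
    procedure: str            # one template per procedure, e.g. "botox"
    template_version: str     # version of the template the patient signed
    signed_at: datetime       # timezone-aware UTC timestamp
    signer_ip: str
    provider_cosigned_at: Optional[datetime] = None


def check_in_decision(records: Iterable[ConsentRecord], patient_id: str,
                      procedure: str, now: datetime,
                      cosign_required: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for the front-desk consent indicator."""
    matching = [r for r in records
                if r.patient_id == patient_id and r.procedure == procedure]
    if not matching:
        return False, "no consent on file for this procedure"
    latest = max(matching, key=lambda r: r.signed_at)
    if latest.signed_at > now:
        return False, "consent timestamp is in the future; record rejected"
    if now - latest.signed_at > RENEWAL_WINDOW:
        return False, "consent older than one year; re-sign required"
    if cosign_required and latest.provider_cosigned_at is None:
        return False, "provider co-signature missing"
    return True, f"consent on file (template {latest.template_version})"


# Constructed sample data: patient IDs, IPs and template versions are made up.
UTC = timezone.utc
SAMPLE_RECORDS = [
    ConsentRecord("pt-001", "botox", "botox-v3",
                  datetime(2024, 6, 1, 15, 0, tzinfo=UTC), "203.0.113.10"),
    ConsentRecord("pt-001", "dermal_filler", "filler-v2",
                  datetime(2026, 1, 10, 9, 30, tzinfo=UTC), "203.0.113.10"),
]

if __name__ == "__main__":
    today = datetime(2026, 2, 1, tzinfo=UTC)
    for proc in ("botox", "dermal_filler", "ipl"):
        print(proc, check_in_decision(SAMPLE_RECORDS, "pt-001", proc, today))
```

A recent filler consent does not unlock a Botox appointment here, which is the behaviour the procedure-specific rule asks for.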
Step 2: Before/After Photo Workflow (Encrypted, Consistent, Comparable)
Before/after photos are simultaneously your most powerful marketing asset and your biggest HIPAA exposure. A med spa with a strong before/after library converts consults at 50%+. A med spa whose injector keeps photos in their personal phone gallery is one stolen phone away from a regulatory event. Both things are true at the same time, and the workflow has to handle both.
Capture standards (the part most med spas skip):
- Three angles minimum: front, left 45-degree oblique, right 45-degree oblique. For lower face filler, add a profile. For body procedures, full anterior, posterior, and laterals.
- Consistent distance. Use a marked spot on the floor. 4 feet from the wall is a reasonable standard.
- Consistent lighting. Same overhead light, same ring light, same time of day where possible. Natural window light photos cannot be compared to fluorescent room photos.
- Hair pulled back, makeup off, no jewelry. This is for facial procedures; the goal is to isolate the treated area.
- No filters, no Portrait mode background blur, no beauty modes. Stock iPhone or iPad camera in default photo mode.
Storage standards (the part regulators care about):
Photos must be stored encrypted at rest, accessible only to authorized staff, and tied to the patient chart with the date, the procedure, and the practitioner who took them. They cannot live in a personal device camera roll. They cannot be texted between staff. They cannot be uploaded to a generic Google Drive folder. The standard 2026 workflow is: a tablet at the photo station with a chart-linked camera app, photo captured directly into the patient record (not the device gallery), AES-256 encryption at rest, role-based access, and a retention policy that matches your state's medical record retention rules (typically 7-10 years).
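One way to meet the storage standard above, as an added example rather than any vendor's code: AES-256-GCM encrypts each photo and authenticates the chart metadata (patient, date, procedure, practitioner) as associated data, so a ciphertext moved to another chart fails to decrypt. It assumes the third-party `cryptography` package; the role names, identifiers and the in-process demo key are assumptions.

```python
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed role names; map these to the roles your platform defines.
ROLES_ALLOWED_TO_VIEW = {"injector", "medical_director"}
NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


def new_photo_key() -> bytes:
    """Demo key only; assume production keys come from a KMS or HSM."""
    return AESGCM.generate_key(bit_length=256)


def chart_context(patient_id: str, visit_date: str, procedure: str,
                  practitioner: str) -> bytes:
    """Canonical bytes for the chart metadata the photo is tied to."""
    return json.dumps(
        {"patient_id": patient_id, "visit_date": visit_date,
         "procedure": procedure, "practitioner": practitioner},
        sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_photo(key: bytes, image: bytes, context: bytes) -> bytes:
    """Encrypt a photo with AES-256-GCM, authenticating the chart context."""
    if len(key) != 32:
        raise ValueError("AES-256 requires a 32-byte key")
    nonce = os.urandom(NONCE_LEN)  # must never repeat under the same key
    return nonce + AESGCM(key).encrypt(nonce, image, context)


def open_photo(key: bytes, blob: bytes, context: bytes, role: str) -> bytes:
    """Decrypt for an authorized role; raises if the context does not match."""
    if role not in ROLES_ALLOWED_TO_VIEW:
        raise PermissionError(f"role {role!r} may not view clinical photos")
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, context)


def can_open(key: bytes, blob: bytes, context: bytes, role: str) -> bool:
    """True only when the role is allowed and the photo belongs to this chart."""
    try:
        open_photo(key, blob, context, role)
        return True
    except (PermissionError, InvalidTag):
        return False


if __name__ == "__main__":
    key = new_photo_key()
    ctx = chart_context("pt-001", "2026-02-01", "botox", "inj-7")  # constructed
    blob = seal_photo(key, b"constructed image bytes", ctx)
    print(can_open(key, blob, ctx, "injector"))     # authorized, right chart
    print(can_open(key, blob, ctx, "front_desk"))   # role not permitted
    wrong = chart_context("pt-002", "2026-02-01", "botox", "inj-7")
    print(can_open(key, blob, wrong, "injector"))   # photo moved to wrong chart
```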
Comparison view:
The payoff for doing capture and storage right is the comparison view. Pull up a patient's chart, switch to the photo tab, and see all visits side-by-side at matching angles. Patients see real progress. Injectors see what worked and what did not. Your marketing team — with a separate, explicit photo release consent — can pull anonymized comparable cases for social. None of that works if the angles are inconsistent or if the photos are scattered across three injectors' phones.
Step 3: Botox Unit Tracking (Per Zone, Per Visit, Running Total)
A Botox visit is not "she got Botox today." It is a specific number of units in specific anatomical zones, drawn from a specific lot, with a specific expiration. Charting it as anything less is a clinical and legal risk.
The minimum data per Botox treatment:
- Date and provider. Who injected, when.
- Product. Botox, Dysport, Xeomin, Jeuveau, Daxxify — they are not interchangeable units.
- Lot number and expiration. Required for any product recall response.
- Reconstitution. Volume of saline used, concentration (e.g., 100 units in 2.5 mL = 4 units per 0.1 mL).
- Units per zone. Forehead (frontalis), glabella (corrugators/procerus), crow's feet left, crow's feet right, brow lift, masseter L/R, neck/platysma, lip flip, gummy smile, chin/mentalis. Itemize.
- Total units this visit.
- Running total this calendar year. Some patients track this for budgeting; some providers track it because tachyphylaxis (resistance) becomes a discussion point above 200 units/year for some patients.
A proper med spa chart has a Botox tab where every visit is a row, every row is itemized by zone, and the running total updates automatically. The injector can see at a glance: "She got 24 in the forehead last time and complained of brow heaviness. This time we drop to 18." That is the entire reason to chart this — clinical decisions are better when the data is in front of you, not reconstructed from memory or a Post-it note.
- Diagram-based entry beats free text. A face diagram where the injector taps zones and enters units is faster and less error-prone than a notes field.
- Standing order vs. visit-by-visit. If your medical director writes standing orders, the chart should reference the order; if visit-by-visit, the order should be co-signed.
- Photo-linked. The Botox treatment record should link to the before/after photos for that visit so the comparison view shows treatment context, not just images.
- Touch-up windows. Most providers allow a free or discounted touch-up at 2 weeks if the patient is unhappy. The chart should track whether the visit is a primary treatment or a touch-up.
Step 4: Filler Syringe Tracking (Zone, Syringe Count, Lot, Expiration)
Dermal filler charting is similar to Botox but with different units. You are tracking syringes (or partial syringes), not units. You are tracking specific products with very different rheologies — Juvéderm Voluma vs. Restylane Lyft vs. RHA 4 are not interchangeable, and the chart should reflect what was actually used in case of complications.
The minimum data per filler treatment:
- Date and provider.
- Product and specific formulation. "Juvéderm Voluma XC" — not just "Juvéderm." Specific formulations matter for indication, depth, and reversibility.
- Lot number and expiration.
- Syringe count per zone. Cheeks 1.0 syringe (0.5 each side), nasolabial folds 0.5, lips 1.0, chin 0.5, jawline 1.0 each side. Total: 4.0 syringes.
- Cannula vs. needle, gauge, depth. "25g cannula, supraperiosteal" or "27g needle, mid-dermal." This is the data that matters when a patient calls three days later with vascular concerns.
- Hyaluronidase availability and patient allergies confirmed. Pre-procedure checkbox in the chart, not implied.
Lot tracking is the part most med spas underweight. When a manufacturer issues a recall or a quality alert, you have hours to identify every patient who received the affected lot. If lot numbers live on a sticker in a logbook in a cabinet, that response is going to be slow and incomplete. If lot numbers are in the EHR, you run one query and have a list of patients to call.
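The "one query" recall lookup, as an added example that is not taken from any EHR: filler treatments sit in structured rows and a parameterized query returns each patient exposed to a lot. The table layout, lot numbers, patient and provider IDs are constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE filler_treatment (
    id          INTEGER PRIMARY KEY,
    patient_id  TEXT NOT NULL,
    treated_on  TEXT NOT NULL,   -- ISO date, so MIN/MAX sort correctly
    provider    TEXT NOT NULL,
    product     TEXT NOT NULL,   -- specific formulation, not just the brand
    lot_number  TEXT NOT NULL,   -- stored normalized (see normalize_lot)
    lot_expires TEXT NOT NULL,
    zone        TEXT NOT NULL,
    syringes    REAL NOT NULL
);
CREATE INDEX idx_filler_lot ON filler_treatment (lot_number);
"""

# Constructed sample rows; none of these values come from a real chart.
SAMPLE_ROWS = [
    ("pt-001", "2026-01-12", "inj-7", "Juvéderm Voluma XC", "lot-a100", "2027-06", "cheeks", 1.0),
    ("pt-001", "2026-01-12", "inj-7", "Juvéderm Voluma XC", "LOT-A100", "2027-06", "chin", 0.5),
    ("pt-002", "2026-01-20", "inj-3", "Juvéderm Voluma XC", "LOT-B200", "2027-09", "cheeks", 1.0),
    ("pt-003", "2026-02-02", "inj-7", "Juvéderm Voluma XC", "LOT-A100 ", "2027-06", "jawline", 2.0),
]


def normalize_lot(lot_number: str) -> str:
    """Strip whitespace and upper-case so typing variants match the same lot."""
    return lot_number.strip().upper()


def build_demo_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO filler_treatment (patient_id, treated_on, provider, product,"
        " lot_number, lot_expires, zone, syringes) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [row[:4] + (normalize_lot(row[4]),) + row[5:] for row in SAMPLE_ROWS])
    return conn


def patients_for_lot(conn: sqlite3.Connection, lot_number: str) -> list:
    """One row per affected patient: id, first and last exposure, total syringes."""
    return conn.execute(
        """SELECT patient_id, MIN(treated_on), MAX(treated_on), SUM(syringes)
             FROM filler_treatment
            WHERE lot_number = ?          -- bound parameter, never string-built
            GROUP BY patient_id
            ORDER BY patient_id""",
        (normalize_lot(lot_number),)).fetchall()


if __name__ == "__main__":
    for row in patients_for_lot(build_demo_db(), "lot-a100"):
        print(row)
```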
Step 5: Laser Session Series (Package of 6, Per-Session Photos, Settings Logged)
Most laser treatments are sold as packages — 6 sessions of laser hair removal, 4 sessions of IPL photofacial, 3 sessions of fractional CO2. Charting a series correctly means three things have to work together: the package itself (sold, prepaid, expires when), the sessions completed (3 of 6, with dates), and the device settings used per session (so the next provider can replicate or escalate).
What the chart should show:
- Package status. "Laser Hair Removal — Lower Legs — 6 sessions. 3 completed. 3 remaining. Expires 2027-05-01."
- Per-session record. Date, provider, device used (e.g., Candela GentleMax Pro, Cynosure Elite+), settings (fluence J/cm², pulse duration ms, spot size mm, cooling), patient response (post-treatment erythema, perifollicular edema), and a per-session photo.
- Escalation path. Most laser hair removal protocols increase fluence at sessions 2 and 4 if tolerated. The chart should make the prior session's settings visible so the current provider can dose appropriately.
- Test spot for new patients. Documented before the first full session, especially for darker Fitzpatrick types.
The per-session photo is non-negotiable. A patient at session 5 of laser hair removal who feels "it is not working" is a different conversation when you can pull up session 1 and session 5 side-by-side and show the actual reduction. Most patients underestimate their progress.
Step 6: Treatment Plan Acceptance (Quote at Consult → Signed → Booked)
A consultation that does not produce a written, signed treatment plan is a consultation you mostly lose. The patient leaves with a vague memory of "she said maybe Botox and a syringe of filler," shops your competitor, and either books elsewhere or never books at all. Med spas that consistently produce a written plan at the end of every consult convert at 1.5-2x the rate of those that do not.
The treatment plan is a document that lives in the patient chart and shows:
- The recommended treatment(s) with specific products and quantities. "Botox: 24 units forehead, 24 units glabella, 16 units crow's feet — 64 units total. Juvéderm Voluma: 2 syringes for cheek volumization."
- Itemized pricing. Each line with the price and any package or membership discount applied.
- Total cost and any deposit required.
- Recommended sequencing. "Botox today, return at 2 weeks for filler so the upper face is settled before adding volume."
- Maintenance schedule. "Botox every 90 days, Voluma touch-up at 12 months."
- Acceptance signature. Patient signs (electronically) at the end of the consult to accept the plan, with the option to accept partial scope.
The signed plan triggers two things automatically: a deposit charge or financing application (CareCredit, Cherry, Alphaeon), and the booking of the first treatment appointment before the patient leaves. If the first appointment is not booked at the consult, you are betting on the patient remembering to call back. That bet loses 60-70% of the time.
Step 7: Retail Cross-Sell (Skincare Tied to Treatment Notes)
Retail is the highest-margin revenue in a med spa. A vitamin C serum sold at $180 with a 60% margin nets more than the third syringe of filler in a busy month. But retail only works if it is recommended in context, not pushed at checkout. The right place to recommend retail is in the chart, by the treating provider, tied to the procedure the patient just received.
What the workflow should do:
- Pre-loaded protocols by procedure. After laser hair removal: zinc-based mineral SPF, gentle cleanser. After microneedling: copper peptide serum, occlusive moisturizer for 48 hours, no actives for 5 days. After Botox: nothing topical, no heat for 4 hours, no lying flat for 4 hours. The chart should pre-populate these recommendations based on what was done.
- Provider notes added in the chart, not the POS. The injector adds "recommended SkinCeuticals C E Ferulic" to the chart. That recommendation flows to the front desk.
- Front desk closes the loop. "Dr. Patel recommended C E Ferulic for the morning routine. We have it stocked — would you like to add it today?" That is a different sales conversation than a cold "would you like any products?"
- Follow-up reorder reminders. A 1 fl oz serum lasts ~45 days. The system should send a reorder reminder at day 40 with a one-tap reorder link, ideally with auto-ship enrollment for repeat customers.
The charting system has to be the source of truth for retail recommendations. If the recommendation lives only in the injector's head, it dies at the door.
Common Med Spa Charting Mistakes (and What They Cost)
- Paper consent forms scanned later. Slows check-in, creates a HIPAA exposure window, and produces an audit trail no regulator finds adequate. Use eConsent sent before the visit.
- Photos in personal phone galleries. This is the single fastest way to a HIPAA enforcement action. Stolen phone, lost phone, departing employee — none of those should put protected images at risk. Use a chart-linked camera with encrypted storage.
- Inconsistent photo angles and lighting. Makes comparison views useless and undermines marketing usage. Set a standard, mark a floor spot, and stick to it across every injector.
- Manual unit tracking on Post-its or Word docs. Loses the running total, loses lot numbers, makes recall response impossible. Put units, lots, and expirations in the EHR with structured fields.
- Treatment plans verbally agreed at the consult. Patient leaves and 60-70% of those plans evaporate. Sign the plan electronically before the patient leaves the consult and book the first appointment in the same session.
- Retail recommendations made only at the front desk. Detached from the procedure, they feel like upsells. Recommendations made by the injector in the chart and reinforced at checkout convert 2-3x better.
- Laser settings recorded as 'standard protocol' with no specifics. Makes session-over-session escalation impossible and risks re-treating at the wrong fluence. Log device, fluence, pulse duration, spot size, and cooling per session.
- No annual consent renewal for repeat patients. A 2024 Botox consent does not cover 2026 procedures cleanly. Re-consent annually as part of the booking flow.
How Deelo Handles Med Spa Charting
Deelo's Practice app is the HIPAA-grade chart that handles everything in this guide in a single workflow. Patient records, eConsent forms (procedure-specific templates with annual renewal), encrypted photo storage with a chart-linked camera, structured Botox and filler logs (units per zone, lots, expirations, running totals), laser session series tracking with per-session settings and photos, treatment plan generation with electronic acceptance, and retail recommendations that flow from the chart to the POS.
What makes the all-in-one approach different for med spas specifically: Practice (charting + EHR), Forms (eConsent templates and signatures), Bookings (online scheduling with deposit collection), Marketing (post-procedure SMS, reorder reminders, rebooking campaigns), Invoicing and POS (procedure billing and retail in one register), and Design (the marketing-ready before/after library, with separate consent gates) all share one patient record. The injector logs 24 units of Botox once. That entry triggers the chart update, the after-photo prompt, the rebooking suggestion, the retail recommendation, the invoice, and the 90-day campaign enrollment — without anyone re-keying the data into a second or third system.
Pricing: Free tier for solo providers running fewer than 100 visits/month. Starter at $19/seat/mo for small med spas (1-5 staff). Business at $39/seat/mo adds advanced marketing automation, lead scoring, and custom reporting. Enterprise at $69/seat/mo for multi-location groups with SSO, advanced compliance reporting, and dedicated account management. HIPAA-grade encryption, BAA on request, audit logs, and role-based access on every tier.
Med Spa Charting Software FAQ
- What is med spa charting software?
- Med spa charting software is a HIPAA-grade EHR built around the specific workflows of a medical aesthetic practice — eConsent forms, encrypted before/after photo storage, structured tracking of injectables (Botox units per zone, filler syringes per zone with lot numbers), laser session series, treatment plan acceptance, and retail cross-sell tied to procedures. It differs from a general medical EHR by treating injectable units, syringe counts, and laser settings as first-class structured data rather than free-text notes, and it differs from a beauty POS by being HIPAA-compliant with audit logs, encryption at rest, and procedure-specific consent templates.
- Do med spas need HIPAA-compliant charting if they only do cosmetic procedures?
- Yes. The medical part of "medical spa" makes you a covered entity under HIPAA the moment a licensed provider performs a procedure. Botox, dermal filler, laser hair removal, IPL, microneedling, and chemical peels are medical procedures with PHI implications — patient records, photographs of identifiable patients, medication administration, and treatment notes are all protected. The OCR has issued enforcement actions against med spas for unencrypted photo storage, paper consent mishandling, and unauthorized access by departing staff. HIPAA-compliant charting is not optional for any med spa operating a medical license.
- How should before/after photos be stored to stay HIPAA-compliant?
- Before/after photos must be stored encrypted at rest (AES-256 is standard), accessible only to authorized staff via role-based access, tied directly to the patient chart (not a separate gallery), and never stored in personal device camera rolls. The standard 2026 workflow uses a chart-linked camera app on a clinic tablet that captures directly into the patient record without writing to the device gallery. For marketing use of photos, you need a separate, explicit photo-release consent that names how the image may be used and for how long. Generic media releases buried in a multi-page consent are increasingly being challenged.
- How do I track Botox units across visits without a Post-it note?
- Use a charting system with a structured Botox tab — face diagram for zone selection, units entered per zone (forehead, glabella, crow's feet L, crow's feet R, brow lift, masseter, lip flip, neck), lot number and expiration captured per visit, and an automatic running total per calendar year. The chart should let you compare prior visits at a glance so you can adjust dosing based on prior outcomes (e.g., reducing forehead units if the patient reported brow heaviness). Free-text notes lose data; structured fields produce reports, recall lists, and clinical patterns.
- What should a med spa treatment plan include to actually convert?
- A treatment plan that converts has six parts: specific products and quantities ("24 units Botox forehead, 24 glabella, 16 crow's feet — 64 units total; 2 syringes Juvéderm Voluma cheeks"), itemized pricing with any package or membership discount applied, total cost and deposit required, recommended sequencing ("Botox today, return at 2 weeks for filler"), maintenance schedule ("Botox every 90 days, Voluma touch-up at 12 months"), and an electronic acceptance signature. The signed plan should automatically trigger deposit collection and the booking of the first appointment before the patient leaves. Verbal-only plans convert at roughly half the rate of signed plans.
- How much does med spa charting software cost in 2026?
- Specialty med spa EHRs (AestheticRecord, PatientNow, Symplast, Nextech) range from $200-600/month per provider, often with separate add-ons for marketing, payments, and advanced reporting. All-in-one platforms like Deelo bundle charting (Practice), eConsent (Forms), online booking, marketing automation, invoicing, POS, and the before/after photo library at $19-69/seat/month with HIPAA-grade encryption included. For solo and small med spas (1-10 staff), the all-in-one pricing typically runs 60-80% lower than the specialty stack, while covering the same charting needs. Very high-volume practices (1,000+ procedures/month) with complex coding may still prefer a specialty EHR.
- Can I run med spa charting and a retail POS in the same system?
- Yes, and you should. The reason most med spas have a charting/POS gap is historical — early EHRs did not support retail, and early salon POS systems did not handle PHI. In 2026, all-in-one platforms (including Deelo) handle medical charting and retail POS in the same patient record. The benefit is that retail recommendations made by the injector in the chart flow to the front desk at checkout, post-procedure aftercare protocols pre-populate based on what was performed, and reorder reminders and auto-ship can be triggered from procedure data. Two-system setups lose this — recommendations get re-keyed or skipped, and retail margin walks out the door.