Digital intake & consent forms for medical spas: the complete guide

Paper intake and consent forms are quietly one of the riskiest parts of running a medical spa: forms that never get signed, a clipboard handed over while the client is already in the chair, and a filing cabinet that no one wants to be searching during an audit or a complaint. Here's what a real digital forms system does, the forms every medspa needs, and how to set them up so consent is always signed before the treatment.

The Lumè team · 11 min read

Every medical spa runs on two kinds of paperwork: intake (who the client is, their health history) and consent (proof they understood and agreed to a specific treatment). Get these wrong and you have both an operational headache and a real liability. Get them right — digital, signed in advance, and stored on the chart — and they become invisible infrastructure that protects you.

Intake vs. consent: not the same thing

They’re often lumped together, but they do different jobs and follow different rules:

  • Intake collects information — contact details, medical history, medications, allergies, emergency contact. Usually signed once per client and updated when something changes.
  • Consent is a legal acknowledgement that the client understands a treatment’s risks and agrees to it. For clinical procedures it should be signed fresh per treatment and versioned, so you can always prove exactly what the client agreed to, and when.

Why paper (and generic PDFs) fall short

A clipboard or an emailed PDF technically “works,” but it fails in the ways that matter:

  • Forms don’t get signed. If consent depends on someone remembering to hand over a form, eventually it gets skipped — usually on the busiest day.
  • No version trail. When you update your consent wording, a paper pile can’t tell you which version a client signed two years ago. A complaint is the worst time to discover that.
  • PHI in the wrong places. Health history sitting in an inbox or an unsecured PDF tool is a HIPAA problem. Forms collect protected health information and have to be handled accordingly.
  • It’s slow. Filling forms in the waiting room eats appointment time and starts the visit on a clipboard instead of a conversation.

What a real medspa forms system does

1. E-signature with a tamper-evident record

The client signs on their phone; the system stores the signed document, the signature, a timestamp, and the form version. That’s legally valid under the ESIGN Act and stronger evidence than paper — you can show exactly what was agreed and when. See what a BAA actually covers for the compliance backdrop.

2. Auto-sent at booking

The highest-leverage feature: when a client books a service that requires consent, the system automatically emails a secure link to read and sign before they arrive. No front-desk scramble, no forms signed in the chair. This is part of what good medspa scheduling software should do, not a separate bolt-on.

3. Versioned, per-treatment consent

Each consent is tied to the treatment and frozen at the version the client signed. Update your wording later and historical records stay exactly as they were signed — the audit-proof default.
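A minimal sketch of the tamper-evident, version-frozen record described in items 1 and 3, as an added example that is not Lumè's code. It pins each signature to a hash of the exact wording and chains records with an HMAC so a later edit is detectable; the key, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a server-side secret; in production this lives in a KMS/HSM.
SERVER_KEY = b"constructed-demo-key"

def form_version_id(form_text: str) -> str:
    """Content hash of the exact consent wording: new wording, new version."""
    return hashlib.sha256(form_text.encode("utf-8")).hexdigest()

def _seal(body: dict) -> str:
    """HMAC over a canonical JSON encoding of the record body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def sign_consent(log, client_id, service, form_text, signature_image, signed_at):
    """Append a record that binds who signed, what version, and when."""
    record = {
        "client_id": client_id,
        "service": service,
        "form_version": form_version_id(form_text),
        "signature_sha256": hashlib.sha256(signature_image).hexdigest(),
        "signed_at": signed_at,
        "prev_seal": log[-1]["seal"] if log else "",  # chains to prior record
    }
    record["seal"] = _seal(record)
    log.append(record)
    return record

def verify_log(log) -> int:
    """Return the index of the first altered record, or -1 if all verify."""
    prev = ""
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "seal"}
        if body["prev_seal"] != prev or not hmac.compare_digest(_seal(body), rec["seal"]):
            return i
        prev = rec["seal"]
    return -1

def demo():
    # Constructed sample wording and signature bytes.
    v1 = "Laser consent (original wording): I understand the risks."
    v2 = "Laser consent (updated wording): I understand the listed risks."
    log = []
    sign_consent(log, "client-001", "laser", v1, b"sig-bytes-1", "2024-01-05T10:00:00Z")
    sign_consent(log, "client-001", "laser", v2, b"sig-bytes-2", "2024-06-01T09:30:00Z")
    before = verify_log(log)
    log[0]["form_version"] = form_version_id(v2)  # simulate rewriting history
    return before, verify_log(log)

if __name__ == "__main__":
    print(demo())
```

The chain detects edits to, and removal from the middle of, the log; detecting truncation of the newest records additionally needs the latest seal anchored somewhere outside the log.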

4. Configurable recurrence (once vs. every visit)

Intake is usually “once per client.” Clinical consent is safest “every visit/procedure.” You should be able to set this per form and have the system enforce it — recognising when a once-only form is already “on file” so you don’t re-ask, and prompting a fresh signature when the rules require one.

5. Stored on the client’s chart

A signed form is only useful if the provider can see it. It should live on the client record, viewable with the signature, next to the chart and appointment — not in a separate forms silo or an email thread.

6. Service-linked assignment

Map a consent to the services it covers once, and every future booking of those services pulls it in automatically. A laser consent attaches to laser services; an injectable consent to injectables.

The forms most medical spas need

  • New client intake — contact info, medical history, medications, allergies, emergency contact (once per client).
  • General treatment consent — the baseline consent and policies (cancellation, photo release, payment terms).
  • Procedure-specific consent — neurotoxin, dermal filler, laser/IPL, chemical peel, microneedling, permanent makeup, etc. Each has its own risks and should have its own consent.
  • Photo / marketing release — before-and-after photos used for documentation and, with explicit consent, marketing.
  • Financial / deposit policy acknowledgement — no-show and cancellation terms, deposit and refund policy.

How to set them up well

  1. Start from your current forms. Rebuild your existing wording as structured, signable forms — keep the language your attorney or state board approved.
  2. Set recurrence per form. Intake once; clinical consent per visit/procedure.
  3. Map consents to services. So the right form sends automatically when each service is booked.
  4. Turn on auto-send at booking. Both online bookings and staff-created appointments should trigger the form.
  5. Confirm it lands on the chart. Verify the provider can open the signed form with the signature before the visit starts.

Frequently asked questions

What is the difference between an intake form and a consent form?

An intake form collects information — contact details, medical history, medications, allergies — usually once per client and updated as things change. A consent form is a legal record that the client understands a specific treatment's risks and agrees to it; for clinical procedures it should be signed fresh per treatment (or per visit) and versioned, so you can always show exactly what the client agreed to and when.

Are digital (electronic) consent forms legally valid for a medspa?

Yes. Electronic signatures are legally recognized for this purpose in the US under the ESIGN Act, provided you capture intent to sign and keep a tamper-evident record (who signed, what version, and when). A good medspa system stores the signed document, the signature, a timestamp, and the form version on the client's chart — which is stronger evidence than a paper form in a filing cabinet.

How should consent forms be sent to clients?

The best practice is automatically, at booking: when a client books a service that requires consent, the system emails them a secure link to read and sign before they arrive. That removes the front-desk scramble, gets forms signed in advance, and means the provider can confirm consent is on file before the treatment starts.

How often should a client re-sign a consent form?

It depends on the form. Intake is typically signed once and updated when health changes. Clinical consent for procedures like neurotoxin or laser is safest signed every visit/procedure (each is a distinct treatment) — though some stable consents can be set to once-per-client. Pick per-form, and let the system enforce it so it can't be forgotten.


Lumè does all of the above — build your intake and consent forms once, map them to services, and they’re auto-sent at booking, e-signed before the visit, and stored on the client’s chart with a full audit trail and a BAA included. See it on your own forms in a 30-minute demo, or read the HIPAA checklist for medspas.
