“Consent” in an aesthetic clinic is not one thing. It is at least four different things — and confusing them is one of the most common compliance mistakes practitioners make.
A patient can consent to their treatment, refuse photo consent, give marketing consent, and have their capacity formally assessed — all in the same appointment, all documented separately. If any of those are missing, or if they have been bundled into a single form that the patient signed without really reading, your legal and regulatory position is weaker than you think.
This guide breaks down exactly what types of consent your aesthetic clinic needs, the UK and US regulatory requirements for each, and the most common places practitioners get it wrong.
The four types of consent every aesthetic clinic needs
1. Treatment consent
Treatment consent is the cornerstone of everything. For consent to be legally valid in both the UK and US, it must be:
- Voluntary: given without pressure from practitioners, family, or financial incentives such as time-limited discounts
- Informed: the patient understands the procedure, its realistic expected outcomes, all material risks, alternatives, and what happens if they decline
- Given with capacity: the patient has the mental capacity to understand, weigh, and communicate their decision
- Continuing: reconfirmed if the treatment plan changes or significant time has elapsed
Critically, treatment consent must be treatment-specific. A generic form that lists generic risks fails both CQC inspection and legal scrutiny. You need separate consent documentation for Botox, dermal fillers, thread lifts, chemical peels, laser treatments, and every other procedure you offer.
2. Photo consent
Photo consent is entirely separate from treatment consent. Patients can consent to treatment and refuse to be photographed. They can also consent to clinical storage of images and refuse marketing use, or vice versa.
Your photo consent should specify:
- Whether before and after images will be taken
- How and where they will be stored
- Who has access to them
- Whether they may be used in training materials
- Whether they may be used in marketing — this must be a separate opt-in, never assumed
3. Marketing consent (UK GDPR / US CAN-SPAM)
In the UK, marketing consent is governed by GDPR and the Privacy and Electronic Communications Regulations (PECR). Key requirements:
- Consent must be freely given — you cannot make it a condition of treatment
- It must be specific: a patient who consents to receiving appointment reminders is not automatically consenting to promotional emails
- It must be as easy to withdraw as to give
- Existing patients can receive relevant service information under the “soft opt-in” rule — but genuine marketing campaigns require explicit consent
In the US, the CAN-SPAM Act applies to commercial emails. Healthcare marketing communications that reference treatments must also consider HIPAA restrictions on using protected health information (PHI) in marketing without explicit authorisation. If in doubt, obtain explicit consent.
4. Capacity assessment
Documenting that you assessed a patient’s capacity is not just good practice — in the UK, it is a requirement under the Mental Capacity Act 2005. You must assume capacity unless you have a reason to doubt it, but you must record your assessment and what you observed.
Signs that should prompt a formal capacity assessment: the patient cannot explain what the treatment involves, they have unrealistic expectations despite your explanation, they seem to be under pressure from someone with them, or they seem confused or distressed. If you have doubts, do not proceed.
UK requirements: what CQC inspectors look for
For CQC-registered aesthetic clinics, consent threads through all five key inspection domains — Safe, Effective, Caring, Responsive, and Well-Led. The two areas that cause the most problems during inspection are consent documentation and medicines management.
The Montgomery v Lanarkshire ruling (2015) fundamentally changed UK consent law. It established that clinicians must disclose all risks that a reasonable person would consider material to their decision — not just risks the clinician considers significant. This means you cannot decide which risks to mention based on clinical judgment alone. If a complication could meaningfully affect a patient’s decision, you must discuss it.
The CQC also expects a cooling-off period — a minimum of 24–48 hours between initial consultation and treatment — for cosmetic procedures. The CQC’s standard requires evidence that patients had time to reflect, not just a signed form obtained in the same appointment.
For a detailed breakdown of CQC consent requirements, see our complete guide to consent management for CQC compliance.
US requirements: HIPAA, state boards and medspa compliance
In the US, aesthetic clinic consent requirements are shaped by HIPAA, state medical board regulations, and — for medspas specifically — the requirement to obtain appropriate authorisations before using patient information for anything beyond direct treatment.
HIPAA consent vs HIPAA authorisation
These are different things and the confusion between them is common. A HIPAA Notice of Privacy Practices (which patients acknowledge at registration) is not the same as a HIPAA authorisation for using patient information in ways beyond treatment, payment, and health operations.
Specifically relevant for aesthetic clinics:
- Using before and after photos in marketing requires a specific HIPAA authorisation, not just a treatment consent form
- Sending marketing communications that reference a patient’s specific treatment or condition requires written authorisation
- General wellness communications (e.g. seasonal promotions not referencing a specific treatment) may fall outside the HIPAA marketing definition — but take legal advice for your specific situation
State-level requirements
Several states have requirements that go beyond federal minimums. California (CCPA), New York, and Texas each have state-specific privacy and consent considerations for healthcare providers. As regulations evolve rapidly in this space, the safest approach is: obtain explicit written consent for every distinct use of patient information, and review your consent process with a healthcare attorney familiar with your state.
The most common consent mistakes in aesthetic clinics
Using one generic consent form for all treatments
The fastest way to fail a CQC inspection or lose a complaint is to present a generic form as your consent documentation. Each treatment carries unique risks that must be specifically addressed. If your Botox form and your thread lift form look the same, they are not fit for purpose.
Obtaining consent and performing the treatment in the same visit
For new patients or significant procedures, this bypasses the cooling-off principle. Even if it is technically legal for some procedures, it weakens your position significantly if a patient later claims they felt pressured. A two-stage process — consultation, then treatment at a separate appointment — protects both patient and practitioner.
Bundling photo and marketing consent into the treatment form
A single form with a single signature does not satisfy the requirement for specific, separately obtained consent for photos and marketing. If challenged, a bundled form may be found invalid for the bundled elements even if the treatment consent itself was valid.
No record of the capacity assessment
“I assessed capacity and it was fine” is not a record. Document what you observed, what questions you asked, and that the patient demonstrated understanding, ability to weigh the decision, and voluntary agreement. This takes sixty seconds to add to a clinical note — and it matters enormously if a patient later claims they did not understand what they agreed to.
How Consentz handles the consent layer
Consentz includes a full consent library with treatment-specific forms for all major aesthetic procedures, separate photo and marketing consent modules, GDPR-compliant consent tracking, and an automated cooling-off enforcement feature that prevents treatment booking within your specified reflection period.
Every consent record is timestamped, non-deletable, and linked directly to the patient file — so whether you face a CQC inspection, an insurance claim, or a patient complaint, your records are immediately retrievable and legally defensible.
You can also explore our library of free medical templates and our CQC compliance automation guide for more on keeping consent inspection-ready.
Frequently asked questions
1. Do I need a separate consent form for every treatment, or can one form cover multiple procedures done in the same appointment?
You need separate consent for each treatment. If a patient is having Botox and lip filler in the same appointment, they need separate consent documentation for each, covering the specific risks of each procedure. The paperwork is manageable digitally — on paper, it quickly becomes impractical, which is one of the strongest arguments for digital consent.
2. Does CQC require a written cooling-off period, or is verbal discussion enough?
Written documentation is strongly expected by CQC inspectors. Verbal discussion is not sufficient evidence that a cooling-off period occurred. Your records should show the date information was provided and the date consent was confirmed — two separate dates for cosmetic procedures.
3. Can I use a patient’s before and after photos on Instagram without getting separate consent?
No. Using clinical photography in any public-facing marketing requires specific, written opt-in consent that clearly states the images may be used for marketing purposes. Treatment consent, even if it mentions photography, is not sufficient. See our full guide on before and after photo consent.
4. If a patient signed a consent form two years ago, do I need to get a new one?
If the patient is returning for the same treatment with the same practitioner within a reasonable time frame, reviewing and reconfirming existing consent is typically sufficient — but you must document that review. If the treatment plan has changed, if a significant amount of time has passed, or if there have been changes to the patient’s health history, re-consent is required.
5. In the US, does HIPAA apply to all aesthetic clinics or just medspas?
HIPAA applies to any entity that electronically transmits health information in connection with a covered transaction — which includes most aesthetic clinics and medspas that process insurance claims or use electronic health records. If you accept insurance or use digital records systems, HIPAA almost certainly applies to you. If in doubt, assume it does and proceed accordingly.





