21% NO-SHOWS TO 6%. HIPAA-clean.
A 5-location med spa group needed a CRM that could handle HIPAA intake forms, BAA signing, before/after image consent, and clinical SMS reminders. Every off-the-shelf option failed at least one of those. Zay Custom built a HIPAA-tier custom CRM. No-show rate dropped from 21% to 6%. Intake-to-treatment time halved.
Every off-the-shelf CRM failed compliance.
Generic CRMs Could Not Sign BAAs
HubSpot, Pipedrive, and the Salesforce small-business tier did not offer signed Business Associate Agreements. Storing patient PHI in any of them was an out-of-the-box HIPAA violation.
Medical EMRs Were Wrong for Marketing
EMRs like Athena and DrChrono handled clinical compliance but had no marketing pipeline, no lead nurture, no campaign attribution. The marketing team was running a parallel Google Sheet of leads.
12 Paper Forms Per Patient
Each new patient signed 12 paper forms, scanned into a shared drive by the front desk, then manually keyed into the EMR. 25 minutes per intake. Errors common.
21% No-Show Rate, Bleeding Revenue
On a $400 average treatment, every no-show was $400 of empty chair time plus the cost of the booked-out staff. Across 5 locations, ~$240k a year in no-show revenue lost.
"We needed a marketing CRM that did not violate HIPAA. Nobody sold one. ZRG built one. Eight weeks from spec to live across all 5 locations."
21% to 6%.
~$170k/yr recovered.
Two-way SMS reminders sent 48h, 24h, and 2h before each appointment did most of the work. Reschedules happened inside SMS without a front-desk call.
Intake-to-treatment: two weeks to one week.
Digital intake meant patients filled forms before they arrived. Front desk no longer scanned, keyed, and waited on consent signatures.
More throughput, less front-desk strain.
Same staffing. 81% more visits handled. The intake time savings unlocked capacity nobody knew was there.
Every compliance + ops metric moved.
Six core modules. All HIPAA-audited.
HIPAA Intake Forms
Digital intake forms with encrypted at-rest storage, signed BAAs auto-attached to each patient record, audit log on every field edit.
BAA Signing Flow
Patients sign a Business Associate Agreement in under 2 minutes via DocuSign integration. Auto-filed to the patient record with timestamp + IP.
Before/After Image Vault
Tagged image storage with patient-consent tracking. Images cannot be used in marketing without explicit re-consent. Audit log on every view and export.
SMS Reminders
Two-way SMS confirmations 48h, 24h, and 2h before. Only doctor-licensed staff could initiate clinical messages. Compliance log built in.
Role-Based Access
Front desk, MA, RN, NP, MD each see only what they are licensed to see. Audit log per role per action.
Insurance + Payments
Stripe Connect for cards, manual entry for cash/check, payment plans built in. Receipts auto-attached to chart.
- $25,000 setup — full build, integration, training, HIPAA audit by third party.
- $1,500/month HIPAA hosting — dedicated VPC, encrypted at rest, full audit log retention, BAA-covered infra.
- 8 weeks spec to live — from kickoff to all 5 locations operational.
- 100% client-owned — code, database, hosting all owned by the med spa group. No vendor lock.
A med spa that runs on its own software.
No-shows at 6%
Industry average is 18-22%. The group now operates well under industry baseline. Two-way SMS plus deposit-on-booking did the heavy lifting.
HIPAA-audited and signed
Third-party HIPAA audit completed at month 3. All BAAs in place. No more PHI living in marketing spreadsheets or generic CRMs.
Throughput up 81%
Same square footage, same staff count, 81% more visits handled. The biggest unlock was the front desk reclaiming 25 minutes per intake.
- See Zay Custom builds, pricing, and HIPAA tier details.
- Compare with our general custom CRM case study for the non-HIPAA version of the build.
- See Zay CRM Growth if your business does not need a HIPAA tier.
Need a CRM nobody sells?
Zay Custom builds start at $12,500. The HIPAA tier (signed BAA, dedicated VPC, audit logs) starts at $25,000 setup, $1,500/month hosting. We build it, you own it.