
Med Spa Compliance Checklist: 12 Things Your State Board Will Check

June 15, 2026 · 9 min read

Medical spas operate at the intersection of aesthetics and medicine—which means they sit squarely in the crosshairs of state medical boards, nursing boards, and pharmacy boards simultaneously. Most compliance failures aren't the result of bad actors; they're the result of spa owners who didn't know what they didn't know. This checklist covers the 12 areas regulators investigate most aggressively, with enough detail to help you spot gaps before they become violations.

Disclaimer: This article is general information, not legal advice. Regulations vary significantly by state and change frequently. Engage qualified healthcare counsel licensed in your state before making compliance decisions.

Why Med Spa Compliance Is Uniquely Complex

A nail salon is regulated by a cosmetology board. A physician's office answers primarily to the state medical board. A medical spa—offering injectables, laser treatments, IV therapy, hormone pellets, and weight-loss medications under one roof—may answer to four or five agencies at once. Every service line adds a regulatory layer. Every employee credential expands the oversight footprint. And because the industry has grown faster than most states' regulatory frameworks, boards are actively auditing, updating guidance, and initiating enforcement actions at a pace that accelerated sharply in the mid-2020s.

"The medical spa industry generates billions in revenue, but a substantial portion of that activity happens outside the legal structures states require. Boards are catching up."

The 12-Item Compliance Checklist

1. Corporate Structure — Are You CPOM-Compliant?

The Corporate Practice of Medicine (CPOM) doctrine prohibits non-physicians from owning or controlling a medical practice in roughly 30 U.S. states. If you are not a licensed physician and you own 100% of a single-entity "med spa LLC," you may be operating illegally in CPOM states regardless of whether you have a medical director on paper. The compliant structure in these states typically involves a physician-owned professional corporation (PC) that employs or contracts with clinicians, supported by a separate management services organization (MSO) that handles business operations for a flat fair-market-value fee. MDside's PC-MSO model is built around exactly this architecture.

2. Medical Director Agreement — Does It Actually Define Supervision?

Having a "medical director" whose name appears on a website but who has never set foot in the facility is a board violation waiting to happen. Your physician agreement must specify: services being supervised, supervision method (on-site vs. remote), frequency of chart review, procedure approval process, and how the physician can be reached in real time. Vague one-page agreements are routinely cited as inadequate. The agreement must be executed between the physician and the licensed entity providing clinical services—not the lay-owned business entity.

3. Scope of Practice — Who Is Doing What?

Every procedure performed at your facility must be within the scope of practice of the person performing it under the laws of your state. Botulinum toxin products are prescription drugs and dermal fillers are prescription-only medical devices, so both require a prescriber's order; in most states only a physician, nurse practitioner, or physician assistant may order and administer them, and a registered nurse may administer them only under such an order and the supervision the state requires. Laser and energy-based device rules are even more fragmented: some states restrict operation to physicians; others allow aestheticians with specific training certifications. Document each provider's credential, verify scope before assigning procedures, and review state rules annually because they change.

4. Standing Orders and Treatment Protocols

Where on-site physician presence is not required for every treatment, state boards expect documented standing orders signed by the supervising physician. These are written instructions authorizing specific procedures for specific patient populations under defined conditions. Generic templates downloaded from the internet will not satisfy scrutiny. Protocols must be tailored to your service menu, reviewed regularly, and signed by the supervising physician—not the business owner or office manager.

5. Prescription Drug Handling and Storage

Neuromodulators (such as botulinum toxin products) and weight-loss medications are prescription drugs, and dermal fillers are prescription-only medical devices; all of them must be ordered, received, and stored under a licensed prescriber's authority. Some products used in med spa protocols are also controlled substances (phentermine for weight loss, testosterone for hormone therapy), which trigger DEA registration and state controlled-substance licensing requirements on top of ordinary prescription handling. Boards audit storage temperatures, physical security, disposal logs, ordering authority, and whether the individual ordering and receiving the medication is licensed to do so. Purchasing botulinum toxin or any other prescription product through an unlicensed third-party distributor or a "membership club" that bypasses prescription channels violates federal drug-supply-chain law (and usually state pharmacy law), and the FDA has repeatedly warned that such channels are a source of counterfeit or unapproved product.

6. Patient Medical Records — Content, Retention, and Access

Medical spas must maintain medical records that meet the same standards as any clinical practice: patient history, informed consent documents, clinical notes, treatment parameters, photographs (pre and post), adverse event documentation, and follow-up. Most states set a minimum retention period for adult patient records, typically somewhere between five and ten years, with longer periods for minors. Records must be stored securely, accessible to the patient upon request, and protected from unauthorized access. Paper charts in an unlocked back room fail on multiple dimensions simultaneously, and electronic records fail the same test when every staff member shares one EHR login or the system keeps no record of who viewed or changed a chart: unique user accounts and an access audit trail are baseline expectations for any system holding patient data.

7. Informed Consent — Specific, Signed, and Witnessed

A generic "I consent to treatment" waiver does not constitute informed consent under medical law. Informed consent must describe the specific procedure, its material risks and benefits, alternatives (including no treatment), who will perform it, and what to do in the event of an adverse reaction. It must be obtained before the procedure by a licensed practitioner—not front desk staff—and retained in the patient record. Boards look at consent forms; plaintiffs' attorneys look at them even harder.

8. Facility Licensure

Some states require a medical spa or outpatient clinic license separate from business registration. Others require a pharmacy permit if you compound or dispense medications on-site. A handful of states are beginning to require licensure specifically for medical spas as a distinct facility type. Operating without required facility licensure can trigger both board action and civil penalties. Research your state's Department of Health requirements in addition to medical board rules—they are often different agencies.

9. HIPAA Privacy and Security Compliance

A medical spa is a HIPAA covered entity if it transmits health information electronically in connection with a standard healthcare transaction (electronic insurance claims, eligibility checks, and similar). A purely cash-pay practice that never bills a payer electronically may fall outside that definition, but state health-privacy laws and medical-board record-keeping rules still apply, and most operators adopt the HIPAA framework regardless because it is the standard regulators and patients measure against. Required elements include: a Notice of Privacy Practices posted and distributed to patients, a designated Privacy Officer and a designated Security Officer, documented workforce training, Business Associate Agreements (BAAs) with every vendor that handles PHI (your EHR vendor, your payment processor if it sees PHI, your marketing platform if it is connected to patient data), and a written security risk analysis that is reviewed and updated regularly; annually is the common benchmark, and after any significant system change. HIPAA enforcement actions against small healthcare businesses have increased steadily. See our guidance on platform security and data handling.

10. Anti-Kickback and Fee-Splitting Compliance

Federal and state anti-kickback laws prohibit exchanging anything of value to induce referrals of healthcare services. The federal statute reaches services payable by Medicare, Medicaid, and other federal programs; many state statutes, along with state fee-splitting rules, reach all payers, which is why a cash-pay med spa is not exempt. Common traps include: paying a percentage of revenue to a medical director (versus a flat fair-market-value fee), revenue-sharing arrangements with referring providers, and certain types of patient referral commissions. Any compensation arrangement involving a licensed professional and a clinical service must be reviewed through an anti-kickback lens. The federal personal services safe harbor requires a written agreement with a term of at least one year, compensation set in advance at fair market value for the services actually provided, and no variation with the volume or value of referrals; state rules may be stricter.

11. Advertising and Claims Compliance

Medical boards regulate how physicians and the practices they supervise advertise. Prohibited practices typically include: before-and-after photos that imply guaranteed outcomes, testimonials that make specific efficacy claims, use of physician names or credentials in advertising without the physician's written consent, and misleading claims about training or board certification. The FTC and state consumer protection agencies also regulate health claims independently of medical boards. Have a licensed healthcare attorney review your website copy, social media, and any promotional materials before publishing.

12. Emergency Protocols and Safety Equipment

Adverse reactions to injectables (including vascular occlusion from filler, which is why practices injecting hyaluronic acid filler keep hyaluronidase on hand), allergic reactions to topical anesthetics, and burns or other complications from laser treatments do occur. Many states require medical spas to have documented emergency response protocols, trained staff, and specific equipment on-site: at a minimum, epinephrine auto-injectors and a written protocol for calling emergency services. Some states require a crash cart and AED. Document your emergency plan, train staff on it at least annually, and keep records of that training.


Working With a PC-MSO Platform vs. Going It Alone

Many med spa operators piece together compliance by hiring a part-time medical director, downloading a consent form template, and hoping for the best. The problem is that compliance isn't a checklist you complete once—it's an ongoing operational discipline that requires licensed clinical leadership, documented protocols, and structured oversight. A PC-MSO platform like MDside's physician network provides the pre-built clinical structure: physician-owned professional corporations, medically supervised protocols, credentialed provider networks, and compliance documentation baked into the service layer—so you're not reinventing the wheel while also running a business.

If you're building out your cash-pay service menu alongside your compliance infrastructure, see our companion guide: Building a Cash-Pay Wellness Menu: GLP-1, TRT, ED & Aesthetics—it covers how to structure service lines compliantly while building a profitable menu.

State Variation: Why You Can't Use a National Template

There is no federal "med spa law." The rules come from state medical practice acts, nursing practice acts, pharmacy laws, facility licensing statutes, and agency guidance documents—all of which vary by state and are interpreted differently by different boards. A supervision structure that's compliant in Florida may violate Texas law. A procedure an aesthetician can legally perform in Georgia may require an RN in California. The only reliable approach is to engage a healthcare attorney licensed in each state where you operate, review compliance at least annually, and structure your clinical relationships through entities with ongoing legal oversight built in.

Frequently asked questions

Does a med spa need a physician medical director in every state?

Most states require that a licensed physician (or in some states, an NP or PA under a collaborative agreement) supervise all medical procedures performed at a medical spa. The specific title, supervision ratio, and on-site presence requirements vary significantly by state—always confirm current requirements with qualified healthcare counsel before opening.

What is CPOM and why does it matter for med spas?

Corporate Practice of Medicine (CPOM) is the doctrine that prohibits corporations not owned by licensed physicians from owning or controlling a medical practice. In CPOM states, a non-physician business owner cannot employ physicians or direct clinical decisions. Med spas in these states must be structured with a physician-owned professional corporation (PC) handling the medical side, with a separate management services organization (MSO) providing business services, a common arrangement called a PC-MSO structure.

Can my non-physician aesthetician perform laser treatments or injectables?

Scope of practice for laser treatments, injectables (like Botox and dermal fillers), and other energy-based devices varies widely by state. Some states restrict these procedures to physicians or APPs; others allow licensed aestheticians or nurses to perform them under physician supervision. Performing procedures outside a provider's scope of practice is a board violation and can result in criminal charges. Always verify scope rules with a healthcare attorney licensed in your state.

How often must the medical director be on-site at a med spa?

There is no universal rule. States range from requiring the physician to be physically present for every procedure to allowing remote supervision with protocol-driven standing orders. Most states that allow remote supervision still require documented supervision agreements, regular on-site visits (often monthly), and real-time availability by phone or telehealth. Check your state medical board's published guidance and any applicable nursing or pharmacy board rules.

What are the most common reasons med spas get cited by state boards?

Common citation triggers include: procedures performed outside practitioner scope of practice, inadequate or missing physician supervision documentation, improper dispensing or storage of prescription medications (especially biologics like Botox), absent or incomplete patient medical records, failure to obtain informed consent before procedures, and unlicensed facilities performing services that require a clinical license. A proactive compliance audit—ideally with healthcare counsel—is the best defense.

Do med spas have to follow HIPAA?

Usually, and you should plan as if the answer is yes. A medical spa is a HIPAA covered entity if it transmits health information electronically in connection with a standard transaction such as an electronic insurance claim; a strictly cash-pay practice may technically fall outside that definition, but state privacy laws, some stricter than HIPAA, and medical-board record-keeping rules still apply. A compliant program includes written privacy and security policies, a designated Privacy Officer and Security Officer, a patient Notice of Privacy Practices, Business Associate Agreements (BAAs) with any vendor that handles protected health information, a documented security risk analysis, and documented staff training.
