May 2026

California Med Spa Compliance Checklist 2026 — Complete Guide

The complete compliance checklist — business structure, staffing, protocols, advertising, and HIPAA — so nothing gets missed before your first inspection.

Quick Answer

A California med spa must be a Professional Corporation (PC) with an MD, DO, or qualifying 104 NP as controlling owner; registered with the Medical Board of California; run by a medical director under a written agreement; and staffed only with providers authorized by California law to perform the specific services offered. Written physician-approved protocols are required for every procedure, and all advertising must include the supervising physician's name. Missing any of these is a Medical Board violation.

California has the most complex med spa regulatory environment in the US. This checklist covers every compliance category the Medical Board of California checks — organized so you can work through it area by area. Use it before you open, before any inspection, and whenever you add a new procedure or provider.

Each section includes a brief explanation of why the requirement exists and what inspectors look for, so you understand the intent — not just the rule.

What Inspectors Check First

When the Medical Board of California conducts a med spa inspection, they don't work through a random checklist. There is a consistent pattern to what gets examined first:

  1. The Medical Director Agreement — Does it exist? Is it signed? Does it specify actual supervision duties, visit frequency, and chart review requirements? A generic template that doesn't reflect what the director actually does is as problematic as no agreement at all.
  2. Business entity documents — Is the med spa a Professional Corporation? Who holds the controlling interest? Inspectors will check Secretary of State filings and ask to see the PC's operating documents.
  3. Provider licenses and scope — Are the staff performing procedures actually licensed to do so under California law? LVNs and medical assistants doing injectables is the single most commonly cited violation in California med spa inspections.
  4. Treatment protocols — Is there a written, signed protocol for every procedure on the service menu? Are they current, or do they have a physician's signature from three years ago?
  5. Advertising materials — Do the med spa's website and marketing include the supervising physician's name or fictitious name permit number?

If you can walk into an inspection with confident answers to all five of these, you're ahead of most California med spas. Everything else on this checklist is important — but these are where enforcement actions begin.

1. Business Structure

California's Corporate Practice of Medicine (CPOM) doctrine is not a technicality — it is the foundational legal requirement that dictates everything else about how a med spa is organized. An LLC cannot own a California med spa regardless of who operates it. If your structure is wrong, every other compliance effort is built on an illegal foundation.

Entity is a Professional Corporation (PC) — not an LLC or regular corporation
Registered with the California Secretary of State as a Medical Professional Corporation
Physician (MD or DO with active CA license) holds at least 51% controlling interest
OR: qualifying 104 NP under AB-890 is the controlling owner (effective January 2026)
Non-physician investors only participate through a Management Services Organization (MSO) providing non-clinical services
Corporate bylaws address what happens if the physician-owner loses their license
See who can own a California med spa for ownership structure details

2. Medical Board of California Registration

California is one of a small number of states that requires med spas to register directly with the state medical board. This isn't a one-time filing — registration must reflect the current medical director and current procedures. An unregistered med spa is operating illegally regardless of how well-structured everything else is.

Registered as a medical spa with the Medical Board of California (mbc.ca.gov)
Medical director license number on file and confirmed current (verify at mbc.ca.gov)
All procedures offered documented with the Board
Registration updated when medical director changes or new services are added
All city and county business licenses current

3. Medical Director Requirements

The medical director is the cornerstone of California med spa compliance. Every procedure you offer must be covered by a physician-approved protocol. Every clinical decision your staff makes happens under the medical director's supervision authority. A "paper" medical director — someone who signed some documents but never actually visits or reviews charts — is a violation waiting to be discovered.

The Medical Director Agreement is the document that defines this relationship. When inspectors arrive, it's the first thing they ask to see. It must exist, be signed, and specifically describe supervision duties — not just say the director will "oversee medical operations."

Written Medical Director Agreement in place — signed and current
Medical director is an MD/DO with active California license OR qualifying 104 NP under AB-890
Agreement specifies: supervision schedule, chart review frequency, minimum visit frequency, availability requirements
Medical director is "immediately reachable" during operating hours (phone, text, or in-person)
Compensation is at fair market value — not percentage of revenue or per-procedure
Medical director has physically visited the facility, and those visits can be documented
Chart reviews are being conducted at the agreed frequency with documentation
See California medical director requirements for full details

4. Staff Credentials & Scope of Practice

California has some of the strictest scope-of-practice rules for aesthetic procedures in the US. LVNs and medical assistants cannot perform injectables — period. This is the violation inspectors find most often. It's not a gray area, not a matter of supervision level, and not something that can be remedied with extra training. The credential either qualifies or it doesn't.

Every provider performing procedures must be credentialed at the correct level for that specific procedure. Laser treatments have different requirements from injectables. Verify each provider's license before they perform their first procedure, and verify again at each license renewal cycle.

All clinical staff licenses verified current — copies on file
Injectables performed only by MD, DO, NP, PA, or RN (with appropriate physician delegation)
LVNs and Medical Assistants are NOT performing injectables (prohibited in California)
Laser and energy-based treatments performed only by appropriately licensed providers under physician supervision
Physician delegation orders in place for RN-administered injectables
Supervision protocols documented for each provider type and each procedure
License expiration dates tracked and renewals completed before expiration
See California injectable scope of practice for provider-by-provider breakdown

5. Treatment Protocols (SOPs)

California requires a written, physician-approved clinical protocol for every procedure a med spa offers. "Protocol" means a specific document — not general training, not verbal instructions, not a note in a staff meeting. The Medical Board considers operating a procedure without an approved SOP to be practicing medicine without appropriate physician oversight.

Protocols must be thorough enough that any qualified provider could follow them consistently. They need to specify patient selection criteria, contraindications, preparation steps, treatment parameters, adverse event response, and follow-up requirements. A one-paragraph "injection guidance" document is not a protocol.

Written SOP for every procedure offered — before the first patient is seen
Each protocol approved and signed by the medical director with date
Protocols cover: patient selection criteria, contraindications, dosing ranges, step-by-step procedure, adverse event response
Protocols reviewed and re-signed at least annually
Protocol review triggered when a new device is introduced or procedure is modified
Staff have reviewed all applicable protocols and acknowledgment documented
Protocols physically accessible in treatment areas (not only on a shared drive)

6. Advertising Compliance

California's advertising rules for medical practices are enforced through the Business and Professions Code, and the Medical Board treats advertising violations seriously. The most common advertising violation: the med spa's website or marketing materials do not display the supervising physician's name. This isn't optional — it's a specific requirement under California law for any facility advertising medical services.

A fictitious name permit can be used instead of the physician's personal name, but the permit itself must be obtained from the Medical Board and used consistently. Non-compliant advertising can trigger an investigation even if clinical operations are perfectly structured.

Supervising physician's name OR fictitious name permit number appears in all promotional materials
Fictitious name permit obtained from Medical Board if operating under a business name
Website, social media, and print materials all reviewed for California advertising compliance
No false efficacy claims ("guaranteed results," "painless," "risk-free," "permanent")
Before/after photos include FTC-required disclaimer ("results may vary" or "results not typical")
Patient testimonials do not include unsubstantiated medical claims
See California advertising rules for the complete breakdown

7. HIPAA Compliance

Med spas are covered entities under HIPAA. This means the full range of HIPAA obligations applies: Notice of Privacy Practices, Business Associate Agreements with all vendors who handle patient data, documented staff training, and a written breach notification policy. California also adds the California Consumer Privacy Act (CCPA) for certain data practices, which overlaps with but is separate from HIPAA.

One HIPAA issue specific to med spas: patient photos. Using a patient's before/after photo in any marketing without a specific, separate written authorization (not buried in a general intake form) is a HIPAA violation. A general consent for treatment does not cover marketing use of patient images.

Notice of Privacy Practices (NPP) posted in office and provided to new patients
Business Associate Agreements (BAAs) signed with EHR, billing, and any other vendors handling PHI
Patient records stored on a HIPAA-compliant platform — not personal email or unsecured cloud storage
All staff have completed HIPAA training — documented with dates
Written breach notification policy and procedure in place
Patient photo/testimonial authorization is a separate, specific written consent — not bundled in general intake

8. Informed Consent

California informed consent requirements for medical procedures are among the most detailed in the country. The consent must be specific to the procedure, given in advance (not immediately before the procedure while the patient is already on the table), and documented in the patient's permanent record. Verbal consent is not sufficient for any procedure.

For procedures with significant risk profiles — laser resurfacing, deep chemical peels, certain body contouring treatments — a more detailed consent process may be required, with a waiting period between consent and treatment. When in doubt, consult with a California healthcare attorney about your specific service menu.

Written informed consent for every procedure, every patient, every visit
Consent form covers: risks, benefits, alternatives, and expected outcomes for the specific procedure
Patient given time to read and ask questions before signing — not rushed at time of treatment
Patient signature obtained before treatment begins
Signed consent stored in patient record and retained per California medical record retention requirements (minimum 7 years)

9. Emergency Protocols

The Medical Board requires med spas to have a written emergency response protocol for each procedure that carries anaphylaxis or serious adverse event risk. "We'd call 911" is not a protocol. The protocol must specify: what symptoms trigger the response, who on staff is responsible for each action, what medications are on-site and where they are stored, and how the incident is documented.

Anaphylaxis is the most common emergency scenario in med spa settings, occurring with injectables, chemical peels, and certain topical treatments. Staff training must include recognition of early anaphylaxis symptoms — not just severe reactions. A patient who leaves the facility and goes into anaphylaxis in the parking lot is still a liability event for the med spa.

Written emergency response protocol for each procedure with adverse event risk
Emergency protocols posted visibly in all treatment rooms
All staff trained in anaphylaxis recognition, epinephrine administration, and when to call 911
Epinephrine (EpiPen or equivalent) accessible in every treatment area, checked for expiration
Emergency contact numbers and nearest ER posted at every treatment station
Adverse event documentation process defined — how incidents are recorded and reported
Emergency protocols reviewed and updated at least annually — or after any adverse event

10. Malpractice Insurance

Every provider performing procedures at the med spa must carry malpractice insurance that covers those specific procedures. Coverage gaps are common when a provider's policy was written for a different practice context — for example, an NP whose policy was written for primary care may not cover cosmetic injectables without an endorsement.

The med spa itself should also carry a general liability policy. Malpractice insurance covers professional negligence; general liability covers premises incidents, equipment failures, and slip-and-fall claims. Both are needed.

Professional malpractice insurance in place for every provider performing procedures
Coverage specifically includes all procedures offered (verify with insurer — cosmetic procedures often require endorsement)
Policy current and not lapsed — renewal dates tracked
Certificates of insurance on file for all providers
General liability policy in place for the facility

Run through this checklist before your first patient, before adding any new procedure, and before any inspection. If you discover gaps, address them before operating — not after a citation.

This checklist is for informational purposes only and does not constitute legal or medical advice. California compliance requirements are complex and change frequently. Consult a California healthcare attorney to review your specific situation.

Frequently Asked Questions

What are the most common California med spa compliance violations?
The most common violations are: operating without a written Medical Director Agreement, allowing LVNs or medical assistants to perform injectables (prohibited in California), failing to include the supervising physician's name in advertising, operating as an LLC instead of a Professional Corporation, and missing or outdated physician-approved treatment protocols.
Does a California med spa need to register with the Medical Board?
Yes. All medical spas in California must register with the Medical Board of California. Registration requires physician (or qualifying 104 NP) information, medical director details, and documentation of the Professional Corporation structure. Operating without registration is a violation.
What do Medical Board of California inspectors check first?
Inspectors typically start with the Medical Director Agreement (does it exist, is it current, does it specify the required supervision activities?), the business structure (is the entity a Professional Corporation with a physician in control?), and staff credentials (are the providers performing injectables actually licensed to do so under California law?). They then review treatment protocols and advertising materials.
Can an LVN perform Botox injections in California?
No. Licensed Vocational Nurses (LVNs) cannot perform Botox or filler injections in California. This is one of the most commonly cited violations. Injectables must be administered by an MD, DO, NP, PA, or RN with appropriate physician supervision. Medical assistants also cannot perform injectables in California.
How often should a California med spa update its treatment protocols?
Treatment protocols should be reviewed and signed by the medical director at least annually, and any time a new procedure is added, a new device is introduced, or a provider change occurs. Protocols with outdated physician signatures are a common inspection finding in California.
What happens if a California med spa fails a Medical Board inspection?
Depending on the severity, consequences range from a written warning and required corrective action plan to temporary suspension of operations, formal disciplinary action against licensed providers, civil fines, and referral for criminal prosecution for serious CPOM violations. The Medical Board can also issue a public citation that becomes part of the permanent record.
