1. Business Licensing & Registration
Before your first patient walks through the door, you need the right business structure and licenses in place. Florida has specific requirements for medical practices that differ from standard businesses.
✅ Business Licensing Checklist
Business entity formed — LLC, PLLC, or PA registered with Florida Division of Corporations (sunbiz.org)
Local business tax receipt — obtained from your county or municipality
Certificate of Use/Occupancy — from local building and zoning department
AHCA Healthcare Clinic license — required if billing third-party payers for medical services
NPI number — National Provider Identifier if submitting any insurance claims
Federal EIN — Employer Identification Number from the IRS
2. Medical Director Requirements
This is one of the most important — and most frequently violated — compliance areas. Florida law requires a licensed physician to supervise all medical procedures. A "ghost" medical director who is listed on paper but never shows up creates serious liability.
✅ Medical Director Checklist
Licensed MD or DO — active Florida license, in good standing with no sanctions
Written Medical Director Agreement — specifying scope, schedule, compensation, and termination terms
Fair market value compensation — flat fee only, never a percentage of revenue or procedure volume
Documented on-site visits — signed logs of when the MD visited and what was reviewed
Signed clinical protocols — MD has reviewed and signed all treatment-specific SOPs
Delegation agreements — written protocols for any tasks delegated to RNs, NPs, or PAs
Read our full guide on Florida Medical Director requirements for a deep-dive on compensation structures and agreement terms.
3. Staff Credentials & Scope of Practice
In Florida, who can perform what procedure is strictly regulated. Getting this wrong — even by mistake — can result in immediate license suspension for both the individual and the business.
✅ Staff Credentials Checklist
Active Florida licenses verified — all clinical staff licenses checked on DOH website and copies on file
Scope of practice matrix — written document listing who can perform each service
RNs NOT injecting — RNs cannot inject Botox or fillers in Florida without being under direct physician supervision per a delegation protocol
NP/PA supervision agreements — written protocols for all nurse practitioners and physician assistants
License renewal tracking — system in place to flag upcoming expirations (biennial for most FL licenses)
Staff training records — documented training on all procedures each staff member performs
4. Emergency Protocols & SOPs
Emergency protocols are the most frequently cited deficiency in Florida DOH inspections of med spas. You must have written, posted, and practiced protocols — not just a vague policy that exists somewhere in a binder.
✅ Emergency Protocol Checklist
Vascular occlusion protocol — step-by-step response for filler-related vascular compromise
Anaphylaxis protocol — with epinephrine auto-injector on-site and staff trained on administration
Syncope (fainting) protocol — patient positioning, monitoring, recovery steps
Infection response protocol — post-treatment infection identification and management
Laser/device burn protocol — for thermal injuries from laser, IPL, or RF treatments
Adverse reaction documentation — standardized incident report form and escalation pathway
Emergency supply checklist — verified inventory of required medications and equipment
911 escalation guidelines — clear criteria for when to call EMS, with posted address for staff
Protocols posted in treatment rooms — laminated, visible, not just in a binder
Staff drills completed — at least annual mock emergency drills, documented
All 8 emergency protocols — written, formatted, and ready to implement
Our 8-SOP Emergency Bundle covers every item in the checklist above. Professionally written, Florida-specific, and ready for your Medical Director to review.
5. HIPAA Compliance
Med spas are covered entities under HIPAA if they transmit any health information electronically. Even cash-only practices that use electronic intake forms, email, or text messaging with patients are typically covered. HIPAA fines start at $100 per violation — per patient record affected.
✅ HIPAA Checklist
Notice of Privacy Practices — posted in waiting area and given to every new patient
Written HIPAA Privacy Policy — covering how PHI is collected, used, and protected
Written HIPAA Security Policy — covering electronic PHI (ePHI) technical safeguards
Business Associate Agreements (BAAs) — signed with all vendors who access PHI (EHR, billing, email platform)
Patient authorization forms — for any PHI uses beyond treatment, payment, and operations
Breach notification procedure — written plan for responding to and reporting HIPAA breaches
Staff HIPAA training — documented annual training for all staff with access to patient information
For a deep-dive, see our full HIPAA Compliance Guide for Med Spas.
6. OSHA Requirements
OSHA applies to any business with employees. Med spas handle needles, sharps, bloodborne pathogens, and chemicals — putting them squarely in OSHA's crosshairs. An OSHA inspection triggered by a workplace injury complaint can result in serious fines.
✅ OSHA Checklist
Bloodborne Pathogen Exposure Control Plan — written plan for handling needle sticks and blood exposures
Sharps disposal protocol — puncture-resistant sharps containers, proper disposal schedule
Hazard Communication (HazCom) — Safety Data Sheets for all chemical products on site
PPE protocol — gloves, masks, eye protection available and worn during procedures
OSHA poster — "Job Safety and Health — It's the Law" posted in employee area
OSHA 300 log — workplace injury and illness recordkeeping (required if 10+ employees)
7. Patient Documentation & Consents
Proper consent documentation is your first line of defense in any malpractice or licensing complaint. Every procedure should have a procedure-specific consent form — not a single generic consent for everything.
✅ Patient Documentation Checklist
Procedure-specific informed consent forms — covering risks, alternatives, and expected outcomes for each service
Medical history intake form — comprehensive health history, medications, allergies, contraindications
Pre/post-treatment instructions — written, dated, and signed by patient acknowledging receipt
Treatment records — documentation of what was done, by whom, product lot numbers, dosages
Record retention policy — Florida requires medical records to be kept for a minimum of 5 years (7 years for minors)
Photo consent — separate consent for before/after photos and any marketing use
Your Next Step
Running through this checklist takes time — but the bigger challenge is having the actual documentation ready when you need it. Writing emergency protocols from scratch, drafting a Medical Director agreement, and creating proper SOPs can take weeks if you're doing it alone.
That's exactly why we built the 8-SOP Emergency Bundle — professionally written, Florida-specific emergency protocols that cover the most critical (and most frequently cited) compliance gap. Ready to review with your Medical Director and implement the same day.
See also: Med Spa Emergency Protocol Checklist and 7 Compliance Mistakes That Get Florida Med Spas Shut Down.
Disclaimer: This checklist is for educational purposes only and does not constitute legal advice. Florida med spa regulations are subject to change. Consult with a licensed Florida healthcare attorney for guidance specific to your practice.
Frequently Asked Questions
What licenses does a Florida med spa need?
A Florida med spa needs a local business tax receipt, Certificate of Use, and an AHCA Healthcare Clinic license if billing insurance. Individual providers need active Florida professional licenses. The specific licenses depend on your business structure and services offered.
Is a medical director required for a Florida med spa?
Yes. Any Florida med spa performing medical procedures must have a licensed MD or DO as Medical Director with a written supervision agreement. The medical director must provide actual documented oversight — not just be listed on paper.
What emergency protocols must a Florida med spa have?
At minimum: vascular occlusion, anaphylaxis, syncope, infection response, laser burns, adverse reactions, emergency supply checklist, and 911 escalation guidelines. These must be written, posted in treatment rooms, and staff must be trained on them.
What HIPAA documents does a med spa need?
Notice of Privacy Practices, HIPAA Privacy Policy, HIPAA Security Policy, Business Associate Agreements with all PHI vendors, patient authorization forms, and a breach notification procedure. Annual staff HIPAA training must also be documented.
How do I know if my Florida med spa is compliant?
Work through a comprehensive checklist covering licensing, medical director agreement, staff credentials, written SOPs, HIPAA documentation, OSHA requirements, emergency protocols, and patient consent forms. An annual internal audit plus periodic review with a healthcare attorney is best practice.