May 3, 2026

Georgia Med Spa Compliance Checklist 2026 — Complete Guide

Entity structure, GCMB oversight, medical director, GDNA controlled-substance rules, staff licensing, advertising, records, and the documents inspectors actually ask for first.

Quick Answer

A compliant Georgia med spa needs: a physician-owned PC (or qualifying PLLC) filed with the Secretary of State, a Georgia-licensed medical director with written delegation protocols meeting GCMB Rule 360-32, GCMB- and Board of Nursing-licensed clinical staff verified at hire, GDNA-compliant controlled substance handling alongside DEA registration where applicable, HIPAA + O.C.G.A. §31-33 records procedures, OSHA bloodborne pathogens and Georgia biomedical waste compliance, workers' compensation coverage, advertising aligned with GCMB Rule 360-3, and 10-year medical record retention under §31-33-2.

Georgia is one of the South's fastest-growing med spa markets — and the regulatory environment has tightened in lockstep. There is no single "med spa statute" in Georgia. Instead, multiple layers stack: corporate practice limits inside the Georgia Code, physician licensing through the Georgia Composite Medical Board (GCMB), controlled-substance oversight through the Georgia Drugs and Narcotics Agency (GDNA), federal HIPAA paired with O.C.G.A. §31-33, OSHA paired with Georgia biomedical waste rules, and entity filings handled by the Georgia Secretary of State Corporations Division.

This is the working checklist. If you are opening, buying, or auditing a Georgia med spa in 2026, every item below has to be in place — or in a documented plan to be in place — before you treat your first patient.

1. Business Structure — PC or Qualifying PLLC

Georgia follows a Corporate Practice of Medicine (CPOM) doctrine. A standard for-profit corporation or general LLC cannot practice medicine. A med spa offering medical procedures must be organized as one of the following:

  • Professional Corporation (PC) under O.C.G.A. Title 14 Chapter 7 (the Georgia Professional Corporation Act)
  • Professional Limited Liability Company (PLLC) under O.C.G.A. Title 14 Chapter 11, where qualifying licensed members hold the membership interests

For a medical PC, every shareholder must be a Georgia-licensed physician (MD or DO). A registered nurse, esthetician, MBA partner, or out-of-state physician cannot directly own the medical entity. A PLLC structure has slightly more flexibility for combined-license practices, but the medical practice arm must still be physician-owned.

For the deep dive on ownership, see who can own a med spa in Georgia.

Georgia Secretary of State Filing

Once the entity type is chosen, file the Articles of Incorporation (PC) or Articles of Organization (PLLC) with the Georgia Secretary of State Corporations Division. Tracking items:

  • Annual Registration — Due between January 1 and April 1 each year. Missing the window puts the entity into administrative dissolution within months. Banks, payors, and malpractice carriers will all see this status before you do.
  • Registered agent — Keep current. GCMB complaints and civil process land here first.
  • Trade name (DBA) registration — If the entity operates under a name different from its corporate name, file a trade name registration at the county Superior Court Clerk.
  • Local business license / occupational tax certificate — Required by virtually every Georgia city and county where the practice operates.

For the full open-a-spa walkthrough including timeline and capital, see how to open a med spa in Georgia.

2. Medical Director & GCMB Rule 360-32

Every Georgia med spa offering medical procedures must operate under a Georgia-licensed physician (MD or DO). The medical director's role is structured by GCMB Rule 360-32, which governs delegation of medical acts and supervision of nurse practitioners, physician assistants, and other clinical staff.

The medical director's duties are not symbolic. They must:

  • Approve a written protocol for every procedure offered, signed and dated
  • Establish delegation parameters compliant with GCMB Rule 360-32 (and Rule 360-5 for PA delegation, where applicable)
  • Be available during operating hours for clinical questions and emergencies
  • Conduct documented chart reviews on a defined cadence
  • Visit the facility on a routine, documented schedule

For the full breakdown of what GCMB expects from the medical director relationship — including what a compliant agreement must contain — see Georgia med spa medical director requirements.

Delegation & Scope Under Rule 360-32

Who can do what at a Georgia med spa is the most common compliance question. Botox, fillers, lasers, and most aesthetic procedures are the practice of medicine. Delegation to RNs, NPs, and PAs is permitted only where:

  • A written protocol approved by the supervising physician exists for the procedure
  • The provider is acting within the scope of their Georgia license
  • A good-faith prior physician examination has occurred (GCMB enforcement focus)
  • Required nurse-protocol agreements (for RN-administered medications) are signed and on file

For provider-by-provider details, see who can inject Botox in Georgia.

3. Staff Licensing — GCMB & Georgia Board of Nursing

Every clinical staff member performing medical procedures at your facility must hold an active, in-good-standing Georgia license in their profession. Out-of-state licenses do not transfer — period. Verify through the issuing board:

  • Physicians (MD/DO) — Georgia Composite Medical Board
  • Physician Assistants — GCMB
  • Nurse Practitioners and Registered Nurses — Georgia Board of Nursing
  • Estheticians and Cosmetologists — Georgia State Board of Cosmetology and Barbering

Verification routine:

  1. At hire, look up every clinician on the relevant Georgia license verification portal
  2. Save a screenshot or PDF of the verification page in the personnel file
  3. Re-verify on the renewal cycle for each profession
  4. Verify CPR / BLS / ACLS certifications separately and re-verify at expiration
  5. For PA and NP staff, also confirm the protocol agreement on file matches the actual delegated acts

If your facility offers laser treatments, also confirm operator training meets the standards in Georgia laser safety for med spas.

4. GDNA & DEA — Controlled Substance Compliance

Controlled substances are the area where Georgia diverges most sharply from other states. GDNA — the Georgia Drugs and Narcotics Agency — operates parallel to the federal DEA and has its own inspection authority. Practical implications:

  • Any prescriber stocking, ordering, or administering controlled substances must hold an active DEA registration tied to the practice address and the GDNA-required state authorization
  • GDNA inspectors can audit drug storage, inventory logs, biennial inventories, and disposal records on demand — keep them inspection-ready
  • Compounded preparations (including any with controlled-substance components) must come from licensed 503A or 503B sources, with invoices and lot numbers retained
  • PDMP (Prescription Drug Monitoring Program) checks must be documented for each controlled-substance prescription per Georgia law
  • Drug log reconciliation should occur at a defined cadence — weekly is the safe standard
  • Adverse drug events should flow into the same complaint and adverse-event log used for clinical events

If your practice runs a GLP-1 weight loss program — even with non-scheduled medications — see Georgia GLP-1 weight loss compliance for prescribing, compounding-source, and telehealth rules.

5. HIPAA + O.C.G.A. §31-33 (Records Access)

HIPAA is the federal floor. Georgia layers additional rights on top via O.C.G.A. §31-33, which governs patient access to their own medical records. Compliant practices need:

  • Written Notice of Privacy Practices, signed by every patient at intake
  • A designated Privacy Officer (typically the medical director or a named staff member)
  • Records-access workflow that responds to written patient requests within the §31-33 statutory window (generally 30 days)
  • A reasonable per-page copying fee schedule consistent with §31-33-3 fee caps
  • Business Associate Agreements with every vendor that touches PHI — EMR, billing, marketing automation, scheduling, photo storage
  • Annual HIPAA training, documented per employee
  • Documented breach response plan with notification path under HIPAA and Georgia's Personal Identity Protection Act

6. OSHA + Georgia Biomedical Waste Rules

The OSHA bloodborne pathogens standard (29 CFR 1910.1030) applies to any practice that uses needles. Georgia adds a second layer through Department of Natural Resources biomedical waste rules (Chapter 391-3-4) and Department of Public Health guidance. Required elements:

  • Written Exposure Control Plan, reviewed annually
  • Sharps containers at point of use, replaced before fill line
  • Contract with a Georgia-permitted biomedical waste transporter
  • Manifest tracking — keep transporter receipts for 3 years minimum
  • Hepatitis B vaccination offer, declination forms on file for staff who decline
  • Annual bloodborne pathogens training, documented per employee
  • Post-exposure protocol with named occupational health provider

7. Workers' Compensation & Employment Coverage

Georgia requires workers' compensation coverage for any employer with three or more employees, including part-time staff. Most med spas hit that threshold quickly once front-desk, clinical, and ownership employment are counted. Coverage is enforced by the State Board of Workers' Compensation, and operating uninsured exposes the practice to per-day fines, stop-work orders, and personal liability for the owner.

Other employment items to verify:

  • Federal EIN and Georgia Department of Revenue withholding registration
  • Georgia Department of Labor unemployment insurance account
  • I-9 verification on every employee, retained per federal rules
  • Independent-contractor classification reviewed against Georgia and federal tests — misclassifying clinical staff is a frequent audit trigger
  • Written employment policies, anti-harassment training, and posted Georgia and federal labor notices

8. Advertising & Marketing — GCMB Rule 360-3

Georgia advertising rules for medical practices are enforced by both GCMB (under Rule 360-3 on advertising and unprofessional conduct) and the Georgia Attorney General's consumer protection unit. Common compliance failures:

  • Before/after photos without proper patient consent or with unrealistic expectations disclaimers
  • "Specials" or package deals that look like fee splitting or patient brokering
  • Failure to identify the supervising physician on advertising materials
  • Influencer or affiliate arrangements that pay per-patient referrals
  • Use of the terms "specialist," "expert," or "board certified" without the underlying credential
  • Telehealth or out-of-state pricing claims that imply Georgia care without a Georgia license

For the full rulebook, see Georgia med spa advertising rules.

9. Patient Records Retention — O.C.G.A. §31-33-2

Georgia requires medical records to be retained for at least 10 years from the date of the last patient encounter for adult patients under O.C.G.A. §31-33-2. For minor patients, records must be retained for at least 10 years past the patient's age of majority. This is one of the longest retention windows in the country, and routine destruction policies built for shorter-retention states will fail an audit.

Best-practice retention checklist:

  • Clinical chart — 10 years (minors: 10 years past age of majority)
  • Informed consent forms — same as chart
  • Photographs and imaging — same as chart
  • Controlled substance logs — minimum 2 years federal, but align with Georgia's 10-year medical record window for safety
  • Adverse event and complaint logs — indefinite, or until the applicable statute of limitations expires
  • Employment files — at least 4 years post-termination, longer for clinical staff to align with malpractice tail

10. Required SOPs & Written Protocols

Even though Georgia does not run a state-wide med spa facility license, GCMB inspections (typically triggered by complaint or adverse event) will look for a complete written protocol library. Expect to need at minimum:

  • Procedure-specific protocols for every service offered (Botox, fillers, laser, microneedling, IV therapy, weight management, chemical peels, sclerotherapy, etc.)
  • Nurse protocol agreements for any RN-administered medication, where required by GCMB Rule 360-32
  • Emergency protocols — hyaluronidase reversal, anaphylaxis, vasovagal, vascular occlusion
  • Infection control and sterilization SOP
  • Drug-handling, ordering, and disposal SOP aligned with GDNA
  • Telehealth and remote-evaluation SOP if any visits are virtual
  • Adverse-event response and reporting SOP
  • Records request, copying-fee, and amendment SOP under §31-33

11. GCMB Inspection Patterns

GCMB does not run announced "med spa surveys" the way some states inspect surgical centers. Inspections typically arrive through one of three channels:

  1. Patient complaint — filed online with GCMB, often after a billing dispute or aesthetic outcome the patient considers unsafe
  2. Adverse event report — emergency department transfers, hospital admissions, vascular events, or reportable harm
  3. Cross-referral from GDNA, the Board of Nursing, or the Attorney General — typically tied to controlled-substance, advertising, or scope-of-practice issues

Whatever the trigger, the document set requested looks similar. Build it once — and keep it living — and a GCMB inquiry becomes a 30-day paperwork project rather than a practice-ending crisis.

12. Inspection-Ready Documentation Binder

If GCMB, GDNA, or the Department of Labor walks in, you should be able to put your hands on every document below within five minutes. Build the binder once, maintain it monthly.

  1. Secretary of State entity filing receipt + most recent annual registration
  2. Trade name registration and local occupational tax certificate
  3. Medical Director Agreement (current, signed)
  4. Medical director's GA MD/DO license verification
  5. Written protocols for every procedure offered, signed and dated
  6. Nurse protocol agreements (where applicable) under GCMB Rule 360-32
  7. Georgia license verification PDFs for every clinical staff member
  8. Chart review log — date, charts reviewed, findings
  9. Adverse event and complaint log
  10. HIPAA Notice of Privacy Practices + §31-33 records-access policy
  11. OSHA Exposure Control Plan + biomedical waste manifests
  12. Workers' compensation certificate of coverage
  13. DEA registration + GDNA records, biennial inventory, drug logs
  14. Lease + zoning / certificate of occupancy
  15. Malpractice certificates for the practice and the medical director

Putting It Together — A First-90-Days Sequence

For a new Georgia med spa, the order of operations matters as much as the items themselves. A workable 90-day sequence:

  1. Week 1–2: Engage Georgia healthcare attorney + accountant. Confirm PC vs. PLLC. Reserve the entity name with the Secretary of State.
  2. Week 3–4: File Articles with the Secretary of State. Apply for EIN and Georgia withholding. Open business banking. Acquire local occupational tax certificate.
  3. Week 5–6: Sign Medical Director Agreement. Commission Rule 360-32 protocols. Apply for malpractice. Bind workers' compensation.
  4. Week 7–8: Onboard clinical staff with GCMB / Board of Nursing license verification. Train on protocols, HIPAA, OSHA bloodborne pathogens, GDNA drug handling.
  5. Week 9–10: Stand up EMR with BAA. Build adverse-event and complaint logs. Finalize advertising review with attorney against Rule 360-3.
  6. Week 11–12: Internal mock inspection — pull every document on the binder list. Fix gaps. Then open the doors.

Summary

  1. Georgia med spas must operate as a physician-owned PC under O.C.G.A. Title 14 Chapter 7 (or qualifying PLLC under Chapter 11), filed with the Secretary of State and kept current with annual registrations
  2. A Georgia-licensed medical director with written protocols meeting GCMB Rule 360-32, documented chart reviews, and on-site visits is mandatory — not ceremonial
  3. Every clinical staff member needs an active Georgia license, verified at hire and at each renewal cycle
  4. GDNA operates alongside the federal DEA — controlled-substance handling, drug logs, and inventories must be inspection-ready at all times
  5. HIPAA + O.C.G.A. §31-33 govern records access; OSHA + Georgia biomedical waste rules govern sharps and biohazard handling
  6. Workers' compensation coverage is required for any employer with three or more employees
  7. Medical records must be retained 10 years (10 years past age of majority for minors) under §31-33-2
  8. Advertising must comply with GCMB Rule 360-3 — supervising physician identification, honest before/after, and no fee-splitting structures
  9. Build the inspection binder once, maintain it monthly, and you can open the door to any inspector with confidence

Disclaimer: This article is for educational purposes only and does not constitute legal advice. Georgia med spa compliance involves overlapping statutes, regulations, and agency interpretations specific to your facility. Consult a qualified Georgia healthcare attorney before forming an entity, signing a medical director agreement, or opening for patients.

Frequently Asked Questions

What business structure is required for a Georgia med spa?
A Georgia med spa offering medical services must be organized as a Professional Corporation (PC) under O.C.G.A. Title 14 Chapter 7 or a Professional Limited Liability Company (PLLC) under Title 14 Chapter 11. All shareholders of a medical PC must be Georgia-licensed physicians, and the entity is filed with the Georgia Secretary of State Corporations Division.

Does a Georgia med spa need a separate facility license from the state?
No general state facility license exists for office-based med spas in Georgia. Operations are governed at the practitioner level through GCMB licensure, GCMB Rule 360-32 supervision rules, and GDNA controlled-substance oversight. Office-based surgery and anesthesia, however, can trigger additional accreditation and Department of Community Health requirements.

What is the Georgia Drugs and Narcotics Agency (GDNA) and why does it matter?
GDNA is Georgia's state-level controlled-substance regulator and operates in addition to the federal DEA. Med spas that handle controlled substances, compounded preparations, or stocked medications fall under GDNA inspection authority. GDNA inspectors can audit drug logs, storage, and prescriber records, so every Georgia med spa stocking medications needs a defensible drug-handling SOP.

Can a non-physician own a med spa in Georgia?
Generally no for entities that practice medicine. Georgia follows a Corporate Practice of Medicine doctrine: a medical PC's shareholders must be licensed physicians. Lay investors, RNs, and estheticians cannot own the medical entity. Management Services Organization (MSO) structures are used in Georgia but must be drafted carefully to avoid fee-splitting and unlicensed practice violations under O.C.G.A. Title 43 Chapter 34.

How long must a Georgia med spa retain patient records?
Under O.C.G.A. §31-33-2, Georgia healthcare providers must retain adult patient records for at least 10 years from the date of the last patient encounter. For minor patients, records must be retained for at least 10 years past the patient's age of majority. Imaging, photographs, and signed consent forms tied to procedures should be retained for the same window.

Does Georgia require workers' compensation insurance for med spa staff?
Yes. Georgia requires workers' compensation coverage for any employer with three or more employees (including part-time). Most med spas exceed that threshold once front-desk, clinical, and management staff are counted. Operating without coverage exposes the practice and the owner personally to substantial penalties through the State Board of Workers' Compensation.

What documents will a GCMB or GDNA inspector ask for first?
A Georgia inspector typically asks for: the Secretary of State entity filing and current annual registration, the Medical Director Agreement, Rule 360-32 delegation and supervision protocols for every procedure, GCMB and Board of Nursing license verifications for each clinician, the chart review log, the patient complaint and adverse-event log, GDNA-compliant controlled-substance inventory and reconciliation logs, the OSHA bloodborne pathogens plan, and HIPAA / O.C.G.A. §31-33 records-access policies.
