Med Spa Fines and Closures: The Real Violations Regulators Look For

Q: What are the most common med spa compliance violations?

The most common med spa compliance violations include: operating without a valid Medical Director agreement, staff performing procedures outside their licensed scope, missing or unsigned written SOPs, absence of emergency protocols and equipment, inadequate Medical Director supervision and oversight, failure to maintain proper patient consent documentation, and HIPAA/infection control policy gaps. These violations appear repeatedly in state regulatory actions and enforcement cases.

Q: How much can a med spa be fined for compliance violations?

Fines for med spa compliance violations vary widely by state and violation severity. Individual violation fines commonly range from $1,000 to $10,000 per violation. Medical directors can be personally fined — such as the Iowa case where Dr. Kollmorgen was fined $10,000 for inadequate supervision. In cases involving unlicensed practice or patient harm, fines can reach $50,000 or more, and license revocation may follow.

The Enforcement Landscape Has Changed

For years, the med spa industry operated in a regulatory gray zone — growing rapidly while enforcement lagged behind. That era is over. From New York to Iowa to Texas, state medical boards, health departments, and attorney general offices have dramatically increased their focus on med spa compliance violations. The businesses that haven't built proper compliance infrastructure are now facing the consequences.

What follows is a look at real, documented cases from 2023–2026 — the specific violations that triggered regulatory action and what you need to learn from them.

Case #1: New York's Statewide Crackdown — 223 Med Spas Investigated

In late 2025 and early 2026, a joint enforcement operation involving the New York City Council, the New York State Department of Health, the State Education Department, and the Department of State investigated 223 medical spas across New York. The findings were alarming: unlicensed operators performing injections and laser treatments, causing serious burns, infections, and permanent scarring in patients. Multiple business licenses were suspended or revoked.

The violations documented included:

Injections administered by individuals with no medical, nursing, or physician assistant license
Laser treatments performed without required operator credentials
No liability insurance on file
Mislabeled and potentially counterfeit injectable products
No written protocols or emergency procedures

The New York Department of State issued a public consumer warning in January 2026, specifically flagging the pattern of harm caused by unlicensed practice. Businesses with revoked licenses were placed in a public enforcement database.

The lesson: Regulators aren't just looking for paperwork gaps. They're looking at who is actually performing procedures and whether those people are legally authorized to do so. Scope-of-practice violations are the fastest path to license revocation.

Case #2: Iowa Medical Director Fined $10,000 for Inadequate Supervision

In December 2025, the Iowa Board of Medicine levied a $10,000 fine against Dr. Daniel Kollmorgen, medical director of 4Ever Young Med Spa in Waukee, Iowa, for failing to adequately supervise the spa's clinical operations.

When investigators visited in June 2025, they found that Kollmorgen was largely working remotely and was physically on-site only approximately two to three hours per month. Iowa standards for medical directors at medical spas require the physician to be physically located within 60 miles of the spa at all times, and to provide at least four hours per week of in-person staff supervision.

Kollmorgen's actual presence — roughly 2 to 3 hours per month — fell drastically short of the 16+ hours per month required by state law.

The lesson: The "ghost medical director" arrangement — where a physician signs an agreement but rarely or never appears — is now a primary enforcement target. Boards know this arrangement exists and are actively investigating it. If your medical director relationship looks good on paper but hollow in practice, you are at risk.

Case #3: Texas — A Patient Dies, A Medical Director Loses His License

In July 2023, Jenifer Cleveland died after receiving an IV therapy treatment at Luxe Med Spa in Wortham, Texas. The treatment was administered by Amber Johnson, the spa's owner — who held no medical or healthcare license. No licensed healthcare professional was present on-site.

The Texas Medical Board's investigation found that medical director Dr. Michael Gallagher, based 106 miles away in Frisco, had visited the spa only three times. There were no SOPs or protocols for IV services. The medical director agreement was unsigned. Prescription-only TPN electrolytes had been purchased using the medical director's credentials without his meaningful oversight.

In October 2023, the Texas Medical Board issued an emergency order temporarily suspending Gallagher's medical license pending formal hearing. The suspension was later amended but Gallagher remained restricted from supervising or delegating to others in all practice settings.

The lesson: Absent medical director oversight + no written protocols + unlicensed staff = the worst possible outcome. This case illustrates every major compliance category failing at once. Every one of those failures was preventable with basic documentation and operational standards.

What Regulators Are Actually Looking For

Based on these cases and the patterns in state enforcement actions, here are the specific areas that trigger regulatory scrutiny:

1. Scope of Practice — Who Is Performing What

This is the number-one issue in regulatory enforcement. Procedures being performed by unlicensed individuals — or by licensed individuals without proper delegation authority — generate immediate action. Regulators will look at treatment records and compare the performing provider's license type against what they did.

2. Medical Director Oversight — In Practice, Not Just on Paper

As the Iowa case demonstrates, a signed agreement is the beginning — not the end. State boards increasingly look for documented evidence of real supervision: visit logs, signed protocol reviews, delegation documentation, and evidence the medical director knows what's happening at the spa.

3. Written SOPs — For Every Procedure Performed

The absence of written, physician-signed SOPs was a cited factor in the Texas death case and is one of the most consistently cited deficiencies in state inspections. "We train our staff" is not a substitute for written protocols. Inspectors can't verify training. They can verify documentation.

4. Emergency Protocols and Safety Equipment

Every med spa must have written emergency protocols for anaphylaxis, vascular occlusion, syncope, and other foreseeable adverse events. These protocols must be accessible in treatment areas — not just filed away — and must be backed up by the appropriate emergency supplies.

5. HIPAA and Infection Control Documentation

State agencies increasingly review HIPAA compliance documentation and infection control records during inspections. A posted Notice of Privacy Practices and a written Bloodborne Pathogens Exposure Control Plan are basic requirements that many spas still lack.

What to Do Instead

Every one of the violations documented above was preventable. Here's what a compliant med spa has in place:

A current, signed Medical Director Agreement that specifies supervision frequency, delegation authority, and on-site visit requirements — and is actually followed
Written, physician-signed SOPs for every procedure on the service menu, reviewed and updated whenever procedures or products change
A scope-of-practice matrix for every staff member, documenting what each is legally authorized to perform under their license type
Emergency protocols posted in treatment areas with current emergency supplies (EpiPen, hyaluronidase for vascular occlusion)
Staff credential files with current licenses, CPR certifications, and training documentation for every procedure performed
Medical Director visit logs signed and dated, demonstrating actual on-site supervision frequency

Don't let a documentation gap become a regulatory action

The MedSpa Standards Complete Compliance Suite includes all the SOPs, protocols, consent forms, and operational documents your med spa needs — written professionally and ready for your Medical Director to review and sign.

Get the Complete Suite

30-day money-back guarantee

The Stakes Are Higher Than They Used to Be

The med spa industry's rapid growth has put it squarely in the crosshairs of state and federal regulators. The days of building a business on informal arrangements and good intentions — without documented protocols — are over. The cases above are not outliers. They are the predictable outcome of running a medical practice without medical-grade compliance infrastructure.

The good news: compliance is achievable. The documentation required isn't complex — but it does need to be written down, current, signed, and accessible. Owners who build that infrastructure now are protecting their license, their patients, and the business they've worked hard to build.

Disclaimer: This article is for educational purposes only and does not constitute legal or regulatory advice. Regulations vary by state and change frequently. Consult with a licensed healthcare attorney for guidance specific to your practice.

Frequently Asked Questions

What are the most common med spa compliance violations? + −

The most common violations include: operating without a valid Medical Director agreement, staff performing procedures outside their licensed scope, missing or unsigned written SOPs, absence of emergency protocols and equipment, inadequate Medical Director supervision, failure to maintain proper patient consent documentation, and HIPAA/infection control policy gaps.

How much can a med spa be fined for compliance violations? + −

Fines vary by state and violation severity. Individual violation fines commonly range from $1,000 to $10,000 per violation. Medical directors can be personally fined — as in the Iowa case where Dr. Kollmorgen was fined $10,000 for inadequate supervision. In cases involving unlicensed practice or patient harm, fines can reach $50,000 or more, and license revocation may follow.

Can a med spa be closed for compliance violations? + −

Yes. State regulators have authority to issue emergency cease-and-desist orders, suspend healthcare clinic licenses, and revoke operating permits for serious violations. New York's 2025–2026 investigation of 223 med spas resulted in multiple license revocations. In Texas, a med spa's medical director had his license suspended following a patient death tied to absent protocols and no licensed staff on-site.

What documentation do regulators look for in a med spa inspection? + −

Regulators primarily look for: a current Medical Director agreement with proof of active licensure, written SOPs for every procedure performed, staff credential files, emergency protocols posted in treatment areas, HIPAA compliance documentation, infection control policies, patient consent forms, and evidence of actual Medical Director supervision (visit logs, signed protocol reviews).