Med Spa Inspection Guide 2026: What State Boards Actually Check (and How to Pass)
A practical, document-by-document breakdown of how state medical boards, nursing boards, pharmacy boards, OSHA, and DEA actually inspect medical spas — and the binder-ready checklist that turns an inspection from a crisis into a routine afternoon.
In short
State boards inspect med spas through medical boards, nursing boards, pharmacy boards, state DOH/AHCA, OSHA, and the DEA — most often triggered by a patient complaint, an adverse event, or a competitor tip. Inspectors uniformly ask for the same documents first: medical director agreement, license verifications, signed protocols, a sample of patient charts, and your advertising. Operators who win pre-build a binder, run a 30-day self-audit against the seven first-look documents, brief staff on inspector etiquette, and have a healthcare regulatory attorney on retainer before the first knock.
Most med spa operators learn how state boards inspect their facility the wrong way — by getting inspected. By that point, the documents either exist or they do not, the medical director either has a real chart-review record or only a signed agreement, and the staff either know what to say or accidentally turn a routine site visit into a board investigation. The cost of preparing in advance is a few quiet weekends. The cost of preparing after the fact is, frequently, the practice itself.
This guide is the operator-facing field manual to a state board inspection. It covers what triggers an inspection, who actually shows up, the documents inspectors ask for first, how charts get reviewed, the twelve violations that account for most citations, and the 30-day, 7-day, and 24-hour preparation checklist. It is the national companion to our state-by-state regulations reference, our medical director requirements pillar, and our state hubs for California, Florida, Texas, New York, Georgia, and Arizona.
Important: This guide is national. Specific procedures, response windows, and authorities vary by state. Confirm with your healthcare regulatory attorney and the state board in your jurisdiction before relying on any specific timeline or document description below.
What Triggers a Med Spa Inspection
Inspections rarely come out of nowhere. The vast majority of med spa enforcement actions begin with one of six triggers, and understanding which trigger applies to a given inspection tells you a great deal about the inspector's scope, mindset, and what they are likely to focus on. The same Statement of Deficiencies looks different in the rearview mirror once you know whether the inspector showed up because of a routine cycle or because a patient called the medical board.
Patient Complaint to the State Medical Board
Patient complaints are the single largest source of med spa investigations across every state we cover. Most state medical boards — the California Medical Board, the Florida Board of Medicine, the Texas Medical Board, the New York Office of Professional Medical Conduct, the Georgia Composite Medical Board, and the Arizona Medical Board — accept patient complaints through public-facing online portals. A complaint does not require an attorney, a deposition, or any threshold evidence. A patient who is unhappy with an outcome, suspects deceptive advertising, or believes the wrong person performed their treatment can file a complaint in less than ten minutes.
The board then triages. Many complaints close with no action, but a meaningful share trigger at least a request for medical records, and a smaller share escalate into a formal investigation. The pattern that turns a routine refund dispute into a disciplinary matter is almost always the same: the board pulls the chart, finds gaps in the good-faith exam, the consent, or the standing-order alignment, and the investigation expands beyond the original complaint. For the operator, the lesson is that the chart you create today is the chart that will be reviewed when a complaint arrives eighteen months from now.
Adverse Event Reporting (Anaphylaxis, Vascular Occlusion, Hospitalization)
Adverse events that result in emergency department transfers, hospitalizations, or serious harm are typically reportable to the state board, the manufacturer (for FDA MedWatch reporting), and, if applicable, the facility-licensing agency. The reporting pathway differs by state, but vascular occlusions, anaphylactic reactions, ocular complications from filler, and any procedure-related hospitalization frequently trigger an inspection — sometimes within days of the event.
Inspectors arriving on the heels of an adverse event are looking for two things: whether the procedure that caused the event was within scope and properly authorized, and whether the practice's emergency response was adequate. This is why every med spa offering injectable or energy-based procedures needs documented emergency protocols, hyaluronidase on-site for filler practices, and an emergency response SOP that staff have actually trained on.
Advertising Complaints (Deceptive Claims, Ghost-Written Testimonials, Before/After Misuse)
Advertising complaints are an underrated trigger. The Federal Trade Commission, state attorneys general, and state medical boards all accept complaints about deceptive medical advertising, and competitors file these complaints far more often than operators realize. A complaint citing a "board-certified" claim that does not match the practitioner's actual certification, a before/after photo posted without patient consent, a paid Instagram testimonial without an FTC-required disclosure, or a guaranteed-outcome claim can pull both the FTC and the state medical board into the same investigation. See our compliance violations guide for the full taxonomy of advertising-related citations.
Anonymous Tip from a Competitor or Former Staff Member
Anonymous tips are real, common, and almost always specific. A former injector who was fired, a former front-desk employee who saw what was happening behind the scenes, or a competitor who knows exactly which medical assistants are injecting can file a tip with the state board through a confidential complaint mechanism. These tips are unusually high-quality from the board's perspective because the tipster knows the practice from the inside — they can name the medical assistant, the day of the week injections happen, and where the controlled-substance log is (or is not) kept.
The defense against anonymous tips is the same defense against every other trigger: do not run an operation that creates the source material for a credible tip. Document everything. Treat every staff exit as a potential future complaint and audit the documentation accordingly.
Cross-Jurisdiction Referrals (DEA → State, FTC → State, AG Complaint Pipeline)
Investigations often start in one agency and migrate. A DEA diversion review of a controlled-substance ordering pattern can be referred to the state board of pharmacy, which can then refer to the state medical board if the prescriber's behavior is in question. An FTC advertising investigation into a chain of weight-loss telehealth shops can refer to state attorneys general, who can refer to state medical boards. The state AG complaint pipeline is increasingly active around GLP-1 telehealth, IV therapy chains, and influencer-driven advertising. Multiple agencies asking similar questions about the same practice is a worse problem than any single inspection — the documents either align across agencies or they do not.
Routine Inspection Cycles for Facility-Licensed Practices (Article 28 in NY, AHCA in FL)
Some practices operate as facility-licensed entities and are subject to routine inspection cycles regardless of complaints. New York's Article 28 facilities are inspected on regular cycles by the New York Department of Health. Florida's office surgery practices and certain ambulatory care facilities are inspected by the Agency for Health Care Administration (AHCA). Texas Class IV laser facilities register with the Texas Department of State Health Services and are subject to its inspection regime. For practices in this category, inspections are not triggered — they are scheduled. See our deeper guides on Florida AHCA inspection, the Florida AHCA inspection guide, Florida DOH inspection prep, and Texas DSHS inspection patterns.
Who Actually Inspects Med Spas
"State board inspection" is shorthand for what is actually a layered set of authorities, each with their own statutory scope, document requests, and enforcement priorities. The same med spa can plausibly be inspected by half a dozen different agencies in a given year. Knowing who does what — and what each one can and cannot legally request — is half of preparing.
State Medical Boards (TMB, MBC, OPMC, GCMB, AMB)
State medical boards are the primary regulator of physician practice and, by extension, the medical director arrangement that makes a med spa a med spa. The Texas Medical Board, California Medical Board, New York Office of Professional Medical Conduct, Georgia Composite Medical Board, and Arizona Medical Board all enforce against improper supervision arrangements, scope-of-practice violations by mid-level providers, ghost medical directors, and the unlicensed practice of medicine. Their inspectors examine the medical director agreement, supervision logs, signed standing orders, and patient charts for evidence of physician engagement. The Federation of State Medical Boards publishes member directories and policy comparisons that cover all 50 boards.
State Boards of Nursing — RN/NP Delegation
State boards of nursing have parallel authority over RNs, NPs, and LVNs/LPNs working at the practice. Their concerns center on whether the nurse's actions fall within scope, whether collaborative or supervisory agreements (where required) are current and properly executed, and whether RNs are being asked to perform tasks that should be performed by a prescriber. Nursing boards investigate nurses individually as well as the practices that direct their work — a single RN who injects without a physician's prior good-faith exam can find herself on the discipline list while the practice itself faces a separate medical board complaint.
State Boards of Pharmacy — Controlled Substances, Compounding, Drug Logs
The state board of pharmacy regulates controlled-substance handling, drug ordering, expired-drug logs, compounding, and the relationship between the practice and any compounding pharmacy supplying it. For med spas, pharmacy board scrutiny has intensified post-2024 around compounded GLP-1s, peptides, and IV-therapy ingredients. A controlled-substance audit can be triggered by an unusual ordering pattern — a sudden spike in semaglutide orders, for example — and is often coordinated between the state pharmacy board and the DEA.
State DOH and Facility-Licensure Agencies (FL AHCA, NY DOH, TX DSHS for Laser Facilities)
State health departments inspect facility-licensed practices. Florida AHCA inspects office surgery practices and certain ambulatory facilities. New York DOH inspects Article 28 facilities. Texas DSHS regulates and inspects Class IV laser facilities. These inspections tend to be more checklist-oriented — physical plant requirements, signage, sharps containers, sterilization logs, and emergency drug stocking — but the same inspector can refer findings to the medical board if scope-of-practice violations surface during the visit.
OSHA — Bloodborne Pathogens, Sharps, Laser Safety
OSHA jurisdiction over med spas is the most-overlooked inspection authority in the industry. OSHA's Bloodborne Pathogens Standard (29 CFR 1910.1030), Hazard Communication Standard, and laser safety guidelines all apply, and OSHA inspections are typically complaint-driven by current or former employees. Common OSHA findings at med spas include missing exposure control plans, undocumented bloodborne pathogen training, inadequate sharps containers, missing eyewash stations near chemical peels, and absent laser safety officer designations.
DEA — Controlled-Substance Audits
The DEA inspects practices that hold a DEA registration and store controlled substances. For med spas, this most often means lidocaine with epinephrine for procedures, ketamine for procedural sedation in some IV-therapy practices, and benzodiazepines or opioids for pain management. DEA inspectors examine the controlled-substance log, ordering records, biennial inventory, prescription pads (where applicable), and physical security. Diversion — a staff member taking controlled substances for personal use or resale — is a common finding and frequently triggers parallel state board action.
FTC — Advertising and Endorsement Enforcement
The Federal Trade Commission enforces against deceptive advertising, including unsupported medical claims, missing endorsement disclosures, and misuse of testimonials. The FTC does not "inspect" med spas in the on-site sense, but it issues civil investigative demands, consent orders, and substantial monetary penalties. FTC enforcement against influencer-disclosure violations, unsupported weight-loss claims (especially around GLP-1 telehealth shops), and the misuse of patient before/after photos has accelerated through 2024 and 2025.
State Attorney General — Consumer-Protection Actions
State attorneys general bring consumer-protection actions under state Unfair and Deceptive Acts and Practices (UDAP) statutes. A growing share of med spa enforcement, especially against multi-state telehealth chains, comes from coordinated AG actions rather than from medical boards. AG settlements typically include monetary penalties, injunctive relief, and sometimes a referral back to the state medical board for licensure consequences against the named physicians.
State-by-State Inspection Authorities
The table below maps the eight highest-volume states to their primary inspection bodies, the trigger thresholds typical of each, and the in-state hub where you can find the deeper compliance picture. Use it as a reference, not as a replacement for confirming current authorities with your state board.
| State | Primary Inspection Body | Trigger Threshold | Typical Scope | Hub Link |
|---|---|---|---|---|
| California | California Medical Board (MBC); Cal/OSHA; Board of Registered Nursing | Complaint-driven; active enforcement against ghost medical directors and improper compensation | Medical director agreement, supervision logs, RN standardized procedures, advertising | California hub |
| Florida | FL Department of Health; AHCA for facility-licensed offices; Board of Medicine | Routine cycles for AHCA-licensed; complaint-driven for Board of Medicine | Office surgery levels, GLP-1 prescribing, ARNP collaborative agreements, sharps and emergency drug stocking | Florida hub |
| Texas | Texas Medical Board (TMB) plus DSHS for Class IV laser facilities | Complaint-driven plus mandatory DSHS registration cycles for laser facilities | Physician delegation, Laser Safety Officer, facility registration, supervision documentation | Texas hub |
| New York | NY Office of Professional Medical Conduct (OPMC); NY DOH for Article 28 facilities | OPMC complaint-driven; DOH routine cycles for Article 28 | CPOM ownership structure, NP 3,600-hour status, fee-splitting, advertising | New York hub |
| Georgia | Georgia Composite Medical Board (GCMB); GA Drugs and Narcotics Agency (GDNA) | Complaint-driven; GDNA active around controlled-substance handling | NP protocol agreements, delegation orders, controlled-substance logs, advertising | Georgia hub |
| Arizona | Arizona Medical Board (AMB); AZ Board of Nursing for NPs in independent practice | Complaint-driven; lighter-touch but real around adverse events | Independent NP scope, laser safety, advertising, GLP-1 prescribing | Arizona hub |
| Illinois | Illinois Department of Financial and Professional Regulation (IDFPR) | Complaint-driven; coordinated investigations across Medical Disciplinary Board and Nursing Board | Physician supervision, delegation protocols, advertising, controlled substances | IDFPR |
| Colorado | Colorado Department of Regulatory Agencies (DORA); Division of Professions and Occupations (DPO) | Complaint-driven; NP independent practice creates direct nurse-board accountability | NP independent practice scope, prescribing, advertising, laser safety | CO DPO |
For the deeper regulatory picture beneath each row, our state-by-state regulations reference covers CPOM, medical director rules, scope of practice, GLP-1, laser, and advertising for each of the eight states above.
The 7 Documents Inspectors Ask for First
Inspectors are remarkably consistent about what they ask for in the first ten minutes. The exact phrasing varies, but the seven documents below are the universal opening request across nearly every state and inspector type. Pre-build a binder (or a labeled digital folder) that puts each one within arm's reach. The single largest difference between an inspection that ends in a clean bill of health and one that ends in a Statement of Deficiencies is whether the operator can hand over these seven documents in fifteen minutes or has to dig.
1. Medical Director Agreement (Signed, Current, Fair-Market-Value Compensation, Supervision Schedule)
The medical director agreement is the foundational document of the entire practice. Inspectors look for a written, signed, dated agreement currently in force; defined supervision activities (chart review cadence, on-site visits, signed protocols); compensation that is fair-market-value and not tied to revenue or volume; and a clear scope of clinical authority. What raises follow-up scrutiny: an agreement with no defined supervision activities, compensation that suggests fee-splitting, or a medical director licensed only out-of-state. See our medical director requirements pillar and the state-specific deep dives for California, New York, Georgia, and Arizona.
2. Facility License / State Registration (Where Applicable — Article 28 NY, AHCA FL, etc.)
Practices that require a facility license or state registration must produce the current certificate. New York Article 28 facilities, Florida AHCA-licensed offices, Texas Class IV laser facility registrations, and any state-level office-surgery registrations should be posted in the practice and immediately producible on request. An expired facility license is its own discrete violation regardless of what else the inspector finds.
3. Staff License Verification (Current, In-State, Scope-Appropriate)
Every clinical staff member's license should be verified as current, in-state, and appropriate to the role they perform. The verification packet usually includes a print of the state board's online license lookup, a copy of the wallet card, and a copy of any required certifications (CPR/BLS, laser safety training, etc.). Common failure modes: an out-of-state RN who moved without obtaining the in-state license, a CME-lapsed physician, or a medical assistant whose role at the practice exceeds the scope of an unlicensed assistive person under state law.
4. Treatment Protocols and Standing Orders (Signed by Medical Director, Date-Stamped)
Treatment protocols and standing orders must be signed by the medical director, dated, and current to the procedures the practice actually performs. A standing order for "neuromodulator injection" that does not mention the specific procedure being performed, or a Botox protocol from 2021 that has not been re-signed in three years, will both draw follow-up questions. Inspectors look for alignment between the procedures performed and the procedures authorized — a practice that started offering microneedling-with-PRP last year but never updated the protocols has a problem.
5. Patient Chart Sample (Random Pull — They'll Usually Request 5–10 Charts)
Inspectors typically request a random sample of five to ten patient charts. Sometimes they ask by date range ("show me all GLP-1 starts from the last six weeks"), sometimes by procedure ("pull me five filler charts"), and sometimes by patient name from a specific complaint. The next section covers what the inspector actually examines inside the chart, but the first-look question is always whether the charts can be produced quickly and contain a recognizable structure.
6. Advertising Materials (Website, Instagram, Paid Ads, Before/After Photos with Consent)
Inspectors increasingly look at the practice's public-facing advertising. Bring a printout of the website's homepage, services page, and provider bios; a recent month of Instagram and TikTok posts; any paid Google or Meta ad creative; and the patient consent forms covering the use of before/after photos. Common findings: provider bios overstating credentials, before/after photos used without HIPAA-compliant consent, paid testimonials missing FTC disclosure, and unsupported guaranteed-outcome claims.
7. DEA Registration + State Controlled-Substance Registrations (GDNA in GA, Others)
If the practice stores controlled substances or has prescribers with DEA registrations, the DEA registration certificate, any state-level controlled-substance registrations (Georgia's GDNA registration is a frequent example), the controlled-substance log, the biennial inventory, and the storage area itself are all subject to inspection. State pharmacy boards and the DEA frequently inspect this category jointly.
Our Operations & Compliance Kit includes a Medical Director Agreement template, supervision protocols, chart-review logs, and the inspection-ready binder checklist — written for state board review and ready to customize.
View Operations KitWhat Inspectors Actually Examine in a Chart Review
The chart review is where most disciplinary findings actually originate. The first-look documents either exist or they do not, but the chart is where the inspector can see whether the documents describe what is actually happening in the treatment room. Across nearly every state board, the chart review concentrates on the same seven elements.
Initial Assessment Quality and Completeness
The initial patient assessment should include relevant medical history, medication list, allergies, contraindications, prior aesthetic history, and a documented treatment plan. Templated assessments that do not differ patient-to-patient suggest the assessment was not actually performed. Good charts include patient-specific narrative — what the patient asked for, what was discussed, what was contraindicated, and why.
Good-Faith Examination Documentation (the Universal Must-Have)
The good-faith examination is the universal pivot point of med spa chart review. Every state requires a prescriber-level evaluation before treatment, even when the actual injection or procedure is performed by an RN under standing orders. Inspectors look for: who performed the GFE, when (before treatment, not after), how (in-person or — where permitted — synchronous telehealth), and whether the documentation reflects an actual clinical evaluation or a checkbox. Missing or perfunctory good-faith exams are the single most common citation in chart-driven enforcement actions.
Informed Consent Depth (Procedure-Specific, Signed, Dated)
Informed consent should be procedure-specific (a generic "aesthetic services" consent is not adequate for an injectable procedure), signed by the patient, dated, and matched to the actual procedure performed. Consent forms should describe the procedure, the alternatives, the material risks, and the expected outcomes. For GLP-1 prescribing, IV therapy, and laser procedures, expect inspectors to look for procedure-specific risk language tied to the specific drug or device used.
Standing-Order Alignment (Procedure Performed Matches What's Authorized)
The standing order or protocol must actually authorize the procedure performed. An RN injecting a filler product not named in the standing order, a practice performing microneedling-with-PRP under a microneedling-only protocol, or a GLP-1 dose escalation that exceeds the protocol's authorized range all create chart findings. Inspectors compare what the chart says was done with what the standing order authorizes — and the gap, when there is one, is the citation.
Adverse Event Documentation and Follow-Up
Any adverse event — bruising, vascular event, allergic reaction, infection, paresthesia, asymmetry — should be documented in the chart, with the response, the follow-up plan, and any required reporting. Inspectors look for a pattern: is the practice documenting events at the rate the literature would predict? Charts that show zero adverse events across hundreds of injections are themselves a flag, because they suggest documentation is being suppressed rather than that the practice is performing miraculously.
Refill Criteria and Follow-Up Cadence (Especially GLP-1)
For ongoing therapies — GLP-1 prescribing, hormone therapy, IV therapy maintenance — the chart should show refill criteria, follow-up cadence, and ongoing assessment. A patient on a GLP-1 for nine months whose chart contains one initial assessment and eight refills is the kind of finding that pulls the medical board, the pharmacy board, and the DEA into the same investigation. See our GLP-1 compliance guide for the documentation standard inspectors increasingly expect.
Photo Documentation and HIPAA Compliance for Media Use
Patient photos in the chart should be properly stored (HIPAA-compliant systems, not personal phones), and any photo used for marketing should be backed by a separate, signed media-release consent. Inspectors look for both halves: clinical photos in the chart, and media-release consents in the marketing file. A before/after on Instagram with no corresponding consent in the patient file is its own discrete finding.
The 12 Most-Cited Violations Across States
Across the state boards we track most closely, twelve violations recur with notable consistency. The penalty range below is illustrative, not predictive; actual penalties vary widely by state, prior history, and the specific facts of the case.
1. Ghost Medical Director (Paper-Only, No Actual Oversight)
The single most common violation. The medical director agreement exists, the compensation is paid, but no chart review, no signed protocols current to actual practice, and no documented availability — sometimes the medical director has not visited the facility in years. Most aggressive enforcement: California MBC, New York OPMC, Texas TMB. Penalty range: $5,000–$50,000+ per violation, license suspension for the named physician, and practice closure orders are not unusual.
2. Unlicensed Practice of Medicine (Medical Assistants Injecting)
Medical assistants performing injections is the violation that most often triggers a criminal referral in addition to civil and administrative penalties. Most aggressive enforcement: Texas TMB, California MBC. Penalty range: substantial civil penalties plus potential criminal prosecution for unlicensed practice of medicine. See our national who-can-inject pillar and the state-specific guides for California, New York, Georgia, and Arizona.
3. Inadequate Good-Faith Exam Before Treatment
Treatment performed without a documented prescriber-level good-faith examination, or with a perfunctory exam that does not reflect actual clinical evaluation. Most aggressive enforcement: every state board examines this on chart review. Penalty range: $1,000–$10,000 per violation, often multiplied across the chart sample.
4. RN Injecting Without Prescriber's Prior Assessment
An RN administering an injectable without a documented prior assessment by a prescriber. Distinct from but often paired with violation #3. Most aggressive enforcement: California MBC, Florida Board of Medicine, Texas TMB. Penalty range: $1,000–$10,000 per chart, with separate findings against the RN through the nursing board.
5. Fee-Splitting / Kickback Arrangements with Referral Sources
Compensation arrangements that pay non-physicians for medical referrals or that tie medical director compensation to revenue. Most aggressive enforcement: New York OPMC, California MBC, Texas TMB. Penalty range: highly variable, but enforcement actions have included permanent license revocation in egregious cases.
6. Unsupervised Laser Operation by Unqualified Staff
Class IV laser procedures performed without required physician oversight, by staff who have not completed required training, or in facilities that have not registered where registration is required (Texas DSHS in particular). Most aggressive enforcement: Texas DSHS and TMB. Penalty range: facility-level fines plus individual provider discipline.
7. Deceptive Advertising (False Credentials, Before/After Misuse, Ghost Testimonials)
"Board-certified" claims that do not match actual board certification, before/after photos used without consent, paid testimonials missing FTC-required disclosures, and unsupported outcome claims. Most aggressive enforcement: FTC at the federal level; New York and California state boards have layered on top of the FTC floor. Penalty range: FTC consent orders can include seven-figure monetary penalties.
8. GLP-1 Overprescribing Without Good-Faith Exam
The 2024–2026 enforcement wave around telehealth GLP-1 prescribing has produced a steady stream of disciplinary actions. The pattern is consistent: minimal initial assessment, no follow-up, refills that exceed protocol, and prescribing volumes inconsistent with a defensible patient population. Most aggressive enforcement: Texas TMB, Florida Board of Medicine, multiple state attorneys general. Penalty range: license suspension and revocation in serious cases.
9. Compounded Peptide Stocking Outside FDA Shortage / Patient-Specific Rx Rules
Stocking compounded semaglutide or tirzepatide post-delisting, or stocking other peptides outside the patient-specific prescription framework. The FDA delisted compounded semaglutide in February 2025 and tirzepatide in October 2024; state pharmacy boards have followed with active enforcement. Most aggressive enforcement: state boards of pharmacy in coordination with the DEA.
10. Inadequate Physician Availability ("Immediately Reachable" Violations)
Many states require the medical director or supervising physician to be "immediately available" or "reachable" during operating hours. Practices where the medical director is in a different time zone, on a long flight, or unreachable for routine clinical questions during open hours fall short of this standard. Most aggressive enforcement: New York OPMC, California MBC. Penalty range: practice-level findings plus individual physician discipline.
11. Out-of-State Physician Serving as Medical Director
The medical director must hold an active license in the state where the practice operates. Out-of-state physicians cannot serve, even temporarily, even with a Compact license unless the Compact license has been activated for the specific state. Most aggressive enforcement: Texas TMB, New York OPMC. Penalty range: practice closure, retroactive findings against every chart performed under the improper arrangement.
12. Standing Orders Too Broad to Authorize the Actual Treatment Performed
Standing orders that authorize "injectables" generically rather than specifying the products, the doses, the contraindications, and the patient population. Most aggressive enforcement: California MBC, New York OPMC. Penalty range: chart-by-chart citation across the sample. Also see our why med spas get shut down for the closure-level case patterns.
Announced vs Unannounced Inspections — What to Expect
Whether an inspection is announced or unannounced shapes everything from staff demeanor to the specific document the inspector will ask for first. Both happen. A med spa with a meaningful operational footprint should be prepared for both.
Announced (Typical for Facility-Licensed Practices, Scheduled Cycles)
Routine inspections of facility-licensed practices are typically scheduled. New York DOH inspections of Article 28 facilities, Florida AHCA inspections of office surgery practices, and Texas DSHS inspections of registered laser facilities all come with advance notice — sometimes a date range, sometimes a specific date. The notice creates a prep window. Use it: walk the binder, run a mock chart review, brief staff, and confirm the medical director's availability for any inspector questions.
Unannounced (Complaint-Driven): They Show Up, You Must Allow Access
Complaint-driven inspections by the medical board, board of nursing, board of pharmacy, OSHA, or DEA can arrive without notice. The inspector presents credentials at the front desk, identifies the agency they represent, and begins the inspection. Refusing access is itself a violation — and an uncooperative reception turns a routine inquiry into an enforcement matter before the inspector has seen a single chart. Train front-desk staff on the verification protocol: ask for credentials, note the badge number and agency, and immediately notify the practice owner and the medical director.
What NOT to Do During an Unannounced Inspection
- Do not refuse access. The inspector is acting under statutory authority. Refusing turns a documents review into a refusal-to-cooperate finding.
- Do not destroy or alter records. This is its own criminal exposure in many states, and inspectors are trained to detect alteration. The chart you have is the chart you have.
- Do not answer substantive questions without counsel. Logistical questions ("where is the chart room?") are fine. Substantive questions about the medical director arrangement, the supervision pattern, or specific patients should wait for legal guidance.
- Do not make admissions on the record. Anything said to the inspector becomes part of the record. "We've been meaning to update those protocols" is, in writing, an admission that the protocols are out of date.
The 30-Day, 7-Day, and 24-Hour Preparation Checklist
Operators who pass inspections cleanly do not prepare in the 24 hours before the visit — they prepare in the 30 days before, the 7 days before, and then again on the morning of. The checklist below is a condensed version of the preparation rhythm we recommend. The detailed in-state versions live in the state-specific compliance checklists below.
30 Days Out — Full Self-Audit
- Run a self-audit against the seven first-look documents. Each one should be producible in under fifteen minutes.
- Verify every staff member's license through the state board's online lookup. Print and file the verification page.
- Pull a random sample of ten patient charts and walk them through the seven chart-review elements yourself. Document gaps and remediate them.
- Confirm the medical director agreement is current, signed, dated, and that supervision activity (chart review log, signed protocols) is documented in the past 90 days.
- Walk every public-facing surface — website, Instagram, paid ads, provider bios. Verify credentials are stated correctly and before/after photos have corresponding consents.
- Run a mock chart review using the state-specific compliance checklist for your jurisdiction: California, New York, Georgia, Arizona, and Florida.
7 Days Out — Final Binder Check
- Final check of the binder. Tab the seven first-look documents in order. Confirm digital backups are accessible.
- Brief clinical and front-desk staff on inspector etiquette: how to verify credentials, who to notify, what not to volunteer.
- Confirm the medical director will be available by phone or in person during inspection windows.
- Verify required postings: license certificates, OSHA poster, patient rights, complaint contact information.
- Confirm the controlled-substance log is current to the day, and the biennial inventory is filed.
- Walk the physical plant with the lens of an OSHA inspector: sharps containers below fill line, eyewash stations functional, MSDS sheets accessible.
24 Hours / Morning Of — Physical Walkthrough
- Check sharps containers — none above the fill line.
- MSDS / Safety Data Sheets accessible in a labeled binder.
- Computers logged off when stations are unattended.
- Fridge temperatures logged for the day; thermometer present and functional.
- Crash cart / emergency kit current; epinephrine, hyaluronidase (filler practices), and any state-required emergency drugs in date.
- Required signage posted and legible.
- Treatment rooms clean, draped, with no expired products on counters or in drawers.
What Happens During the Inspection Day Itself
The choreography of an inspection is more predictable than most operators expect. Walking through the typical sequence in advance turns a stressful unknown into a procedural exercise.
Arrival. The inspector arrives at the front desk and presents credentials. Front-desk staff verify identity, note the agency and badge number, and notify the practice owner and medical director. The inspector is offered a meeting space.
ID check and opening conference. The inspector states the purpose of the visit, the authorizing statute, and any complaint or warrant if applicable. The owner or designated representative meets the inspector, confirms the scope, and asks any clarifying questions. This is the moment to call your healthcare regulatory attorney if the visit is complaint-driven or unannounced.
Records request. The inspector requests the seven first-look documents and any additional materials specific to the inspection scope. A pre-built binder makes this step uneventful; a scramble for documents creates a tone the inspector will remember.
Facility tour. The inspector walks the practice — treatment rooms, drug storage, sharps disposal, sterilization area, waiting room, signage. Tours are typically narrated; staff should answer factual questions truthfully and avoid speculation.
Staff interviews. Inspectors frequently interview clinical staff individually. Staff should answer truthfully, stick to factual answers, decline to speculate, and refer policy questions to the medical director or counsel.
Exit conference. Most inspections close with an exit conference summarizing observations and any preliminary findings. The exit conference is the operator's first preview of what will appear in the written report. Take notes; do not argue. Agreement and disagreement can both be documented in the formal response.
Written notice / Statement of Deficiencies. The formal written findings typically arrive days or weeks after the on-site visit. The response window — usually 20 to 30 days — runs from the date of the written notice, not the date of the on-site inspection.
What Happens After — and Your Response Window
The on-site visit is the visible part of the inspection. The actual stakes — and the bulk of the work — are in what follows.
Statement of Deficiencies / Cease-and-Desist Letters (Typical 20–30 Day Response Window)
A Statement of Deficiencies enumerates findings, cites the regulatory basis for each, and demands a written plan of correction within a defined window — typically 20 to 30 days. Cease-and-desist letters are similar in form but more aggressive in tone, often requiring the practice to halt specific activities pending further review. Treat the deadline as fixed; missing it converts the matter from a corrective action into an enforcement action.
Consent Orders and Stipulated Agreements
Many cases resolve through consent orders or stipulated agreements: the practice or named individual agrees to specific corrective actions, monetary penalties, and sometimes monitoring or probation, in exchange for closing the matter without a contested hearing. Consent orders are public record in most states and appear on the named physician's public discipline file for years.
Disciplinary Action — Public Discipline, License Suspension, License Revocation
Formal disciplinary action ranges from public reprimand through license suspension to license revocation. Discipline against the named physician is typically published on the state board's public discipline page; the practice itself may be ordered to cease operations, restructure ownership, or operate under monitoring.
Civil Penalties and Fines (Typical Ranges $1K–$50K+ per Violation, Varies by State)
Monetary penalties are common and accumulate quickly. A single chart review that finds inadequate good-faith exams across five charts can produce five separate findings, each carrying its own penalty. Cumulative penalties in the six figures are not unusual in serious cases; multi-state telehealth enforcement has produced settlements in the seven and eight figures.
Criminal Referral (Unlicensed Practice of Medicine — This Happens for MA-Injection Cases)
Cases involving unlicensed practice of medicine — most often medical assistants performing injections — are increasingly referred for criminal prosecution. Conviction can result in incarceration in addition to civil and administrative penalties. The HHS Office of Inspector General tracks federal-level fraud actions, and state attorneys general handle most criminal referrals in this category.
When to Retain Healthcare Regulatory Counsel
The threshold is simple: any complaint that becomes a board investigation should be handled with healthcare regulatory counsel from the first written request. Counsel costs less than the disciplinary record that results from unguarded responses, and the marginal protection of a single phone call before substantive questioning is the highest-leverage moment in the entire process. A med spa generating meaningful revenue should have a healthcare regulatory attorney on retainer before the first inspection, not the day of.
2026 Enforcement Trends to Watch
The enforcement landscape in 2026 reflects three years of accelerating activity around the categories that boomed during 2022–2024. Operators who understand the trend lines can prioritize the documentation that matters most.
GLP-1 Overprescribing Crackdowns (Telehealth Shops in Particular)
The state board response to the GLP-1 telehealth boom is now in full swing. Texas TMB, Florida Board of Medicine, and multiple state attorneys general have brought enforcement actions against telehealth shops with minimal patient assessments and refill-driven prescribing patterns. Expect this to intensify through 2026.
Compounded Peptide Enforcement Post-FDA Shortage Delisting
The FDA delisted compounded semaglutide in February 2025 and tirzepatide in October 2024. State pharmacy boards and the DEA are actively enforcing against practices still stocking compounded GLP-1s outside the narrow patient-specific prescription pathway. The GLP-1 compliance pillar covers the current rules in detail.
FTC Ad Enforcement (Influencer Disclosure, Testimonials, Weight-Loss Claims)
FTC ad enforcement has expanded around influencer disclosure violations and weight-loss claims that the practice cannot substantiate. Expect more consent orders against named providers and named practices, and parallel state-level actions against the same advertising.
State AG Actions Targeting Telehealth Med Spa Chains
State attorneys general have emerged as a coordinated enforcement layer against multi-state telehealth operations. Multi-state AG actions can produce monetary settlements, injunctive relief, and referrals to state medical boards in every state of operation simultaneously.
NP Scope-of-Practice Expansions Altering Inspection Focus State-by-State
NP scope-of-practice continues to expand in some states (Colorado and Arizona have full practice authority; California's AB-890 created an independent NP pathway) while remaining restrictive in others (Florida, Texas, Georgia). Inspection focus follows: in independent-practice states, nursing boards take a larger share of enforcement; in collaborative-agreement states, the medical board remains the dominant inspector. The regulations-by-state reference tracks the current map.
How to Pass — The Operator's Pre-Inspection Self-Audit
Every operator we have worked with who passes inspections cleanly does the same thing: they self-audit on a recurring schedule, against a checklist that mirrors the inspector's checklist. The checklist does not need to be elaborate; it needs to be honest. The 35-Point Practice Readiness Audit we publish for free covers the same ground an inspector covers — the seven first-look documents, the chart review elements, OSHA and DEA postings, and the advertising surface — and produces a binder that maps directly to what an inspector will request.
The audit is available free as part of our email signup; if you have not run it in the last six months, run it this quarter. The cost is a quiet afternoon. The cost of skipping it is, eventually, the inspection you do not pass. For the operator-level cost picture of running a compliant practice, our cost-to-open guide includes the compliance line items most operators undercount.
How to Use This Guide
This guide is the national pillar. It pairs with — and links into — the deeper, in-state material we maintain across our six state hubs and four sister pillars.
- State hubs: California, Florida, Texas, New York, Georgia, and Arizona.
- National pillars: the regulations-by-state reference, who can inject Botox, cost to open a med spa, and the GLP-1 compliance pillar.
- Topic-level posts: compliance violations, why med spas get shut down, and medical director requirements.
Summary — 8 Actionable Takeaways
- Build the binder before the knock. The seven first-look documents — medical director agreement, facility license, staff license verification, protocols, chart sample, advertising file, DEA registration — should be producible within fifteen minutes.
- Treat the medical director arrangement as the foundation. Ghost director findings are the most common citation across every state board. Document chart review, signed protocols, and availability monthly, not annually.
- Run a quarterly mock chart review. Pull ten random charts and walk them through the seven chart-review elements an inspector uses. Remediate gaps before the inspector finds them.
- Prepare for both announced and unannounced visits. Scheduled facility inspections give a prep window; complaint-driven medical board, OSHA, and DEA inspections do not.
- Train front-desk staff on inspector etiquette. Verify credentials, notify ownership, offer a workspace, and never refuse access to a properly identified inspector.
- Have a healthcare regulatory attorney on retainer. The first call you make on the day of an unannounced inspection should be to counsel — not after the inspector leaves.
- Treat the response window as fixed. 20 to 30 days from the written notice. Missing the deadline turns a corrective action into an enforcement action.
- Run a 35-point self-audit at least annually. The cheapest insurance against a state board investigation is a recurring honest audit that mirrors the inspector's checklist.
Frequently Asked Questions
Can a state medical board inspect my med spa without warning? + −
Yes. Most state medical boards have statutory authority to conduct unannounced inspections when an investigation is open or when a complaint has been filed. Routine inspections of facility-licensed practices (such as Article 28 facilities in New York or AHCA-licensed offices in Florida) are typically scheduled, but complaint-driven inspections by the medical board, board of nursing, board of pharmacy, or DEA can occur with no advance notice. Refusing access to a properly identified inspector with statutory authority is itself grounds for additional disciplinary action.
What records can state inspectors legally request? + −
Inspectors can typically request any record connected to medical practice or facility operation: the medical director agreement, staff license verification, treatment protocols, standing orders, patient charts (with PHI accommodations), advertising materials, drug logs, sharps and waste disposal records, fridge temperature logs, OSHA bloodborne pathogen training records, and DEA documentation if controlled substances are stored. The exact scope is set by the inspector's authorizing statute, but in practice the request is broad. Refusing to produce records the inspector is legally entitled to is its own violation.
Do I have to let an inspector into my facility? + −
If the inspector presents credentials and is acting under their statutory authority, yes — refusing access is itself grounds for disciplinary action and can convert a routine inspection into an enforcement matter. You should verify the inspector's identity and the agency they represent, ask for a copy of any complaint or warrant if applicable, and request a moment to call your healthcare regulatory counsel before substantive questioning begins. You do not, however, have a right to deny lawful entry.
What is the most common reason med spas get cited? + −
The most common citation across nearly every state board is inadequate physician oversight — sometimes called the ghost medical director problem. The agreement exists on paper, but the medical director cannot demonstrate active chart review, signed protocols, accessible availability, or any meaningful clinical engagement. Closely related citations include unlicensed practice of medicine (medical assistants injecting), missing or inadequate good-faith examinations, and improperly broad standing orders that do not actually authorize the procedures being performed.
Can patients trigger a state board investigation of my med spa? + −
Yes — patient complaints are the single largest source of state board investigations. Most state medical boards accept complaints through an online portal, and a complaint that alleges a poor outcome, deceptive advertising, or scope-of-practice concerns will generate at least a preliminary review. Many investigations begin with what looks like a routine refund dispute and escalate once the board pulls the chart and finds documentation gaps. Maintaining clean documentation and resolving patient concerns before they reach the board is the cheapest form of inspection insurance.
How long does a med spa inspection typically take? + −
A typical complaint-driven inspection runs three to six hours on-site, though complex investigations can extend across multiple days. Routine facility inspections of AHCA-licensed offices in Florida or Article 28 facilities in New York may take a full day, including a tour, interviews, records review, and an exit conference. Records review and follow-up correspondence often continues for weeks after the on-site visit. Plan staff coverage assuming the inspector will be on-site until at least mid-afternoon.
Should I have an attorney during a state board inspection? + −
For routine, scheduled facility inspections you usually do not need counsel on-site, though you should have a healthcare regulatory attorney on retainer who you can call. For complaint-driven or unannounced inspections — and especially anything involving the medical board, DEA, board of pharmacy, or the state attorney general — you should call counsel immediately. Even a few minutes of legal guidance before substantive questioning can prevent the kind of unguarded statements that create the bulk of the eventual disciplinary record.
What happens if my med spa fails an inspection? + −
Failure usually arrives as a Statement of Deficiencies or a cease-and-desist letter with a defined response window — typically 20 to 30 days. You will be required to submit a written plan of correction, and the board may impose civil penalties, require remedial training, place practitioners on probation, suspend or revoke licenses, or refer the matter for criminal prosecution if unlicensed practice of medicine is involved. Consent orders and stipulated agreements are common resolutions; outright license revocation is reserved for the most serious or repeat violations.
This guide is informational and not legal advice. Inspection authorities, response windows, and penalty ranges vary by state and change over time. Confirm current requirements with your state board and a licensed healthcare regulatory attorney in your jurisdiction before relying on any specific procedure described above.