Med Spa Policy and Procedure Manual: Complete Requirements Guide (2026)
Everything your med spa policy and procedure manual must include — from clinical SOPs to HIPAA compliance, staff training, and emergency protocols. Plus the fastest way to get fully compliant.
A med spa policy and procedure manual (also called a P&P manual or SOP library) is the complete written system that governs how your practice operates clinically, safely, and legally. It includes a standard operating procedure (SOP) for every treatment you perform, plus policies covering emergencies, patient consent, HIPAA, staff training, medical director oversight, and more. Without one, you cannot safely open — and in most states, you cannot legally operate.
This guide covers exactly what goes in a med spa P&P manual, what the real regulatory requirements are (with specific references to AHCA, OSHA, HIPAA, and state medical boards), and how to build a compliant documentation system without spending 200 hours writing from scratch.
- Required by: State medical boards, AHCA (Florida), OSHA, HIPAA, and malpractice insurers
- Must-have sections: 7 core areas covering clinical SOPs, emergencies, consent, HIPAA, training, medical director, and equipment
- How many SOPs: 8–62 depending on services offered
- Who must sign: Your Medical Director (licensed physician) must review and sign all clinical protocols
- Time to write from scratch: 100–200+ hours. Pre-written kits: ready in a day.
Why Does Every Med Spa Need a Written P&P Manual?
Med spas operate in a unique regulatory space: you're running a business that provides medical procedures. That means the standards applied to physician offices and outpatient medical clinics apply to you — even if your treatments feel more like luxury wellness than medicine.
Here's what's actually at stake:
Liability and Malpractice
When a patient sues following an adverse event — a burn from a laser, a vascular occlusion from filler, an allergic reaction to a topical — one of the first things their attorney requests in discovery is your policy and procedure manual. If you don't have one, or if it's incomplete, that absence becomes evidence of negligence. Plaintiff attorneys use the lack of written protocols to establish that your practice did not meet the standard of care. The existence of a comprehensive, physician-signed P&P manual is one of the strongest defenses your practice has.
Regulatory Inspections and Licensing
In Florida, the Agency for Health Care Administration (AHCA) has authority to inspect medical facilities — including med spas operating as medical clinics. Written protocols are explicitly required for specific procedures under Florida Administrative Code. Inspectors can cite practices for operating without documentation, resulting in fines, corrective action plans, or suspension of the facility's ability to practice. Other states have equivalent agencies with similar authority.
Malpractice Insurance Underwriting
More malpractice carriers are now asking prospective clients — particularly aesthetics practices — to submit sample protocols during the underwriting process. Practices without written SOPs may be declined, rated higher, or have exclusions added to their policy. The absence of written protocols can also void coverage after an incident if the insurer can demonstrate no standards were in place at the time of the claim.
Staff Consistency and Training
A P&P manual is not just a compliance document — it's an operational system. It ensures that every provider in your practice performs each treatment the same way, using the same safety checkpoints, the same contraindication screening, and the same response to complications. Without it, your outcomes are inconsistent and your liability exposure is much higher.
If you're still in the planning phase, read our companion guide: How to Open a Med Spa: Complete Step-by-Step Guide (2026) — it covers licensing, medical directors, and the full compliance setup.
What Are the 7 Sections Every Med Spa P&P Manual Must Include?
A complete med spa policy and procedure manual contains two categories of documentation: clinical SOPs (specific to each treatment) and operational policies (governing how the practice runs). Every compliant med spa needs all seven of the following sections.
1. Clinical Treatment SOPs (Per Procedure)
This is the largest and most complex section of your P&P manual. You need a separate, written SOP for every clinical service you offer. Each treatment SOP should include:
- Purpose and scope — what the procedure is and who may perform it
- Indications and contraindications — which patients qualify and who should not receive the treatment
- Required equipment, supplies, and medications
- Pre-treatment patient assessment — including Good Faith Exam requirements
- Step-by-step treatment protocol — the exact procedure, including parameters for energy-based devices
- Dosing guidelines and product specifications (for injectables and pharmacological treatments)
- Post-treatment care instructions
- Adverse event recognition and management — what to watch for and what to do
- Documentation requirements — what must be recorded in the chart
- Medical Director review date and signature
Examples of treatments that require their own SOP: neuromodulators (Botox, Dysport, Xeomin), hyaluronic acid fillers (lip, cheek, jawline, under-eye), biostimulators (Sculptra, Radiesse), laser hair removal, RF microneedling, body contouring, chemical peels, GLP-1 weight loss injections, testosterone therapy, PRP treatments, IV therapy, and more.
2. Emergency Response Protocols
Emergency protocols are the highest-stakes section of your P&P manual — and the one most likely to save a patient's life and protect your license. These are not generic first-aid guidelines; they are specific, step-by-step response procedures tailored to the adverse events that occur in aesthetic medicine.
Required emergency protocols for every med spa include:
- Anaphylaxis and severe allergic reactions — epinephrine administration, 911 activation criteria, post-treatment monitoring requirements
- Vascular occlusion from dermal filler — recognition, immediate hyaluronidase injection protocol, specialist referral pathway. This is the most legally sensitive emergency in aesthetic medicine — see our in-depth vascular occlusion guide for clinical details.
- Vasovagal syncope (fainting) — Trendelenburg positioning, monitoring, recovery criteria
- Cardiac arrest — CPR protocol, AED use, 911 activation
- Seizure management
- Laser adverse events — burn management, ocular injury protocol
- Required emergency supplies — what must be on-site at all times, including epinephrine auto-injectors, hyaluronidase, AED, and crash kit contents
Don't have emergency protocols in place?
Our Emergency Protocols Kit includes professionally written, physician-reviewed SOPs for every aesthetic emergency — ready to print and post before your first patient.
3. Patient Intake and Informed Consent
Your intake and consent procedures form the legal and ethical foundation of every patient encounter. This section must cover:
- Good Faith Exam (GFE) policy — who conducts it, when, and what it must include. In most states, a GFE must occur before any prescription treatment is administered, including Botox and fillers.
- Medical history intake — required questions, contraindication screening, medication review
- Informed consent procedures — who obtains consent, what must be disclosed, how to handle refusals
- Consent form requirements — treatment-specific risks, benefits, alternatives, and patient acknowledgment
- Photography consent and clinical photo policy
- Minor patient policies — treatment restrictions, parental consent requirements
- Patient rights notification — as required by state law and HIPAA
- Documentation standards — what must be in the chart before treatment begins
4. HIPAA and Privacy Compliance
Every med spa that creates, receives, stores, or transmits Protected Health Information (PHI) is a HIPAA Covered Entity. That means you. The HIPAA section of your P&P manual must include:
- Notice of Privacy Practices — must be posted in the office and provided to every patient
- Minimum necessary standard — policies for limiting access to PHI to only what's necessary for treatment
- Staff access controls — who can access which patient records and under what circumstances
- EHR security policies — password requirements, auto-lock, remote access restrictions
- Business Associate Agreements (BAA) — required with any vendor who accesses PHI (your EHR, billing company, email marketing platform)
- Breach notification policy — internal reporting, federal notification timelines (60 days for breaches of 500+ records), patient notification requirements
- Social media and photography policy — before/after photos, patient tagging, staff use of personal devices in clinical areas
- Annual HIPAA training — documented training for all staff who handle PHI
HIPAA violations carry civil penalties from $100 to $50,000 per violation, with annual maximums up to $1.9 million per category. For willful neglect with no correction, the minimum fine is $10,000 per violation. Written HIPAA policies are your first line of defense in any Office for Civil Rights (OCR) investigation.
5. Staff Training and Scope of Practice
This section documents who can do what in your practice — and proves you verified it. It must include:
- Scope of practice matrix — a table or document mapping each staff credential (RN, NP, PA, esthetician) to the specific treatments they are authorized to perform at your practice, consistent with state law
- License verification policy — how you verify, document, and track license expiration for every clinical employee
- Initial training requirements — what new hires must complete before performing treatments independently, including device manufacturer training for laser operators
- Competency assessments — documented skills verification before a provider is cleared for unsupervised treatment
- Continuing education requirements — minimum CE hours, documentation standards, timelines
- Supervision policy — the level of physician oversight required for each treatment and credential type
- Delegation policy — what tasks can be delegated, to whom, and under what conditions
For a detailed breakdown of what medical directors must do in each state — and what your practice is legally obligated to document — read our guide on med spa medical director requirements.
6. Medical Director Supervision
Your medical director is legally responsible for the clinical activities in your practice. This section formalizes the oversight relationship and protects both your MD and your practice. It must document:
- Supervision model — direct, general, or collaborative practice, as defined by your state's medical practice act
- Standing orders — written physician orders authorizing nurses to perform specific treatments under defined conditions
- Availability requirements — how quickly the medical director must be reachable when the practice is open (varies by state; some require on-site presence; most require phone availability)
- Chart review policy — frequency of medical director chart reviews, documentation method, corrective action if issues are found
- Protocol review schedule — annual (minimum) review of all clinical SOPs with updated Medical Director signature
- Adverse event reporting — how incidents are escalated to the medical director and documented
- Prescribing and DEA compliance — procedures for prescription issuance, refills, and controlled substance management if applicable
7. Equipment and Supply Management
Laser and energy-based devices, injectables, and pharmaceutical supplies require specific management procedures that must be documented. This section covers:
- Device operation and safety — required training before operating each device, safety interlocks, personal protective equipment (especially laser safety eyewear)
- Equipment maintenance schedule — routine cleaning, calibration, and annual service by authorized technicians
- Malfunction and incident reporting — what to do when a device fails during treatment, how to report device-related adverse events to the FDA under MedWatch
- Medication storage — temperature requirements for Botox and other toxins, GLP-1 medications, emergency medications, and vaccines if applicable
- Controlled substance management — if your practice stores testosterone, ketamine, or other DEA-scheduled substances, DEA-compliant inventory logs are required
- Supply chain and vendor policy — purchasing from licensed, FDA-compliant suppliers only; documentation of product lot numbers for traceability
- Infection control and sterilization — single-use item disposal, instrument sterilization if any reusable tools are used, OSHA Bloodborne Pathogen Standard compliance
How Many SOPs Does a Med Spa Actually Need?
The number depends entirely on your service menu. Here's a realistic breakdown by practice type:
| Practice Type | Example Services | Approx. SOPs Needed |
|---|---|---|
| Injectables-only boutique | Botox, 3–4 filler types, PRP | 8–14 |
| Injectables + Laser | Above + laser hair removal, skin rejuvenation, RF microneedling | 18–28 |
| Weight loss clinic | GLP-1, body contouring, nutritional IV | 10–16 |
| Hormone + wellness | TRT, BHT, thyroid management, IV therapy | 12–20 |
| Full-service med spa | All of the above + body contouring, chemical peels, skin analysis | 50–62 |
Every practice also needs the foundational operational SOPs — HIPAA, emergency protocols, patient intake, staff training, medical director supervision, and equipment management — regardless of specialty. That's typically 8–12 documents on top of your clinical protocols.
Do You Need to Write Your Own SOPs from Scratch?
No. Writing clinical SOPs from scratch is a demanding task that requires clinical expertise, regulatory knowledge, and significant time investment. Doing it properly — with accurate dosing guidelines, medically appropriate contraindications, and legally sound language — is not something most practice managers or even many clinicians can do on their own without help.
The typical time to write a complete med spa SOP library from scratch: 100–200+ hours, plus legal review, plus physician time for review and revision before signing.
The alternative is professionally written SOP kits — authored by clinical experts, formatted for immediate Medical Director review, and organized by treatment category. Your Medical Director still reviews and signs each protocol, customizing as needed for your specific practice — but you're starting from a clinically sound foundation instead of a blank page.
This is how most compliant med spas actually build their P&P libraries.
Professionally Written SOP Kits — Ready for Medical Director Review
MedSpa Standards kits are authored by clinical experts, formatted for immediate physician sign-off, and organized exactly the way regulators and malpractice insurers expect to see them. Every kit includes all the SOPs for its treatment category, plus a Medical Director checklist.
What Are the Available SOP Kits and What Do They Cover?
MedSpa Standards offers individual specialty kits (ideal if you're adding a new service category) and a complete suite covering all 62 SOPs. Here's what's available:
Weight Loss Protocols Kit
GLP-1 injections, semaglutide, tirzepatide, body contouring, nutritional support SOPs.
Injectables Kit
Neuromodulators, dermal fillers (HA, biostimulators), PRP, and Good Faith Exam SOPs.
Skin & Laser Kit
Laser hair removal, IPL, RF microneedling, chemical peels, and skin analysis SOPs.
Body & Wellness Kit
Cryolipolysis, RF body contouring, IV therapy, and wellness treatment SOPs.
Emergency Protocols Kit
Anaphylaxis, vascular occlusion, syncope, cardiac arrest, and all critical response SOPs.
Hormone Therapy Kit
TRT, bioidentical hormone therapy, thyroid management, and DEA compliance SOPs.
Operations & Compliance Kit
HIPAA, patient intake, informed consent, staff training, medical director oversight, and facility policies.
Complete Suite — All 62 SOPs
Every kit bundled together. The complete policy and procedure library for a full-service med spa, ready on day one.
What Happens If Your Med Spa Doesn't Have a P&P Manual?
The absence of a policy and procedure manual is not a theoretical risk — it has specific, documented consequences that affect med spas every year. Here's what actually happens:
Regulatory Fines and Corrective Action Plans
In Florida, AHCA has authority to inspect and cite medical facilities for operating without required documentation. Fines under Florida's Health Facility and Agency Programs range from $1,000 to $5,000 per violation per day, with repeat violations subject to escalating penalties. A single inspection revealing multiple missing protocols can result in five-figure fines before you've treated your 100th patient. States including Texas, California, Georgia, Illinois, and New York have similar regulatory frameworks with equivalent enforcement mechanisms.
Medical Board Action Against Your Medical Director
When your practice is cited or a complaint is filed, your medical director's license is at risk — not just yours. State medical boards can sanction physicians for providing inadequate supervision, including failing to ensure that written clinical protocols exist. A medical director who learns your practice has no P&P manual will (correctly) withdraw from the relationship immediately — leaving you without the oversight required to legally operate.
License Suspension or Revocation
Serious or repeated violations of clinical documentation standards can result in suspension of your facility's ability to operate, or revocation of your business license. For practices in states that require a facility registration (Florida, California, and others), operating without compliant documentation is grounds for license revocation under the applicable administrative code.
Malpractice Exposure
This is the most financially devastating consequence. When a patient suffers an adverse event — a filler vascular occlusion, laser burn, anaphylaxis — and you have no written protocol documenting the standard of care at your practice, plaintiff attorneys present this absence to juries as evidence that you were operating negligently. In many cases, it effectively eliminates the viability of a defense. Average settlements in med spa malpractice cases have risen sharply since 2020, with significant cases exceeding $1 million. Written, physician-signed SOPs are one of the most valuable assets your practice has in litigation.
Insurance Coverage Denial
Malpractice carriers increasingly include language in their policies excluding coverage for incidents that occur when no written clinical protocol was in place for the treatment involved. If your insurer can demonstrate you were performing a treatment without a documented SOP — and they will look — your claim can be denied or your indemnification substantially reduced.
How Do You Get a Med Spa P&P Manual Compliant Quickly?
The fastest compliant path is:
- Start with professionally written SOP kits that match your service categories
- Send the protocols to your Medical Director for review — they should review each SOP against your specific patient population, equipment, and state requirements
- Customize any parameters specific to your devices (laser wavelengths, pulse durations, etc.) with your MD's guidance
- Obtain Medical Director signature on each SOP along with the review date — this is mandatory
- Implement a version control system — each SOP should have a version number and revision date
- Train all clinical staff on the protocols before they perform those treatments — document the training with staff signatures
- Schedule annual reviews — put a recurring calendar event with your MD for annual protocol review
From kit purchase to Medical Director sign-off, this process typically takes 1–2 weeks if your MD is actively engaged. Compare that to the 3–6 months it takes most practices to draft SOPs from scratch — assuming they have the clinical expertise to do so accurately.