New York Med Spa Compliance Checklist 2026 — Complete Guide

New York is one of the strictest med spa regulatory environments in the country. The state does not have a single dedicated "med spa" statute — instead, every layer of NY law applies: corporate practice rules under NYSED Education Law §6500–§6532, Department of Health oversight through OPMC, Article 28 facility rules where surgery or anesthesia is involved, HIPAA paired with NY Public Health Law §18, OSHA with NY-specific RMW rules, and tax / employment overlays from the Department of State.

This is the working checklist. If you are opening, buying, or auditing a New York med spa in 2026, every item below has to be in place — or in a documented plan to be in place — before you treat your first patient.

1. Business Structure — PC or PLLC, Not Plain LLC

New York's Corporate Practice of Medicine doctrine prohibits ordinary business corporations and standard LLCs from practicing medicine. A med spa offering medical procedures must be organized as one of the following:

• Professional Corporation (PC) under Business Corporation Law Article 15
• Professional Limited Liability Company (PLLC) under Limited Liability Company Law Article 12
• Professional Service Limited Liability Partnership (less common for solo or small practices)

Owners (shareholders of a PC, members of a PLLC) must be licensed in the profession the entity practices. For a med spa offering medicine, that means a New York–licensed physician. A registered nurse, esthetician, MBA owner, or out-of-state physician cannot directly own the entity.

For the deep dive on ownership, see who can own a med spa in New York.

NYSED Authority to Incorporate

Before filing with the New York Department of State, the proposed PC or PLLC must obtain an Authority to Incorporate (sometimes called a Certificate of Authority or Consent) from NYSED's Office of the Professions. This is a screen on:

• Whether every owner holds an active New York license in the profession
• Whether the proposed entity name complies with naming rules (no "medical group" without all licensed members; required suffix "P.C.", "PLLC", etc.)
• Whether the stated purpose limits the entity to its licensed scope

Skipping NYSED and going straight to the Department of State is one of the most common compliance failures for new NY operators. The Department of State will accept the filing — but the entity is not legally authorized to practice medicine until NYSED issues its consent.

Department of State Filing & Biennial Statement

After NYSED authorization, file the Certificate of Incorporation (PC) or Articles of Organization (PLLC) with the NY Department of State. Then track:

• Biennial Statement — Every 2 years on the anniversary month, file a $9 biennial statement with the Department of State. Missing this puts the entity into "past due" status and can complicate banking, insurance, and merger transactions.
• Publication requirement (PLLCs only) — A PLLC must publish notice of formation in two newspapers designated by the county clerk for 6 consecutive weeks within 120 days of formation, then file a Certificate of Publication. PCs do not have this requirement.
• Registered agent / process address — Keep current. Service of process is one of the few ways an OPMC investigation actually reaches you on schedule.

2. Medical Director & Physician Oversight

Every NY med spa offering medical procedures must operate under a New York–licensed physician (MD or DO). Even where an NP can practice independently under New York's "Modernization Act" pathway, the practice setting and delegation rules still require physician-grade oversight for medical-spa procedures.

The medical director's role is not ceremonial. They must:

• Approve every written protocol for every procedure offered
• Establish delegation parameters for RNs, NPs, and PAs
• Be reachable during operating hours for clinical questions and emergencies
• Conduct documented chart reviews on a defined cadence
• Visit the facility on a routine, documented schedule

For the full breakdown of what NY expects from the medical director relationship — including what a compliant agreement must contain — see New York med spa medical director requirements.

Delegation & Scope

Who can do what at a New York med spa is a chronic source of confusion. Botox, fillers, lasers, and most aesthetic procedures are the practice of medicine. Delegation to RNs, NPs, and PAs is allowed only where:

• A written protocol approved by the supervising physician exists for the procedure
• The provider is acting within the scope of their NY license
• A "good faith" prior physician examination has occurred (this is an OPMC enforcement focus)

For provider-by-provider details, see who can inject Botox in New York.

3. Staff Licensing & NYSED Verification

Every clinical staff member performing medical procedures at your facility must hold an active, in-good-standing New York license in their profession. Out-of-state licenses do not transfer — period. This is the single fastest way for a new NY operator to get into trouble.

Verification routine:

1. At hire, look up every clinician on the NYSED license verification portal
2. Save a screenshot or PDF of the verification page in the personnel file
3. Re-verify on the registration cycle for each profession (typically every 2 or 3 years)
4. Verify CPR / BLS / ACLS certifications separately and re-verify at renewal
5. For estheticians and cosmetologists, license is issued by the Department of State, not NYSED — check the appropriate registry

If your facility offers laser treatments, also confirm the operator's training meets the standards covered in New York laser safety for med spas.

4. OPMC Awareness & Adverse Event Handling

The Office of Professional Medical Conduct is the DOH unit that investigates physician misconduct. For a med spa, OPMC is the agency most likely to actually walk through your door. Triggers include:

• Patient complaints (filed online or via phone)
• Adverse events — burns, vascular occlusions, hospital transfers
• Mandatory reporting from emergency departments or other clinicians
• Anonymous reports, including from former employees
• Cross-referrals from NYSED or the Attorney General

Every NY med spa needs a documented adverse-event response plan and a complaint log. The medical director must be notified of every event, and significant events must be documented contemporaneously. OPMC investigators will ask for the log and look for gaps.

5. DEA Registration & Controlled Substances

If your practice handles, stocks, prescribes, or administers controlled substances — or any compounded medication that includes a scheduled drug — the prescribing clinician needs an active DEA registration tied to the practice address and a separate NY State Bureau of Narcotic Enforcement (BNE) registration.

For most med spas, the practical implications are:

• If you stock lidocaine with epinephrine in compounded form, ensure compounding source is a 503A or 503B pharmacy and follow record-keeping rules
• If your practice offers GLP-1 weight loss programs and uses any compounded preparations or controlled adjuncts, see New York GLP-1 weight loss compliance
• I-STOP / PMP (Prescription Monitoring Program) checks must be documented for each controlled-substance prescription
• Drug log reconciliation should occur at a defined cadence — weekly is the safe standard

6. Article 28 Licensing — Only If You Need It

Most office-based med spas do not need NY Article 28 facility licensing. Article 28 licensing kicks in primarily for:

• Office-based surgery using sedation deeper than minimal (moderate, deep, or general anesthesia)
• Surgical centers, diagnostic and treatment centers, or hospital-licensed facilities

Standard injectables, lasers, microneedling, and IV vitamin therapy generally fall outside Article 28. But if you bring in a CRNA for sedation cases, run a tumescent liposuction line, or share space with an Article 28 facility, the licensing analysis changes — get a NY healthcare attorney's written opinion before opening.

7. HIPAA + NY Public Health Law §18 (Records Access)

HIPAA is the federal floor. New York layers additional rights on top via Public Health Law §18, which governs patient access to their own medical records. Compliant practices need:

• Written Notice of Privacy Practices, signed by every patient at intake
• A designated Privacy Officer (the medical director or a named staff member)
• Records-access workflow that responds to written patient requests within the §18 statutory window
• A reasonable per-page copying fee schedule consistent with §18
• Business Associate Agreements with every vendor that touches PHI — EMR, billing, marketing automation, scheduling
• Annual HIPAA training, documented per employee
• Documented breach response plan with NY State Attorney General notification path

8. OSHA + NY DEC Regulated Medical Waste

The OSHA bloodborne pathogens standard (29 CFR 1910.1030) applies to any practice that uses needles. New York adds a second layer through the NY DEC Regulated Medical Waste (RMW) rules. Required elements:

• Written Exposure Control Plan, reviewed annually
• Sharps containers at point of use, replaced before fill line
• Contract with a NY DEC-permitted RMW transporter
• Manifest tracking — keep transporter receipts for 3 years minimum
• Hepatitis B vaccination offer, declination forms on file for staff who decline
• Annual bloodborne pathogens training, documented per employee
• Post-exposure protocol with named occupational health provider

9. Workers' Comp, Disability & Paid Family Leave

New York requires three coverages that out-of-state operators frequently miss:

• Workers' Compensation — required for virtually every employee, enforced by the NY Workers' Compensation Board. No coverage = up to $2,000 per 10-day period in penalties, plus personal liability for the owner.
• Disability Benefits Law (DBL) — statutory short-term disability coverage for off-the-job illness or injury
• Paid Family Leave (PFL) — typically bundled with the DBL policy, employee-funded but employer-administered

Maintain certificates of coverage (Forms C-105.2 and DB-120.1) at the facility — inspectors can ask for them on the spot.

10. Advertising & Marketing Compliance

New York advertising rules for medical practices are enforced by both NYSED (under unprofessional conduct rules) and the Attorney General (under consumer protection statutes). Common compliance failures:

• Before/after photos without proper patient consent or with unrealistic expectations
• "Specials" that look like fee splitting or kickbacks
• Failure to identify the supervising physician on advertising materials
• Influencer or affiliate arrangements that look like patient brokering
• Use of the word "specialist" or "expert" without board certification in the area

For the full rulebook, see New York med spa advertising rules.

11. Patient Records Retention

New York requires medical records to be retained for at least 6 years from the date of the last entry. For minors, records must be retained for at least 6 years and until 1 year after the patient reaches the age of majority — practically, until the patient turns 19.

Best-practice retention checklist:

• Clinical chart — 6 years (minors: until age 19)
• Informed consent forms — same as chart
• Photographs and imaging — same as chart
• Controlled substance logs — minimum 5 years federal, 6 years to align with NY medical record rule
• Adverse event and complaint logs — indefinite, or until applicable statute of limitations expires
• Employment files — 6 years post-termination is the safe practice in NY

12. Inspection-Ready Documentation Binder

If OPMC, NYSED, or the Department of Labor walks in, you should be able to put your hands on every document below within 5 minutes. Build the binder once, maintain it monthly.

1. NYSED Authority to Incorporate
2. Department of State filing receipt + most recent biennial statement
3. PLLC Certificate of Publication (if applicable)
4. Medical Director Agreement (current, signed)
5. Medical director's NY MD/DO license verification
6. Written protocols for every procedure offered, signed and dated
7. NY license verification PDFs for every clinical staff member
8. Chart review log — date, charts reviewed, findings
9. Adverse event and complaint log
10. HIPAA Notice of Privacy Practices + §18 records-access policy
11. OSHA Exposure Control Plan + RMW manifests
12. Workers' comp / DBL / PFL certificates of coverage
13. DEA registration + I-STOP attestation (if applicable)
14. Lease + zoning / certificate of occupancy
15. Malpractice certificates for the practice and the medical director

Putting It Together — A First-90-Days Sequence

For a new New York med spa, the order of operations matters as much as the items themselves. A workable 90-day sequence:

1. Week 1–2: Engage NY healthcare attorney + accountant. Confirm PC vs. PLLC. Apply to NYSED for Authority to Incorporate.
2. Week 3–4: File with Department of State. Begin PLLC publication if applicable. Open business banking. Apply for EIN.
3. Week 5–6: Sign Medical Director Agreement. Commission protocols. Apply for malpractice. Bind workers' comp / DBL / PFL.
4. Week 7–8: Onboard clinical staff with NY license verification. Train on protocols, HIPAA, OSHA bloodborne pathogens, OPMC reporting.
5. Week 9–10: Stand up EMR with BAA. Build adverse-event and complaint logs. Finalize advertising review with attorney.
6. Week 11–12: Internal mock inspection — pull every document on the binder list. Fix gaps. Then open the doors.

For the broader blueprint including buildout, financing, and staffing, see how to open a med spa in New York.

Summary

1. NY med spas must operate as a physician-owned PC or PLLC with NYSED Authority to Incorporate before filing with the Department of State
2. Biennial statement filings, registered agent, and PLLC publication (where applicable) must stay current
3. A New York–licensed medical director with written protocols, documented chart reviews, and on-site visits is mandatory — not ceremonial
4. Every clinical staff member needs an active NY license, verified at hire and at each renewal cycle
5. OPMC investigates med spa complaints aggressively; an adverse-event and complaint log is non-negotiable
6. HIPAA + NY Public Health Law §18 govern records access; OSHA + NY DEC RMW govern sharps and biohazard handling
7. Workers' comp, DBL, and Paid Family Leave coverage are statutorily required for nearly every employee
8. Medical records must be retained 6 years (until age 19 for minors)
9. Build the inspection binder once, maintain it monthly, and you can open the door to any inspector with confidence

Disclaimer: This article is for educational purposes only and does not constitute legal advice. New York med spa compliance involves overlapping statutes, regulations, and agency interpretations specific to your facility. Consult a qualified New York healthcare attorney before forming an entity, signing a medical director agreement, or opening for patients.