What Does Med Spa Compliance Require? The 9-Component 2026 Checklist
"Med spa compliance" is not one form you file — it's a nine-part program. Here is exactly what each component requires, who enforces it, and the document that proves you have it.
In short
Med spa compliance requires nine connected components: legal ownership structure, an active medical director, a documented scope of practice by role, written SOPs for every service, informed consent, HIPAA and records management, OSHA and emergency preparedness, FTC-compliant advertising, and inspection readiness. No single agency checks all nine — state boards, health departments, OSHA, HHS, and the FTC each police a slice. A gap in any one is what regulators, malpractice carriers, and buyers find first. This is the assembly checklist that ties them together.
Ask ten med spa owners what "compliance" means and you'll get ten different answers — a business license, a medical director on paper, a consent form someone downloaded years ago. Each of those is real, but none of them is the whole thing. Med spa compliance is a program made of nine components, and a practice can nail eight of them and still get shut down over the ninth.
That's because no single regulator signs off on a med spa. Oversight is split across your state medical board, a state health agency, the nursing and cosmetology boards, OSHA, the HHS Office for Civil Rights, and the Federal Trade Commission. Each one polices a different slice, and each one can act independently. The American Medical Association has pointed out that 36 states lack dedicated med spa oversight — which doesn't mean less enforcement, it means enforcement comes from these overlapping bodies instead of one clean checklist.
This post is that clean checklist. For each of the nine components you'll see three things: what it requires, who enforces it, and the document that proves you have it — plus a link to the deep-dive guide when you need the full detail. Think of this page as the assembly diagram; the linked guides are the parts. If you want the parts pre-built, our med spa compliance SOP library covers every component below.
- 1. Legal ownership structure — passes your state's corporate practice of medicine rules
- 2. Medical director & real supervision — signed agreement, standing orders, active oversight
- 3. Scope of practice by role — who may perform and delegate what
- 4. Written SOPs — one protocol per service offered
- 5. Consent & patient documentation — including the Good Faith Exam
- 6. HIPAA & records management — privacy policies, BAAs, retention
- 7. OSHA, infection control & emergencies — exposure plan and crash-kit protocols
- 8. Advertising & FTC compliance — honest claims, real photos, disclosed endorsements
- 9. Inspection readiness — everything above, produced on demand
What "med spa compliance" actually means (and who enforces it)
Compliance is the ongoing state of being able to prove, on demand, that every medical service you deliver is authorized, supervised, documented, and safe. The operative word is prove. A med spa isn't judged on whether its treatments went fine last Tuesday — it's judged on whether it can produce the paperwork showing the standard of care was defined and followed. That's a different bar than "we're careful," and it's the bar that trips up practices run by excellent clinicians who never built the documentation layer.
Who actually enforces med spa compliance
Because a med spa is a business that delivers medicine, it sits at the intersection of two regulatory worlds. Here's who can knock on your door:
- State medical board — supervision, delegation, the corporate practice of medicine, and the Good Faith Exam.
- State health agency — facility standards and inspections (Florida's AHCA is the best-known; many states have an equivalent department of health).
- Nursing & cosmetology boards — what their own licensees may and may not do.
- OSHA — workplace safety and the Bloodborne Pathogens Standard.
- HHS Office for Civil Rights — HIPAA privacy and security.
- FTC — advertising, testimonials, and before-and-after claims.
- Malpractice carrier — not a regulator, but a de facto one: it can decline coverage or deny a claim over the same gaps.
Recent enforcement shows how real this is. In late 2025, a joint New York City Council and state investigation into medical spas found widespread violations, and the state's Department of State announced in January 2026 that its task force had inspected 223 med spa businesses in its first phase. The most-cited problems weren't exotic — they were missing written protocols, "ghost" medical directors, and unqualified staff performing delegated procedures. Those map directly onto components 4, 2, and 3 below. For more on how these failures play out, see our breakdown of why med spas get shut down.
Compliance is a program, not a document
The single most useful mental shift is to stop thinking of compliance as a binder you buy once and start thinking of it as a program you maintain. The nine components interlock: your scope-of-practice matrix (component 3) only means something if a medical director (component 2) authorized it; your SOPs (component 4) only protect you if they're signed and current; your inspection readiness (component 9) is just the other eight, filed where you can find them. Miss the systems view and you'll patch one hole while three others stay open.
Component 1: The legal ownership structure
What it requires: Your practice must be owned in a way your state permits for an entity that delivers medical services. This is governed by the corporate practice of medicine (CPOM) doctrine, which in strict states bars non-physicians from owning the medical side of the business or controlling clinical decisions. Where a non-physician (say, an RN, esthetician, or investor) wants to run the business, the compliant path is usually a two-entity structure: a physician-owned professional entity delivers the medicine, and a separate management company handles the non-clinical operations under a management services agreement (MSA).
Which states enforce CPOM strictly
Every state has some version of CPOM, but strictness varies widely. New York and California are the strictest — California, for example, requires a physician to hold majority ownership of the professional entity, and New York's recent task force has actively cited ownership violations. Texas and Florida are moderate but enforce real consequences when a complaint triggers a look. Arizona is comparatively light. Because the rules turn on your specific state, confirm yours before you sign a lease; our med spa regulations by state reference and the American Med Spa Association's legal summaries are the two places to start.
Who enforces it: the state medical board (and, in ownership disputes, the courts and your malpractice carrier). What proves it: your entity formation documents, the physician's ownership records, and a signed management services agreement that keeps clinical control with the physician.
Component 2: Medical director and real supervision
What it requires: A licensed physician (or, in some states, a qualified advanced-practice provider) must serve as medical director and provide genuine oversight of the clinical operation. That means a signed agreement, written standing orders authorizing specific treatments, a defined availability standard, a chart-review cadence, and responsibility for the protocols the practice runs on. The medical director is the legal anchor for every prescription treatment you offer.
The "ghost medical director" problem
The fastest way to fail this component is to treat the medical director as a signature for hire — a name on a contract who never reviews a chart, never signs a protocol, and couldn't tell you what devices you run. Enforcement agencies have a term for this ("ghost" or "rent-a-doc" medical directors) and it's one of the top violations in recent sweeps. A medical director who has signed current protocols and documented chart reviews is in a fundamentally stronger legal position than one who has not — and so is the practice. For the state-by-state duties and the documentation your MD must maintain, read our guide to med spa medical director requirements.
Who enforces it: the state medical board (the MD's personal license is on the line), plus your malpractice carrier. What proves it: the signed medical director agreement, standing orders, protocol signatures with dates, and a chart-review log.
Component 3: Scope of practice — who can do what
What it requires: Every clinical task must be performed by someone legally allowed to perform it, and delegated tasks must be delegated properly. This is where credential meets state law: which treatments an RN may perform, whether an esthetician can touch a laser, what a medical assistant may and may not do, and what the physician or NP must do personally. The answer changes by state and by treatment, so the compliant practice keeps a scope-of-practice and delegation matrix mapping each role to each authorized service.
Delegation by role
The recurring failure here is a well-meaning staffer doing a job that's just over their line — an esthetician performing microneedling below the stratum corneum, a medical assistant "helping" with injections, a laser fired by someone the state considers unqualified. In New York's enforcement report, unlawful practice of medicine — non-medically-licensed staff performing procedures that require a license — was the most-cited category. A written matrix, checked against current state rules and signed by the medical director, is what turns "we think that's allowed" into a defensible position. When roles are unclear, that ambiguity is exactly the gap that turns into a citation — see the most common shutdown triggers.
Who enforces it: the medical, nursing, and cosmetology boards jointly. What proves it: the delegation matrix, license verifications for every clinical employee, and training records.
Component 4: Written protocols and SOPs for every service
What it requires: A written standard operating procedure for every clinical service on your menu. Each SOP defines indications and contraindications, the step-by-step protocol, dosing or device parameters, pre-treatment assessment (including the Good Faith Exam), adverse-event management, documentation requirements, and a medical director signature with a review date. If you offer it, there should be a protocol for it — Botox, each filler, laser hair removal, RF microneedling, chemical peels, GLP-1 injections, PRP, IV therapy, and so on.
One SOP per service
This is the component regulators cite most, because it's the easiest to skip and the easiest to check. An inspector doesn't need clinical expertise to notice you offer six services and have three protocols. Malpractice carriers increasingly ask for sample protocols at underwriting, and in litigation the absence of a signed SOP for the treatment involved is presented to the jury as evidence you fell below the standard of care. Writing them from scratch runs 100–200+ hours of clinical and regulatory work, which is why most practices start from a professionally written library and adapt. Our full walkthrough lives in the med spa standard operating procedures guide.
Who enforces it: the state medical board and health agency, plus your malpractice carrier. What proves it: the signed, dated SOP library itself.
Component 5: Consent forms and patient documentation
What it requires: Every treatment needs treatment-specific informed consent, and every patient encounter needs a chart that documents the medical decision-making behind it. Consent isn't a generic waiver — it must disclose the specific risks, benefits, and alternatives of the actual procedure, and the patient must acknowledge them before treatment. Supporting documentation includes medical history and contraindication screening, photography consent, and policies for minors.
The Good Faith Exam
Sitting underneath consent is the Good Faith Exam (GFE) — the requirement that a qualified provider evaluate the patient and establish a treatment plan before any prescription treatment (including Botox and filler) is administered. Who may perform the GFE, and whether it can be done via telehealth, varies by state, but the exam must be real and documented. A missing or rubber-stamped GFE is a favorite finding in enforcement actions because it's the moment the "practice of medicine" legally begins. Our med spa consent forms guide covers the forms and the GFE workflow in depth.
Who enforces it: the state medical board, and plaintiff's attorneys in any malpractice claim. What proves it: signed treatment-specific consents, a documented GFE policy, and complete patient charts.
Component 6: HIPAA and records management
What it requires: Most med spas create, store, and transmit protected health information (PHI), and the practice should run its records program as a HIPAA covered entity. Strictly, a health care provider becomes a covered entity under 45 CFR 160.103 only when it transmits health information electronically in connection with a HIPAA standard transaction (an insurance eligibility check or claim, for example); a purely cash-pay practice may fall outside that definition, but state medical-privacy and data-breach laws still apply, carriers and buyers expect the same controls, and the federal rules attach the moment you bill a single insurer. Treat yourself as covered. That means a Notice of Privacy Practices posted and provided to patients, a documented security risk analysis (the Security Rule's foundational requirement), minimum-necessary access controls, EHR security policies, Business Associate Agreements with every vendor that touches PHI (your EHR, billing service, and email marketing platform included), a breach-notification procedure, and documented annual staff training. Records management also means a defined retention schedule for charts and consents.
Records retention
Retention periods are set by state law and typically run several years past the last visit (longer for minors). The compliant practice writes the retention rule down, applies it consistently, and stores records securely enough to satisfy both HIPAA and a subpoena. The HHS Office for Civil Rights publishes the federal requirements directly at its HIPAA for Professionals portal, and our HIPAA compliance guide translates them into a med spa workflow.
Who enforces it: the HHS Office for Civil Rights. What proves it: your written HIPAA policies, signed BAAs, training logs, and Notice of Privacy Practices.
Component 7: OSHA, infection control, and emergencies
What it requires: As an employer handling needles and blood, you fall under OSHA's Bloodborne Pathogens Standard, which mandates a written exposure control plan, sharps handling and disposal procedures, hepatitis B vaccination offers, and annual training. Layered on top is clinical infection control — hand hygiene, single-use item discipline, surface and instrument disinfection — and emergency preparedness for the events aesthetic medicine actually produces.
Emergency preparedness
Emergency protocols are the highest-stakes paperwork in the building. Every med spa needs written, physician-signed procedures for anaphylaxis (with epinephrine dosing), vascular occlusion from filler (with a hyaluronidase protocol), vasovagal syncope, and cardiac arrest with AED use — plus a defined crash kit kept on site and checked. These protocols protect the patient first and your license second. The infection-control side is detailed in our med spa infection control protocol guide.
Who enforces it: OSHA, the state health agency, and — after any adverse event — the medical board. What proves it: the exposure control plan, infection-control SOPs, emergency protocols, and crash-kit logs.
Component 8: Advertising and FTC compliance
What it requires: Everything you say to sell a treatment must be truthful and substantiated, and that's federal law, not a courtesy. The FTC's Rule on the Use of Consumer Reviews and Testimonials took effect October 21, 2024, and authorizes civil penalties for fake or deceptive reviews and testimonials. For med spas the practical rules are concrete: before-and-after photos must show your actual patients (not stock images or another provider's results); a photo or testimonial showing an atypical result must be paired with a clear disclosure of the results patients can generally expect, because the FTC's Endorsement Guides no longer treat a bare "results not typical" tag as sufficient; and any material connection, such as a free or discounted treatment given in exchange for a testimonial, must be disclosed.
Before-and-after photos and testimonials
This component is easy to overlook because it lives on Instagram rather than in a binder, but it's enforceable and increasingly enforced. Cherry-picking your most dramatic result without a disclaimer, reposting a manufacturer's photos as your own, or running undisclosed "influencer" testimonials all invite FTC scrutiny — and often state medical board scrutiny too, since many boards regulate deceptive medical advertising. The FTC's own Consumer Reviews and Testimonials Rule Q&A lays out the standard, and our FTC before-and-after photo rules for med spas guide turns it into a posting checklist.
Who enforces it: the FTC, and often the state medical board. What proves it: an advertising and social-media policy, signed photo-consent forms, and disclosure records for testimonials.
Component 9: Inspection readiness
What it requires: Inspection readiness isn't a tenth pile of paperwork — it's the discipline of keeping the previous eight components current, organized, and producible on demand. Inspections are frequently unannounced and most often triggered by a patient complaint, so "we'll pull it together if they come" is not a plan. The ready practice keeps a single, current binder (physical or digital) containing the ownership documents, medical director agreement, scope matrix, SOP library, consents and GFE policy, HIPAA policies, OSHA and emergency protocols, advertising policy, and staff credential file.
The inspection-day binder
When an inspector or investigator arrives, they're checking whether the components above exist and are current — signed, dated, and matching the services you actually offer. The practices that pass are rarely the ones that scrambled; they're the ones whose binder was already assembled and reviewed on a schedule. Our med spa inspection guide walks through exactly what state boards check and how to run a mock inspection before the real one.
Who enforces it: whichever agency shows up — health department, medical board, or OSHA. What proves it: the assembled, current compliance binder itself.
The complete med spa compliance checklist (summary table)
Here is the full program on one screen — the nine components, who enforces each, and the document that proves it. This is the checklist to walk into any audit, underwriting review, or acquisition with.
| Component | Who Enforces It | Document That Proves It |
|---|---|---|
| 1. Legal ownership structure | State medical board | Entity docs + management services agreement |
| 2. Medical director & supervision | State medical board | Signed MD agreement + standing orders |
| 3. Scope of practice by role | Medical, nursing & cosmetology boards | Delegation matrix + license verifications |
| 4. Written SOPs per service | Medical board + malpractice carrier | Signed, dated SOP library |
| 5. Consent & documentation | Medical board + plaintiff's attorneys | Consent forms + GFE policy + charts |
| 6. HIPAA & records | HHS Office for Civil Rights | HIPAA policies + BAAs + training logs |
| 7. OSHA, infection & emergencies | OSHA + state health agency | Exposure plan + emergency protocols |
| 8. Advertising & FTC | FTC + state medical board | Ad policy + photo consents + disclosures |
| 9. Inspection readiness | Whichever agency arrives | The assembled, current compliance binder |
Where most med spas start
Nine components is a lot to stand up at once, so sequence matters. The practices that get compliant fastest work in this order: structure first, supervision second, documentation third. Confirm your ownership model is legal in your state, sign a real medical director agreement with standing orders and a Good Faith Exam policy, and then build the paperwork layer — SOPs, consents, HIPAA, OSHA, and the scope matrix.
Almost no one drafts that paperwork layer from a blank page. Writing a full SOP library from scratch runs well over 100 hours and demands clinical and regulatory expertise most operators don't have in-house. The common path is to start from a complete set of written protocols, have your medical director review and sign each one, and adapt them to your state and equipment. That turns a six-month project into a few weeks — and it's how most compliant practices actually assemble the program described above.
Whichever route you take, the goal is the same: be able to open any one of these nine drawers and hand an inspector, an underwriter, or a buyer exactly what they ask for. That's what med spa compliance requires.