July 5, 2026

What Does Med Spa Compliance Require? The 9-Component 2026 Checklist

"Med spa compliance" is not one form you file — it's a nine-part program. Here is exactly what each component requires, who enforces it, and the document that proves you have it.

In short

Med spa compliance requires nine connected components: legal ownership structure, an active medical director, a documented scope of practice by role, written SOPs for every service, informed consent, HIPAA and records management, OSHA and emergency preparedness, FTC-compliant advertising, and inspection readiness. No single agency checks all nine — state boards, health departments, OSHA, HHS, and the FTC each police a slice. A gap in any one is what regulators, malpractice carriers, and buyers find first. This is the assembly checklist that ties them together.

Ask ten med spa owners what "compliance" means and you'll get ten different answers — a business license, a medical director on paper, a consent form someone downloaded years ago. Each of those is real, but none of them is the whole thing. Med spa compliance is a program made of nine components, and a practice can nail eight of them and still get shut down over the ninth.

That's because no single regulator signs off on a med spa. Oversight is split across your state medical board, a state health agency, the nursing and cosmetology boards, OSHA, the HHS Office for Civil Rights, and the Federal Trade Commission. Each one polices a different slice, and each one can act independently. The American Medical Association has pointed out that 36 states lack dedicated med spa oversight; that doesn't mean less enforcement, it means enforcement comes from these overlapping bodies instead of one clean checklist.

This post is that clean checklist. For each of the nine components you'll see three things: what it requires, who enforces it, and the document that proves you have it — plus a link to the deep-dive guide when you need the full detail. Think of this page as the assembly diagram; the linked guides are the parts. If you want the parts pre-built, our med spa compliance SOP library covers every component below.

Quick Answer: The 9 Components of Med Spa Compliance
  • 1. Legal ownership structure — passes your state's corporate practice of medicine rules
  • 2. Medical director & real supervision — signed agreement, standing orders, active oversight
  • 3. Scope of practice by role — who may perform and delegate what
  • 4. Written SOPs — one protocol per service offered
  • 5. Consent & patient documentation — including the Good Faith Exam
  • 6. HIPAA & records management — privacy policies, BAAs, retention
  • 7. OSHA, infection control & emergencies — exposure plan and crash-kit protocols
  • 8. Advertising & FTC compliance — honest claims, real photos, disclosed endorsements
  • 9. Inspection readiness — everything above, produced on demand

What "med spa compliance" actually means (and who enforces it)

Compliance is the ongoing state of being able to prove, on demand, that every medical service you deliver is authorized, supervised, documented, and safe. The operative word is prove. A med spa isn't judged on whether its treatments went fine last Tuesday — it's judged on whether it can produce the paperwork showing the standard of care was defined and followed. That's a different bar than "we're careful," and it's the bar that trips up practices run by excellent clinicians who never built the documentation layer.

Who actually enforces med spa compliance

Because a med spa is a business that delivers medicine, it sits at the intersection of two regulatory worlds. Here's who can knock on your door:

  • State medical board — supervision, delegation, the corporate practice of medicine, and the Good Faith Exam.
  • State health agency — facility standards and inspections (Florida's AHCA is the best-known; many states have an equivalent department of health).
  • Nursing & cosmetology boards — what their own licensees may and may not do.
  • OSHA — workplace safety and the Bloodborne Pathogens Standard.
  • HHS Office for Civil Rights — HIPAA privacy and security.
  • FTC — advertising, testimonials, and before-and-after claims.
  • Malpractice carrier — not a regulator, but a de facto one: it can decline coverage or deny a claim over the same gaps.

Recent enforcement shows how real this is. In late 2025, a joint New York City Council and state investigation into medical spas found widespread violations, and the state's Department of State announced in January 2026 that its task force had inspected 223 med spa businesses in its first phase. The most-cited problems weren't exotic — they were missing written protocols, "ghost" medical directors, and unqualified staff performing delegated procedures. Those map directly onto components 4, 2, and 3 below. For more on how these failures play out, see our breakdown of why med spas get shut down.

Compliance is a program, not a document

The single most useful mental shift is to stop thinking of compliance as a binder you buy once and start thinking of it as a program you maintain. The nine components interlock: your scope-of-practice matrix (component 3) only means something if a medical director (component 2) authorized it; your SOPs (component 4) only protect you if they're signed and current; your inspection readiness (component 9) is just the other eight, filed where you can find them. Miss the systems view and you'll patch one hole while three others stay open.

Component 1: The legal ownership structure

What it requires: Your practice must be owned in a way your state permits for an entity that delivers medical services. This is governed by the corporate practice of medicine (CPOM) doctrine, which in strict states bars non-physicians from owning the medical side of the business or controlling clinical decisions. Where a non-physician (say, an RN, esthetician, or investor) wants to run the business, the compliant path is usually a two-entity structure: a physician-owned professional entity delivers the medicine, and a separate management company handles the non-clinical operations under a management services agreement (MSA).

Which states enforce CPOM strictly

Every state has some version of CPOM, but strictness varies widely. New York and California are the strictest — California, for example, requires a physician to hold majority ownership of the professional entity, and New York's recent task force has actively cited ownership violations. Texas and Florida are moderate but enforce real consequences when a complaint triggers a look. Arizona is comparatively light. Because the rules turn on your specific state, confirm yours before you sign a lease; our med spa regulations by state reference and the American Med Spa Association's legal summaries are the two places to start.

Who enforces it: the state medical board (and, in ownership disputes, the courts and your malpractice carrier). What proves it: your entity formation documents, the physician's ownership records, and a signed management services agreement that keeps clinical control with the physician.

Component 2: Medical director and real supervision

What it requires: A licensed physician (or, in some states, a qualified advanced-practice provider) must serve as medical director and provide genuine oversight of the clinical operation. That means a signed agreement, written standing orders authorizing specific treatments, a defined availability standard, a chart-review cadence, and responsibility for the protocols the practice runs on. The medical director is the legal anchor for every prescription treatment you offer.

The "ghost medical director" problem

The fastest way to fail this component is to treat the medical director as a signature for hire — a name on a contract who never reviews a chart, never signs a protocol, and couldn't tell you what devices you run. Enforcement agencies have a term for this ("ghost" or "rent-a-doc" medical directors) and it's one of the top violations in recent sweeps. A medical director who has signed current protocols and documented chart reviews is in a fundamentally stronger legal position than one who has not — and so is the practice. For the state-by-state duties and the documentation your MD must maintain, read our guide to med spa medical director requirements.

Who enforces it: the state medical board (the MD's personal license is on the line), plus your malpractice carrier. What proves it: the signed medical director agreement, standing orders, protocol signatures with dates, and a chart-review log.

Component 3: Scope of practice — who can do what

What it requires: Every clinical task must be performed by someone legally allowed to perform it, and delegated tasks must be delegated properly. This is where credential meets state law: which treatments an RN may perform, whether an esthetician can touch a laser, what a medical assistant may and may not do, and what the physician or NP must do personally. The answer changes by state and by treatment, so the compliant practice keeps a scope-of-practice and delegation matrix mapping each role to each authorized service.

Delegation by role

The recurring failure here is a well-meaning staffer doing a job that's just over their line — an esthetician performing microneedling below the stratum corneum, a medical assistant "helping" with injections, a laser fired by someone the state considers unqualified. In New York's enforcement report, unlawful practice of medicine — non-medically-licensed staff performing procedures that require a license — was the most-cited category. A written matrix, checked against current state rules and signed by the medical director, is what turns "we think that's allowed" into a defensible position. When roles are unclear, that ambiguity is exactly the gap that turns into a citation — see the most common shutdown triggers.

Who enforces it: the medical, nursing, and cosmetology boards jointly. What proves it: the delegation matrix, license verifications for every clinical employee, and training records.

Component 4: Written protocols and SOPs for every service

What it requires: A written standard operating procedure for every clinical service on your menu. Each SOP defines indications and contraindications, the step-by-step protocol, dosing or device parameters, pre-treatment assessment (including the Good Faith Exam), adverse-event management, documentation requirements, and a medical director signature with a review date. If you offer it, there should be a protocol for it — Botox, each filler, laser hair removal, RF microneedling, chemical peels, GLP-1 injections, PRP, IV therapy, and so on.

One SOP per service

This is the component regulators cite most, because it's the easiest to skip and the easiest to check. An inspector doesn't need clinical expertise to notice you offer six services and have three protocols. Malpractice carriers increasingly ask for sample protocols at underwriting, and in litigation the absence of a signed SOP for the treatment involved is presented to the jury as evidence you fell below the standard of care. Writing them from scratch runs 100–200+ hours of clinical and regulatory work, which is why most practices start from a professionally written library and adapt. Our full walkthrough lives in the med spa standard operating procedures guide.

Who enforces it: the state medical board and health agency, plus your malpractice carrier. What proves it: the signed, dated SOP library itself.


Component 5: Consent forms and patient documentation

What it requires: Every treatment needs treatment-specific informed consent, and every patient encounter needs a chart that documents the medical decision-making behind it. Consent isn't a generic waiver — it must disclose the specific risks, benefits, and alternatives of the actual procedure, and the patient must acknowledge them before treatment. Supporting documentation includes medical history and contraindication screening, photography consent, and policies for minors.

The Good Faith Exam

Sitting underneath consent is the Good Faith Exam (GFE) — the requirement that a qualified provider evaluate the patient and establish a treatment plan before any prescription treatment (including Botox and filler) is administered. Who may perform the GFE, and whether it can be done via telehealth, varies by state, but the exam must be real and documented. A missing or rubber-stamped GFE is a favorite finding in enforcement actions because it's the moment the "practice of medicine" legally begins. Our med spa consent forms guide covers the forms and the GFE workflow in depth.

Who enforces it: the state medical board, and plaintiff's attorneys in any malpractice claim. What proves it: signed treatment-specific consents, a documented GFE policy, and complete patient charts.


Component 6: HIPAA and records management

What it requires: Any med spa that creates, stores, or transmits protected health information is a HIPAA covered entity — which means yours is. You need a Notice of Privacy Practices posted and provided to patients, minimum-necessary access controls, EHR security policies, Business Associate Agreements with every vendor that touches PHI (your EHR, billing service, and email marketing platform included), a breach-notification procedure, and documented annual staff training. Records management also means a defined retention schedule for charts and consents.

Records retention

Retention periods are set by state law and typically run several years past the last visit (longer for minors). The compliant practice writes the retention rule down, applies it consistently, and stores records securely enough to satisfy both HIPAA and a subpoena. The HHS Office for Civil Rights publishes the federal requirements directly at its HIPAA for Professionals portal, and our HIPAA compliance guide translates them into a med spa workflow.

Who enforces it: the HHS Office for Civil Rights. What proves it: your written HIPAA policies, signed BAAs, training logs, and Notice of Privacy Practices.

Component 7: OSHA, infection control, and emergencies

What it requires: As an employer handling needles and blood, you fall under OSHA's Bloodborne Pathogens Standard, which mandates a written exposure control plan, sharps handling and disposal procedures, hepatitis B vaccination offers, and annual training. Layered on top is clinical infection control — hand hygiene, single-use item discipline, surface and instrument disinfection — and emergency preparedness for the events aesthetic medicine actually produces.

Emergency preparedness

Emergency protocols are the highest-stakes paperwork in the building. Every med spa needs written, physician-signed procedures for anaphylaxis (with epinephrine dosing), vascular occlusion from filler (with a hyaluronidase protocol), vasovagal syncope, and cardiac arrest with AED use — plus a defined crash kit kept on site and checked. These protocols protect the patient first and your license second. The infection-control side is detailed in our med spa infection control protocol guide.

Who enforces it: OSHA, the state health agency, and — after any adverse event — the medical board. What proves it: the exposure control plan, infection-control SOPs, emergency protocols, and crash-kit logs.

Component 8: Advertising and FTC compliance

What it requires: Everything you say to sell a treatment must be truthful and substantiated, and that's federal law, not a courtesy. The FTC's Rule on the Use of Consumer Reviews and Testimonials took effect October 21, 2024, authorizing civil penalties for fake or deceptive reviews. For med spas the practical rules are concrete: before-and-after photos must show your actual patients (not stock images or another provider's results), dramatic results need a "results not typical" disclosure, and any material connection — a free or discounted treatment given in exchange for a testimonial — must be disclosed.

Before-and-after photos and testimonials

This component is easy to overlook because it lives on Instagram rather than in a binder, but it's enforceable and increasingly enforced. Cherry-picking your most dramatic result without a disclaimer, reposting a manufacturer's photos as your own, or running undisclosed "influencer" testimonials all invite FTC scrutiny — and often state medical board scrutiny too, since many boards regulate deceptive medical advertising. The FTC's own Consumer Reviews and Testimonials Rule Q&A lays out the standard, and our FTC before-and-after photo rules for med spas guide turns it into a posting checklist.

Who enforces it: the FTC, and often the state medical board. What proves it: an advertising and social-media policy, signed photo-consent forms, and disclosure records for testimonials.

Component 9: Inspection readiness

What it requires: Inspection readiness isn't a tenth pile of paperwork — it's the discipline of keeping the previous eight components current, organized, and producible on demand. Inspections are frequently unannounced and most often triggered by a patient complaint, so "we'll pull it together if they come" is not a plan. The ready practice keeps a single, current binder (physical or digital) containing the ownership documents, medical director agreement, scope matrix, SOP library, consents and GFE policy, HIPAA policies, OSHA and emergency protocols, advertising policy, and staff credential file.

The inspection-day binder

When an inspector or investigator arrives, they're checking whether the components above exist and are current — signed, dated, and matching the services you actually offer. The practices that pass are rarely the ones that scrambled; they're the ones whose binder was already assembled and reviewed on a schedule. Our med spa inspection guide walks through exactly what state boards check and how to run a mock inspection before the real one.

Who enforces it: whichever agency shows up — health department, medical board, or OSHA. What proves it: the assembled, current compliance binder itself.

The complete med spa compliance checklist (summary table)

Here is the full program on one screen — the nine components, who enforces each, and the document that proves it. This is the checklist to walk into any audit, underwriting review, or acquisition with.

| Component                          | Who Enforces It                          | Document That Proves It                         |
|------------------------------------|------------------------------------------|-------------------------------------------------|
| 1. Legal ownership structure       | State medical board                      | Entity docs + management services agreement     |
| 2. Medical director & supervision  | State medical board                      | Signed MD agreement + standing orders           |
| 3. Scope of practice by role       | Medical, nursing & cosmetology boards    | Delegation matrix + license verifications       |
| 4. Written SOPs per service        | Medical board + malpractice carrier      | Signed, dated SOP library                       |
| 5. Consent & documentation         | Medical board + plaintiff's attorneys    | Consent forms + GFE policy + charts             |
| 6. HIPAA & records                 | HHS Office for Civil Rights              | HIPAA policies + BAAs + training logs           |
| 7. OSHA, infection & emergencies   | OSHA + state health agency               | Exposure plan + emergency protocols             |
| 8. Advertising & FTC               | FTC + state medical board                | Ad policy + photo consents + disclosures        |
| 9. Inspection readiness            | Whichever agency arrives                 | The assembled, current compliance binder        |

Where most med spas start

Nine components is a lot to stand up at once, so sequence matters. The practices that get compliant fastest work in this order: structure first, supervision second, documentation third. Confirm your ownership model is legal in your state, sign a real medical director agreement with standing orders and a Good Faith Exam policy, and then build the paperwork layer — SOPs, consents, HIPAA, OSHA, and the scope matrix.

Almost no one drafts that paperwork layer from a blank page. Writing a full SOP library from scratch runs well over 100 hours and demands clinical and regulatory expertise most operators don't have in-house. The common path is to start from a complete set of written protocols, have your medical director review and sign each one, and adapt them to your state and equipment. That turns a six-month project into a few weeks — and it's how most compliant practices actually assemble the program described above.

Whichever route you take, the goal is the same: be able to open any one of these nine drawers and hand an inspector, an underwriter, or a buyer exactly what they ask for. That's what med spa compliance requires.

Last reviewed July 2026. This guide is general information for licensed med spa operators and medical directors, not legal advice — confirm every requirement against your specific state's current regulations. Content is reviewed whenever federal or state regulations change.

Frequently Asked Questions

Common questions about what med spa compliance requires.

What does med spa compliance require?
Med spa compliance requires nine connected components: a legal ownership structure that satisfies your state's corporate practice of medicine rules, a medical director providing real supervision, a documented scope of practice for every role, written protocols and SOPs for every service, informed consent and patient documentation, HIPAA and records management, OSHA and infection-control and emergency preparedness, advertising that follows FTC rules, and ongoing inspection readiness. Compliance is a program, not a single document. Each component has its own enforcer and its own proof document, and a gap in any one of them is what state boards, malpractice carriers, and buyers look for first.
Who regulates med spas?
No single agency regulates med spas. Oversight is layered: your state medical board governs supervision, delegation, and the corporate practice of medicine; a state health agency (such as Florida's AHCA or a state department of health) may inspect the facility; the nursing and cosmetology boards govern their own licensees; OSHA covers workplace and bloodborne-pathogen safety; the HHS Office for Civil Rights enforces HIPAA; and the FTC enforces advertising rules. Because the authority is split, a practice can be fully licensed as a business and still be non-compliant with one of these regulators. The American Medical Association notes that 36 states lack dedicated med spa oversight, which pushes enforcement onto these overlapping bodies.
What documents does a med spa need to be compliant?
At minimum, a compliant med spa keeps: the entity and ownership documents (and any management services agreement); a signed medical director agreement with standing orders and supervision terms; a scope-of-practice and delegation matrix by role; a written SOP for every service offered; treatment-specific informed consent forms; a Good Faith Exam policy; HIPAA policies including a Notice of Privacy Practices and Business Associate Agreements; an OSHA exposure control plan and emergency protocols; advertising and photo-consent policies; and license verification and training records for every clinical staff member. These are the exact records regulators, malpractice underwriters, and acquirers request during an audit, inspection, or due-diligence review.
Does every med spa need a medical director?
In practical terms, yes. Because med spa treatments such as injectables, lasers, and weight-loss prescribing are the practice of medicine, virtually every state requires a licensed physician (or, in some states, a qualified advanced-practice provider) to own or supervise the medical services. The medical director signs the clinical protocols, issues standing orders, performs or oversees the Good Faith Exam framework, and reviews charts. A 'ghost medical director' who is paid but never involved is one of the most-cited violations in recent enforcement sweeps. The title alone is not compliance; documented, active supervision is what regulators and malpractice carriers actually require.
What happens if a med spa is not compliant?
Consequences escalate quickly. State boards can issue cease-and-desist orders, fines, and — in serious cases involving unlicensed practice or patient harm — immediate suspension of operations. Your medical director's personal license is exposed alongside the business. Malpractice carriers can deny a claim or void coverage if no written protocol existed for the treatment involved. In litigation, the absence of signed SOPs is presented to a jury as evidence you fell below the standard of care. Recent state task forces have inspected hundreds of med spas and cited them for missing protocols, ghost medical directors, and unqualified staff performing delegated procedures. Non-compliance is not a paperwork risk; it is an existential one.
How often should med spa SOPs be updated?
Review every clinical SOP at least once a year, and immediately whenever something material changes: a new service or device is added, a drug's labeling or a compounding rule changes, a staff member's scope changes, your state amends its regulations, or an adverse event exposes a gap. Each SOP should carry a version number, a revision date, and a current medical director signature so an inspector can see reviews actually happened. An out-of-date protocol can be worse than none at all, because it documents that your practice knew the standard and then failed to follow the current one. Put a recurring annual review on the calendar with your medical director.
Where should a new med spa start with compliance?
Start with structure, then supervision, then documentation. First, confirm your ownership model is legal in your state under the corporate practice of medicine doctrine. Second, sign a real medical director agreement with standing orders and a Good Faith Exam policy. Third, build the paperwork layer: a written SOP for every service, consent forms, HIPAA policies, an OSHA exposure control plan, and a scope-of-practice matrix. Most operators do not draft all of this from scratch — they start from a professionally written SOP library, have their medical director review and sign each protocol, and adapt it to their state and equipment. That sequence gets a new practice compliant in weeks instead of months.