An essential guide to medspa compliance

    An Essential Guide to Medspa Compliance

    Let’s be real: med spa compliance regulations can be overwhelming. 

    They’re confusing, get updated regularly, differ from state to state… keeping up is enough to make your head spin. But miss a step, and you could face hefty fines, lawsuits, and even lose your business. 

    This guide is for anyone in the medical spa industry who feels lost in the paperwork, stressed about making a mistake, or just plain overwhelmed by the sheer volume of compliance requirements.

    We’ll break down the key compliance rules for med spas across the United States, giving you a clearer understanding of what’s required in your region. 

    Then, we’ll cover licenses, safety standards, ethical marketing, and insurance requirements — all the things you need to have on your radar. 

    Let’s get started!

    Understanding med spa regulations

    Handling med spa business regulations needs a multifaceted approach.

    For starters, you’ll need to understand three types of regulations you’ll face: 

    • Standard business regulations
    • Regulations for medical facilities
    • Practitioner-related regulations

    Business regulations cover things like your business license, the legal structure of your company, and how you handle taxes and payroll. 

    On the other hand, medical regulations dictate things like OSHA safety standards, sanitation, infection control procedures, and patient record-keeping requirements. 

    Finally, practitioner regulations determine who is qualified to perform different medical procedures and the level of supervision needed based on their licenses.

    Things get even more complex because of federal and state-level regulations. 

    The federal government sets broad standards – the Food and Drug Administration (FDA) is responsible for oversight of devices and injectables, the Health Insurance Portability and Accountability Act (HIPAA) ensures compliance for patient privacy, and the Federal Trade Commission (FTC) enforces truthful advertising.

    However, the day-to-day operations of your med spa are largely governed by your state. Here are some of the key areas where state regulations are applied:

    • Med spa ownership and supervision
    • The scope of practice and licensing
    • Financial regulations around tax and commissions 

    We’ll start by unpacking these different aspects of state regulations, and then switch to more general compliance issues.

    Med spa compliance by region in the US

    In the next sections, we’ll take a look at some regional differences within U.S. med spa regulations. 

    Due to the scope of this article, it’s important to note that we won’t discuss each state.

    For reference, here are the different categories of procedures that will be mentioned in the following sections:

    Light-based procedures: intense pulsed light (IPL) therapy, laser hair removal, laser skin resurfacing, and photodynamic therapy (PDT).

    Heat-based procedures: radiofrequency (RF) treatments, ultrasound therapy, infrared light therapy, external lipolysis.

    Fillers & injectables: hyaluronic acid fillers (e.g., Juvederm®, Restylane®), neuromodulators (e.g., Botox®, Dysport®), calcium hydroxylapatite (e.g., Radiesse®), poly-l-lactic acid (e.g., Sculptra®).

    Other: chemical peels, microdermabrasion, photo pneumatic therapy.

    For the most accurate and up-to-date information, it’s always best to consult the American Med Spa Association (AMSPA) and your state’s regulating board (usually the medical board) — even if your state is listed below. 

    State laws can change, so it’s also important to stay updated to ensure your med spa practice remains compliant. You can subscribe to AMSPA’s newsletter to stay on top of med spa news and regularly check for updates.

    Northeastern United States

    New York

    Ownership: Only licensed physicians, physician group practices, and nurse practitioners with the required certification and training can own a med spa in New York. 

    Owners must form a professional corporation (PC) or professional limited liability company (PLLC) to perform medical spa services.

    Practitioner Requirements: All individuals must have an active state license to perform the following procedures:

    • Facial fillers and Botox® injections
    • Use radiofrequency, infrared, and other light-based devices
    • External lipolysis (heat/ultrasound)
    • Photo pneumatic therapy

    Independent Practice: Advanced practice nurse practitioners (ARNPs) can practice independently if they meet state law requirements.

    Other Considerations: Foreign business owners who want to open a med spa in New York have to partner with a physician who’s licensed in the state.


    Ownership: Both physicians and non-physicians can operate a med spa practice in Massachusetts, provided they obtain a clinic license from the state’s Department of Public Health.

    Procedure Restrictions: The state requires light and heat based treatments, injectables, chemical peels, scrubs, and microdermabrasion must be performed by licensed professionals.

    Practitioner Requirements: Electrologists must complete an 1100-hour accredited course and earn continuing education credits every two years. Aestheticians performing laser hair removal require 30 hours of IPL device training.

    Other Considerations: Non-physicians can share profits from a med spa.

    Southeastern United States


    Ownership: Florida offers a unique model: anyone can own a medical spa. This creates opportunities for those without medical backgrounds to enter the industry.

    Practitioner Requirements: Individuals performing procedures must hold the appropriate active state licenses. Florida law mandates specific certifications for procedures like laser hair removal, injectables, etc.

    Restrictions: While ownership is open to all, non-physicians can’t receive compensation or profits directly connected to the use of equipment or services performed by licensed medical professionals. This aims to prevent undue influence over medical decisions.


    Ownership: Only physicians can own a medical spa in Georgia. However, other facilities can still offer cosmetic services like laser and IPL hair removal, provided they have the necessary equipment and licenses.

    Practitioner Requirements: Individuals performing procedures must hold the appropriate active state licenses. Continuing education or advanced training is required to perform cosmetic procedures. Specialized training and certifications are required for those offering light-based procedures.

    Independent Practice: Physician assistants (PAs) cannot practice independently. They must be supervised by at least one licensed physician, who can supervise up to four PAs at a time.

    Midwestern United States


    Ownership: Illinois law requires that a medical spa be owned by a licensed physician.  While nursing practitioners (NPs) can obtain a full practice authority license, this allows them to practice without a collaborative agreement but does not permit them to own a med spa.

    Practitioner Requirements: PAs cannot practice independently and cannot receive direct payment for their services. Estheticians and cosmetologists must work under physician supervision and cannot perform procedures affecting the living layers of the skin.

    Additional Requirements: The state imposes sales tax on prescription and non-prescription medicines, including Botox® injections. 

    Other Considerations: Non-physicians cannot share in the ownership or profits generated by a med spa. NPs cannot market their practice as a “medical spa”


    Ownership: Ohio’s laws make it relatively easy to open a med spa. Unlike many states, Ohio allows physicians to be employed by corporations or other businesses. This means that a med spa can be owned by:

    • Licensed physicians
    • Groups of physicians (physician practices)
    • Corporations or businesses, provided they employ a licensed physician

    Practitioner Requirements: Injectables can be given by PAs, registered nurses (RNs), and nursing practitioners (NPs), while laser hair removal should be performed by a practitioner with at least 50 hours of training. Physicians must supervise laser procedures by being physically present during the procedure.

    Additional Notes: Non-physicians cannot receive profits from a med spa.

    Western United States


    Ownership: California requires that a med spa be owned by a state-licensed physician or practice group. Physicians must hold at least 51% of the clinic’s shares. 

    The remaining 49% may be held by other professional entities such as licensed RNs, PAs, physical therapists, and medical corporations.

    Practitioner Requirements:

    All staff members, including PAs, NPs, and RNs, must be licensed and actively practicing.

    They must also have obtained relevant higher education or specialized training related to the cosmetic procedures they offer.

    Independent Practice: PAs cannot practice independently.


    Ownership: Only licensed physicians and NPs can own a medical spa in Washington.

    Practitioner Requirements: Individuals performing procedures must hold the appropriate active state licenses. Practitioners providing laser treatments must have advanced training and certification.

    Electrologists must have a general license, completed a 750-hour instruction course, and have an additional 450 hours for a master’s license.

    Other Considerations: Non-physicians cannot receive profits from a med spa. A med spa employee cannot receive a bonus or a percentage of the revenue generated specifically from a laser treatment or injectable they administer. 

    Southwestern United States


    Ownership: Texas restricts medical spa ownership to licensed physicians only. However, estheticians or licensed laser technicians can own a med spa if they limit their services to laser hair removal.

    Practitioner Requirements: Individuals performing procedures must hold the appropriate active state licenses. All laser hair removal devices require a physician’s order or prescription and must be registered following specific regulations.

    Other Considerations: While commissions based on the use of equipment by licensed professionals are not permitted, PAs and other practitioners can receive commissions for laser hair removal services.


    Ownership: Medical spas in Arizona must be licensed by the Arizona State Board of Nursing. All practitioners must be licensed RNs or APRNs with prescriptive authority, with a licensed physician as a medical director.

    Practitioner Requirements: Medical spas in Arizona are limited to providing non-surgical cosmetic procedures that are within the scope of practice of licensed RNs or APRNs with prescriptive authority.

    Other Considerations: PAs and NPs may only be paid a reasonable salary for their duties and cannot accept commissions in exchange for referrals following the anti-kickback law.

    Required licenses and certifications for owning a med spa

    Let’s now switch from state regulations to more broad categories of compliance, starting with licensure and certifications.

    As you noticed in the state-by-state breakdown, many states allow med spa ownership to licensed physicians only. But if you aren’t one, there’s another alternative.

    Med spa owners usually form management services organizations (MSOs) and partner with a physician, allowing them to run the business side of the med spa while ensuring compliance.

    But even in states with more relaxed rules where non-physicians can own a med spa practice, you still need a licensed physician to act as a Medical Director — delegating and supervising any of the medical procedures performed on-site. 

    With ownership out of the way, you’ll also need to obtain some licenses, permits, and certifications. Here’s the breakdown:

    • Get a general business license
    • Register with the state medical board
    • Get a federal employer identification number (EIN)
    • Register the name of your med spa that you’ll be “doing business as” (DBA) if it’s different from your business name
    • Get a seller permit and sales tax certificate
    • If necessary, get a building permit and certificate of occupancy
    • Get HIPAA certified (more on that later)

    Of course, ensuring any healthcare professionals working at the clinic have the proper licenses is crucial. Individual practitioner licenses for RNs, NPs, PAs, aestheticians, etc., are needed for them to legally do their jobs.

    Staying on top of these requirements is a key responsibility for any med spa owner — but they’re not the only considerations.

    Patient safety and care requirements

    Next up is patient safety and care. 

    With rising patient safety concerns in the med spa industry, prioritizing patient well-being is crucial for both ethical reasons and staying compliant.

    A key part of patient safety involves how information is collected and stored. 

    Key patient info must be kept organized and secure to ensure quality care and avoid medical mistakes. Caregivers should tailor treatments based on all available information — when something is missing, say an important allergy note, it can have serious consequences.

    That’s why it’s essential to restrict access to patient data.

    Only authorized personnel should have access to medical records. And practice management software with robust staff and patient permissions features makes this easy to enforce.

    With everything set up properly in these systems, it should be impossible for say, front-of-house staff to accidentally access or delete a crucial treatment note or lab test. 

    A closely related aspect is patient privacy. 

    Medical practices are required to adhere to the strict rules outlined by HIPAA. This legislation concerns protected health information (PHI) — any health-related info that can identify patients — and governs how other health info is handled and protected. 

    To be HIPAA compliant, you can check out our comprehensive HIPAA compliance checklist for more details. It includes key practices like:

    • Appointing a HIPAA compliance officer
    • Developing security policies and standards
    • Protecting patient information with safeguards
    • Regularly performing risk assessments

    (Pro tip: HIPAA extends to social media as well.)

    Overall, protecting your patients’ safety and privacy is an essential part of med spa compliance.

    Medical aesthetics procedures compliance

    Med spas offer a diverse range of treatments, and ensuring compliance around these procedures is vital. 

    Many states require that any med spa procedures must be performed by licensed physicians. Even where NPs or PAs can perform certain med spa services, supervision by a physician is often mandated, with the level of oversight varying by state. 

    In any case, it’s crucial for med spas to provide appropriate training to ensure any mid-level providers who perform any procedures are qualified and competent to perform them safely.

    Meticulous documentation is another key aspect of procedure compliance. 

    This includes taking date-stamped before-and-after photos, maintaining detailed client records, and even noting details like batch numbers for injectables in case of a product recall. 

    This thorough record-keeping allows you to have a history of treatments and track what each patient received. And that’s important for both patient safety and in case of any legal disputes.

    On a final note, specific compliance requirements also exist for common med spa treatments like Botox®, facials, and fillers. You might need:

    • Laser Safety Certifications
    • Injectable Administration Certifications
    • Certifications for specific advanced aesthetic treatments

    Just like with overall licensing, these certification requirements vary greatly by state. For example, Florida has relatively relaxed regulations for procedures like Botox®, while states like Delaware require specialized training and an electrologist license for laser hair removal.

    Health and safety standards

    While med spa treatments focus on wellness and aesthetic procedures, it’s important to remember that they are still considered medical services. 

    As such, spa owners must comply with standards set by the Occupational Safety and Health Administration (OSHA). These guidelines protect both your staff and your patients by ensuring a safe and hygienic working environment.

    To stay OSHA compliant, your med spa needs to have clear, written policies in place. These policies should cover areas like biohazards, hygiene practices, safe equipment operation, medication handling and storage, infection control, and incident reporting.

    You’ll also need to implement thorough cleaning and disinfection protocols that are consistently followed and ensure your staff is trained in OSHA guidelines, infection control, and the safe use of any equipment.

    These strict regulations are designed to prevent the spread of infections, mitigate injuries, and ensure a safe environment for everyone in your med spa. 

    Failure to comply can have serious consequences for both patient safety and your clinic. 

    Unhygienic conditions or poorly maintained equipment can lead to serious health issues for your patients, while also putting you at risk for hefty fines and legal trouble.

    Word travels fast in the aesthetics industry. So even if you dodge legal issues, any safety lapses can lead to a permanently tarnished reputation.

    Ethical marketing advertising regulations

    Like any business, you want your med spa to gain visibility. But while eye-catching campaigns are important, you must ensure that your marketing doesn’t violate regulations designed to protect consumers.

    Med spas fall under two sets of advertising rules. 

    First, there are FTC’s consumer protection laws that prohibit false or misleading claims. In the med spa context, this means you can’t promise specific aesthetic results and exaggerate the safety of a service or product, among other things.

    Say you ran a social media ad campaign promising “wrinkle-free results in just one visit!” with a before-and-after photo highlighting dramatic changes. Without disclaimers about individual results and a consultation with a licensed practitioner, this ad would likely be considered misleading.

    On top of this, as a healthcare provider, your marketing is also subject to medical-specific regulations. 

    Before-and-after photos or patient testimonials, while powerful marketing tools, often require specific disclaimers and patient consent. It’s also important to understand any restrictions on advertising prescription medications, as incorrectly promoting these treatments can have serious legal consequences.

    Let’s use advertising Botox® as an example.

    This prescription medication has strict advertising rules on social media and Google:

    • You can’t target anyone under 18
    • Accurate safety information must be included
    • Physicians can’t offer it without a prescription in locations where they aren’t licensed
    • The name Botox® shouldn’t be used as it’s a brand name

    By understanding and adhering to these ethical marketing practices, you protect both your patients and your med spa’s reputation.

    Insurance and liability compliance

    To round out our compliance discussion, let’s focus on the importance of insurance and managing liability risks.  

    Med spas need comprehensive insurance coverage for both standard business risks and the specialized risks of providing medical procedures. Here’s some essential insurance to consider:

    • Business liability insurance: This protects your med spa against general risks like property damage or injuries on the premises.
    • Professional liability (malpractice) insurance: This is a crucial one to get, as it protects you against claims arising from patient injuries or unsatisfactory results. Some states even mandate that physicians and NPs carry malpractice insurance with specific minimum coverage amounts.
    • Workers’ compensation insurance: This coverage, often required by law, protects your staff if they are injured on the job.

    Beyond insurance, mitigating liability requires meticulous documentation. Remember, your patient records are not only vital for patient safety (as we discussed earlier), but they’re also your best defense in case of a dispute. 

    Among other things, to manage risk, your med spa should meticulously document:

    • Patient information and medical history
    • Informed consent documents
    • Detailed treatment notes
    • Insurance policies and coverage

    Finally, it’s also important to be aware of federal or state regulations that impact how med spa profits are shared. Laws like the Anti-Kickback Statute and physician self-referral laws are designed to prevent conflicts of interest and can cause serious legal trouble if not adhered to.

    Taking these precautions is like investing in proactive risk management, safeguarding your med spa against potential liability claims.

    Find out how Pabau helps your clinic with compliance changes

    Staying on top of med spa compliance isn’t always easy, but having the right tools can make your life much easier.

    That’s especially true when you consider practice management software like Pabau, built with the challenges med spas face in mind. 

    Our tool helps store all sensitive patient data — medical history, treatment records, before and after photos, you name it — safely and securely. Think of it as extra insurance against privacy breaches, meeting those strict HIPAA requirements.

    Pabau also makes dealing with documentation like consent forms and pre and post-care instructions a breeze, automating the collection and storage process so nothing important gets overlooked.

    While you still need to follow other regulations carefully, Pabau definitely takes some of the compliance headaches off your shoulders, freeing up time for the parts of your business you love.

    Ready to see how? Book a demo today!

    What you should do now

    1. Schedule a Demo to see how Pabau can help your team.
    2. Read more clinic management articles in our blog.
    3. If you know someone who’d enjoy this article, share it with them via Facebook, Twitter, LinkedIn, or email.

    See Pabau in action

    Schedule a free demo with one of our team today.

    Book a demo

    Related Articles: