Key Takeaways

- Med spa compliance covers licensing, staffing, patient safety, HIPAA, and marketing regulations.
- Physician ownership is required in most states; non-physicians must follow specific rules.
- Accurate documentation and consent forms reduce risk and protect patients.
- Med spa software like Pabau simplifies compliance, staff management, and multi-location operations.

Compliance is crucial for med spa owners because it protects their business, staff, and clients. And as the standards are evolving constantly, staying up to date with med spa compliance can feel like juggling a dozen moving parts at once.

So let's simplify it. In this guide, we'll break down:

- Who can legally own a med spa
- Key state regulations
- Critical compliance areas
- Best practices to keep your business safe and thriving

Disclaimer: This blog post is for informational purposes only and does not constitute legal advice. Please consult with your state medical and nursing boards and a healthcare attorney before opening a med spa.

What is med spa compliance?

Med spa compliance means following all the legal, ethical, and safety rules that govern your medical spa. It covers everything from:

- Licensing and certification for your staff
- Ownership and business structure rules
- Patient safety protocols and privacy laws
- Marketing, advertising, and ethical promotions
- Insurance and liability requirements

Compliance ensures your med spa operates legally, protects patients, and avoids costly penalties.

Key compliance areas every med spa must cover

Being med spa compliant means keeping your med spa clean, safe, and legit by:

- Having the right licenses
- Protecting patient information
- Keeping your workplace safe
- Avoiding promises that aren't medically realistic

So let's break down the key compliance areas you should focus on.
Licensing and staffing

| License / Permit | Who Issues It |
|---|---|
| Medical Practice License | State Medical Board |
| Business / Corporate License | State or Local Business Authority |
| Medical Director License | State Medical Board |
| NP / PA / RN License | State Nursing Board / Medical Board |
| Laser / Energy-Based Device Registration | State Health Department or Board of Medicine |
| Cosmetology / Esthetician License | State Cosmetology Board |
| Tanning Facility License | State Health Department |
| Controlled Substances Registration | DEA & State Pharmacy Board |
| OSHA / Workplace Safety Compliance | OSHA / State Health & Safety Agencies |
| HIPAA Compliance | Federal & State HIPAA Regulations |

Every med spa must follow the licensing rules set by state medical boards or health departments. This ensures that the facility and its staff are legally authorized to perform medical procedures.

Physician supervision and medical direction

Almost every state requires a licensed Medical Director (typically an MD or DO) to oversee all medical procedures. This includes having formal, written protocols, ensuring the Medical Director is actively involved, regularly reviewing patient charts, and being available for emergencies, as required by state law.

Good to know: In some states, independent Nurse Practitioners (NPs) and Advanced Practice Registered Nurses (APRNs) can act as the medical director.

HIPAA and patient privacy

HIPAA compliance requires following a clear checklist:

- Secure storage of medical records
- Limiting access to authorized personnel
- Safeguarding both electronic and physical data
- Regularly monitoring systems and updating security policies

This also means that any software you use to store patient information or communications must be HIPAA-compliant.

Not sure how to stay HIPAA-compliant? Our all-in-one med spa management software Pabau is HIPAA compliant. It maintains detailed audit trails and logs all user activity within the platform, which will help you keep your patient data secure.
OSHA and facility safety standards

Your med spa needs to follow health and safety standards. This includes:

- Proper sanitation
- Good ventilation
- Regular equipment maintenance

OSHA guidelines usually apply to chemical peels, lasers, and other procedures that carry risk for staff or clients. Beyond that, clear signage, proper disposal of medical waste, and labeled treatment areas keep the facility professional and compliant.

Informed consent and good faith exam (GFE)

Before starting any medical treatment, a qualified practitioner must:

- Perform a good faith exam (GFE): check the patient's medical history and perform a physical assessment to see if the treatment is right for them.
- Obtain a signed informed consent form, confirming the patient understands the risks, benefits, and alternatives of the procedure. If you don't ask them for a signed consent, they may have grounds for a malpractice lawsuit.

Advertising and marketing regulations

If you are in charge of marketing your med spa, you need to know that you can't:

- Promise results that aren't medically realistic
- Advertise procedures that aren't FDA-approved
- Mislead clients about who performs treatments and how they are performed

Also, any promotions, social media posts, and testimonials must be accurate and truthful. Staff should not exaggerate treatment outcomes. Many states also require the licensed medical professional who provided the service to be named.

Here's an example from Chin Up! Aesthetics. The client's photo was taken in steady lighting, showing the changes clearly. The injector who did the treatment is also clearly noted.
They also explain the procedure without exaggerating the treatment outcomes:

"Our patient received facial balancing with dermal fillers to enhance harmony in her chin, midface, and lips, creating a naturally refreshed, beautifully proportioned look."

In contrast, if a social media post promises "wrinkle-free results in just one visit!" with a dramatic before-and-after photo, and without disclaimers about individual results or documented patient consent, the ad would likely be considered misleading and could violate advertising regulations.

Who can legally own a med spa?

This depends heavily on state laws.

| Role | Can open and own? | Independent practice? |
|---|---|---|
| Physician (MD/DO) | Yes | Yes |
| Nurse Practitioner (NP) | Some states allow ownership, others require a physician partner | Autonomy depends on state law and collaborative agreements |
| Registered Nurse (RN) | Ownership usually requires a partnership with a physician | No, must work under physician supervision |
| Physician Assistant (PA) | Generally can't independently own | No, must operate under physician supervision at all times |
| Dentist or Chiropractor | May be permitted within their scope of practice | Limited to procedures within their professional license and training |

Most U.S. states require physicians to own a med spa. However, some let non-physicians, like nurse practitioners or business owners, have ownership, but there's a catch. They must either team up with a licensed physician who will partly own and handle the medical side of the practice, or partner with a Management Services Organization (MSO).

This makes understanding ownership rules a key part of staying compliant, so let's dive into the details.

Licensed physicians (MDs/DOs)

In all 50 states, a licensed physician (MD or DO) can fully own and operate a med spa, supervise medical procedures, and oversee clinical staff. This is the most straightforward path to compliance.
Statistics: According to the American Medical Association, as of 2022, just 37% of med spas had a physician owner. This shows that more non-physicians are starting medical spas.

Nurse practitioners (NPs) and physician assistants (PAs)

In some states, NPs and PAs can own a med spa, either fully or partially. They must stay within their license scope and work with or be supervised by a physician. This is common in states with less restrictive Corporate Practice of Medicine (CPOM) laws.

Important: In states like California, NPs and PAs are prohibited from owning the medical practice entity.

Non-medical professionals

In states that don't enforce the CPOM doctrine, such as Florida and Delaware, non-medical professionals can own the business's administrative and non-medical parts. This includes business owners, RNs, and estheticians. However, they must always hire licensed medical professionals to oversee all procedures.

In states with strict CPOM laws, working with a Management Services Organization (MSO) is the usual way to gain de facto med spa ownership.

What is an MSO? Learn more about it by reading this detailed MSO guide.
Med spa compliance by state in the US

| State | Ownership | Licenses/Permits |
|---|---|---|
| New York | Physicians or groups; NPs via PC/PLLC | State professional license |
| Massachusetts | Physicians and certain NPs; non-physicians partner with physician | DPH med spa license |
| Florida | Anyone (non-medical can't control services) | State med spa license |
| Georgia | Only physicians; others co-own admin only | Board of Health license |
| Illinois | Only physicians | IDFPR license |
| Ohio | Only physicians; others can partner | Health Department permit |
| California | Physicians ≥51%; NPs/PAs ≤49%; MSO for non-physicians | California Medical Board registration |
| Washington | Physicians and NPs; MSO for non-physicians | State Board of Health license |
| Texas | Physicians ≥51%; non-physicians minority | State Board of Health license |
| Arizona | Licensed and non-licensed individuals | Arizona Department of Health Services license |

Even though a trip to the med spa is more about pampering than treating a medical condition, these businesses are still considered medical providers. So, if you plan to own a med spa, you need to follow strict rules, including:

- Complying with state-specific ownership requirements
- Ensuring all medical procedures are performed by licensed professionals
- Having a medical director supervise most treatments
- Conducting pre-service consultations for patients
- Following HIPAA and OSHA regulations to protect patient safety and privacy

Below, we've broken down the key med spa regulations for 10 different states.

Important: Laws vary across states and can change quickly. So for the most accurate and up-to-date information, it's always best to consult the American Med Spa Association (AMSPA) and your state's regulating board, even if your state is listed below.

Northeastern United States

New York

Ownership: In New York, only licensed physicians or physician groups can legally own a medical spa.
Certified Nurse Practitioners (NPs) may also own a medical spa, but they must form a Professional Corporation (PC) or Professional Limited Liability Company (PLLC) to do so.

Tip: Foreign business owners who want to open a med spa in New York have to partner with a physician who's licensed in the state.

Licensing and other requirements:

- A professional entity must be licensed through the New York State Education Department.
- All practitioners performing medical procedures must hold an active state license.
- A licensed physician must be appointed as the medical director.

Who can perform treatments:

- Physicians
- Board-certified dermatologists and plastic surgeons (for procedures like strong chemical peels or photofacial treatments)
- PAs, NPs, RNs with appropriate physician supervision

Important: In New York, there are still no regulations on who can provide laser hair removal treatments. This means that anyone can perform the procedure without supervision. However, medical supervision is recommended when non-licensed individuals provide the service.

Massachusetts

Ownership: In Massachusetts, medical spas can be owned by licensed physicians and certain Nurse Practitioners (NPs).

Tip: Nurse Practitioners in Massachusetts who have completed over two years of supervised practice can qualify for full practice authority.

However, non-physician entrepreneurs who want to open a med spa in Massachusetts must partner with a Massachusetts-licensed physician or qualified medical professional, who will oversee all medical aspects and own the clinical side of the practice.

Licensing and other requirements:

- The medical spa must be licensed through the Massachusetts Department of Public Health (DPH).
- All practitioners performing medical procedures must hold active licenses for their respective professions.
- A licensed physician or independent nurse practitioner must serve as the supervising medical director and oversee all clinical protocols, delegation, and patient safety standards.
Who can perform treatments:

| Provider | Scope |
|---|---|
| Physicians and independent NPs | All |
| Board-certified dermatologists, plastic surgeons, dentists | Services within their specialty |
| NPs, PAs, RNs | Under physician supervision |
| Licensed estheticians and cosmetologists | Photofacial treatments, TCA peels (under supervision) |
| Licensed electrologists | Laser hair removal (license required) |

Southeastern United States

Florida

Ownership: Florida offers a unique model: anyone can own a medical spa as long as non-medical personnel have no input into what services are provided, how they are offered, or which clients receive what treatments. This creates opportunities for those without medical backgrounds to enter the industry.

Important: While ownership is open to all, non-physicians can't receive compensation or profits directly connected to the use of equipment or services performed by licensed medical professionals. This aims to prevent undue influence over medical decisions.

Licensing and other requirements:

- All practitioners performing medical procedures must hold active licenses.
- The medical spa must appoint a medical director who is a licensed physician to oversee all clinical operations.

Important: In Florida, the medical director must have hands-on experience in aesthetic and non-surgical procedures, such as injectables and laser treatments.

Who can perform treatments:

- Physicians
- ARNPs, NPs, PAs, and RNs under physician supervision

Georgia

Ownership: In Georgia, only a physician can be the sole owner of a medical spa. Other licensed professionals or non-medical entrepreneurs may own the business, but all medical decision-making and ultimate clinical responsibility must remain with a physician.
Licensing and other requirements:

- The medical spa must be licensed through the state Board of Health.
- All practitioners must be qualified professionals.
- A designated medical director who is a licensed physician is required.

Who can perform treatments:

- Physicians
- RNs, PAs, NPs, and ARNPs under physician supervision
- Senior laser practitioners and assistant laser practitioners (under supervision) for laser treatments

Midwestern United States

Illinois

Ownership: In Illinois, medical spas must be owned by a licensed physician. So, if you are looking to open a med spa in Illinois, you must ensure that the business is structured under a physician-owned entity and that all medical services are performed by properly licensed professionals.

Licensing and other requirements:

- All med spas must be licensed under the Illinois Department of Financial and Professional Regulation (IDFPR).
- Practitioners must have appropriate licenses.
- A medical director who is a licensed physician or an APRN with full practice authority is required.

Who can perform treatments:

- Physicians
- APRNs with full practice authority (APRN-FPA)
- PAs, NPs, RNs, and certified laser technicians under supervision

Important: Although Advanced Practice Registered Nurses (APRNs) can obtain full practice authority to work independently without a physician's collaborative agreement, this does not allow them to legally own a med spa.

Ohio

Ownership: In Ohio, only licensed physicians may own or operate a medical spa. Other licensed professionals and entrepreneurs cannot directly own the medical practice side of a med spa, but may partner with a licensed physician who assumes responsibility for all medical decisions and clinical oversight.

Licensing and other requirements:

- Health Department permit
- Practitioners must hold the appropriate professional licenses

Who can perform treatments:

- Physicians
- PAs, NPs, and RNs under physician supervision

Western United States

California

Ownership: In California, only licensed physicians can own a medical spa.
If the med spa is set up as a medical corporation, the physician has to hold the controlling share, usually at least 51%. Other licensed health professionals, like NPs and PAs, can own a med spa in California, but only a minority share of up to 49%. Non-physicians can't own one directly, but they can still be involved by partnering through an MSO.

Important: California law doesn't allow regular corporations or LLCs to provide medical services because of the state's corporate practice of medicine (CPOM) rules. This means med spas must be owned by licensed physicians or set up in a way that keeps medical control in the hands of a physician.

Licensing and other requirements:

- The med spa should be registered with the California Medical Board.
- All staff, including non-medical staff, who perform services must hold an appropriate license.
- A licensed physician should be appointed as medical director.

Who can perform treatments:

| Provider | Scope |
|---|---|
| Physicians | All procedures within their scope of practice |
| Nurse Practitioners (NPs) | Some procedures independently (depending on scope) or under physician supervision |
| PAs and RNs | Under physician supervision |
| Licensed aestheticians | Non-medical procedures |

Washington

Ownership: Washington is a "full practice authority" state, which means that aside from physicians, Nurse Practitioners can also own and operate independent practices, including med spas.

Important: For a nurse practitioner to independently own a med spa, they should hold a master's degree in a relevant specialty and complete additional advanced training in aesthetic or medical spa procedures.

Non-physicians can own or co-own a med spa through an MSO.
Licensing and other requirements:

- License from the Washington State Board of Health
- Staff must possess the appropriate professional licenses and certifications
- A designated medical director is mandatory

Who can perform treatments:

- Physicians and NPs with a master's degree
- PAs, NPs, and RNs under supervision

Southwestern United States

Texas

Ownership: In Texas, the majority ownership of the medical spa (at least 51%) must be held by a licensed physician due to the state's corporate practice of medicine rules. Non-physicians, such as physician assistants or nurse practitioners, may have a minority ownership stake, but they cannot control the business.

Licensing and other requirements:

- The med spa will need a license from the Texas Department of State Health Services.
- A licensed physician must serve as medical director.
- The med spa facility must comply with health and safety standards and obtain the necessary licenses or permits for specific services, such as laser hair removal or tanning.

Who can perform treatments:

- Physicians and Physician Assistants (PAs)
- Other licensed providers under supervision

Arizona

Ownership: Both licensed and non-licensed individuals can own a med spa in Arizona. However, non-physicians, such as NPs and PAs, must appoint a licensed medical director.

Important: If you are a non-licensed healthcare provider planning to open a med spa in Arizona, you must obtain the proper license from the Arizona Department of Health Services to legally operate. Additionally, the facility must have a licensed medical director who oversees all medical procedures and ensures compliance with state regulations.
Licensing and other requirements:

- All practitioners must be licensed.
- Appoint a medical director who is either a licensed physician or an independent nurse practitioner.

Who can perform treatments:

- Physicians and NPs
- PAs and RNs (who have completed specific training) under supervision

Best practices to create a compliance-ready med spa

Creating a compliance-ready med spa should be more about building systems that prevent problems before they happen than about reacting to issues as they arise. In other words, always be prepared for inspection so your business stays safe, professional, and fully compliant.

Train staff on regulations and protocols

Conduct regular mandatory training sessions for your med spa staff on:

- The state's scope of practice
- Internal medical protocols
- HIPAA/data privacy rules

This will ensure your team fully understands the laws, safety procedures, and company policies. Be sure to document every session, including attendance and the material covered, so nothing is overlooked and you have a clear compliance record.

Document every treatment and delegation

Every patient interaction should be documented, including:

- The good-faith exam
- Signed informed consent forms
- Treatment specifics
- Products used (batch numbers)
- The supervising physician's involvement (where required)

This is important not only for future visits but also for provider and patient protection in case of a potential lawsuit. All these details should be properly stored in one place and easily accessible. And in this case, med spa practice management software can be of huge help.
"Pabau [the all-in-one practice management software] is storing your patient information and saving that for future visits, lawsuits, patient and provider protection."

Conduct regular internal audits

Conduct monthly or quarterly internal audits of:

- Patient charts
- Consent forms
- Staff licenses
- Treatment protocols

These audits will give you a chance to catch small errors before they turn into major liabilities (or before a regulatory inspection detects them).

Use a centralized management system like Pabau

A centralized management system is essential for managing the complexity of med spa compliance. Even better if the system is all-in-one, just like Pabau.

With Pabau, for example, you'll get centralized scheduling, charting, communication, and documentation, so nothing gets missed. This will help you keep every part of your med spa organized, compliant, and protected with features like:

- Two-factor authentication (2FA) for an extra layer of login security
- Automatic daily data backups to prevent data loss
- Regular security updates to keep the system protected against emerging threats
- Disaster-recovery procedures to ensure your clinic can quickly restore operations

Digitalize and automate consent forms and documentation

Digital consent forms can be tailored to specific procedures and automatically sent when someone schedules a treatment. This way, patients can sign them electronically before their visit.

"Whatever treatment clients book, Pabau automatically sends them that specific online consent form and that specific pre-care, things they need to do ahead of time before their appointments. I wasn't able to do that on other platforms."

Also, digital forms, unlike paper ones, are immediately logged, dated, and stored securely in the system, which makes them instantly auditable.

How compliance software can simplify managing your med spa

With compliance software, all of your documentation lives in one secure place. You have access to everything exactly when you need it.
No more wondering which binder holds your esthetician's license or where the health department permit ended up; everything is organized, searchable, and stored digitally.

Pabau falls under the category of robust med spa compliance software, and those who use it benefit from:

- HIPAA-secure electronic medical records (EMR): All client health records, treatment notes, and personal information are encrypted and fully compliant with HIPAA regulations.
- Automated consent forms: Pre- and post-treatment forms can be sent and signed electronically, ensuring clients are informed and your documentation is always complete.
- Detailed audit logs: Every action in the system is tracked, which is critical for accountability and inspections.
- Role-based access controls: Staff can only see the information relevant to their role, reducing errors and safeguarding privacy.
- Secure before-and-after photo storage: Photos are automatically linked to the patient's chart, eliminating lost images and providing a clear, organized visual history of treatments.
- A patient portal: A place for clients to securely access their forms, treatment history, invoices, and messages, reducing administrative workload and improving transparency.

Common compliance mistakes med spas make

Mistakes often happen when protocols are overlooked, documentation is inconsistent, or systems aren't updated as the business grows. Let's look at the most common compliance mistakes and how you can avoid them:

Inadequate charting and documentation

Missing consent forms, unclear treatment notes, or scattered patient records can lead to misunderstandings, mistakes in patient care, and regulatory penalties. For example, if a patient has a reaction to a treatment and there's no documented consent or treatment history, your liability increases significantly.

Pro Tip: Implement a digital system like Pabau to store all patient charts, treatment notes, and consent forms in HIPAA-secure software.
Automated reminders and structured documentation templates make it easier to record every step accurately, reducing errors and audit risks.

Improper delegation of medical tasks

Delegating procedures to staff outside their licensed scope or failing to provide proper supervision can lead to serious legal consequences, including:

- Lawsuits
- Medical board disciplinary action
- Potential criminal charges

Pro Tip: Use Pabau to define role-based permissions and create clear delegation protocols. Link treatments only to qualified staff so that when clients book an appointment, it will be with a practitioner who is licensed for that specific service.

HIPAA violations and poor data security

Using unsecured devices, storing before-and-after photos on personal phones, or allowing broad access to patient charts can all lead to HIPAA violations. Additionally, data breaches can harm patients and result in fines or lawsuits.

Pro Tip: Keep all patient data, including photos, communications, and records, in a secure, HIPAA-compliant system. Features like encrypted storage, audit trails, and secure patient portals ensure sensitive information is safe and accessible only to authorized staff.

Failing to adjust compliance as you scale

As your business grows and you add new services, hire staff, or even open additional locations, your med spa compliance requirements need to be updated. For example, franchising your med spa into a new state means you'll need to follow that state's regulations, and a system that doesn't have multi-location management features won't meet your needs.

Pro Tip: Pabau supports multi-location management, allowing you to customize everything from services to pricing at each location while coordinating all your operations from a single, centralized platform.

Keep your med spa compliant with Pabau and more

Pabau will help your med spa stay compliant by securely managing patient records, tracking staff licenses, storing consent forms, and maintaining detailed audit logs.
But the good thing about Pabau is that it's an all-in-one med spa management software, not only a compliance tool. It also helps you streamline day-to-day operations with features like:

- Online booking and automated appointment reminders
- Payment processing and invoicing
- Marketing tools and automated campaigns
- Staff scheduling and task management

Still worried about compliance? Check out this ultimate med spa compliance checklist and see if you've missed anything.
2026 Med Spa Compliance for Owners: Importance, Advice & More. By Ivana Karafiloska, December 1, 2025.