MedSpa Compliance and Regulatory Requirements Guide
MedSpa compliance and regulatory requirements are the legal and operational rules that govern how a medical spa offers aesthetic and wellness services while protecting patients, staff, and the public. A medspa that gets these issues wrong can face licensing problems, patient complaints, privacy investigations, workplace safety issues, advertising scrutiny, and business disruption.
Key Takeaways
- MedSpa compliance sits at the intersection of healthcare regulation, consumer protection, employment law, privacy, advertising, and workplace safety.
- Federal rules may apply to patient privacy, health information, advertising, medical devices, and workplace safety.
- State law usually controls ownership, supervision, scope of practice, delegation, and who may perform specific procedures.
- If a medspa is subject to HIPAA, it must protect patient information and respond properly to privacy or security incidents.
- Marketing claims, before-and-after photos, patient records, and online tracking practices should be treated as compliance issues.
What MedSpa Compliance Covers
MedSpa compliance generally includes licensure, ownership structure, clinical supervision, scope of practice, patient safety, informed consent, recordkeeping, privacy, cybersecurity, advertising, and workplace safety.
At the federal level, several agencies may be relevant. HHS OCR enforces HIPAA privacy, security, and breach notification rules for covered entities and business associates. The FTC enforces rules against unfair or deceptive advertising and may also regulate certain consumer health information practices. OSHA regulates workplace safety issues, including bloodborne pathogen and sharps exposure risks. FDA may regulate certain aesthetic devices depending on the device and intended use.
State law is often the most important layer. It usually determines what counts as the practice of medicine, whether a non-physician may own or control a medspa, what supervision is required, and which licensed professionals may perform particular services.
Nine Legal Issues Every MedSpa Owner Must Get Right
1. Ownership Structures and the Corporate Practice of Medicine
Ownership and control are foundational compliance issues. Many states restrict who may practice medicine or control medical decision-making. A medspa should be structured so that business management does not interfere with clinical judgment, patient care, diagnosis, treatment planning, or provider supervision.
Because these rules are state-specific, medspa owners should obtain state-specific legal review before choosing an ownership model, management services arrangement, or medical director structure.
Related reading: What Are the Legal Requirements for Health and Wellness Businesses in Utah?
2. Medical Director Responsibility and Supervision
A medspa offering medical services typically needs real clinical oversight. The medical director role should not be treated as a title-only position. Supervision duties should match the services offered, the license types involved, and applicable state board requirements.
Medical director agreements should define responsibilities clearly, including supervision, protocols, delegation, chart review, incident response, patient safety, and staff training.
3. Scope of Practice and Who Can Perform Procedures
Scope-of-practice rules determine which licensed professionals may perform injections, laser services, microneedling, IV therapy, weight-loss services, and other procedures. These rules vary by state and license type.
Before adding a new service, a medspa should confirm who may perform it, whether a medical exam is required, whether standing orders are allowed, what supervision level applies, and whether the procedure involves a device or drug subject to additional regulation.
4. Informed Consent, Documentation, and Patient Safety
Informed consent and documentation are central risk-control tools. A medspa should document medical history, contraindications, treatment plans, informed consent, products or devices used, lot numbers when applicable, follow-up instructions, adverse events, and patient communications.
Consent forms should match the actual procedure. Generic forms copied from another practice may create risk if they fail to explain the specific service, risks, alternatives, expected results, and limits of treatment.
Related reading: Data Retention Compliance for Healthcare
5. HIPAA, Data Retention, and Cybersecurity
If a medspa is a HIPAA covered entity or business associate, it must protect protected health information under the HIPAA Privacy, Security, and Breach Notification Rules. HHS states that the HIPAA Privacy Rule protects medical records and other individually identifiable health information held by covered entities and their business associates. HHS HIPAA Privacy Rule
The FTC also warns that businesses collecting, using, or sharing consumer health information may need to consider the FTC Act and the Health Breach Notification Rule, even where HIPAA does not apply. FTC Health Breach Notification Rule
Related reading: Data Retention Compliance for Healthcare
6. Advertising, Social Media, and Before-and-After Photos
MedSpa advertising should be truthful, supportable, and not misleading. The FTC states that advertising claims must be truthful, cannot be deceptive or unfair, and must be evidence-based. FTC Advertising and Marketing Basics
Health-related claims require particular care. Claims about results, safety, benefits, permanence, “FDA approval,” “medical grade” treatments, or “guaranteed” outcomes should be reviewed before publication.
Before-and-after photos should be handled carefully because they may involve patient authorization, privacy issues, testimonial risk, editing concerns, and claim-substantiation issues.
7. OSHA, Workplace Safety, and Infection Control
MedSpa workplace safety issues may include sharps, bloodborne pathogens, biological materials, chemicals, equipment hazards, lasers, and sanitation practices. OSHA’s bloodborne pathogen materials explain that needlesticks and sharps injuries can expose workers to infectious microorganisms in human blood. OSHA Bloodborne Pathogens
Where contaminated sharps are used, OSHA rules may require specific handling practices, exposure controls, training, and recordkeeping. OSHA Bloodborne Pathogens Standard
8. Employment, I-9, and Worker Classification Issues
MedSpa operations often rely on employees, contractors, injectors, aestheticians, nurses, medical assistants, front desk staff, and outside vendors. Owners should classify workers correctly, document job duties, maintain required onboarding records, and avoid allowing unlicensed personnel to perform restricted clinical functions.
Related reading: HR Compliance Manuals
9. Financial Controls and Payment Data
MedSpas should maintain reliable financial controls for refunds, memberships, packages, gift cards, recurring payments, and patient financing. Payment workflows should protect customer information and avoid misleading billing practices.
Related reading: PCI Compliance for Healthcare
Cost of Getting Compliance Wrong
Compliance failures can lead to investigations, corrective action, penalties, patient complaints, staff turnover, reputational harm, and business disruption.
HHS OCR reports HIPAA enforcement activity involving corrective measures, settlements, and civil money penalties. HHS OCR Enforcement Highlights
How Counsel Can Help
An attorney familiar with healthcare-adjacent businesses can help a medspa review entity structure, medical director agreements, MSO arrangements, provider contracts, policies, consent forms, advertising claims, privacy practices, incident response procedures, and recordkeeping systems.
Legal review is especially important for ownership, scope-of-practice, supervision, delegation, and licensing issues because those rules are state-specific.
Services That Commonly Raise MedSpa Compliance Questions
Not every service carries the same level of MedSpa compliance risk. As a practice adds treatments, each new service should be checked against scope-of-practice rules, supervision requirements, device regulation, and documentation expectations before it is offered to patients. The categories below tend to generate the most questions.
- Injectables. Neuromodulators and dermal fillers usually require a good-faith medical evaluation, appropriate supervision, and clear rules about who may inject under state law.
- Energy-based devices. Lasers, intense pulsed light, and radiofrequency devices can involve both device regulation and state limits on who may operate them.
- Microneedling and skin treatments. Depending on depth and technique, these may cross from cosmetic into medical practice, changing who may perform them.
- IV therapy and weight-loss services. These often involve prescribing, standing orders, and medical oversight questions that vary widely by state.
Because the answer depends on the state, the device, and the provider’s license, a medspa should confirm the rules for each service line rather than assume that a treatment offered elsewhere is automatically permissible in its own jurisdiction.
How to Build a MedSpa Compliance Program
A durable approach to MedSpa compliance treats regulation as an ongoing operating system rather than a one-time project. A written compliance program gives owners, the medical director, and staff a shared reference for how services are delivered, how records are kept, and how problems are handled. It also creates evidence of good-faith effort if a regulator, insurer, or patient ever questions the practice.
A practical MedSpa compliance program usually addresses the following building blocks:
- Governance and ownership. Confirm the entity structure, medical director arrangement, and any management services organization terms are consistent with state law and preserve clinical independence.
- Written policies and protocols. Maintain standing orders, treatment protocols, delegation rules, and supervision expectations that match the services actually offered.
- Staff credentialing. Verify licenses, certifications, and scope of practice for every person performing clinical work, and re-verify at renewal.
- Documentation standards. Standardize intake, medical history, informed consent, treatment notes, product and lot tracking, and follow-up communications.
- Privacy and security. Determine whether HIPAA applies, and if so, implement the required safeguards, business associate agreements, and breach response steps.
- Advertising review. Route marketing claims, testimonials, and before-and-after photos through a substantiation and authorization check before they are published.
- Workplace safety. Keep an exposure control plan, sharps handling procedures, and training records aligned with OSHA expectations.
- Audit and correction. Schedule periodic internal reviews and document corrective action when gaps appear.

Because the rules differ from state to state, a written program should be reviewed by counsel familiar with healthcare-adjacent businesses rather than copied from a template built for a different jurisdiction.
MedSpa Compliance and State Law in Utah
State law usually controls the most consequential MedSpa compliance questions, including who may own the business, what supervision is required, and which licensed professionals may perform a given procedure. In Utah, medical and cosmetic services are governed by professional licensing and practice rules administered through the state’s occupational and professional licensing framework, and those rules can change as new services and devices enter the market.
Utah medspa owners should confirm current requirements directly against state statutes and administrative rules before adopting an ownership model, adding a service line, or relying on standing orders. General information about Utah’s professional licensing structure is available through the Utah Division of Professional Licensing. Utah Division of Professional Licensing
Related reading: What Are the Legal Requirements for Health and Wellness Businesses in Utah?
Documentation and Recordkeeping Best Practices
Good documentation is one of the most reliable ways to reduce MedSpa compliance risk. Records serve three purposes at once: they support patient safety, they satisfy legal and privacy obligations, and they provide a defense if a treatment outcome is later questioned. Weak or inconsistent documentation tends to be the common thread in disputes.
Records that a medspa typically maintains include the patient’s medical history and contraindications, the informed consent signed for each specific procedure, the treatment plan and the notes describing what was actually done, the products or devices used along with lot numbers where applicable, photographs where consent allows, follow-up instructions, and any adverse-event reports. Records should be corrected only through clearly identified addenda, never by altering the original entry.
Related reading: Data Retention Compliance for Healthcare
Vendor, Membership, and Payment Compliance
Many medspas sell memberships, packages, gift cards, and financed treatment plans, and they process card payments and store customer information. These workflows raise consumer-protection and payment-security questions that belong inside the compliance program alongside the clinical rules. Refund terms, auto-renewal disclosures, and billing descriptions should be clear and accurate, and payment data should be handled in a way that protects cardholder information.
Related reading: PCI Compliance for Healthcare and HR Compliance Manuals.
Related Jeremy Eveland Posts
- What Are the Legal Requirements for Health and Wellness Businesses in Utah?
- Data Retention Compliance for Healthcare
- PCI Compliance for Healthcare
- HR Compliance Manuals
Structural Options
Common medspa structures may include physician-owned entities, management services organization arrangements, or hybrid business models. The right structure depends on the state, the services offered, ownership goals, professional licensing rules, and whether the arrangement preserves clinical independence.
Because state law controls many of these issues, no ownership structure should be copied from another medspa without legal review.
What to Do if a Compliance Problem Appears
- Preserve relevant records, including charts, consent forms, messages, incident reports, photos, treatment notes, and business records.
- Do not alter records after the fact, except through properly identified corrections or addenda.
- Identify whether the issue involves patient safety, privacy, advertising, staffing, supervision, billing, or licensing.
- Conduct a focused internal review.
- Document corrective action.
- Obtain state-specific legal guidance when ownership, scope of practice, supervision, delegation, or licensing issues are involved.
Common Mistakes Owners Make
- Treating a medspa like a beauty business rather than a healthcare-adjacent business.
- Using copied consent forms that do not match actual procedures.
- Expanding services without checking scope-of-practice rules.
- Treating the medical director role as a passive title.
- Making aggressive claims without substantiation.
- Posting patient photos without proper authorization.
- Ignoring privacy and cybersecurity risk.
- Failing to train staff on incident response and documentation.
Key Laws and Agencies
Several federal frameworks may affect medspa operations depending on the business model and services offered:
- HHS OCR: HIPAA privacy, security, and breach notification enforcement.
- FTC: advertising, consumer protection, consumer health information, and Health Breach Notification Rule issues.
- OSHA: workplace safety, sharps, bloodborne pathogens, and exposure control.
- FDA: aesthetic devices, medical lasers, and certain products depending on intended use.
FDA states that aesthetic devices may be regulated depending on intended use and whether they affect the structure or function of the body. FDA Aesthetic Devices
Frequently Asked Questions
What are MedSpa compliance and regulatory requirements?
They are the combined legal and operational rules that govern how a medspa offers services while addressing licensure, supervision, scope of practice, privacy, documentation, patient safety, advertising, staffing, and workplace safety.
Do MedSpas have to follow HIPAA?
A medspa must follow HIPAA if it qualifies as a covered entity or business associate. If HIPAA does not apply, other privacy and consumer protection rules may still apply.
Who can own a MedSpa?
That depends on state law. Some states restrict non-physician ownership or require structures that preserve licensed medical control over clinical decisions.
Who can perform injections and laser treatments in a MedSpa?
That depends on the state, the provider’s license, the procedure, the supervision model, and applicable board rules.
Are advertising and social media real compliance risks?
Yes. Marketing claims should be truthful, evidence-based, and not misleading. Patient photos, testimonials, and before-and-after images may also create privacy and advertising issues.
What happens after a data breach?
A breach may trigger investigation, notification, corrective action, and enforcement duties depending on whether HIPAA, the FTC Health Breach Notification Rule, or other laws apply.
Does a MedSpa need a medical director?
Many medspas that offer medical services need meaningful clinical oversight, and a number of states expect a supervising physician or medical director whose duties match the services provided. The specific requirement depends on the state, the services offered, and the license types involved.
How often should a MedSpa review its compliance program?
A practical approach is to review MedSpa compliance policies at least annually and again whenever the practice adds a service, changes ownership or supervision, adopts a new device, or experiences an incident. Regular review keeps documentation, staffing, and protocols aligned with current rules.
Jeremy Eveland
17 North State Street
Lindon UT 84042
(801) 613-1472
Jeremy Eveland
8833 S Redwood Road
West Jordan UT 84088
(801) 613-1472