The med spa industry is booming. Revenue in the U.S. medical aesthetics market is projected to reach $18.5 billion by 2027, and new practices are opening at a rate that regulators can barely keep pace with. But here is the uncomfortable reality that most med spa owners discover too late: the rules governing your practice are a patchwork of federal regulations, state-specific medical board requirements, and advertising laws that vary wildly depending on where you operate and what services you offer.
Unlike a traditional dermatology office or plastic surgery practice, med spas exist in a regulatory space that many state legislatures have not fully addressed. You are performing medical procedures in a spa-like setting, which means you are subject to healthcare regulations that many business owners -- especially those coming from the aesthetics or beauty side -- may not fully understand. And the penalties for getting it wrong are severe.
In 2025 alone, state medical boards took action against dozens of med spas for scope of practice violations, improper supervision, and inadequate patient documentation. The Office for Civil Rights (OCR) settled HIPAA violations in aesthetic practices for amounts ranging from $50,000 to $1.5 million. These are not hypothetical risks. They are happening to practices that thought they were doing everything right.
This guide breaks down every major compliance area that med spa owners need to understand, the specific requirements you must meet, and the mistakes that most commonly lead to enforcement actions.
HIPAA Requirements for Med Spas
The most common misconception in the med spa industry is that HIPAA does not apply because "we are not a hospital" or "we only take cash payments." This is dangerously wrong. HIPAA applies to any entity that creates, receives, maintains, or transmits protected health information (PHI) in the course of providing healthcare services. The moment you take a patient's medical history, photograph their face for treatment planning, or store their treatment records in your EMR system, you are a covered entity.
What counts as PHI in a med spa
Protected health information is broader than most practice owners realize. In a med spa context, PHI includes:
- Patient intake forms -- medical history, current medications, allergies, and health conditions
- Treatment records -- what was performed, injection sites, units used, device settings
- Before and after photos -- any clinical photograph linked to a patient's identity
- Payment records -- when tied to specific treatments or health information
- Communication records -- texts, emails, and messages about treatments or health concerns
- Scheduling data -- appointment types that reveal the nature of medical treatment
This catches many med spas off guard. Clinical photos stored on phones, shared in team group chats, or posted to social media without proper HIPAA authorization are all potential violations. Every before/after photo must be stored securely, transmitted through encrypted channels, and shared publicly only with a signed HIPAA authorization from the patient -- separate from general consent forms.
The HIPAA compliance checklist for med spas
- Designate a HIPAA Privacy Officer and a HIPAA Security Officer
- Conduct a formal risk assessment (required annually)
- Implement written policies and procedures for PHI handling
- Execute Business Associate Agreements (BAAs) with all vendors who access PHI
- Train all staff on HIPAA within 30 days of hire and annually thereafter
- Encrypt all electronic PHI at rest and in transit
- Implement access controls -- staff should only access records they need
- Maintain audit logs of who accessed which patient records
- Establish a breach notification procedure (72-hour reporting requirement)
- Post a Notice of Privacy Practices and provide copies to patients
- Secure physical records in locked cabinets with restricted access
- Use HIPAA-compliant communication tools (not standard texting or personal email)
The most commonly missed item on this list is the Business Associate Agreement. Every vendor that touches your patient data -- your EMR provider, your patient communication platform, your payment processor, your cloud storage provider, even your IT support company -- must sign a BAA. Without it, you are in violation of HIPAA even if they never actually breach any data. The BAA itself is the requirement.
Make a list of every software tool and service provider your practice uses. For each one, ask: "Does this vendor ever see, store, or transmit patient information?" If the answer is yes, you need a BAA on file. Common ones that get missed: email marketing platforms, review management tools, social media scheduling apps (if they handle before/after photos), and cloud backup services.
Scope of Practice: Who Can Do What
Scope of practice violations are the single most common reason state medical boards take action against med spas. The rules vary significantly by state, but the core principle is the same everywhere: medical procedures must be performed by qualified, licensed professionals under appropriate physician oversight.
The medical director requirement
In virtually every state, a med spa must have a medical director -- a licensed physician (MD or DO) who is responsible for overseeing clinical operations. But the specifics of what "oversight" means vary dramatically:
| Supervision Level | What It Means | Example States |
|---|---|---|
| Direct supervision | Physician must be physically present in the facility during procedures | New York, New Jersey |
| On-site supervision | Physician must be on the premises but not necessarily in the treatment room | Florida, California |
| General supervision | Physician oversees protocols and is available by phone but does not need to be on-site | Texas, Arizona |
| Collaborative agreement | NPs or PAs operate under a collaborative practice agreement with a physician | Illinois, Pennsylvania |
Who can perform which treatments
This is where med spas most frequently get into trouble. The general hierarchy, though state laws vary, looks like this:
- Physicians (MD/DO) -- Can perform all treatments. Required to be the medical director in most states.
- Nurse Practitioners (NP) -- Can perform injectables and most medical aesthetic procedures. Some states require collaborative agreements; others allow independent practice.
- Physician Assistants (PA) -- Can perform injectables and medical procedures under physician supervision. Supervision requirements vary by state.
- Registered Nurses (RN) -- Can administer injectables in most states under physician delegation. Cannot independently assess or diagnose.
- Licensed Practical Nurses (LPN) -- Very limited scope in most states. Generally cannot perform injectable treatments.
- Medical Aestheticians -- Can perform non-invasive treatments like chemical peels, microdermabrasion, and some laser treatments (with proper certification). Cannot perform injectables in any state.
- Aestheticians / Cosmetologists -- Limited to non-medical cosmetic services. No injectables, no medical-grade devices, no prescription treatments.
Allowing aestheticians or unlicensed staff to perform injectable treatments. This is the violation that generates the most enforcement actions, the largest fines, and the most malpractice lawsuits. It does not matter how well-trained your aesthetician is or how many "certification courses" they have completed. If your state law requires a licensed medical professional, a certification course does not change the legal requirement.
Informed Consent: Your Legal Shield
Informed consent is not just a form patients sign before treatment. It is a legal process that, when done correctly, is your strongest defense against malpractice claims. When done poorly -- or not at all -- it is the plaintiff attorney's easiest path to a settlement.
A legally defensible informed consent process requires that the patient genuinely understands what they are agreeing to. Handing someone a clipboard and saying "sign here" while they are sitting in the treatment chair is not informed consent. It is documentation theater.
What your consent forms must include
- Clear description of the specific procedure to be performed
- Expected results and realistic outcome expectations
- All known risks and potential side effects, including rare complications
- Alternative treatment options (including the option of no treatment)
- Qualifications and credentials of the person performing the treatment
- Pre-treatment instructions and preparation requirements
- Post-treatment care instructions and expected recovery
- Financial disclosure: total cost, refund policy, touch-up policy
- Statement confirming the patient had the opportunity to ask questions
- Patient's dated signature and the provider's dated signature
- For injectables: specific product name, quantity, and injection sites
- For devices: specific device name, settings used, and treatment areas
Critical point: consent forms must be treatment-specific, not generic. A single "I consent to aesthetic treatment" form that covers everything from a facial to neurotoxin injections is insufficient. Each procedure category should have its own consent form that addresses the specific risks, expected outcomes, and aftercare requirements of that treatment.
Courts have consistently held that informed consent is about the process, not just the paperwork. Document the conversation in the patient's chart: what was discussed, what questions were asked, and how they were answered. If a patient later claims they were not told about a risk, your chart notes showing the discussion are stronger evidence than the signed form alone.
Advertising Regulations: FTC, FDA, and State Rules
Med spa advertising is regulated at three levels -- federal (FTC and FDA), state medical board rules, and general consumer protection laws. The stakes are high: the FTC has increased its focus on health-related advertising claims, and state medical boards are actively monitoring social media accounts of licensed practitioners.
FTC requirements
The Federal Trade Commission requires that all advertising be truthful, not misleading, and substantiated by evidence. For med spas, this means:
- Before and after photos must represent typical results -- If the results shown are not typical, you must clearly disclose what typical results look like. "Results may vary" is not sufficient; you need specific disclosure of typical outcomes.
- Testimonials and reviews cannot be misleading -- If you feature a patient testimonial describing exceptional results, you must disclose that the results are not typical (with specifics about what is typical).
- Claims must be substantiated -- Saying a treatment "eliminates wrinkles" requires clinical evidence. "Reduces the appearance of fine lines" is defensible. "Guaranteed results" is almost never compliant.
- Paid endorsements must be disclosed -- If you give influencers free treatments in exchange for posts, they must disclose the relationship. "#ad" or "#sponsored" is required.
FDA considerations
The FDA regulates medical devices and injectable products. Key compliance points for med spas:
- Off-label use -- Using products off-label (e.g., Botox in areas not FDA-approved) is legal when done by a licensed physician, but you cannot advertise off-label uses. You can discuss them with patients in a clinical setting.
- Product claims -- You cannot make claims about a product that exceed its FDA-approved indications. "FDA-approved for frown lines" is fine. "FDA-approved to make you look 10 years younger" is not.
- Counterfeit products -- Purchasing injectables from unauthorized distributors is an FDA violation. Only buy from authorized distributors. "Gray market" products carry legal and safety risks.
State medical board advertising rules
Many states have additional advertising restrictions for medical practices:
- Some states prohibit using the word "board certified" unless the certification is from an ABMS-recognized board
- Several states require advertising to include the medical director's name and license number
- Some states restrict the use of terms like "specialist" to physicians with specific board certifications
- Price advertising may be restricted in certain states -- check your state medical board's rules
Every Instagram post, TikTok video, and Facebook ad your practice publishes is advertising under FTC rules. The same requirements for truthfulness, substantiation, and disclosure apply to social media as they do to print ads and billboards. "Casual" social media posts showing patient results without proper consent and disclaimers are both HIPAA violations and FTC violations simultaneously.
Insurance Requirements
Operating a med spa without adequate insurance is like driving without a seatbelt -- everything is fine until it is catastrophic. The minimum insurance portfolio for a med spa should include:
| Insurance Type | What It Covers | Typical Annual Cost |
|---|---|---|
| Professional liability (malpractice) | Claims of negligence, injury, or improper treatment | $3,000 - $12,000 |
| General liability | Slip-and-fall, property damage, non-medical injuries | $1,500 - $3,000 |
| Workers' compensation | Employee injuries on the job (required in most states) | $2,000 - $5,000 |
| Cyber liability | Data breaches, HIPAA violation costs, notification expenses | $1,000 - $3,000 |
| Commercial property | Equipment, furnishings, leasehold improvements | $1,000 - $2,500 |
| Product liability | Claims from adverse reactions to products sold or applied | $500 - $1,500 |
One critically overlooked area: individual provider coverage. The practice's malpractice policy covers the business entity, but individual providers (NPs, PAs, RNs) should also maintain their own malpractice insurance. If a claim is filed, the practice's insurer may prioritize protecting the business, not the individual provider. Personal policies make sure each provider has independent legal representation.
A single HIPAA data breach triggers mandatory notification to every affected patient, notification to the Department of Health and Human Services, potential media notification (for breaches affecting 500+ individuals), forensic investigation costs, legal fees, and potential fines. Cyber liability insurance covers these costs. Without it, a breach can easily generate $100,000+ in expenses before any fine is assessed.
The 7 Most Common Compliance Mistakes
After reviewing hundreds of enforcement actions, malpractice cases, and compliance audits in the med spa industry, the same mistakes appear over and over. These are the violations that regulators look for first and that plaintiff attorneys exploit most effectively.
1. Absentee medical director
Having a physician's name on paper as "medical director" while they never visit the practice, never review protocols, and never examine patients is the definition of a sham arrangement. Medical boards are increasingly scrutinizing these relationships. The medical director must be genuinely involved in clinical oversight -- reviewing treatment plans, establishing protocols, conducting periodic chart reviews, and being available for consultation.
2. Scope of practice violations
Allowing staff to perform procedures beyond their licensure, even with "training" or "certification," is the fastest path to losing your medical license and facing criminal charges. Know your state's scope of practice laws for every provider category in your practice, and enforce them without exception.
3. Inadequate informed consent
Using generic consent forms, not discussing risks, or having patients sign consent while already prepped for treatment. Consent must be informed, voluntary, and documented -- and it must happen before the patient is in the treatment room.
4. Missing Business Associate Agreements
Every technology vendor that touches patient data needs a BAA. The most commonly missed: social media management tools, email marketing platforms, and cloud storage providers. This is a technical HIPAA violation even if no breach occurs.
5. Unsecured patient photos
Storing before and after photos on personal phones, sharing them in iMessage group chats, or uploading them to social media without HIPAA authorization. Patient photos are PHI. They must be stored on encrypted, access-controlled systems and shared only with explicit written authorization.
6. Misleading advertising claims
Promising "guaranteed results," using non-typical before and after photos without disclaimers, or failing to disclose influencer relationships. The FTC is actively monitoring health and beauty advertising, and state medical boards review social media accounts during investigations.
7. No incident response plan
When an adverse event occurs -- a bad reaction, a complication, a data breach -- the first 72 hours determine whether it becomes a manageable situation or a catastrophe. Practices without a documented incident response plan make mistakes under pressure: delaying notifications, failing to document, or saying the wrong thing to the patient. Having a written plan that everyone has rehearsed is not optional.
Building a Compliance Culture
Compliance is not a one-time project. It is not a binder that sits on a shelf. It is an ongoing operational discipline that must be woven into how your practice runs every single day. The practices that avoid enforcement actions and malpractice suits are not the ones with the most expensive attorneys. They are the ones where compliance is part of the culture.
Monthly compliance rhythm
Establish a monthly compliance routine that becomes as automatic as payroll:
- Week 1: Review all provider licenses and certifications. Verify nothing has expired or is approaching expiration.
- Week 2: Audit 5-10 random patient charts for consent form completeness, proper documentation, and treatment record accuracy.
- Week 3: Review HIPAA access logs. Confirm no unauthorized access to patient records. Check that terminated employees have been removed from all systems.
- Week 4: Review operations checklist items, emergency protocols, and equipment maintenance records. Conduct a brief staff compliance refresher.
Annual compliance audit
Once a year, conduct a comprehensive compliance audit covering every area in this guide. Many practices hire a healthcare compliance consultant for this -- the cost ($3,000 to $10,000) is a fraction of what a single violation could cost. The audit should produce a written report with specific findings and a corrective action plan with deadlines and assigned owners.
In compliance, if it is not documented, it did not happen. Every training session, every protocol review, every incident investigation, every corrective action should be documented with dates, participants, and outcomes. When a regulator or attorney asks "what did you do about X?" your answer needs to be a dated document, not a verbal recollection.
Frequently Asked Questions
Do med spas have to be HIPAA compliant?
Yes. Any med spa that performs medical treatments, maintains patient health records, or bills insurance is considered a covered entity under HIPAA. Even if you only accept cash payments, the moment you store patient medical histories, treatment records, photos, or health information digitally, HIPAA applies. Penalties for non-compliance range from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category.
Who can legally perform injectable treatments at a med spa?
Scope of practice varies by state, but generally physicians (MDs/DOs), nurse practitioners, physician assistants, and registered nurses can perform injectable treatments. In most states, a medical director must oversee the practice and establish treatment protocols. Some states require the medical director to be on-site during procedures, while others allow remote supervision. Aestheticians and unlicensed staff cannot perform injectable treatments in any state.
What should a med spa informed consent form include?
A legally defensible informed consent form should include: a clear description of the procedure, expected results and realistic outcomes, all known risks and potential side effects, alternative treatment options, the qualifications of the person performing the treatment, pre-treatment and post-treatment care instructions, financial disclosure including costs and refund policy, a statement that the patient has had the opportunity to ask questions, and the patient's dated signature. Consent forms should be treatment-specific, not generic.
Can med spas advertise before and after photos?
Yes, but with important restrictions. The FTC requires that before and after photos represent typical results, not best-case outcomes. If the results shown are not typical, you must include a clear disclaimer stating what typical results look like. Photos must not be digitally altered or enhanced. You must have written patient consent (a HIPAA authorization) specifically for marketing use of their images. Some states have additional restrictions on medical advertising that may apply.
What insurance does a med spa need?
At minimum, med spas need professional liability insurance (malpractice coverage), general liability insurance, and workers' compensation. Most practices also carry commercial property insurance, cyber liability insurance (for HIPAA data breaches), and product liability coverage. Individual providers should also maintain their own malpractice policies in addition to the practice's coverage. Total annual insurance costs typically range from $8,000 to $25,000 depending on services offered and state requirements.
How often should a med spa conduct a compliance audit?
Med spas should conduct a comprehensive compliance audit at least annually, with quarterly spot-checks on high-risk areas like HIPAA documentation, consent forms, and staff credentials. Whenever regulations change, new services are added, or staff turnover occurs, an additional targeted review is warranted. Many compliance consultants recommend a monthly checklist covering the most critical items: provider license verification, consent form completeness, PHI access logs, and emergency protocol review.
Stay compliant with RunMedSpa
Our AI operations platform includes HIPAA-compliant patient communication, automated consent tracking, and documentation tools designed specifically for med spas.
Launching soon. Join the waitlist for early access.