Medical spa requirements come down to one simple truth: a medical spa is a licensed medical facility, not a salon with a doctor’s name on the wall. Everything else follows from there: the licenses you need, the medical director you must hire, and the state law that decides whether you can even own the business at all. Skip any one of these pieces, and it won’t be a competitor who shuts you down. It’ll be a regulator.
Key Takeaways
- A medical spa is legally defined by what it treats and who performs the treatment, not by its name or its decor.
- Every medical spa needs a licensed medical director, and most non-physician owners need an MSO structure to comply with state law.
- Ownership rules, licensing, and medical director requirements vary so much by state that the same business model can be fully legal in Arizona and a licensing violation in New York.
What Qualifies as a Medical Spa?
The line between a day spa, a medical spa, and a hybrid aesthetic clinic comes down to three questions: what service is being performed, who is performing it, and whether a physician is legally responsible for the outcome. State regulators do not care what the sign outside says.
Traditional Day Spa
A day spa offers relaxation and cosmetic services that do not penetrate or alter living tissue. Facials, massages, body wraps, and basic waxing fall into this category. No medical license is required to perform these services, and no physician oversight applies because nothing performed is legally considered the practice of medicine.
Medical Spa
A medical spa offers treatments that affect the living layers of skin or the body’s tissue, which most states classify as the practice of medicine. Botox injections, dermal fillers, laser hair removal, chemical peels above a certain strength, and prescription weight-loss treatments all fall here. Because these services are medical procedures, a licensed physician must hold ultimate responsibility for them, even when a nurse practitioner or registered nurse performs the actual treatment.
Hybrid Aesthetic Clinic
A hybrid clinic offers both categories under one roof: relaxation services delivered by estheticians alongside medical-grade treatments delivered by licensed clinical staff. The compliance burden does not shrink because half the menu is non-medical. Every medical service still triggers the same licensing, supervision, and medical director rules as a stand-alone medical spa.
| Service Type | Who Performs It | Physician Involvement Required |
|---|---|---|
| Massage, facials, body wraps | Estheticians, massage therapists | No |
| Botox, fillers, neuromodulators | RN, NP, or physician under delegation | Yes |
| Laser hair removal, skin resurfacing | Licensed laser technician or RN | Yes, in most states |
| Medical weight loss, GLP-1 prescribing | NP or physician | Yes |
Medical Director Requirements
Every medical spa in the United States needs a licensed medical director. The requirement does not disappear because the spa is cash-pay, because the procedures are elective, or because the owner is a nurse practitioner with years of injection experience.
Who Can Serve as a Medical Director
In every state, a licensed physician, an MD or a DO, can serve as medical director. In a growing number of states, a nurse practitioner with full practice authority can also fill the role, though several state boards, including Colorado’s, have informally pushed back on NP medical directors even where statute appears to allow it. According to the American Med Spa Association, the safest assumption for a new operator is that a physician medical director is required until your specific state confirms otherwise in writing.
What the Medical Director Is Responsible For
The medical director’s job is not a formality. Responsibilities typically include writing and approving standard operating procedures, reviewing and signing off on standing delegation orders for any procedure performed by an NP, RN, or PA, maintaining oversight of patient charts and informed consent documentation, and accepting legal liability for clinical outcomes at the facility. A medical director who signs on without performing these duties creates exposure for everyone in the building, including the owner.
How Medical Director Co. Fills This Role
Finding a medical director willing to take on this liability, and structuring the relationship so it satisfies your specific state’s corporate practice of medicine rules, is the single most common bottleneck for new med spa owners. Medical Director Co. places licensed, vetted medical directors with med spas in 24 hours, starting at $799 a month, with the contract structure built to match your state’s ownership requirements from day one.
Licenses & Permits You Need
A compliant medical spa typically requires four categories of licensing. Missing any one of them is grounds for closure, regardless of how well the rest of the business is run.
Business License
Every medical spa needs a standard local or state business license, the same baseline requirement as any commercial enterprise. Apply through your city or county clerk’s office before signing a commercial lease.
Medical and Clinical Licenses
Every clinician who touches a patient, the medical director, any NPs, PAs, or RNs performing procedures, must hold an active, unrestricted license in the state where the spa operates. Verify each license directly with the state medical or nursing board rather than relying on a copy provided by the employee.
Facility and Health Permits
Many states require a separate health department or facility permit specific to clinics performing medical procedures, on top of the general business license. Requirements vary by state, so confirm with your local health department before opening.
Device and Equipment Certifications
Anyone operating a laser, radiofrequency device, or other energy-based equipment typically needs device-specific training and, in many states, a separate certification. Some states also require the facility itself to register specific laser devices with the state health department.
Insurance & Liability Requirements
A medical spa carries two different categories of risk: the risk of a treatment going wrong, and the risk of running a physical business that the public walks into. Both require separate insurance, and most new owners only budget for one.
Medical Malpractice Insurance
Every clinician who touches a patient needs an active medical malpractice policy, not just the medical director. This includes the supervising physician, any nurse practitioners or physician assistants performing procedures, and registered nurses administering injectables.
Some malpractice carriers exclude cosmetic procedures by default, so confirm that the policy explicitly covers the specific treatments your spa offers: neuromodulators, dermal fillers, laser treatments, and medical weight-loss prescribing each carry different risk profiles and sometimes different coverage requirements.
A common gap shows up in MSO structures where the owner often assumes the physician-owned clinical entity’s malpractice policy covers the entire operation. It typically does not. The non-clinical MSO entity still needs its own liability coverage for anything outside the physician’s direct clinical responsibility.
General Business Liability
General liability insurance covers the risks that have nothing to do with medicine: a client who slips in the lobby, water damage to a leased suite, or a piece of equipment that injures a staff member. Most commercial landlords require proof of general liability coverage before signing a lease, so secure this policy before you sign anything, not after you open.
Cyber and Data Breach Liability
Because a medical spa stores HIPAA-protected patient records and processes card payments, a standalone cyber liability policy is worth the added cost. A breach involving patient health information triggers HIPAA breach notification obligations regardless of whether the breach was the spa’s fault or a vendor’s, and the notification and remediation costs alone can exceed what a general liability policy will pay out.
What to Confirm Before You Open
- Malpractice coverage names every clinician individually, not just the medical director
- Malpractice coverage explicitly lists the procedures performed, not a generic “aesthetic services” category
- General liability coverage meets or exceeds whatever minimum your commercial lease requires
- A cyber liability policy is in place before the practice management software goes live with real patient data
Patient Records, Consent & Privacy Compliance
Clients at a medical spa are legally patients the moment they sit down for a medical procedure, even if the spa’s marketing never uses the word. That status triggers federal and state recordkeeping obligations that a day spa never has to think about.
HIPAA-Compliant Records and Scheduling
Standard salon booking software does not meet HIPAA requirements. A medical spa needs an electronic medical record and scheduling system built for healthcare use, with the access controls, audit logs, and business associate agreements that HIPAA requires. Using a consumer-grade booking tool for a clinical practice is one of the more common compliance gaps regulators flag during an audit, according to the American Med Spa Association.
Intake Forms and Informed Consent
Every patient needs a complete medical intake form and history before any procedure, covering current medications, allergies, prior reactions to similar treatments, and relevant medical conditions. Informed consent has to be procedure-specific. A single blanket waiver covering “all aesthetic services” does not meet the standard most states expect for a discrete medical procedure like a chemical peel or a laser treatment, and it offers little protection in a malpractice claim if something goes wrong.
Standard Operating Procedures
Three categories of SOPs come up in nearly every regulatory review: biohazard disposal, infection control, and incident reporting.
- Biohazard disposal covers needles, sharps, and any materials exposed to bodily fluids, with documented disposal logs that match state health department requirements.
- Infection control covers sterilization protocols for reusable instruments and surface disinfection between patients, posted where staff can reference it during a procedure.
- Incident reporting covers what happens when a treatment causes an adverse reaction, including who gets notified, how the event gets documented, and how it factors into the medical director’s ongoing oversight of the practice.
Why This Section Gets Audited First
Patient records and consent documentation are the easiest compliance items for a regulator or a plaintiff’s attorney to request, and the easiest to find missing. A medical spa with a flawless ownership structure and a fully licensed staff can still face serious liability if its consent forms are generic or its records system was never built for healthcare use.
State-by-State Compliance Overview
No two states regulate medical spas the same way. The table below covers eleven of the highest-volume med spa markets in the country. It is not a substitute for confirming current rules with your state medical board, but it shows how dramatically the requirements shift from state to state.
| State | CPOM Status | Physician Ownership Required | Medical Director Requirement |
|---|---|---|---|
| California | Strict | Yes, physician must hold at least 51 percent of a medical corporation | Physician or, in limited cases, a qualifying NP |
| New York | Strict | Yes, no exceptions for non-physician ownership | Physician |
| Texas | Strict | Yes, physician-owned PC plus written delegation under TMB Rule 169.28 | Physician |
| Florida | None (CPOM does not apply) | No, but a physician must oversee every medical procedure | Physician; ARNPs must work under a written collaborative agreement |
| Georgia | Moderate | Generally yes, through a professional corporation | Physician, with a written APRN protocol agreement for delegated services |
| Arizona | Minimal | No, non-physician and NP ownership permitted | Physician or NP, depending on structure |
| Colorado | Moderate | Physicians must retain majority ownership | Physician in practice, even where NP ownership is technically allowed |
| Washington | Strict | Yes, through a professional corporation or PLLC | Physician |
| Illinois | Strict | Yes, though APRNs with full practice authority may also own | Physician or qualifying APRN |
| Ohio | Moderate | No, non-physicians and corporations may own | Physician medical director required regardless of ownership |
| Virginia | Moderate | Generally yes, through licensed professional entities | Physician |
Disclaimer: CPOM laws vary by state and change frequently. Verify current requirements with the relevant state medical board or the American Med Spa Association before relying on this information. Not legal advice.
Non-physician entrepreneurs in strict-CPOM states most often resolve the ownership gap with a Management Services Organization, or MSO, structure: the physician-owned entity holds the medical license and employs clinical staff, while a separate, non-physician-owned company owns the brand, the lease, and the equipment, and collects a management fee under a Management Services Agreement.
Equipment & Facility Standards Checklist
Your treatment rooms, your equipment, and your paperwork all fall under the same inspection, and regulators don’t grade on a curve. A med spa that nails the patient experience but skips sharps-disposal logs or FDA-clearance documentation is still out of compliance. This section covers the physical and administrative standards that turn your facility from a liability into a defensible, audit-ready practice.
Treatment Room Requirements
- Dedicated, private treatment rooms for any procedure involving needles, lasers, or prescription medication
- Adequate lighting and ventilation appropriate to the procedures performed
- Hand-washing stations and sharps disposal containers in every treatment room
Equipment Safety and FDA Clearance
- Use only devices with FDA clearance or approval for the specific procedure being marketed
- Maintain manufacturer documentation and service records for every laser and energy-based device
- Confirm state-specific registration requirements for Class IV lasers, which several states regulate separately from general medical equipment
Sanitation Standards
- Follow OSHA bloodborne pathogen standards for any procedure involving needles or blood exposure
- Maintain a documented sterilization protocol for reusable instruments
- Post infection control procedures where staff can reference them during procedures
Record-Keeping Setup
- Use HIPAA-compliant electronic medical records and scheduling software
- Retain signed informed consent forms and medical intake histories for every patient and every procedure
- Maintain incident reports and biohazard disposal logs as part of your standard operating procedures
Staff Medical Spa Requirements: The Non-Negotiables for a Compliant Medical Spa
Your entire staff has to meet medical spa requirements, not just your medical director. Every role, from nurse practitioners to estheticians, comes with its own scope-of-practice rules, and getting one wrong creates the same liability exposure as skipping a license altogether.
Who Can Perform Which Procedures
Scope of practice determines who can legally touch a patient for a given service, and it varies by role as much as it does by state.
- Physicians (MD/DO): Can perform any procedure within their training and delegate to qualified staff.
- NPs and PAs: Can perform most injectables and laser procedures, but only under a written delegation or collaborative agreement.
- Registered nurses: Can administer neuromodulators and fillers under a physician’s standing order, but can’t evaluate patients or set treatment plans independently.
- Estheticians: Limited to non-medical services; most states bar them from any treatment that penetrates the dermis.
Hiring a clinician for a role outside their licensed scope is one of the fastest ways to turn a single complaint into a board investigation that affects the entire facility, not just the employee involved.
Training and Credentialing Beyond Licensure
A current license confirms someone can legally practice. It does not confirm they are trained on your specific equipment or your specific protocols. Build a credentialing file for every clinical staff member that includes their active license, their device-specific training certificates, proof of any required continuing education, and documentation that the medical director has reviewed and approved them to perform each procedure they are scheduled for.
Background Checks and Verification
Run primary-source verification on every license before a clinician’s first shift, directly through the state medical or nursing board rather than a copy the candidate provides. Many states also require a criminal background check for anyone with unsupervised patient access, separate from the standard employment background check most businesses run.
Ongoing Compliance, Not a One-Time Check
Licenses expire, certifications lapse, and collaborative practice agreements need periodic renewal. Build a recurring calendar to track every clinician’s license expiration date, certification renewal date, and delegation agreement review date. A medical spa that meets every staffing requirement at opening but lets credentials lapse six months later is just as exposed as one that never met the requirement in the first place.
Common Compliance Mistakes to Avoid
Operational longevity in the medical spa industry requires strict adherence to regulatory standards from day one. Many common compliance pitfalls stem from overlooking specific licensing, ownership, or record-keeping mandates that regulators frequently audit. Below are key mistakes to avoid to keep your facility fully compliant and avoid costly enforcement actions.
- Absentee medical directors: Signing a medical director who never reviews charts is a liability, not compliance, and regulators have pursued enforcement over it.
- Skipping the MSO structure: In strict-CPOM states like New York or California, owning a med spa without a PC-plus-MSO setup is a direct violation.
- Assuming one permit covers both: A business license and a facility permit are separate approvals; getting one doesn’t mean you have the other.
- Generic consent forms: A downloaded waiver doesn’t meet the procedure-specific consent standard most states require.
- Lapsed device certifications: An expired laser or device certification carries the same risk as having none at all.
- Marketing services you can’t deliver: Advertising treatments with no licensed clinician on staff is both a licensing and advertising violation.
FAQ
What are the medical spa requirements to open legally in the US?
A legal medical spa needs a compliant ownership structure, a licensed medical director, and full business and facility licensing before treating patients. You’ll also need proper insurance, FDA-cleared equipment, and HIPAA-compliant recordkeeping. Requirements vary by state, so confirm your specific state’s rules before opening.
Does a medical spa need a licensed physician on staff?
In some states, a licensed physician must serve as medical director and hold clinical responsibility for every procedure. Some states now allow a nurse practitioner with full practice authority to fill this role instead. Even there, certain procedures may still require physician delegation.
What licenses are required to operate a medical spa?
A compliant med spa needs a business license, active clinical licenses for every provider, facility/health permits, and device certifications for laser or energy-based equipment. Some states also require Class IV laser registration and periodic credential renewals. Skipping any one category is still a violation, even if the rest are approved.
Can a nurse practitioner own a medical spa without a physician?
It depends on the state’s corporate practice of medicine laws and the NP’s scope-of-practice status. States like Arizona, Colorado, and New York generally allow independent NP ownership, though specific procedures may still need physician delegation. Strict states like California and Texas typically require a physician-owned entity or MSO structure instead.
What are the medical spa requirements by state?
Requirements hinge on whether the state enforces corporate practice of medicine, requires physician ownership, and who can serve as medical director. Strict states like California, New York, and Texas leave little flexibility, while states like Florida and Arizona allow more non-physician ownership. Rules change often, so check with your state medical board before opening.
Lasting Compliance Starts Before You Open
Medical spa requirements aren’t a single form or a one-time application and licensing step. They’re an ownership structure, a medical director relationship, a facility permit, and a documentation system, and they all have to hold together at the same time. Get the structure right before you open, and everything else in this guide turns into routine maintenance instead of a recurring risk.

Bolton M. Harris, J.D., is a seasoned attorney with a formidable background in criminal law and a focus on healthcare law and compliance. As the in-house legal counsel at Medical Director Co., Harris brings a unique blend of prosecutorial experience and regulatory expertise to support healthcare professionals across Texas. Her career spans roles as a prosecutor in multiple counties and now as a trusted advisor on the legal intricacies of medical practice operations.
Education & Early Career
Bolton Harris completed her undergraduate studies at Southern Methodist University (SMU) in 2013. During her time at SMU, she was not only a dedicated student but also a competitive athlete on the university’s women’s swimming team. She went on to earn her Juris Doctor from Texas A&M University School of Law in 2016 and became a member of the Texas Bar that same year. Armed with a strong academic foundation and discipline honed as a student-athlete, Harris embarked on a career in criminal law immediately after law school.
Prosecutorial Experience in Texas
Bolton Harris began her legal career in public service as a criminal prosecutor. She served as an Assistant District Attorney in multiple jurisdictions, where she quickly rose through the ranks and handled a broad spectrum of cases. Some highlights of her prosecutorial career include:
- Assistant District Attorney, Dallas County, Texas: Prosecuted a high volume of criminal cases in one of the state’s busiest DA offices, gaining extensive trial experience in both misdemeanor and felony courts.
- Assistant District Attorney, Ellis County, Texas: Continued to hone her courtroom advocacy skills, known for meticulous case preparation and a tenacious pursuit of justice on behalf of the community.
- Assistant District Attorney, Navarro County, Texas: Broadened her legal expertise by handling diverse criminal matters in a smaller county, working closely with law enforcement and community leaders to uphold the law.
Through these roles, Harris built a reputation for being a tough but fair advocate. She brought numerous cases to trial and developed an in-depth understanding of the criminal justice system. This distinguished prosecutorial background laid a strong foundation for the next phase of her career in the private sector.
Healthcare Law & Compliance at Medical Director Co.
After her tenure as a prosecutor, Harris shifted her focus to healthcare law, applying her legal acumen to the medical field. She recognized that the same attention to detail and tenacity that served her in criminal law could benefit healthcare providers navigating complex regulations. Embracing this new direction, Harris became well-versed in the intricate laws governing medical practices – from licensing requirements to patient safety and privacy standards – and is passionate about helping practitioners stay compliant.
In her current role as the in-house attorney for Medical Director Co., Bolton Harris oversees all legal and compliance matters for the organization and its clients. Medical Director Co. is a nurse-owned firm that connects nurse practitioners (NPs), physician assistants (PAs), and registered nurses with qualified medical directors and collaborating physicians, offering fast placements and comprehensive compliance support for healthcare practices. Harris ensures that each of these partnerships and clinical ventures adheres to all applicable state and federal laws. She is responsible for drafting and reviewing collaborative practice agreements, advising on regulatory requirements, and providing ongoing legal counsel as clients establish and grow their clinics. Drawing on her prosecutorial eye for risk management, Harris proactively identifies potential legal issues and addresses them before they escalate, giving healthcare professionals peace of mind.
Bolton M. Harris’s multifaceted expertise – spanning high-stakes courtroom litigation to detailed healthcare compliance – makes her a formidable legal ally. Whether advocating in front of a jury or guiding a medical practice through regulatory hurdles, she remains committed to the highest standards of the legal profession. Her blend of courtroom-tested skill and healthcare law knowledge ensures that clients of Medical Director Co. receive elite-level counsel and steadfast protection in an ever-evolving legal landscape.