The medical spa industry has exploded over the past decade — and regulators have noticed. What was once a gray zone between day spa and medical clinic is now firmly in the crosshairs of federal agencies and state licensing boards alike. If your med spa isn’t treating compliance as a clinical priority, you’re already behind.
FDA, OSHA, HIPAA, Infection Control and a Patchwork of State Requirements That No One Warned You About
Walk into virtually any medspa in America and you’ll find lasers, injectables, chemical peels, IV therapy, and a staff mix that might include a physician, a nurse practitioner, a laser technician, and an esthetician all operating under one roof, often under one loosely defined business structure. That complexity is exactly what makes med spas one of the most compliance-dense environments in the entire healthcare sector.
We work with med spas across the country at SafeLink, and the pattern we see is consistent: business owners who are sophisticated entrepreneurs, passionate clinicians, and talented practitioners but who were never handed a compliance roadmap when they opened their doors. This post is meant to be that roadmap, or at least the beginning of one.
$20B+ : U.S. MedSpa industry revenue, growing 12% annually
8,800+ : Active MedSpas operating in the United States
50 : Different state regulatory frameworks
4 : Major federal agencies with jurisdiction
The FDA's Long Reach Into Your Treatment Room
The Food and Drug Administration doesn’t just regulate the drugs in your formulary, it has authority over virtually every device and injectable in a modern med spa. The classification of your equipment matters enormously, and many owners are shocked to discover how broadly “device” is defined under federal law.
Laser & Energy-Based Devices
Laser systems, intense pulsed light (IPL) devices, radiofrequency platforms, and ultrasound equipment are all regulated as medical devices under the Federal Food, Drug, and Cosmetic Act. They must be FDA-cleared or approved for the specific indications you’re using them for. Using a device off-label doesn’t automatically make it illegal — but it shifts the burden of substantiation squarely onto you and creates meaningful liability exposure if adverse events occur.
The FDA’s Center for Devices and Radiological Health (CDRH) also requires that radiation-emitting devices comply with 21 CFR Part 1040. That means maintaining proper equipment records, service logs, and in some cases mandatory incident reporting if a device malfunction causes patient injury.
Injectables, Biologics & Compounded Drugs
Botulinum toxin products - Botox, Dysport, Xeomin, Jeuveau - are FDA-approved biologics with specific indication language. Dermal fillers are Class III devices with premarket approval requirements. The moment you stray from approved indications or purchase these products from unverified distributors, including offshore or gray-market suppliers, you are operating outside the FDA’s safety framework.
Compounded medications deserve particular attention. The 503A/503B compounding framework governs whether your compounded peptides, vitamin infusions, or custom topicals are legally sourced and patient-specific. The FDA has been increasingly aggressive about compounding pharmacies that supply medspas with bulk preparations, and enforcement actions have reached the clinic level.
High-Alert Item: The FDA issued safety communications regarding counterfeit botulinum toxin products circulating in the aesthetics market. Adverse events, including hospitalizations, have been reported. Verification of your supply chain is not optional. It is a patient safety imperative.
IV Therapy & Wellness Infusions
IV hydration and nutrient infusion services sit in a particularly complex regulatory space. Depending on the formulation, the compounding source, and whether a physician order is present, you may be touching FDA, DEA, and state pharmacy board regulations simultaneously. The wellness trend doesn’t create a compliance carve-out. It creates additional scrutiny.
02 - Workplace Safety
OSHA: Your Staff Deserves the Same Protection as Your Patients
The Occupational Safety and Health Administration’s standards apply to every employer in the country, including medspas. OSHA inspections in the healthcare sector have increased markedly in recent years, and medspas — with their combination of clinical procedures, chemical exposures, and physical hazards — present exactly the profile that generates citations.
Bloodborne Pathogens Standard (29 CFR 1910.1030)
If your staff performs any procedure involving potential exposure to blood or other potentially infectious materials — and in a medspa, that includes microneedling, PRP treatments, injectables, and laser procedures with epidermal disruption — you are required to have a written Exposure Control Plan, provide hepatitis B vaccination, maintain proper sharps disposal protocols, conduct annual training, and keep exposure records. This is one of the most frequently cited OSHA standards in medical settings.
Hazard Communication (HazCom) & Chemical Safety
Medspas use a wide range of chemicals: chemical peel agents (glycolic, TCA, phenol), disinfectants and sterilants, laser dyes and coolants, and skin care formulations that may contain sensitizers or irritants. Under OSHA’s HazCom standard (29 CFR 1910.1200), you are required to maintain Safety Data Sheets for all hazardous chemicals, label containers appropriately, and train employees on chemical hazards before they work with them.
Laser Safety
OSHA has issued extensive guidance on laser hazards in healthcare settings. Key requirements under ANSI Z136.3 include designating a Laser Safety Officer (LSO), establishing nominal hazard zones, ensuring appropriate optical density eyewear is available and used, posting laser-in-use warning signs, and maintaining equipment service records. Laser injuries to staff are OSHA-recordable events that can trigger inspections.
General Duty Clause Exposure
Beyond specific standards, OSHA’s General Duty Clause requires that employers furnish a workplace free from recognized hazards likely to cause serious harm. For medspas, this sweeps in ergonomic risks from treatment table work, electrical safety for high-powered devices, and indoor air quality concerns from laser plume.
03 - Privacy & Security
HIPAA: You Are a Covered Entity. Act Like One.
Medical spas that provide services constituting the practice of medicine, nursing, or other licensed healthcare and that transmit health information electronically are covered entities under HIPAA. Period. The aesthetic framing of your services doesn’t change the legal classification. Patient information is protected health information (PHI), and the Privacy and Security Rules apply in full.
A before-and-after photo posted to Instagram without proper authorization isn’t just a privacy misstep. It’s a potential HIPAA violation that can generate OCR complaints, state board sanctions, and civil liability simultaneously.
The Photography Problem
Visual documentation is central to medspa practice - before-and-after photos are marketing currency and clinical records simultaneously. Photos that include identifiable features of a patient are PHI. Using them for marketing requires a valid HIPAA-compliant authorization that is distinct from your general consent forms. Many medspas are operating with photography consent language that a plaintiff’s attorney or an OCR investigator would shred in minutes.
Security Rule Compliance
If your practice management system, EHR, or patient intake platform stores or transmits PHI, you are required to have completed a Security Risk Analysis (SRA), implemented administrative, physical, and technical safeguards, and trained staff on security policies. Practice management platforms, text-based patient communication tools, and cloud storage solutions all require Business Associate Agreements (BAAs) before PHI flows through them.
Telehealth & Remote Consultations
Many medspas have expanded into telehealth consultations for treatment planning and follow-up. The platform must be HIPAA-compliant with a signed BAA, the provider must be licensed in the patient’s state at time of consultation, and documentation must meet clinical standards. Consumer video platforms, regardless of how many practices use them, do not satisfy HIPAA requirements.
04 - Clinical Safety
Infection Control: The Risk That Can End Your Practice Overnight
Infection control failures in medspas have resulted in patient hospitalizations, state board license revocations, and federal investigations. These are not hypothetical risks. They are documented, recurring events, and the aesthetic medicine community has been on notice for years.
CDC & APIC Guidelines
The CDC’s Guidelines for Infection Control in Healthcare Personnel and the APIC frameworks provide the evidence base for medspa infection prevention programs. Key elements include hand hygiene protocols, single-use device policies, proper disinfection and sterilization of reusable instruments, environmental cleaning procedures for treatment rooms, and PPE requirements for each procedure type.
The Sterilization Standard
Autoclaves and other sterilization equipment require regular biological indicator testing, maintenance logs, and staff competency documentation. Spore testing should be performed weekly at minimum. A machine that appears to be sterilizing but has never been validated with spore strips is a liability, not an asset.
Single-Use & Multi-Use Confusion
One of the most common infection control findings we encounter is ambiguity around single-use versus multi-use designation for supplies. Needles, cannulas, and cartridges designated as single-use may never be reprocessed or reused, not even on the same patient in a subsequent visit. Deviating from the manufacturer’s intended use voids device approvals and creates direct patient safety risk.
Real-World Consequences: Several medspas have faced state board actions after patients developed atypical mycobacterial infections following procedures. In nearly every case, investigators identified gaps in instrument sterilization, water quality, or single-use compliance. These outbreaks are preventable, and they’re career-ending when they occur.
05 - State Regulation
The State Patchwork: Where Compliance Gets Truly Complicated
If federal compliance is the floor, state regulation is the entire building, and no two buildings are alike. Medical spa regulation at the state level is fragmented, inconsistently enforced, and evolving rapidly. What is permitted under physician supervision in one state may require direct physician presence in another, or may be restricted to a specific license type entirely.
| Regulatory Domain | What Varies by State | Risk Level |
|---|---|---|
| Medical Director Requirements | Whether a supervising physician must be on-site, available by phone, or simply listed on paperwork. Some states require physician ownership under the Corporate Practice of Medicine doctrine. | High |
| Scope of Practice for NPs & PAs | Full practice authority vs. collaborative agreement vs. direct supervision requirements vary dramatically by state. | High |
| Laser Operator Licensing | Some states require specific certification or direct RN/NP/MD supervision for any laser procedure. Others have no specific requirements. | High |
| Esthetician Scope | What estheticians can legally perform — chemical peels, microdermabrasion, dermaplaning — varies by state board rule. | Medium |
| Facility Licensing | Some states require a healthcare facility license or ambulatory care registration depending on procedures performed. | High |
| Controlled Substance Handling | DEA registration, state pharmacy board rules, and prescription monitoring program requirements affect practices offering ketamine, sedation, or Rx topicals. | High |
| Advertising & Marketing Rules | Many state medical boards limit before/after imagery, require disclosure of supervising physician identity, or restrict promotional language. | Medium |
| OSHA State Plan Requirements | 22 states operate their own OSHA-approved plans. CA, WA, and MI have standards more stringent than federal OSHA. | Medium |
The Corporate Practice of Medicine (CPOM) doctrine deserves special mention. In states like California, Texas, and New York, it is unlawful for a non-physician to own or control a medical practice. This affects medspa ownership structures in ways that many franchise and multi-location operators have failed to account for. A management services organization (MSO) structure may be required, and getting that structure wrong has resulted in multi-million dollar enforcement actions.
Multi-location operators face compounding complexity. A group running medspas across several states isn’t dealing with one regulatory framework. They’re dealing with overlapping, sometimes contradictory requirements across multiple medical boards, health departments, and occupational licensing agencies.
06 - Path Forward
What Proactive Compliance Actually Looks Like
Compliance in a medspa isn’t a binder on a shelf or a set of policies emailed to staff once a year. It is a living program that touches every aspect of operations — clinical, administrative, physical, and digital. Here is what we consistently recommend as the foundational structure:
▸ Conduct a baseline compliance gap assessment covering all four federal domains (FDA, OSHA, HIPAA/Security, infection control) alongside a state-specific regulatory review. You cannot fix what you haven’t mapped.
▸ Formalize your medical director relationship in writing, with a supervision agreement that reflects your state’s actual requirements — not a generic template purchased online.
▸ Build a written HIPAA program including a current Security Risk Analysis, updated policies, staff training documentation, and BAAs with every vendor that touches PHI.
▸ Establish an Exposure Control Plan under OSHA’s Bloodborne Pathogen standard and designate a Laser Safety Officer if you operate energy-based devices.
▸ Implement an infection control program with written protocols for sterilization, disinfection, PPE, and single-use device management — documented with logs that can withstand scrutiny.
▸ Audit your supply chain for injectables and devices. Know your distributors, verify FDA clearances for your specific indications, and document your sourcing.
▸ Train your staff - all of them. HIPAA, OSHA, infection control, and scope-of-practice training should be documented at onboarding and annually thereafter.
▸ Review your scope-of-practice matrix for every license type in your practice against your state’s current board rules. Review annually or whenever staff composition changes.
Compliance isn’t the enemy of a thriving medspa. It’s the foundation of one. The practices that survive enforcement scrutiny are the ones that built the infrastructure before they needed it.
The medspa industry is maturing rapidly, and regulatory maturity is following close behind. State legislatures are moving to close gaps that allowed the industry to operate with ambiguous oversight. The FDA is increasing enforcement around device misuse and compounding. OCR is conducting proactive audits of covered entities regardless of size. OSHA has made healthcare a priority enforcement sector.
The practices that get ahead of this, the ones that build compliance infrastructure before they receive a complaint or an inspection notice, are the ones that protect their patients, their staff, their licenses, and their businesses.
Ready to build a compliance program that works?
SafeLink Consulting provides site assessments, written program development, staff training, and ongoing managed compliance for med spas across the country. Discover more.