Med Spa Licensing Guide

How to Start a Med Spa: Medical Director Requirement, Corporate Practice of Medicine, MSO Structure, and Startup Costs (2026 Guide)

A medical spa requires a physician medical director in virtually every state — the Botox injections, laser treatments, and dermal fillers that define med spa services are medical procedures under state medical practice acts. For non-physician owners, the corporate practice of medicine doctrine in most states prohibits direct ownership of the medical practice, requiring a Management Services Organization (MSO) structure paired with a physician-owned Professional Corporation. Add HIPAA compliance for medical records, DEA registration if you prescribe controlled substances, medical waste permits for sharps disposal, malpractice insurance, and esthetics licensing for non-medical services — and you have a compliance stack that requires a healthcare attorney before you open, not after.

Updated April 11, 2026 20 min read

Not legal advice. Requirements may change — always verify with your local government authority before applying. Last verified: .

The quick answer

  • 1A licensed physician (MD or DO) medical director is required in virtually every state — Botox, fillers, lasers, and medical peels are medical procedures that cannot legally be performed without physician oversight.
  • 2Corporate practice of medicine doctrine in most states prevents non-physicians from directly owning the medical practice — an MSO structure (Management Services Organization + Professional Corporation) is the standard legal solution.
  • 3HIPAA applies to med spas as covered entities — patient records, before/after photos, and any electronic health data must be protected under the Privacy and Security Rules.
  • 4Medical waste permit and licensed hauler required for sharps disposal — needles from injections cannot be disposed of in regular trash.
  • 5Budget 9–12 months from initial legal consultation to opening day — licensing, buildout permits, DEA registration, and facility inspections all run on their own timelines.

1. Medical director and ownership structure

The medical regulatory framework is the foundation of med spa compliance — get the ownership structure and physician oversight wrong, and everything else is built on an unstable base. This is the area where most non-physician med spa founders make costly mistakes, frequently because they relied on generic advice rather than state-specific healthcare legal counsel.

Medical director (licensed physician)

Required by: State medical board regulations License: Active, unrestricted MD or DO in your state Compensation: $1,000–$5,000/month for oversight services

The medical director is the licensed physician legally responsible for overseeing all medical procedures performed at the med spa. Responsibilities include: establishing written treatment protocols for each medical procedure offered, reviewing adverse event documentation, supervising practitioners (NPs, PAs, RNs) who perform procedures under their oversight, and being available (in person or by phone, depending on state requirements) when procedures are being performed. The medical director must hold an active, unrestricted license in the state where the med spa operates — a physician licensed in another state does not qualify.

Supervision proximity requirements vary significantly. Texas requires direct on-site supervision for laser procedures; California allows general supervision (physician available by phone but not necessarily present) for delegated acts to licensed RNs performing injections; Florida requires the physician to be "immediately available" during procedures, which most practitioners interpret as on-site or within the building. New York requires physician presence for many injection procedures at non-hospital facilities. Confirm your state's specific standard before building your staffing model.

MSO / Professional Corporation structure

Required in: Most states with corporate practice of medicine doctrine Legal cost: $5,000–$20,000 for initial attorney drafting Entities: MSO (non-physician owned LLC) + PC/PLLC (physician owned)

In states with corporate practice of medicine restrictions (California, Texas, New York, and most others), a non-physician cannot directly own or control the medical practice entity. The solution: the physician owns a Professional Corporation (PC) or PLLC that employs practitioners and supervises all medical services. A separate Management Services Organization (MSO), owned by the non-physician entrepreneur, manages the business operations and leases space/equipment to the PC for a fair-market fee. A healthcare attorney must draft the Management Services Agreement — the fee structure and operational control boundaries are highly specific to avoid CPOM violations.

In California, physicians must own 100% of the Professional Corporation; no partial non-physician ownership of the PC is permitted. In Texas, the PC can be a Professional Association (PA) and the same 100% physician ownership rule applies. Florida takes a somewhat different approach — the Florida Health Care Clinic Act allows certain non-physician-owned entities to operate medical clinics, but requires a clinic license from the Agency for Health Care Administration (AHCA) and has specific exemptions for physician-owned practices. Florida med spa owners should get state-specific legal guidance rather than assuming a generic MSO structure applies.

State esthetics / cosmetology board license

Issued by: State cosmetology or esthetics board Required for: Non-medical esthetic services (facials, waxing, cosmetic peels) Typical processing time: 4–8 weeks after application

The medical side of your med spa is regulated by the state medical board. But if you also offer esthetic services — facials, waxing, cosmetic-grade peels, eyelash services — those are regulated by the state cosmetology or esthetics board and require licensed estheticians. A med spa operating without properly licensed estheticians for esthetic services is in violation of two separate regulatory frameworks simultaneously. In California, the Bureau of Barbering and Cosmetology licenses both individual estheticians and establishments; a separate establishment license is required for the facility (fee approximately $250). In Texas, the Texas Department of Licensing and Regulation oversees cosmetology and esthetics (establishment license fee approximately $375). In Florida, the Department of Business and Professional Regulation (DBPR) licenses specialty salons and esthetics establishments (fee approximately $155 for initial registration, plus biennial renewal at approximately $100).

Malpractice insurance and specialty coverage

Type: Claims-made professional liability Entity coverage: $3,000–$10,000/year Tail coverage: 1–2x annual premium when cancelled

Standard business insurance policies (general liability, business owners policy) do not cover professional liability from medical procedures. Med spas require a separate medical malpractice / professional liability policy covering injuries from Botox adverse reactions, laser burns, infection from injections, or chemical peel complications. The entity needs its own policy ($1M/$3M minimum coverage recommended), and each individual practitioner (physician, NP, PA, RN) should carry individual coverage as well. Med spa policies are claims-made — when the policy is cancelled, you need tail coverage to protect against claims from prior procedures. Tail coverage typically costs 150–200% of the annual premium. Several specialty insurers focus on med spa coverage: Markel, PHLY (Philadelphia Insurance), and CM&F Group are commonly used. AmSpa (American Med Spa Association) maintains a vetted vendor list for member practices.

2. Federal compliance requirements

Med spas are subject to HIPAA as healthcare providers, OSHA bloodborne pathogen standards, and potentially DEA registration requirements. These are federal floors — state requirements may be stricter, but federal compliance is mandatory regardless of state. Unlike many small businesses, a med spa starts with federal regulatory obligations on day one: the first injection procedure triggers both HIPAA and OSHA compliance obligations regardless of how many employees you have or how much revenue you generate.

HIPAA (Health Insurance Portability and Accountability Act)

Enforced by: HHS Office for Civil Rights (OCR) Penalties: $100–$50,000 per violation; up to $1.9M/year Applies to: Covered entities (med spas are typically covered entities)

HIPAA Privacy Rule requires a Notice of Privacy Practices given to each patient at the first visit; Security Rule requires administrative, physical, and technical safeguards for all electronic protected health information (ePHI). Business Associate Agreements must be signed with any vendor handling ePHI — EMR vendors, billing services, cloud storage. Before/after photos require both HIPAA-compliant storage and specific signed photo release authorizations before use in marketing. Non-compliance is a common enforcement area for med spas.

HIPAA compliance setup costs for a new med spa typically run $2,000–$10,000, which includes: selecting a HIPAA-compliant EMR (options like Aesthetic Record, PatientNow, Nextech, or Jane App — all have pre-signed BAAs), completing a security risk assessment ($500–$2,000 if done by a consultant), training all staff on HIPAA requirements, and establishing written Privacy and Security policies. Annual HIPAA training for all employees is required — budget $500–$1,500/year for ongoing training and policy reviews.

A specific area of frequent non-compliance in med spas is before/after photo management. Patient photos taken during or after procedures are protected health information (PHI) under HIPAA if they could identify the patient. Storing them in a shared Google Drive without a BAA, texting them between staff over personal phones, or posting them on Instagram without a properly executed photo release consent are all HIPAA violations. The photo release must be separate from the general treatment consent — it should specify which photos may be used, for what purposes (marketing, educational, social media), and for how long. Patients must sign separately and can revoke consent for future use.

OSHA Bloodborne Pathogens Standard (29 CFR 1910.1030)

Enforced by: OSHA Applies to: Any employee with occupational exposure to blood or OPIM Annual training cost: $200–$500 per employee

Injection procedures, blood draws for PRP, and any procedure involving blood exposure are subject to OSHA's Bloodborne Pathogens standard. Requirements: written Exposure Control Plan updated annually; Hepatitis B vaccination offered to all employees with occupational exposure; engineering controls (sharps containers, safe needle handling devices); PPE (gloves, face shields); annual training; post-exposure evaluation protocol. This applies from the first day you have an employee performing injection procedures.

The written Exposure Control Plan must identify all job classifications where occupational exposure may occur (injectors, practitioners drawing blood for PRP, any clinical staff present during procedures), specify the engineering controls and PPE used, and document the annual review process. OSHA inspectors look for this document first during med spa inspections. Failure to have a written plan is a citable violation even if the practice otherwise follows safe procedures. Several online OSHA compliance vendors sell customizable Exposure Control Plan templates for $100–$300 — these are acceptable as long as they are customized to your specific facility and procedures.

DEA registration (if prescribing controlled substances)

Issued by: Drug Enforcement Administration Fee: $888 for 3-year registration (practitioners) Processing time: 60–90 days for new registrations Required for: Testosterone (Schedule III), phentermine (Schedule IV), ketamine (Schedule III)

Any physician or mid-level practitioner who prescribes, administers, or dispenses Schedule II–V controlled substances must hold an active DEA registration. Common med spa controlled substances: testosterone for HRT (Schedule III), phentermine for weight loss (Schedule IV), ketamine for treatments (Schedule III). Note: semaglutide (Ozempic/Wegovy) and tirzepatide (Mounjaro/Zepbound) are not DEA-controlled substances but are prescription medications subject to state pharmacy regulations. If you plan to launch a weight loss or HRT program on opening day, apply for DEA registration 90 days in advance — the processing timeline is non-negotiable.

Form your business entity

Before applying for permits, you need a registered business. LegalZoom makes LLC formation fast and simple.

Form your LLC with LegalZoom →

Affiliate disclosure · no extra cost to you

3. Additional permits and registrations

Beyond the medical practice licensing and federal compliance obligations, med spas need a layer of facility-specific permits from local and state agencies. These permits are separate from the professional licenses held by individual practitioners and must be obtained in the name of the business entity.

Medical waste permit and licensed hauler

Issued by: State environmental or health agency Applies to: Sharps, biohazardous materials, pharmaceutical waste Hauler contract cost: $50–$200/month depending on volume

Needles, syringes, and lancets from injections must be collected in FDA-cleared sharps containers and disposed of through a licensed medical waste hauler — they cannot go in regular trash. Some states require a medical waste permit from the state environmental agency before you generate regulated medical waste. Contract with a licensed medical waste disposal company (Stericycle, Daniels Health, or local providers) before you perform your first injection procedure. Their service contract and waste manifest documents serve as evidence of compliant disposal if you are audited.

California requires generators of medical waste to register with the California Department of Public Health and use a licensed hazardous waste hauler under the Medical Waste Management Act. Texas med spas must register as medical waste generators with the Texas Commission on Environmental Quality (TCEQ). Florida requires medical waste generators to use a permitted transporter under the Florida Department of Health rules. In New York, generators must comply with Part 70 of the New York Sanitary Code on regulated medical waste. Budget $75–$150/month for a basic monthly pickup contract at a new med spa performing injections — more for facilities with higher procedure volumes.

Business license and zoning

Issued by: City or county clerk's office Zoning: Medical or professional services zoning typically required Business license fee: $50–$500/year depending on city and revenue

Med spas typically require commercial zoning that permits medical offices or professional services. Some jurisdictions classify med spas as medical uses (requiring medical zone) rather than personal services (which permits a broader range of commercial zones). Verify with the local planning department before signing a lease. Also confirm that your lease permits medical use — many commercial leases for retail space exclude medical uses that generate biohazardous waste or require medical gas storage.

In Los Angeles, med spas typically operate under C2 (Community Commercial) or C4 (Commercial) zoning that permits medical offices. In Houston (which has no formal zoning code), deed restrictions and city ordinances governing medical waste govern site selection. In New York City, medical offices are permitted uses in many commercial zones (C1, C2, C4) but require a Certificate of Occupancy specifying medical use. In Miami-Dade County, Florida, a Business Tax Receipt is required in addition to any state licenses. Always pull the zoning compliance letter and the Certificate of Occupancy classification before signing your lease — changing a CO classification after buildout starts is expensive.

State medical board facility notification

Issued by: State medical board or department of health Required in: Selected states — confirm with your state's medical board

Several state medical boards require physicians who perform medical procedures at an office-based facility to notify the board of the facility's location, procedures performed, and emergency protocols. Florida's medical board has specific requirements for office surgery settings. Texas requires reporting of certain adverse events occurring in office-based settings. California does not have a general facility notification requirement for medical offices (only for ambulatory surgery centers), but specific rules apply when procedures are performed under sedation. Confirm with the American Med Spa Association's state regulatory resources or a healthcare attorney whether your state requires any medical board registration or notification.

Signage and advertising regulations

Regulated by: State medical board, FTC, state attorney general Key risk areas: Scope-of-practice misrepresentation, unsubstantiated claims

Med spa advertising is subject to regulation by multiple agencies simultaneously. The FTC prohibits deceptive advertising claims — before-and-after photos must reflect typical results, not outliers. State medical board rules in many states prohibit advertising that misleads the public about the qualifications of practitioners. Advertising that implies a procedure is performed by a physician when it is actually performed by an NP or esthetician under general supervision is a common compliance problem. In California, Business & Professions Code Section 651 prohibits false or misleading advertising by healthcare professionals and includes specific rules about use of credentials, board certifications, and specialty designations.

Weight loss advertising carries additional regulatory risk. The FDA has issued warning letters to med spas and telehealth companies making unsubstantiated weight loss claims for semaglutide or tirzepatide compounded products. If your marketing references specific outcomes ("lose 20 pounds in 90 days"), you are in FTC deceptive advertising territory. Keep claims modest and substantiated — "FDA-cleared prescription weight management program" is safer than specific outcome promises. Have a healthcare regulatory attorney review all marketing materials for medical services before publication.

4. Realistic timeline to open a med spa

Budget 9–12 months from initial planning to opening day. Attempting to compress this timeline typically produces compliance gaps that surface later as enforcement actions or licensing delays.

Phase 1: Legal structure and entity formation (Months 1–3)

Engage a healthcare attorney with experience in your state to design the MSO/PC structure. This involves selecting and incorporating both the Management Services Organization (MSO) and the Professional Corporation (PC), drafting the Management Services Agreement (MSA), the physician employment agreement, and any option agreements that protect the non-physician owner's economic interest. In California and New York, this phase alone takes 2–3 months when attorney availability is factored in. Budget $5,000–$20,000 for legal fees. Do not sign a lease or spend money on equipment until the legal structure is confirmed by your attorney.

Phase 2: Site selection, lease, and buildout (Months 2–7)

Finding a space that is correctly zoned for medical use, negotiating a lease that permits medical procedures and biohazardous waste, and completing the buildout are parallel tracks that take 3–6 months combined. Buildout permit processing times vary widely by jurisdiction — cities like Los Angeles and San Francisco routinely take 3–5 months to process tenant improvement permits for medical office spaces. Houston is faster (4–8 weeks for commercial permits) due to its streamlined permitting system. New York City can take 4–6 months for medical office TI permits through the Department of Buildings. Budget the permit timeline into your buildout schedule or you will face delays after contractor work is complete.

For laser rooms, additional structural review may be required. Class IV laser systems require a designated laser safety officer, appropriate door interlocks or warning signage, and often specific electrical capacity (some systems require 208V three-phase service). Confirm electrical requirements with your equipment vendor before finalizing the space and buildout plans.

Phase 3: Licensing, credentialing, and compliance setup (Months 3–7)

Apply for your city or county business license (2–4 weeks processing), state esthetics establishment license (4–8 weeks), and medical waste hauler contract. If you will prescribe controlled substances, apply for DEA registration at least 90 days before your intended opening — DEA processing for new practitioner registrations averages 60–90 days and cannot be expedited. Set up your HIPAA-compliant EMR system and complete the security risk assessment. Place malpractice and general liability insurance. In states that require a medical board facility notification or clinic license, file those applications during this phase.

Phase 4: Equipment, staffing, and pre-opening inspections (Months 6–10)

Order medical equipment early — new laser devices from major manufacturers (Cynosure, Lumenis, Cutera, Sciton) frequently have 8–16 week lead times. Used devices are faster to acquire but require maintenance records and FDA clearance verification. When purchasing used equipment, obtain the FDA 510(k) clearance number and verify it covers the indications you intend to offer. A laser cleared for hair removal is not cleared for tattoo removal; using an FDA-cleared device outside its cleared indications is an off-label use that carries regulatory and liability risk.

Hire and credential clinical staff before opening. Verify each practitioner's license through your state medical board's online license verification portal — do not rely solely on copies of license certificates provided by the practitioner, as licenses may have lapsed or have undisclosed restrictions. Conduct primary source verification for every clinical hire. Contract with your medical waste hauler before your first injection procedure. Schedule local health department facility inspections, fire marshal inspection, and building occupancy permit inspection — in high-demand markets, booking these inspections can take 3–6 weeks. You cannot legally open until the Certificate of Occupancy is issued or updated for your new use.

5. Cost breakdown to open a med spa

Total startup costs for a med spa typically range from $150,000 on the lean end (small footprint, used equipment, simple services menu) to $500,000+ for a full-service multi-treatment-room facility with new equipment. Here is a detailed line-item breakdown.

Market matters significantly. Opening a med spa in Miami or Dallas is substantially cheaper than in Los Angeles or New York due to real estate costs, labor rates, and permitting timelines. A 1,800 sq ft med spa in Dallas might have total startup costs of $175,000–$250,000 (lease in a medical office park at $28–$35/sq ft NNN, efficient buildout, used laser equipment). The equivalent facility in Beverly Hills or Manhattan would cost $350,000–$600,000+ primarily due to higher real estate and buildout costs.

Item Typical cost Notes
Healthcare attorney — MSO/PC structure $5,000–$20,000 Non-optional in CPOM states; drafts MSA and entity docs
Lease and buildout $50,000–$200,000 Medical-grade construction; treatment room specs
Laser/IPL device $20,000–$80,000 Used to new; per technology platform
Other medical equipment $15,000–$80,000 Microneedling, body contouring, procedure tables
Initial product and supply inventory $5,000–$15,000 Skincare lines, disposables; injectables ordered by physician
Medical director fees (first year) $12,000–$60,000 $1,000–$5,000/month; at fair market value
Licenses and permits (all) $2,000–$8,000 Business license, DEA reg, medical waste permit, esthetics license
HIPAA compliance setup $2,000–$10,000 EMR, security risk assessment, policies, BAAs
Insurance (malpractice + GL + property) $8,000–$20,000/year Med spa specialty policy; claims-made requires tail coverage
Marketing and website $5,000–$20,000 Before/after photo policy must comply with HIPAA
Working capital (6 months) $30,000–$75,000 Rent, payroll, supplies while building client base

6. Common mistakes when opening a med spa

Using a template MSO structure without state-specific legal review

Generic MSO/PC templates sold online are not state-specific and do not account for your state's specific corporate practice of medicine rules, fee-splitting prohibitions, or scope-of-practice requirements for your procedures. A structure that works in Texas may violate California law. The consequences of a defective structure are not administrative — they can result in medical board action against your physician director, loss of their license, and civil liability for the non-physician owners. Pay for a qualified healthcare attorney in your state. The cost is $5,000–$20,000 and it is not a place to cut corners.

Allowing estheticians to perform medical procedures

A common compliance failure in med spas is allowing licensed estheticians to perform Botox injections, medium-depth chemical peels, or laser treatments because they have received training in those procedures. Training does not create authority to perform medical procedures outside your licensed scope of practice. An esthetician who injects Botox — regardless of training — is practicing medicine without a license. The med spa employing them faces citation, potential closure, and if a client is injured, civil and criminal exposure. Map every procedure on your menu to the specific practitioner license required to perform it in your state, before you hire anyone.

Neglecting HIPAA on day one

Med spa owners frequently treat HIPAA as something to address "later, when we're bigger." HHS OCR has no size threshold for enforcement — small practices have been fined for basic HIPAA failures. The most common violations in med spas: using before/after photos on social media without a HIPAA-compliant photo release, texting patient information over unsecured SMS, using consumer cloud services (personal Dropbox, Google Drive without a BAA) for patient photos, and failing to have a Business Associate Agreement with the EMR or billing vendor. Set up HIPAA compliance before your first patient appointment.

No written treatment protocols from the medical director

State medical boards require physician supervision to be substantive — not just a name on a contract. In practice, supervision means written treatment protocols for each procedure, standing orders for which practitioners can perform which treatments under which conditions, and documentation that the medical director has reviewed and approved them. A medical director who signed a contract but has not written protocols, reviewed charts, or been reachable for clinical questions is a liability, not a compliance asset. The medical board can and does investigate medical directors who provide nominal-only supervision — it jeopardizes their license, and the med spa's right to operate.

Signing a commercial lease before verifying zoning and medical use permissions

Med spa founders sometimes sign leases in attractive retail or commercial spaces before confirming that the space is zoned for medical use and that the landlord's lease permits medical procedures and biohazardous waste generation. Some retail leases specifically exclude medical tenants. Others require landlord consent for medical use, which may be withheld. Discovering a zoning or lease conflict after signing exposes you to lease liability without the ability to operate. Always obtain a written confirmation from the local planning department on permitted uses, and have a real estate attorney review the lease for medical use permissions before signing.

7. License renewals and ongoing compliance

Opening a med spa creates permanent ongoing compliance obligations. Set calendar reminders for every renewal deadline before you open — a lapsed license discovered during a routine inspection can force closure while the renewal processes.

License / requirement Renewal frequency Typical renewal cost
Physician medical license Every 1–2 years (varies by state) $100–$400/year
NP / PA / RN individual licenses Every 1–2 years (varies by state) $50–$250/year
DEA registration (practitioner) Every 3 years $888 per renewal (2024 rate)
Esthetics establishment license Every 1–2 years (varies by state) $50–$200
City business license Annually $75–$500 (revenue-based in some cities)
Medical waste hauler contract Annual contract renewal $900–$2,400/year (monthly pickups)
OSHA Exposure Control Plan review Annually (required) Staff time; training $200–$500/employee
Malpractice insurance Annually $3,000–$10,000/year (entity policy)
HIPAA security risk assessment Annually (required) $500–$2,000 if consultant-assisted

8. State-by-state regulatory highlights

Med spa regulation is primarily state law. These are the four largest med spa markets and the most important jurisdiction-specific requirements for each. Confirm current rules with a healthcare attorney licensed in your state — regulations change and this summary reflects the framework as of April 2026. The American Med Spa Association (AmSpa) maintains a continuously updated state regulatory database that is the most reliable secondary source for state-specific requirements.

California

California enforces strict CPOM doctrine under Business & Professions Code Section 2052. Physicians must own 100% of the Professional Corporation; no partial non-physician ownership of the PC is permitted. The MSO structure is widely used but must be carefully structured to avoid "alter ego" problems where a court or regulator could find the MSO is simply a disguised owner of the PC. The California Medical Board does not issue a facility license for general medical offices, but requires that physicians practice within their specialty and maintain appropriate supervision. Laser procedures must be performed by or under the direct supervision of a licensed physician, NP, or PA — estheticians cannot operate medical-grade lasers. The California Bureau of Barbering and Cosmetology requires a separate establishment license for the esthetics portion of your business (fee: approximately $250 for a new establishment license). Business license requirements and fees vary by city — Los Angeles charges a business tax based on gross receipts.

Texas

Texas Medical Practice Act (Occupations Code Chapter 155) enforces CPOM. The Texas Medical Board (TMB) has been one of the most aggressive state medical boards in enforcing proper supervision requirements at med spas — there have been multiple enforcement actions against physicians serving as nominal medical directors without substantive involvement. Laser procedures must be performed or directly supervised on-site by a physician. The Texas Department of Licensing and Regulation (TDLR) oversees cosmetology and esthetics establishment licensing; a cosmetology establishment license is required for the esthetics portion of your services (fee approximately $375). Texas does not have a separate medical clinic license requirement for standard med spas operating under local anesthetic only. The Texas Commission on Environmental Quality (TCEQ) regulates medical waste generators — register as a generator before your first injection procedure.

Florida

Florida is distinctive in that its Health Care Clinic Act (Section 400.990–400.995, Florida Statutes) allows certain non-physician-owned clinics to operate with a clinic license from the Agency for Health Care Administration (AHCA) — but there are specific exemptions, including an exemption for clinics wholly owned by licensed practitioners. Non-physician-owned med spas that are not otherwise exempt must obtain an AHCA clinic license (fee: $1,800 initial application as of 2024). Florida's medical board requires physicians to be "immediately available" during procedures — interpreted as on-site or immediately accessible. Florida's Department of Health (FDOH) licenses medical professionals; the Department of Business and Professional Regulation (DBPR) licenses cosmetology establishments (fee: approximately $155 for a new specialty salon/salon establishment). Miami-Dade County also requires a Local Business Tax Receipt in addition to state licenses.

New York

New York enforces CPOM through its Education Law and the rules of the New York State Education Department (NYSED) Board of Regents. The New York State Department of Health (DOH) has jurisdiction over health facilities. Medical spas offering Botox, fillers, or laser treatments generally operate as physician offices — no separate facility license is required for medical office-based procedures under local anesthetic only. However, if any procedure involves moderate sedation or deeper, the facility must register with DOH as an office-based surgery site. New York's Office of the Professions (part of NYSED) licenses individual practitioners; the Division of Licensing Services under NYSED licenses cosmetology establishments (fee: $50 initial esthetics salon registration). New York City requires a NYC Business Certificate and the applicable Department of Health permits. Building permit processing times in New York City for medical office tenant improvements routinely run 4–6 months through the NYC Department of Buildings — factor this into your buildout timeline.

Frequently asked questions

Does a med spa need a medical director?
Yes, in virtually every state. The procedures that define a medical spa — Botox and other botulinum toxin injections, dermal fillers, laser and IPL treatments, IV therapy, chemical peels beyond cosmetic-grade, platelet-rich plasma (PRP) therapy, and body contouring with medical devices — are classified as medical procedures under state medical practice acts. Medical procedures can only be performed or supervised by licensed medical professionals. The medical director role: A medical director is typically a licensed physician (MD or DO) who oversees the medical procedures performed at the spa, establishes protocols, reviews patient records, and is legally responsible for the medical care delivered. In most states, the medical director must hold an active, unrestricted license in the state where the med spa operates. Can a non-physician be medical director? Some states allow nurse practitioners (NPs) or physician assistants (PAs) to serve as medical director under certain conditions — but this typically still requires physician supervision of the NP or PA. States like California, Florida, and Texas are strict about requiring an MD or DO as the supervising physician for med spa procedures. On-site supervision requirements: States vary significantly on how close the physician supervision must be. Some states require the physician to be physically present when procedures are performed; others allow general supervision with defined protocols in place. Texas, for example, requires physicians to directly supervise or perform laser procedures. California allows "general supervision" for certain delegated acts to RNs, but physician availability is still required. New York takes one of the strictest positions — requiring physician presence or immediate availability for many injection procedures. Medical director compensation: Medical directors who are not the owner of the med spa are typically compensated through a monthly fee (commonly $1,000–$5,000/month) or a percentage of revenue from supervised procedures. Consult a healthcare attorney on the structure — kickback and fee-splitting rules apply.
What is the corporate practice of medicine and how does it affect med spa ownership?
The corporate practice of medicine (CPOM) doctrine is a legal principle adopted by most US states that prohibits non-physician entities (corporations, LLCs owned by non-physicians) from employing physicians or controlling the delivery of medical services. The rationale is that medical decisions should be controlled by licensed professionals, not corporations motivated purely by profit. How it affects med spa ownership: If you are not a physician and you want to open a med spa that offers medical procedures, you face a fundamental legal problem in most states: you cannot own a corporation or LLC that employs physicians or directs their medical practice. States with strict CPOM enforcement: California, Texas, New York, New Jersey, Ohio, and most other states enforce CPOM doctrine for physician services. Florida has a more permissive structure for some practitioner types but still requires physician oversight. California Business & Professions Code Section 2052 prohibits unlicensed persons from practicing medicine or employing a physician to practice on their behalf — violations can result in criminal prosecution. States with more permissive rules: A handful of states (including some that allow mid-level practitioners to practice independently) have less restrictive CPOM rules, but these are a minority. Arizona and Colorado are among the more permissive states for NP-led practices, but even there, the ownership structures for med spas attract regulatory scrutiny. The practical implication: A non-physician who wants to open a med spa must work around CPOM through a carefully structured ownership arrangement — typically involving a Management Services Organization (MSO) and a separate Professional Corporation or PLLC. This structure requires specialized healthcare attorney review before formation. Risks of ignoring CPOM: Operating a med spa with a structure that violates CPOM exposes the owners to: state medical board enforcement action against the supervising physician (which can cost that physician their license), regulatory investigation of the business, civil liability exposure, and in some states criminal charges for practicing medicine without a license through an unlicensed entity.
What is an MSO structure for a med spa, and how does it work?
The Management Services Organization (MSO) structure is the standard legal workaround used by non-physician investors and entrepreneurs to operate med spas in states with corporate practice of medicine restrictions. How the structure works: 1. Professional Corporation (PC) or PLLC: A physician (the medical director or a physician partner) forms a Professional Corporation or Professional Limited Liability Company (PLLC), which is the entity type most states require for entities that practice medicine. The physician owns 100% of this entity (or the required percentage under state law). The PC employs the practitioners and is the entity that holds the medical practice license and supervises all medical procedures. 2. Management Services Organization (MSO): A separate LLC or corporation is formed and owned by the non-physician investor/entrepreneur. The MSO does not provide medical services — it provides management, administrative, and operational services to the PC. Services include: billing and collections, marketing, HR for non-clinical staff, leasing the clinic space and equipment to the PC, purchasing supplies, and handling IT. 3. Management Services Agreement (MSA): A contract between the PC and the MSO specifies what management services the MSO provides and the fee the PC pays the MSO. The MSA fee structure must be structured at fair market value — not a percentage of the PC's medical revenue, which can constitute illegal fee-splitting in many states. What the MSO can and cannot control: The MSO can control business operations, scheduling, marketing, and non-clinical staff. The MSO cannot direct clinical decisions, override the physician's medical judgment, or set standards of care. The physician retains autonomous medical authority. Cost to implement: A properly structured MSO/PC arrangement requires healthcare attorney drafting — typically $5,000–$20,000 in legal fees for the initial structure. In high-complexity states like California or New York, fees can reach $25,000–$35,000 for the full document package including option agreements, employment agreements, and the MSA. Attempting to draft these documents from templates without attorney review is a high-risk approach given the regulatory complexity.
Which procedures require physician supervision vs. an esthetician license?
This is one of the most critical questions for med spa operations, and the answer varies by state — but the general framework is consistent. Esthetician scope of practice (no physician supervision required in most states): - Superficial facial treatments: European facials, hydrafacials, basic extractions - Cosmetic-grade chemical peels: Low-concentration AHA/BHA peels (typically glycolic acid under 30%, lactic acid, salicylic acid under 2%) that do not penetrate below the epidermis - Waxing and threading - Non-invasive LED light therapy - Basic microdermabrasion - Eyebrow and eyelash services Medical procedures (require physician supervision or prescription in most states): - Botox and all botulinum toxin injections: Require physician prescription and supervision in all states. Who can administer under supervision varies — some states allow RNs; others require physician administration. - Dermal fillers (Juvederm, Restylane, Sculptra): Medical procedures requiring physician oversight in all states. - Medium and deep chemical peels (TCA 20%+, phenol peels): Classified as medical procedures in most states. - Laser and IPL treatments: Generally medical procedures — specific rules vary widely by state. - Microneedling: Classified as a medical procedure in most states; some states allow licensed estheticians with specific training to perform it with physician supervision. - PRP (platelet-rich plasma) therapy: Blood draw and injection — medical procedure in all states. - IV therapy: Medical procedure in all states; requires physician oversight. Practical implication: Your med spa needs to categorize every service on its menu as either esthetic (esthetician scope) or medical (physician supervision required), and staff accordingly. A licensed esthetician performing Botox injections without physician supervision is practicing medicine without a license — regardless of their training.
What are the laser device regulations for med spas, and do you need a laser license?
Laser and intense pulsed light (IPL) device regulations for med spas are highly variable by state — some states require specific licensure to operate these devices, others require physician oversight but no separate device license, and a few have minimal requirements. Federal FDA regulation: All laser devices used in medical procedures are classified as medical devices and are subject to FDA regulation under the Federal Food, Drug, and Cosmetic Act. Manufacturers must obtain FDA clearance or approval for specific uses. As a med spa operator, you must use devices for only their FDA-cleared indications — using a laser for non-cleared procedures is an off-label use that carries legal risk. State-by-state laser regulation — key examples: - Texas: Lasers used for medical purposes (hair removal, tattoo removal, skin resurfacing) must be performed or directly supervised by a physician. The Texas Medical Board has been aggressive in enforcement. - California: No specific laser operator license required, but procedures must be performed by a licensed practitioner (physician, NP, PA, or in some cases an RN) within their scope of practice. Estheticians cannot use medical-grade lasers. - Florida: The Board of Medicine has issued guidance that laser procedures constitute the practice of medicine; physician supervision required. - Arizona: Has relatively permissive rules — licensed nurses can perform many laser procedures under indirect physician supervision. - New York: Laser procedures are medical procedures; physician or licensed practitioner supervision required. Who can operate laser devices: Depending on state, laser procedures may be performed by: physicians, NPs, PAs (under physician supervision), RNs (under physician supervision), or in some states medical assistants under specific supervision protocols. Estheticians typically cannot operate medical-grade lasers for medical procedures in most states. Device safety training: Regardless of state licensing requirements, operators should complete manufacturer training and ideally certification through an accredited laser safety course. OSHA also has laser safety guidelines for employee protection.
What DEA registration is required for med spas offering weight loss medications?
Med spas that prescribe or administer controlled substances — including some weight loss medications, testosterone for hormone replacement therapy (HRT), and ketamine for certain treatments — must comply with DEA registration requirements. DEA registration: A Drug Enforcement Administration (DEA) registration is required for any physician or mid-level practitioner who prescribes, administers, or dispenses Schedule II–V controlled substances. The DEA number is individual — it is tied to the practitioner, not the facility. Common controlled substances in med spas: - GLP-1 agonists (semaglutide, tirzepatide for weight loss): Note that semaglutide (Ozempic/Wegovy) and tirzepatide (Mounjaro/Zepbound) are NOT DEA-controlled substances — they are non-scheduled prescription drugs. A prescribing physician's DEA number is not required solely for semaglutide, but a valid prescribing license is. Med spas prescribing semaglutide must comply with compounding pharmacy regulations if sourcing from compounders. - Phentermine: Schedule IV controlled substance — DEA registration required. - Testosterone: Schedule III controlled substance — DEA registration required for any practice that prescribes, administers, or dispenses testosterone. - Ketamine: Schedule III controlled substance — DEA registration required. State pharmacy board rules: Even for non-scheduled prescription drugs, med spas that maintain on-site drug inventory may be subject to state pharmacy board rules, which can require a pharmacy license or specific storage and recordkeeping requirements for prescription drug samples or stock. DEA registration fees: DEA registration costs $888 for a 3-year registration for practitioners (as of 2024; fees may be updated). Registration is per practitioner per practice location in some cases. Practical note: Before advertising any weight loss injection programs, consult a healthcare regulatory attorney to confirm your state's specific rules on prescribing, dispensing, and compounding at med spa facilities.
What are the HIPAA requirements for med spas?
Med spas are healthcare providers under HIPAA if they conduct electronic transactions (billing, payment processing, appointment scheduling systems that transmit health information) or if they treat patients and maintain medical records. Most med spas qualify as "covered entities" under HIPAA. What HIPAA requires for med spas: 1. Privacy Rule compliance: Patients must be given a Notice of Privacy Practices (NPP) describing how their health information will be used and shared. The NPP must be provided at the first service encounter and posted in the facility and on your website. Patients must acknowledge receipt. 2. Security Rule compliance: All electronic protected health information (ePHI) — electronic medical records, before/after photos stored digitally, email communications about patient health — must be protected by administrative, physical, and technical safeguards. This includes: password policies, encrypted storage, access controls, audit logs, and a written security risk assessment. 3. Breach notification: If a data breach exposes unsecured ePHI, the med spa must notify affected patients within 60 days of discovery, and notify HHS. Breaches affecting 500+ individuals in a state also require notification to prominent media outlets in that state. 4. Business Associate Agreements (BAAs): Any vendor who handles ePHI on your behalf — EMR/EHR software vendors, billing services, cloud storage providers, IT support firms — must sign a BAA. Using a vendor that processes patient data without a signed BAA is a HIPAA violation. 5. Before/after photos: Patient photos used for marketing require both HIPAA-compliant handling and a specific signed photo release consent — separate from the general treatment consent. Do not post patient photos on social media without a signed, HIPAA-compliant photo release. Penalties: HIPAA violations range from $100 to $50,000 per violation (per incident), up to $1.9 million annually for violations of the same type. HHS Office for Civil Rights (OCR) enforces HIPAA and conducts audits.
What are the medical waste disposal requirements for med spas?
Med spas generate regulated medical waste — specifically sharps (needles, syringes used for Botox, fillers, PRP, IV therapy) and potentially other biohazardous materials. Federal and state regulations govern disposal. Federal baseline: The EPA and DOT regulate medical waste disposal and transport at the federal level. The Medical Waste Tracking Act provides a framework, but specific requirements are primarily state law. What med spas typically generate: - Sharps waste: Needles, syringes, lancets, and broken ampules from injections. This is the primary regulated waste category for most med spas. - Contaminated materials: Gauze, gloves, and materials contaminated with blood or other potentially infectious materials. - Pharmaceutical waste: Unused or expired medications — particularly relevant if your med spa carries prescription medications or controlled substances on-site. Disposal requirements: 1. Sharps containers: FDA-cleared sharps containers must be used for all needles and sharps. Containers must be puncture-resistant, leak-proof, and properly labeled. Never overfill — fill to the indicated fill line only. 2. Licensed medical waste hauler: Most states require sharps and biohazardous waste to be picked up by a licensed medical waste disposal company. The hauler provides a manifest documenting chain of custody from your facility to the treatment facility. 3. Mail-back programs: Some states permit sharps disposal through FDA-cleared mail-back programs as an alternative to on-site pickup. These are available from vendors like Stericycle and Sharps Compliance. Pharmaceutical waste: Unused prescription medications cannot be disposed of in regular trash or flushed down drains in most cases. EPA rules under RCRA may classify certain unused pharmaceuticals as hazardous waste. Consult your state environmental agency for specific disposal requirements. State medical waste permit: Some states require a permit from the state environmental or health agency to generate and store regulated medical waste. Check with your state health department before opening.
What malpractice insurance does a med spa need?
Med spa insurance requirements are more complex than a typical small business because medical procedures create professional liability exposure that standard general liability policies exclude. Medical malpractice / professional liability insurance: Covers claims arising from injuries caused by medical procedures performed at the spa — adverse reactions to Botox or fillers, laser burns, infections from injections, adverse outcomes from chemical peels. This is a separate policy from general liability. Who needs it: Every physician, NP, PA, and RN who performs medical procedures should have individual malpractice coverage. The med spa entity should also carry an entity-level malpractice policy. Coverage structure: Med spa malpractice policies are typically claims-made policies (covering claims reported during the policy period, not when the incident occurred). When a claims-made policy is cancelled, a "tail" policy is needed to cover incidents that occurred during the policy period but are reported after cancellation. Tail coverage can cost 1–2x the annual premium. Coverage amounts: Minimum recommended coverage is $1,000,000 per occurrence / $3,000,000 aggregate for the entity. Physicians typically carry $1,000,000/$3,000,000 individually. General liability insurance: Covers third-party bodily injury and property damage at the facility — a client slipping and falling, for example. This does not cover professional liability from medical procedures. Both GL and malpractice are required. Specialty med spa policies: Several insurers offer combined med spa policies that bundle professional liability, general liability, and property coverage. American Med Spa Association (AmSpa) maintains a list of insurers that specialize in med spa coverage. Cost: Med spa malpractice insurance typically runs $3,000–$10,000/year for the entity, depending on procedures offered, location, revenue, and claims history. Adding IV therapy, laser, or PRP increases premiums.
What does it cost to open a med spa?
Med spas are among the most capital-intensive service businesses to start, with typical startup costs ranging from $150,000 to $500,000. Here is a detailed breakdown: Legal structure (MSO/PC setup): $5,000–$20,000. A properly structured MSO/Professional Corporation arrangement requires healthcare attorney drafting. This is not optional in most states — getting it wrong exposes both the physician medical director and the business owners to serious regulatory risk. Lease and buildout: $50,000–$200,000. Med spas typically occupy 1,500–3,500 sq ft in medical or high-end retail centers. Buildout requires medical-grade construction: proper electrical for laser equipment, plumbing, treatment rooms with appropriate privacy and lighting, reception and waiting area. Class IV laser rooms may require specific structural modifications (laser safety interlocks, light barriers). Medical equipment: $50,000–$150,000. Laser/IPL device: $20,000–$80,000 (used to new, depending on technology). Microneedling device: $2,000–$10,000. Body contouring equipment: $10,000–$80,000. Injectables refrigerator, mixing station, procedure table. Initial product and supply inventory: $5,000–$15,000. Injectables (Botox, fillers — note these are prescriptions and must be ordered by the supervising physician through licensed distributors). Skincare product lines. Disposable supplies. Medical director compensation (first year): $12,000–$60,000. Monthly medical director fees vary by market and scope of supervision. Licenses and permits: $2,000–$8,000 total for business license, entity formation, DEA registration (if applicable), medical waste permit, state medical board facility notification (required in some states). Insurance (malpractice + GL + property): $8,000–$20,000/year. HIPAA compliance setup (EMR, BAAs, policies): $2,000–$10,000. Marketing and website: $5,000–$20,000. Working capital (6 months): $30,000–$75,000.
Do med spas need a state facility license or medical clinic permit?
Beyond the business license and professional licenses held by individual practitioners, some states require a separate facility-level registration or permit for medical offices and clinics — including med spas. The specific requirement depends on your state and the procedures you offer. States with facility registration requirements: - Florida: The Florida Agency for Health Care Administration (AHCA) requires an "office surgery" registration for facilities that perform certain procedures under IV sedation or general anesthesia. Med spas performing procedures under local anesthesia only are generally exempt, but any use of deeper sedation triggers the registration requirement and facility inspection. - California: Med spas operating as medical offices generally do not need a separate facility license from the Medical Board of California, but offices providing ambulatory surgical services under sedation may be subject to the California Department of Public Health's regulations for ambulatory surgery centers. - Texas: The Texas Medical Board has rules for "facility-based procedures" — med spas performing certain procedures may need to notify or register with the TMB depending on the nature of procedures and anesthesia used. - New York: The New York State Department of Health requires facilities performing "office-based surgery" to register when procedures are performed under deep sedation or general anesthesia. What triggers facility-level regulation: The primary trigger in most states is the type and depth of anesthesia used. Med spas that stick to topical anesthetic creams and local anesthetic injections (lidocaine) for procedures like Botox, fillers, and laser treatments typically fall below the threshold that triggers facility registration. Once you add moderate IV sedation, the regulatory requirements escalate significantly. Local health department permits: Regardless of state facility registration, most cities and counties require a business operating certificate and may conduct a health department inspection of the physical facility before you can open. Inspection timelines range from 2–8 weeks in most jurisdictions; schedule early. Cities like Los Angeles, New York, and Houston have active health department oversight of medical offices.
How long does it take to open a med spa from start to finish?
The timeline from initial planning to opening day for a med spa is typically 6–12 months, and often longer in states with more complex regulatory requirements. Rushing any phase of the compliance process creates regulatory risk. Phase 1 — Legal structure and entity formation (1–3 months): Hiring a healthcare attorney, selecting the MSO/PC structure appropriate for your state, forming the entities, and drafting the Management Services Agreement. In California or New York, this phase alone can take 3–4 months when attorney availability is factored in. Phase 2 — Site selection, lease negotiation, and buildout (2–6 months): Finding a suitable space (medical zoning, appropriate sq footage, plumbing), negotiating a lease that permits medical use and biohazardous waste, and completing buildout. Permit processing for buildout varies widely — in cities like San Francisco or Los Angeles, building permits for medical office tenant improvements can take 3–6 months to process. Phase 3 — Licensing and credentialing (2–4 months): Applying for business licenses, esthetics establishment license, medical director contracting, DEA registration (if needed — allow 60–90 days for DEA processing), medical waste hauler contracting, HIPAA compliance setup, and malpractice insurance placement. Phase 4 — Equipment procurement and staff hiring (1–3 months): Sourcing laser equipment (new medical devices often have 6–12 week lead times), hiring and credentialing practitioners, and completing OSHA training. Phase 5 — Pre-opening inspections (2–6 weeks): Local health department facility inspection, fire marshal inspection, building occupancy permit. In high-demand markets, scheduling these inspections adds weeks. Realistic timeline summary: Budget 9–12 months from initial attorney engagement to opening day. Well-capitalized, well-organized operators in less-regulated states have opened in 6 months; operators in high-regulation states (California, New York) with complex buildouts often take 12–18 months.

Official Sources

Related Guides

Stop guessing about permits

Know exactly what permits your business needs

Get a personalized permit report with every license, registration, and permit required for your business — with costs, timelines, and official application links.

Get Your Permit Report — $9.99
Ready in ~60 seconds Secure payment via Stripe 50 states, 4,000+ jurisdictions