Med Spas Under the Microscope

June 12, 2026

FDA, OSHA, HIPAA, Infection Control — and a Patchwork of State Requirements That No One Warned You About.

By Mary Bartlett & Matt Rahman, MBA, CISSP, CHPSE · SafeLink Consulting Inc.

“The medical spa industry has exploded over the past decade and regulators have noticed. What was once a gray zone between day spa and medical clinic is now firmly in the crosshairs of federal agencies and state licensing boards alike. If your med spa isn’t treating compliance as a clinical priority, you’re already behind.” – Matt Rahman, President & Managing Partner SafeLink Consulting

Walk into virtually any med spa in America and you’ll find lasers, injectables, chemical peels, IV therapy, and a staff mix that might include a physician, a nurse practitioner, a laser technician, and an esthetician — all operating under one roof, often under one loosely defined business structure. That complexity is exactly what makes med spas one of the most compliance-dense environments in the entire healthcare sector.

We work with med spas across the country at SafeLink, and the pattern we see is consistent: business owners who are sophisticated entrepreneurs, passionate clinicians, and talented practitioners, but who were never handed a compliance roadmap when they opened their doors. This post is meant to be that roadmap, or at least the beginning of one.

(Infographic: med spa industry stats)

01 · FEDERAL

The FDA’s Long Reach Into Your Treatment Room

The Food and Drug Administration doesn’t just regulate the drugs in your formulary. It has authority over virtually every device and injectable in a modern med spa. The classification of your equipment matters enormously, and many owners are shocked to discover how broadly “device” is defined under federal law.

Laser & Energy-Based Devices

Laser systems, intense pulsed light (IPL) devices, radiofrequency platforms, and ultrasound equipment are all regulated as medical devices under the Federal Food, Drug, and Cosmetic Act. They must be FDA-cleared or approved for the specific indications you’re using them for. Using a device off-label doesn’t automatically make it illegal, but it shifts the burden of substantiation squarely onto you and creates meaningful liability exposure if adverse events occur.

The FDA’s Center for Devices and Radiological Health (CDRH) also requires that radiation-emitting devices comply with 21 CFR Part 1040. That means maintaining proper equipment records, service logs, and in some cases mandatory incident reporting if a device malfunction causes patient injury.

Injectables, Biologics & Compounded Drugs

Botulinum toxin products — Botox, Dysport, Xeomin, Jeuveau — are FDA-approved biologics with specific indication language. Dermal fillers are Class III devices with premarket approval requirements. The moment you stray from approved indications or purchase these products from unverified distributors, including offshore or gray-market suppliers, you are operating outside the FDA’s safety framework.

Compounded medications deserve particular attention. The 503A/503B compounding framework governs whether your compounded peptides, vitamin infusions, or custom topicals are legally sourced and patient-specific. The FDA has been increasingly aggressive about compounding pharmacies that supply med spas with bulk preparations, and enforcement actions have reached the clinic level.

! High-Alert Item: The FDA issued safety communications regarding counterfeit botulinum toxin products circulating in the aesthetics market. Adverse events, including hospitalizations, have been reported. Verification of your supply chain is not optional — it is a patient safety imperative.

IV Therapy & Wellness Infusions

IV hydration and nutrient infusion services sit in a particularly complex regulatory space. Depending on the formulation, the compounding source, and whether a physician order is present, you may be touching FDA, DEA, and state pharmacy board regulations simultaneously. The wellness trend doesn’t create a compliance carve-out — it creates additional scrutiny.

02 · WORKPLACE SAFETY

OSHA: Your Staff Deserves the Same Protection as Your Patients

The Occupational Safety and Health Administration’s standards apply to private employers in the U.S., including med spas. OSHA inspections in the healthcare sector have increased markedly in recent years, and med spas — with their combination of clinical procedures, chemical exposures, and physical hazards — present exactly the profile that generates citations.

Bloodborne Pathogens Standard (29 CFR 1910.1030)

If your staff performs any procedure involving potential exposure to blood or other potentially infectious materials — and in a med spa, that includes microneedling, PRP treatments, injectables, and laser procedures with epidermal disruption — you are required to have a written Exposure Control Plan, provide hepatitis B vaccination, maintain proper sharps disposal protocols, conduct annual training, and keep exposure records. This is one of the most frequently cited OSHA standards in medical settings.

Hazard Communication (HazCom) & Chemical Safety

Med spas use a wide range of chemicals: chemical peel agents (glycolic, TCA, phenol), disinfectants and sterilants, laser dyes and coolants, and skin care formulations that may contain sensitizers or irritants. Under OSHA’s HazCom standard (29 CFR 1910.1200), you are required to maintain Safety Data Sheets for all hazardous chemicals, label containers appropriately, and train employees on chemical hazards before they work with them.

Laser Safety

OSHA has issued extensive guidance on laser hazards in healthcare settings. Key requirements under ANSI Z136.3 include designating a Laser Safety Officer (LSO), establishing nominal hazard zones, ensuring appropriate optical density eyewear is available and used, posting laser-in-use warning signs, and maintaining equipment service records. Laser injuries to staff can be OSHA-recordable events that can trigger inspections.

General Duty Clause Exposure

Beyond specific standards, OSHA’s General Duty Clause requires that employers furnish a workplace free from recognized hazards likely to cause serious harm. For med spas, this sweeps in ergonomic risks from treatment table work, electrical safety for high-powered devices, and indoor air quality concerns from laser plume.

03 · PRIVACY & SECURITY

HIPAA: You Are a Covered Entity. Act Like One.

Medical spas that provide services constituting the practice of medicine, nursing, or other licensed healthcare — and that transmit health information electronically — are covered entities under HIPAA. Period. The aesthetic framing of your services doesn’t change the legal classification. Patient information is protected health information (PHI), and the Privacy and Security Rules apply in full.

A before-and-after photo posted to Instagram without proper authorization isn’t just a privacy misstep. It’s a potential HIPAA violation that can generate OCR complaints, state board sanctions, and civil liability simultaneously.

The Photography Problem

Visual documentation is central to med spa practice — before-and-after photos are marketing currency and clinical records simultaneously. Photos that include identifiable features of a patient are PHI. Using them for marketing requires a valid HIPAA-compliant authorization that is distinct from your general consent forms. Many med spas are operating with photography consent language that a plaintiff’s attorney or an OCR investigator would shred in minutes.

Security Rule Compliance

If your practice management system, EHR, or patient intake platform stores or transmits PHI, you are required to have completed a Security Risk Analysis (SRA), implemented administrative, physical, and technical safeguards, and trained staff on security policies. Practice management platforms, text-based patient communication tools, and cloud storage solutions all require Business Associate Agreements (BAAs) before PHI flows through them.

Telehealth & Remote Consultations

Many med spas have expanded into telehealth consultations for treatment planning and follow-up. The platform must be HIPAA-compliant with a signed BAA, the provider must be licensed in the patient’s state at time of consultation, and documentation must meet clinical standards. Consumer video platforms — regardless of how many practices use them — do not satisfy HIPAA requirements.

04 · CLINICAL SAFETY

Infection Control: The Risk That Can End Your Med Spa Overnight

Infection control failures in med spas have resulted in patient hospitalizations, state board license revocations, and federal investigations. These are not hypothetical risks. They are documented, recurring events — and the aesthetic medicine community has been on notice for years.

CDC & APIC Guidelines

The CDC’s Guidelines for Infection Control in Healthcare Personnel and the APIC frameworks provide the evidence base for med spa infection prevention programs. Key elements include hand hygiene protocols, single-use device policies, proper disinfection and sterilization of reusable instruments, environmental cleaning procedures for treatment rooms, and PPE requirements for each procedure type.

The Sterilization Standard

Autoclaves and other sterilization equipment require regular biological indicator testing, maintenance logs, and staff competency documentation. Spore testing should be performed weekly at a minimum. A machine that appears to be sterilizing but has never been validated with spore strips is a liability, not an asset.

Single-Use & Multi-Use Confusion

One of the most common infection control findings we encounter is ambiguity around single-use versus multi-use designation for supplies. Needles, cannulas, and cartridges designated as single-use may never be reprocessed or reused — not even on the same patient in a subsequent visit. Deviating from the manufacturer’s intended use voids device approvals and creates direct patient safety risk.

! Real-World Consequence: Several med spas have faced state board actions after patients developed atypical mycobacterial infections following procedures. In nearly every case, investigators identified gaps in instrument sterilization, water quality, or single-use compliance. These outbreaks are preventable — and they’re career-ending when they occur.

05 · STATE REGULATION

The State Patchwork: Where Compliance Gets Truly Complicated

If federal compliance is the floor, state regulation is the entire building — and no two buildings are alike. Medical spa regulation at the state level is fragmented, inconsistently enforced, and evolving rapidly. What is permitted under physician supervision in one state may require direct physician presence in another or may be restricted to a specific license type entirely.

(Infographic: med spa regulatory requirements, what varies by state, and risk level (high, medium))

The Corporate Practice of Medicine (CPOM) doctrine deserves special mention. In states like California, Texas, and New York, it is unlawful for a non-physician to own or control a medical practice. This affects med spa ownership structures in ways that many franchise and multi-location operators have failed to account for. A management services organization (MSO) structure may be required — and getting that structure wrong has resulted in multi-million dollar enforcement actions.

Multi-location operators face compounding complexity. A group running med spas across several states isn’t dealing with one regulatory framework — they’re dealing with overlapping, sometimes contradictory requirements across multiple medical boards, health departments, and occupational licensing agencies.

06 · PATH FORWARD

What Proactive Compliance Actually Looks Like

Compliance in a med spa isn’t a binder on a shelf or a set of policies emailed to staff once a year. It is a living program that touches every aspect of operations — clinical, administrative, physical, and digital. Here is what SafeLink consistently recommends as the foundational structure:

  • Conduct a baseline compliance gap assessment covering all four federal domains (FDA, OSHA, HIPAA/Security, infection control) alongside a state-specific regulatory review. You cannot fix what you haven’t mapped.
  • Formalize your medical director relationship in writing, with a supervision agreement that reflects your state’s actual requirements — not a generic template purchased online.
  • Build a written HIPAA program including a current Security Risk Analysis, updated policies, staff training documentation, and BAAs with every vendor that touches PHI.
  • Establish an Exposure Control Plan under OSHA’s Bloodborne Pathogen standard and designate a Laser Safety Officer if you operate energy-based devices.
  • Implement an infection control program with written protocols for sterilization, disinfection, PPE, and single-use device management — documented with logs that can withstand scrutiny.
  • Audit your supply chain for injectables and devices. Know your distributors, verify FDA clearances for your specific indications, and document your sourcing.
  • Train your staff — all of them. HIPAA, OSHA, infection control, and scope-of-practice training should be documented at onboarding, when policies change, and annually thereafter.
  • Review your scope-of-practice matrix for every license type in your practice against your state’s current board rules. Review annually or whenever staff composition changes.

“Compliance isn’t the enemy of a thriving med spa; it’s the foundation of one. The practices that survive enforcement scrutiny are the ones that built the infrastructure before they needed it.” – Mary Bartlett, Founder & SVP SafeLink Consulting

The med spa industry is maturing rapidly, and regulatory maturity is following close behind. State legislatures are moving to close gaps that allowed the industry to operate with ambiguous oversight. The FDA is increasing enforcement around device misuse and compounding. OCR is conducting proactive audits of covered entities regardless of size. OSHA has made healthcare a priority enforcement sector.

The practices that get ahead of this — that build compliance infrastructure before they receive a complaint or an inspection notice — are the ones that protect their patients, their staff, their licenses, and their businesses.

Ready to build a compliance program that works?

SafeLink Consulting provides site assessments, written program development, staff training, and ongoing managed compliance for med spas across the country.

Contact SafeLink Consulting | info@safelinkconsulting.com
