Due to surging interest in cosmetic and wellness treatments, the Medical Spa (“MedSpa”) industry is experiencing rapid and dynamic growth. This growth presents exciting opportunities, but interested parties must exercise caution as they navigate the industry’s complex legal and regulatory landscape. Unlike traditional day spas that focus on relaxation and personal care, MedSpas offer medical-grade treatments – like injectables, laser hair removal, and body contouring – that are often regulated as the “practice of medicine.” This means MedSpas must be structured, staffed, and operated in compliance with the relevant healthcare regulatory framework.
Before opening or otherwise operating or investing in a MedSpa, it is important to familiarize yourself with certain requirements including, but not limited to, ownership, licensing, and physician supervision to avoid common regulatory pitfalls and set your business up for lasting success. MedSpa regulations can be extensive and vary by state, so staying informed is essential to keeping your operations both compliant and competitive. While this article does not provide an exhaustive list of every legal issue relevant to MedSpas, and while requirements can vary by state, below are five key legal considerations every aspiring MedSpa owner should have on their radar.
1. Corporate Structure and Corporate Practice of Medicine (CPOM)
- Key Takeaway: Ownership and – critically – control of clinical decision-making must remain with appropriately licensed professionals where CPOM applies.
- One of the most significant factors in structuring a MedSpa is compliance with your state’s corporate practice of medicine (“CPOM”) doctrine, if applicable. At its core, the CPOM doctrine generally prohibits non-physicians from owning or controlling the delivery of medical services or employing physicians (or other licensed practitioners of the healing arts). Many states, including California, New York, and Texas, limit ownership of medical practices to licensed physicians or physician-owned professional corporations, though some permit other licensed healthcare providers (e.g., registered nurses (RNs), nurse practitioners (NPs) and physician assistants (PAs)), to own minority or non-controlling interests. As a result, non-physicians generally cannot fully own or control a MedSpa that provides medical procedures, but they can play other important roles in supporting and facilitating MedSpa operations as outlined below.
- As mentioned, some states permit minority ownership by other licensed health professionals, such as RNs, NPs, and PAs, but these laws can be strictly enforced and vary by jurisdiction. For instance, California requires physicians to own at least fifty-one percent (51%) of the medical entity (formed as a professional corporation), with up to forty-nine percent (49%) allowed for other licensed providers. Additionally, some states may permit non-clinician investors to participate through investment into management services organizations (MSOs), which handle administrative duties but must avoid clinical decision-making (also known as the “Friendly PC Model”). Several states – including Oregon, Massachusetts, and California – are advancing or have advanced legislative initiatives to strengthen enforcement of the CPOM doctrine and potentially limit the use of the Friendly PC Model.[1] These developments may have significant implications for MedSpa ownership structures and compliance obligations. MedSpa operators and investors should closely monitor these efforts and review their business models for compliance with evolving state laws.
- Subject to the applicable state’s CPOM doctrine, MedSpas that offer medical-grade cosmetic procedures face specific regulations regarding who may provide and oversee these services. For example, California defines “outpatient elective cosmetic medical procedures or treatments” as “medical procedures or treatments that are performed to alter or reshape normal structures of the body solely in order to improve appearance.”[2] Therefore, MedSpas offering medical procedures or cosmetic medical services such as Botox injections, dermal fillers, and use of prescriptive medical devices/prescriptions, should ensure that licensed physicians retain authority over medical decisions. Any non-physician clinical staff must only deliver care within the boundaries of their professional license and must adhere to applicable supervisory and oversight requirements, as further detailed in Section 3 below.
- It is essential to structure all agreements – whether with staff, contractors, or MSOs – to clearly divide clinical authority from business functions and comply with a particular state’s CPOM rules to ensure that clinical independence remains solely with licensed physicians and practitioners.
2. Fee-Splitting and State Anti-Kickback Laws
- Key Takeaway: Compensation and management fees must be structured to avoid payments tied to referrals or the volume/value of the medical business.
- Most states (even non-CPOM states) have fee-splitting laws that prevent a physician from sharing profits or commissions with non-physicians related to medical procedures. Penalties for violations include fines and possible revocation of licenses.
- Moreover, state anti-kickback laws generally prohibit payments or other exchanges of value to induce patient referrals. While federal laws like the Anti-Kickback Statute often apply to government-funded programs, such as Medicare and Medicaid, many state laws extend these prohibitions to private insurance and cash-based services, which are common in MedSpas.
- MedSpas should consider establishing safeguards in all financial arrangements with non-physician affiliates, such as MSOs. Structuring these agreements to be commercially reasonable, reflect fair market value, and avoid payments tied to the volume or value of business generated between the parties can reduce regulatory risk associated with fee-splitting and anti-kickback laws.
- Similarly, structuring patient loyalty programs, patient referral programs, influencer relationships, and commissions and bonus compensation arrangements in compliance with applicable legal requirements is also crucial in avoiding regulatory pitfalls.
3. Licensing, Scope of Practice, and Physician Supervision Requirements
- Key Takeaway: Every service must map to a licensed provider’s scope – and supervision must match state-specific rules for the procedure and provider type.
- MedSpas must also ensure compliance with state medical licensing laws and obtain appropriate business licenses and permits. For example, in California, this may include securing a fictitious name permit (“FNP”) with the Medical Board of California to lawfully operate and advertise a medical practice under a name other than the physician’s own name or partnership name.
- MedSpa medical-grade treatments – such as Botox injections and deep microdermabrasion – must be performed by licensed healthcare professionals, including physicians, or other licensed practitioners working under physician supervision, as applicable. Each healthcare professional must strictly adhere to the legal scope of their license, as performing procedures beyond their authorized scope can result in serious penalties, including license revocation. Staff, such as estheticians or medical assistants, are limited to non-medical treatments unless directly supervised and acting within specific scope limitations.
- Physician supervision requirements vary by state, procedure, and provider type. Some states require personal or direct supervision for mid-level providers; others allow remote oversight or general autonomy. For example, in California, physicians are generally prohibited from supervising more than four mid-level providers at a given time and in any combination (i.e., PAs, NPs, and clinical nurse midwives). There are limited exceptions. For example, as mentioned in detail in our previous blog post,[3] NPs may seek certification to practice without standardized procedures in certain settings (103 NPs and 104 NPs) and thus outside of the standard supervisory requirements. Notably, 104 NP applications will open on January 1, 2026, allowing 104 NPs to practice independently, subject to statutory and regulatory limitations.
4. Advertising, Marketing, and Informed Consent Requirements
- Key Takeaway: MedSpa marketing must focus on accuracy, substantiation, proper disclosures, and clear consent.
- In mitigating regulatory risk, MedSpas should ensure that all marketing materials are accurate and comply with applicable legal standards by avoiding misstatements of fact or omission that could mislead a reasonable consumer.
- Advertising must accurately present any before-and-after photos and clearly state qualifications of providers and potential risks, among other relevant legal requirements.
- Patients should be provided with clear informed consent (usually written) outlining risks, benefits, and alternatives prior to a procedure or the use of patient images or testimonials, as mandated by the respective state’s requirements.
- MedSpas that bill commercial and/or governmental payors must comply with HIPAA, and all MedSpa practices must comply with applicable state patient privacy laws to ensure that patients’ confidential information is securely stored and protected from unauthorized access. Maintaining strong privacy practices not only reduces legal risk, but also reinforces trust and confidence in your MedSpa among patients and regulators.
- Under the Friendly PC Model, MedSpas should ensure that final decision-making authority regarding the content and presentation of advertisements and marketing materials for clinical services rests with the MedSpa physician-owner(s) and not the MSO or other management entity.
5. Risk Management and Insurance
- Key Takeaway: Strong protocols, documentation, training, and proper insurance coverage reduce liability and support sustainable growth.
- Implementing effective risk management strategies – including a comprehensive patient safety plan with standardized protocols for assessment, documentation, emergency response, and ongoing staff training – helps MedSpas minimize legal liability and maintain compliance with professional standards of care.
- Maintaining thorough medical and business records as well as conducting regular practice audits can further safeguard the MedSpa from regulatory risk and support consistent, high-quality patient experiences.
- Obtaining appropriate insurance coverage – professional liability, general liability, directors and officers (D&O) liability insurance, workers compensation insurance, and cyber liability insurance – that reflects the full scope of your operations is important to mitigate potential claims arising from the provision of medical services or business operations.
Conclusion
Launching and operating a MedSpa requires diligent compliance with legal, regulatory, and business standards including thoughtful consideration of ownership structure, compensation arrangements, licensing, supervision, marketing, patient consent and privacy standards. Investing in effective risk management strategies and comprehensive insurance is important to protect the practice, its management team, and its affiliated entities. By proactively addressing these complexities, MedSpa owners can avoid costly pitfalls and build sustainable, high-quality practices that earn patient trust and regulatory confidence.
FOOTNOTES
[1] See, e.g., Lenny Lipsky et al., Oregon Targets Corporate Practice of Medicine with Enacted Bill: What SB 951 Means for MSOs, PE-Backed Physician Groups, and Physicians (June 17, 2025).
[2] Cal. Bus. & Prof. Code § 2417.5(b).
[3] John Golembesky, et al., Pulse Check: How is Your California Practice Leveraging “103 NPs” – and Preparing for the Arrival of “104 NPs” in 2026? (July 18, 2025).








