Beyond the Glow: Key Medical Spa Compliance Challenges and Legal Pitfalls

The medical spa industry is rapidly growing, driven by technological advances and shifting consumer preferences for cosmetic and wellness services. While this growth offers many business opportunities for healthcare professionals and investors, it also comes with complex legal and regulatory challenges.

Owners and operators must navigate strict ownership requirements, licensing, advertising regulations, and risk management obligations. This client alert highlights key legal risks and compliance obligations related to the medical spa sector, particularly under California law, and provides practical guidance for ensuring patient safety, regulatory compliance, and long-term success.

What is a Medical Spa?

A "Medical Spa" (also commonly referred to as a MedSpa or Medi-Spa) is a hybrid day spa and medical treatment facility that offers aesthetic medical procedures and cosmetic treatments in a comfortable and luxurious environment. The most commonly provided Medical Spa aesthetic medical procedures and cosmetic treatments include chemical peels, laser hair and tattoo removal, dermal fillers and injections, photo-facial pulsed light (IPL), body contouring, skin rejuvenation, microdermabrasion, anti-aging treatments, hair loss treatment, and more.

Driven by technological advancements and trends towards cosmetic care and holistic well-being, the Medical Spa industry has been experiencing significant growth. Marketdata, a market research company, recently reported that by 2022, the Medical Spa industry had grown to 8,900 Medical Spas, generating $17.5 billion in annual revenues, with average revenues of $1.9 million per Medical Spa. Medical Spa industry revenues more than tripled from 2012 to 2022 and are projected to grow to $82.5 billion by 2034.

An expansion of services to include anti-aging treatments, radiofrequency devices, mental health and wellness and holistic health services, the availability of telemedicine for virtual consultations, and the introduction of artificial intelligence for personalized treatment recommendations are expected to increase the appeal of Medical Spas as business and investment opportunities for healthcare professionals and the private equity investor community.

Depending on location and equipment, Medical Spa startup costs can range from $250K to more than $1M. Many Medical Spas generate twenty-five percent (25%) to forty percent (40%) profit margins, making them a strong return on investment business opportunity. Eighty-five percent (85%), and with Medical Spa franchises at ten percent (10%) and Medical Spa chains at five percent (5%), of Medical Spas are owned by independent owners (a single person or small group of people). Several Medical Spa chains and franchise models are popular in the market, many of which have adopted different approaches. 

Some of the most well-known Medical Spa franchisors include VIO MedSpa, Massage Envy, Hand and Stone Massage and Facial Spa, 4Ever Young, Elements Massage, Spavia Medical Spa, and LaVida Massage. Medical Spa chains include Goldfingers Aesthetics, It's a Secret Med Spa, Revive Med Spa, and CanyonRanch. Medical Spa business operational models include:

• Luxury Spa Experience: High-end, boutique spa offering premium skincare treatments and advanced anti-aging therapies.
• Membership-Based Model: Monthly subscription packages that offer clients a selection of free monthly services and discounts on other services.
• Specialty Niche: Focus on two or three services, such as massages, skin care, laser treatments, dermal fillers, injectables, or body contouring.
• Pop-Up Medical Spa: A medical spa model where services are delivered on-site to groups at conventions, corporate parties, luxury hotels, or private events.

Medical Spa Ownership, Entity, and Operational Structures

Who Can Own a Medical Spa in California?

California defines "outpatient elective cosmetic medical procedures or treatments" as "medical procedures or treatments that are performed to alter or reshape normal structures of the body solely in order to improve appearance." (Cal. Bus. Prof. Code Section 2417.5(b)). The corporate practice of medicine, which is applicable in most states, requires entities that provide medical services to be owned by physicians.

Thus, if a Medical Spa offers aesthetic medical procedures or cosmetic medical services, including but not limited to the use of prescriptive medical devices and/or prescription drugs, then ownership of the Medical Spa requires ownership by a person with a medical license in most states.

Each state has its own statutes, regulations, and guidelines that must be met. In California, laypersons, or lay entities (i.e., non-licensed healthcare professionals or general corporations) may not own a medical practice or medical corporation. (Cal. Bus. Prof. Code Section 13401.5(a)), and physicians may not be employed or contracted by a general corporation to provide medical services. (Cal. Bus. Prof. Code Sections 2052, 2400)

Physicians must either own the practice wholly or through a medical corporation owned by California-licensed physicians, with no more than 49 percent owned by other licensed healthcare professionals. (Cal. Bus. Prof. Code Section 13401.5(a))

Legal Entity and Operational Structures for Medical Spas

Medical Spa business and operational structures usually involve establishing separate legal entities for medical services and management and administrative functions, often utilizing a Professional Corporation (PC) for the provision of medical services and the employment or contracting of licensed healthcare professionals; and a Management Services Organization (MSO), which may be a general corporation or limited liability corporation, for the provision of business and administrative operational services such as:

• facilities, furniture, fixtures, equipment, and utilities;
• business office and other support personnel;
• financial management; billing and collection services;
• marketing and advertising;
• risk management and regulatory compliance;
• IT support and infrastructure; technology integration; and
• human resources management. 

The PC and MSO affiliated entity structure enables laypersons or lay entities to share the profits generated by a Medical Spa, consistent with the prohibition on the corporate practice of medicine.

In California, the PC can be owned by physicians and other licensed healthcare professionals, or the PC may be owned by a friendly physician (who may be the medical director or contracted supervising physician) who may be replaced by the MSO at any time pursuant to contractual agreements between the PC and MSO.

The PC and MSO enter into a management services agreement ("MSA"), which outlines the duties and responsibilities of each respective party and the PC's obligation to make a management fee monthly payment to the MSO. A Medical Spa MSA must be carefully structured to ensure that the MSO avoids interfering with the professional judgment and clinical decisions of physicians and other licensed healthcare professionals.

Failure to comply with the referenced ownership and operational structure requirements is important, as California laws provide that non-compliance is a criminal violation subject to imprisonment and fines and penalties of up to $500,000:

A business organization that offers to provide, or provides, outpatient elective aesthetic medical procedures or treatments, that is owned or operated in violation of Section 2400, and that contracts with, or otherwise employs, a physician and surgeon to facilitate its offers to provide, or the provision of, outpatient elective aesthetic medical procedures or treatments that may be provided only by the holder of a valid physician's and surgeon's certificate is guilty of violating paragraph (6) of subdivision (a) of Section 550 of the Penal Code. (Cal. Bus. Prof. Code Section 2417.5(a)).

Operational Licensing

Medical License

Opening and operating a Medical Spa requires licensing and compliance with regulations that vary by state. In general, Medical Spas are medical practices that require a medical license for ownership and operation, and registration or licensure with the respective state medical board.

Business License

A Medical Spa must obtain the necessary local business licenses and permits, obtain a tax identification number, and comply with sales tax and zoning laws. If the Medical Spa uses a business name other than the name of the physician or the corporate name, the Medical Spa may need to register it as a fictitious business name or that the Medical Spa is "doing business as" (dba). (Cal. Bus. Prof. Code Section 2272).

Scope of Practice Limitations for Medical Spa Staff

Who Can Perform What Types of Medical Spa Procedures in California?

Medical Spa staff scope of practice requirements, which are established by state licensing authorities, can vary significantly by state and the specific procedures being performed. "Scope of practice" refers to the range of activities, functions, responsibilities, and roles that a licensed healthcare professional has the authority to perform.

Generally, licensed medical professionals like physicians, physician assistants, and nurse practitioners have the broadest scope of practice, while other licensed staff like registered nurses, estheticians, cosmetologists, electrologists, licensed vocational nurses, and medical assistants have more limited roles.

All individuals involved with the performance of Medical Spa aesthetic medical procedures and cosmetic treatments, including a performing or supervising physician, physician assistant, nurse practitioner, registered nurse, licensed vocational nurse, medical assistant, esthetician, electrologist, and cosmetologist should have appropriate certifications, education, experience, and training with respect to the aesthetic medical procedures and cosmetic medical treatments performed. State regulators may additionally require specific training to operate certain medical devices, such as lasers, and require physician oversight regarding the operation of such medical devices. 

Nurse Practitioner

• Nurse practitioners ("NPs") are licensed healthcare professionals who can perform various medical procedures in a Medical Spa, especially those involving injectables, laser treatments, and other aesthetic services. NPs may be delegated the task of providing the appropriate prior examination and ordering a drug or prescriptive device for the patient if acting under standardized procedures.
• In California, NPs can operate either under the supervision of a physician or, in some cases, independently, if they have the requisite experience and training to operate under an expanded scope of practice. ( Bus. Prof. Code Sections 2837.103 and 2837.104 and Title 16, California Code of Regulations Section 1480 et seq.)

Physician Assistant

• Physician assistants ("PAs") can perform many of the same procedures as NPs. However, they must work under the direction and supervision of a licensed physician, usually pursuant to a supervising physician or delegation agreement that addresses their scope of practice and any applicable restrictions.
• PAs may be delegated responsibility for the "appropriate prior examination" of the patient, but physicians must provide their supervision and evaluation of the PA's performance regarding such examinations. (Bus. Prof. Code Section 3500 et seq. and Title 16, California Code of Regulations Section 1399.540)

Registered Nurse

• The scope of practice for a Registered Nurse ("RN") is more limited and subject to stricter delegation and supervision than that of an NP or PA. The level of independence for an RN will depend on the RN's training and experience.
• RNs must be trained in the specific procedures they perform to ensure safety and compliance. In addition, an RN must work under the supervision of a licensed physician, NP, or PA (Bus. Prof. Code Section 2725 and Title 16, California Code of Regulations Section 1474).

Licensed Vocational Nurse

• The scope of practice for licensed vocational nurses ("LVNs") is to perform "services requiring those technical, manual skills acquired" in approved vocational nursing courses.
• LVNs may perform tasks such as injecting medication, withdrawing blood, and starting IV fluids when directed by a physician; however, LVNs may not perform aesthetic medical procedures even if a physician supervises them. ( Bus. Prof. Code Section 2859 and Title 16, of the California Code of Regulations Section 2518.5).

Medical Assistant

• California-certified Medical Assistants ("MAs") are only authorized to perform "basic administrative, clerical and technical supportive services," and technical support services such as administering medication, performing skin tests, and non-invasive specimen collection. (Bus. Prof. Code Section 2052; Title 16 of the California Code of Regulations Section 1366.3(a)(1)).

Esthetician, Electrologist, and Cosmetologist: 

• Estheticians, electrologists, and cosmetologists are licensed by barber and cosmetology boards with respect to a limited scope of services.
• However, they are considered unlicensed personnel with regard to the provision of medical services, and thus their Medical Spa roles are limited to administering non-medical procedures, such as facials, massages, waxing, body scrubs, and hair or skincare treatments. (Bus. Prof. Code Sections 7316 and 7330).

Medical Spa Staff Supervision

Supervising Physician Duties and Qualifications

Physician supervision requirements vary from state to state and by the type of healthcare practitioner being supervised. Supervising physicians must supervise and evaluate performance, rather than lend their license to unlicensed persons or entities without providing any supervision, as such would be a violation of applicable law.

A supervising physician, RN, or PA cannot provide guidance, direction, evaluation, and oversight unless they have sufficient knowledge and training in the aesthetic medical procedure or cosmetic treatment being delegated.

If they are to supervise the procedure, they should also be capable of performing aesthetic medical procedures or cosmetic treatments. Supervising Physicians should be familiar with scope of practice limitations and should know each non-physician staff member's licensure, education, training, experience, and certification status for each aesthetic medical procedure or cosmetic treatment the non-physician will perform.

Supervising Physician Delegation of Supervision Tasks to Medical Spa Staff

Medical Spa aesthetic medical procedures and cosmetic treatments administered to patients are medical in nature. While a physician can delegate their performance to others, a licensed healthcare professional (a physician, nurse practitioner, physician assistant, or registered nurse) should actively supervise and oversee the administration of aesthetic medical procedures and cosmetic treatments.

Before aesthetic medical procedures and cosmetic treatments can be delegated to non-physicians, the Supervising Physician has the duty to assess the healthcare provider's qualifications to perform them.

Supervising Physician Delegation of Performance Tasks to Medical Spa Staff

Supervising Physician delegation to non-physicians may occur pursuant to collaboration or delegation agreements, standardized protocol, or patient-specific orders. NPs, PAs, RNs, and any other licensed healthcare professional performing an aesthetic medical procedure or cosmetic treatment in a Medical Spa should make sure that their personnel files include documentation that they received appropriate training for that aesthetic medical procedure or cosmetic treatment and are competent to perform each procedure or treatment.

Medical Spa Supervising Physician Availability

Supervising Physician availability requirements vary from state to state:

• Personal Supervision: Some states require personal supervision (a supervisor in the room when the service is performed);
• Direct Supervision: Some require direct supervision (a supervisor is on-site and immediately available, but not in the room); and
• Indirect Supervision: Others may only require indirect supervision (a supervisor is not on-site but must be available for consultation by various means within a proscribed period of time).

In California, the Supervising Physician is not required to always be on-site:

Whenever an elective cosmetic procedure involving the use of a laser or intense pulse light device is performed by a licensed health care provider acting within the scope of his or her license, a physician with relevant training and expertise shall be immediately available to the provider. For the purposes of this section, "immediately available" means contactable by electronic or telephonic means without delay, interruptible, and able to furnish appropriate assistance and direction throughout the performance of the procedure and to inform the patient of provisions for post-procedure care. Such provisions shall be contained in the licensed health care provider's standardized procedures or protocols. (Cal. Code Regs. Tit. 16, § 1364.50).

Advertising and Marketing Compliance

Medical Spas must adhere to advertising and marketing rules and regulations to avoid making misleading claims and to ensure transparency with potential clients. Applicable rules and regulations encompass various areas, including the inclusion of physician supervision details, the use of accurate medical titles, and compliance with social media marketing guidelines.

California law requires advertising to include the owner physician's name or the name under which they have a fictitious name permit, and the name of the supervising physician. (Cal. Bus. Prof. Code Section 2272). The use of discount or "bait and switch" promotions is prohibited, and the use of "for as low as" in advertising is prohibited. (Cal. Bus. Prof. Code Section 651).

Truthful Advertising and Avoiding Guarantees

Truth-in-advertising laws, enforced by the Federal Trade Commission ("FTC"), ensure that advertisements are truthful, not misleading, and supported by evidence. Advertising must accurately represent products or services, avoiding outright lies or exaggerations. Advertisements cannot be misleading, and any disclaimers must be clear and conspicuous. Advertisers must also have reasonable grounds, like scientific evidence, to support their claims. When disclaimers are needed, they must be easily accessible and understandable to consumers. 

Medical Spa advertisements should be truthful and accurate and should not guarantee specific results. Medical Spas must clearly disclose the qualifications of their practitioners and the risks associated with the services offered. Medical Spas may not make claims of professional superiority unless they have objective supporting evidence. Advertisements should avoid deceptive pricing and not use phrases like "as low as" or "and up to."

Advertised prices for products must be clearly disclosed and should include all related charges for the product. They must also include clear and conspicuous disclosures regarding limitations, conditions, or exclusions. Price comparisons must be based on verifiable data maintained by the advertiser (Cal. Bus. Prof. Code Section 17500).

Social Media Marketing and the Use of Testimonials

Social media marketing involves several legal requirements, primarily concerning advertising practices, intellectual property, and user data protection. Key areas include ensuring truthful advertising, disclosing sponsored content, respecting copyright and trademark laws, and adhering to platform-specific rules and privacy regulations.

Medical Spas should implement policies and procedures to ensure compliance with social media content, including disclaimers, disclosures, and adherence to industry regulations and consumer protection laws. Medical Spas must provide accurate information in their social media advertising campaigns and clearly disclose any material connection between the Medical Spa and the products being advertised.

Medical Spas should not include copyrighted images, videos, or music without permission, and should avoid trademark violations by using the logos or brand names of Medical Spa medical devices, drugs, or equipment without authorization. Medical Spas must also be transparent about how personal data is collected, used, and protected. To the extent that photos and testimonials are utilized to attract patients, it is important to obtain patient consent for the use of such, and to provide the requisite disclosures regarding before and after results.

Marketing testimonials and endorsements require authenticity, accuracy, and permission from the patient. These should also reflect genuine opinions, findings, or experiences of the endorser. Additionally, testimonials used in advertising must be truthful and not misleading, and include disclosure if the patient is being paid to provide the testimonial. (See, FTC Guide On the Use of Endorsements and Testimonials in Advertising).

Medical Spa Risk Management Best Practices

By implementing effective risk mitigation strategies, Medical Spas can reduce legal liability risks and ensure patient safety and compliance with professional standards of care.

Patient Safety

To effectively mitigate patient safety risks, Medical Spas should implement:

• a comprehensive patient safety plan that includes standardized operating procedures;
• an emergency response plan, policies, and procedures;
• a comprehensive patient assessment and evaluation of the patient's medical history and suitability for requested cosmetic medical treatments; 
• informed consent processes that explain the risks and the benefits to patients for all medical procedures;
• detailed medical records documentation processes; and
• policies and procedures for management of patient complications.

Additionally, implementing infection control protocols, conducting regular audits, and developing emergency response plans are essential to ensure patient safety. 

Medical Spas should establish and abide by requirements for hiring and training qualified staff, ensuring adequate supervision of staff training, and documenting the process used to determine that a non-physician is competent to safely perform aesthetic medical procedures and knows how to document the patient treatment in the medical record.

Medical Spa non-physician policies and procedures should precisely define the roles and responsibilities for each type of healthcare professional employed; specify the types of cosmetic procedures they are allowed to perform; and relay that patients are permitted to request treatment by a physician provider. Medical Spas should also ensure that non-physicians are educated and trained in the possible risks and complications of cosmetic procedures.

Regulatory Compliance

Medical Spas also must comply with a complex web of state and federal regulations, which are frequently updated. One key area of regulatory compliance is the corporate practice of medicine prohibition, and state fee-splitting and anti-kickback laws.

Corporate Practice of Medicine

• In order for a for-profit business to directly provide cosmetic medical services to customers in California or other states with a corporate practice of medicine prohibition, the business entity generally must be incorporated as a professional corporation and may only be owned by licensed physicians and/or other licensed healthcare professionals, if permitted by state law.
• Without the proper legal structure for Medical Spa professional corporation and MSO arrangements, physicians and other healthcare professional owners may be engaged in the corporate practice of medicine, which may put their professional licenses at risk, and expose themselves to potential civil and criminal liability.

Fee-Splitting

• Many states have laws that prevent a physician or PC from sharing medical practice profits ("fee-splitting") with non-physicians.
• A Medical Spa that shares profits with non-physicians and/or pays commissions to non-physicians (including employees or referral sources) for aesthetic medical procedures would violate fee-splitting prohibition laws, leading to fines and medical board disciplinary actions, which could include suspension or revocation of a physician's medical license. (Cal. Bus. Prof. Code Section 650).
• Safeguards to mitigate fee-splitting regulatory risk include ensuring that patient loyalty programs, patient referral programs, influencer relationships, and commissions and bonus compensation structures comply with applicable legal requirements.

Anti-Kickback Laws

• State anti-kickback laws are relevant to Medical Spas as they aim to prevent illegal practices where compensation is provided to induce referrals or the purchase of services. These laws prohibit offering or receiving any value in exchange for directing patients to a particular provider or facility. 
• Medical spas, especially those that accept Medicare or Medicaid patients, need to ensure they comply with both federal and state anti-kickback laws when structuring their referral arrangements, compensating staff, and engaging with other healthcare providers. 
• Referral-based payments and revenue sharing based on referrals are prohibited by anti-kickback laws. (Cal. Bus. Prof. Code Section 650). Safeguards to mitigate anti-kickback law regulatory risk include ensuring that the PC – MSO management fee (a) does not exceed fair market value for bona fide services actually provided, (b) is not a percentage-based fee or other fee that varies based upon the volume or value of services provided to patients, and (c) is set in advance and not changed more than once a year. In general, regulatory risk will be minimized if the management fee is a flat fee or based on a cost-plus management fee structure.

General Regulatory Laws

• Other key regulatory compliance risk areas include state Medical Spa licensing and supervision requirements, staff licensing, confidentiality and data privacy, medical waste disposal, and OSHA workplace safety standards.
• Failure to comply with applicable laws and regulations can result in an injunction, fines, and suspension or revocation of the owner's medical license. Medical spa regulatory compliance risk mitigation involves adopting a compliance plan to ensure compliance with federal and state regulations and partnering with a qualified healthcare law attorney.

Legal Risk Management

Organizational Risks

• In order to mitigate organizational risks, Medical Spa owners and operators should consult with competent healthcare law counsel who will assist them in understanding and keeping up with changes in state laws that regulate spa and cosmetic services.
• These include requirements related to ownership structures and the corporate practice of medicine; licensing requirements; scope of practice for distinct types of providers (in relation to cosmetic services and prescriptive devices; and supervision requirements for licensed and unlicensed providers).

Operational Risks

• Medical Spa legal risk management requires proactively identifying and mitigating potential legal issues to protect the business, staff, and patients. 
• This includes maintaining documentation of patient treatment, vendor contract management, implementation of operational policies and procedures, incident reporting, ensuring that equipment is properly maintained and calibrated, as well as maintaining proper staffing, insurance coverage, and operational policies and procedures. Establishing a relationship with experienced healthcare counsel to obtain guidance and advice is an effective legal risk management strategy.

Takeaways

Medical Spas offer high profit margins, recurring revenue streams, lack of dependence on insurance payors, and opportunities to provide a robust suite of services that create multiple revenue streamsthat can yield significant profits if the owners are able to address the numerous legal, regulatory, and operational challenges.

Federal and state governments are increasingly pursuing enforcement actions against healthcare providers, including Medical Spas. The level of governmental scrutiny and the potentially punitive enforcement actions create an incentive for Medical Spas to adopt and implement robust compliance programs, including policies and procedures that address legal and operational risk areas.

It is important for Medical Spa owners to assess the compliance of their current or proposed operations with applicable legal requirements to determine which aesthetic medical procedures and cosmetic treatments constitute the practice of medicine, and the level of physician supervision, if any, required if mid-level practitioners provide the services.

Physicians and others involved in the development and operation of a Medical Spa should familiarize themselves with applicable legal and regulatory requirements and remain aware of the changing regulatory environment affecting Medical Spa operations.

Failure to comply with Medical Spa legal and operational requirements can result in grave consequences, including business interruptions and financial instability, thereby jeopardizing continuing operations. Conversely, ensuring that Medical Spa owners and operators are aware of and comply with the applicable laws and regulations will mitigate risks and contribute to the success of your Medical Spa. It is essential that Medical Spa owners take action to protect their business investment.

For information concerning Medical Spa development, licensing, operational issues, mergers and acquisitions, and contractual disputes, it is important to contact competent healthcare law legal counsel like Hinshaw & Culbertson LLP for a review of your current practices and identification of ways you can mitigate your legal and regulatory risks.