How to Open a Med Spa Legally: 7-Step Compliance Guide | Inhouse

Most people who want to open a med spa think the hard part is finding the right space or hiring good staff. It's not. The hard part is getting the legal structure right before you spend a dollar on anything else. Get it wrong and you're looking at fines, forced closure, or a complete ownership restructure six months in. Get it right and everything else follows.

Here's how to do it legally, step by step.

Step 1: Understand Your State's CPOM Laws

Corporate practice of medicine (CPOM) is the legal doctrine that controls who can own a medical practice. And in most states, med spas count as medical practices. That means if you're not a physician, you can't just form an LLC and start injecting Botox under your own name.

California, Texas, and Florida enforce this strictly. Other states are more lenient. But you need to know exactly where your state stands before you incorporate because the wrong structure at formation is expensive and painful to unwind.

Three questions to answer before you do anything else:

• Does your state allow non-physicians to own the business side of a med spa?
• What supervision requirements apply to the specific services you're planning to offer?
• Are aesthetic procedures treated differently from general medical practice in your state?

The Medical Board of California and Texas Medical Board both publish guidance on this. Read it. Then talk to a healthcare attorney.

Step 2: Choose Your Business Structure

Once you know your state's CPOM rules, you have two main paths.

Medical Director Agreement

You own the business, an LLC or corporation. You hire a licensed physician as your medical director. They're responsible for all medical decisions, supervise clinical staff, and sign off on protocols. You run the business side.

This works when your state allows non-physician ownership of the management entity. But the medical director has to be genuinely involved. A physician who just signs paperwork and never shows up is called a "ghost director", and that's a CPOM violation waiting to happen.

MSO/PC Split

This is the structure you'll need in strict CPOM states. It splits the business into two separate legal entities:

• Management Services Organization (MSO): owned by you (non-physician). Handles business operations, billing, marketing, HR, and facilities.
• Professional Corporation (PC): owned by a licensed physician. Handles all medical services, clinical staff, and patient care decisions.

The two entities sign a Management Services Agreement. The MSO supports the PC operationally; the PC handles everything clinical. You make money through the management fee. The physician owns the medical side and carries that liability.

It's more complex to set up. But it's the right structure if you're in California, Texas, or any other state that takes CPOM seriously. And it scales, you can add locations under the same MSO without restructuring.

Either way, don't DIY this. A healthcare attorney who understands your state's rules is worth every dollar here. The wrong structure can void your contracts, kill your insurance reimbursements, and put your physician's license at risk.

Step 3: Secure Required Licenses and Permits

There's no single license that covers everything. You'll need several, and they come from different agencies.

• Business License: Your city or county. Standard for any business.
• Facility License: Required by your state health department. Some states classify med spas as ambulatory surgical centers depending on what procedures you offer.
• Professional Licenses: Every person providing services needs a current state license. RNs, NPs, PAs, estheticians, laser operators requirements vary by service and state.
• DEA Registration: Required if you're using controlled substances. That includes lidocaine, ketamine, and some weight-loss medications.
• Health Department Permits: Some states require separate certification for laser devices or IV therapy.
• OSHA Documentation: Bloodborne pathogen exposure plan, hazard communication, sharps disposal.

Who can do what also varies by state. As a general rule:

• Physician (MD/DO): Can perform injectables and laser. No medical director required.
• Nurse Practitioner (NP): Injectables and laser vary by state. Medical director depends on state.
• Registered Nurse (RN): Injectables under physician/NP order only, laser limited. Medical director required.
• Licensed Esthetician: No injectables, low-level laser only. Medical director required.

Check your state's med spa licensing requirements for the specifics.

Step 4: Develop Medical Protocols

Before your first patient walks through the door, your medical director needs to have written protocols in place. This isn't optional — most states legally require it. And practically speaking, it's your main protection if something goes wrong.

Work with your medical director on:

• Procedure protocols: For every service you offer — Botox, filler, laser, chemical peels, IV therapy. Each one needs contraindications, dosing limits, and a complication management plan.
• Emergency procedures: What happens if a patient goes into anaphylaxis? Who calls 911? Where's the epinephrine?
• Infection control: Sterilization, PPE, sharps disposal.
• Patient screening and consent: Who does the intake, what gets documented, how consents are captured.
• Staff training: Initial and ongoing, by service type.

Review and re-sign these at least once a year. Update them every time you add a new service.

Step 5: Implement Documentation Systems

HIPAA applies to your med spa. If you're collecting patient names, contact info, or treatment records — you're handling protected health information (PHI). That makes you a covered entity, and the rules that come with that are real.

You need:

• A HIPAA-compliant EHR: Paper charts are a liability. Most states require medical records to be retained for 7–10 years.
• Procedure-specific consent forms: Not a generic "I consent to treatment" form. Each procedure needs its own, with documented risks. See required med spa consent forms.
• Supervision logs: Written records showing your medical director is actually supervising. Dates, decisions, sign-offs.
• Training records: Who got trained on what and when, including HIPAA training for every employee.
• Business Associate Agreements: Any vendor that touches PHI needs one. That includes your billing software, your EMR, your scheduling tool, your cloud storage.

A breach — even from a lost laptop — can trigger an OCR investigation, fines from $100 to $50,000 per violation, and the kind of press you don't want. Budget for a HIPAA compliance review before you open.

Step 6: Arrange Professional Insurance

Standard business insurance won't cover you. Med spa insurance is a specialty category, and most general policies specifically exclude medical services.

What you need:

• Professional Liability (Malpractice): For every licensed provider. Standard med spa policy is $1M per occurrence / $3M aggregate.
• General Liability: Premises coverage. Typically $1M/$2M.
• Property Insurance: Covers your equipment. Laser devices alone can run $50,000–$150,000.
• Business Interruption: Covers lost revenue if you have to close temporarily.
• Cyber Liability: Required if you're storing electronic health records. Covers breach notification costs, regulatory fines, and patient notification.

Expect to spend $5,000–$25,000 a year depending on your services, provider count, and location. Work with insurers who specialize in medical aesthetics — they understand the exposure in a way general brokers don't.

Step 7: Ensure Facility Compliance

Your space needs to pass inspection before you can treat patients. And the requirements go well beyond a standard commercial lease build-out.

• Health department inspection: Required before opening in most states. Treatment rooms, sharps disposal, and infection control will all be evaluated.
• OSHA compliance: Bloodborne pathogen controls, hazard labeling, employee training documentation.
• Fire and building codes: You'll need a certificate of occupancy. If you're using Class IV lasers, expect additional fire marshal requirements: specific ventilation, door controls, signage.
• ADA accessibility: All patient-facing areas need to meet ADA standards.
• Medical waste: You need a contracted, licensed disposal company in place before day one.

Schedule your health department pre-opening inspection early. Failing it delays your opening, and the remediation costs add up fast.

How Much Does It Cost to Open a Med Spa?

There's no single number. It depends on your state, your services, and whether you're building out a raw space or moving into an existing clinic. But here's a realistic range by category:

• Business formation (LLC/PC/MSO): $500–$5,000 (higher with a healthcare attorney)
• State licensing fees: $500–$5,000 per license; varies by state
• Medical director: $2,000–$10,000+/month — see the full cost breakdown
• Professional liability insurance: $5,000–$25,000/year
• Equipment: $20,000–$200,000+ (lasers are the biggest single line item)
• Facility build-out: $10,000–$250,000+ depending on space condition and size
• EHR / software: $200–$1,000+/month (must be HIPAA-compliant)
• Total startup budget: $50,000–$500,000+ — most first-timers land between $100k–$300k

The medical director is usually your largest recurring cost. For a detailed look at what drives that number, see the guide on how much a medical director costs.

Common Startup Mistakes

Most of these aren't rookie mistakes. They happen to people who move fast and skip steps.

• Using out-of-scope practitioners. An RN doing injectables without a standing order, or an esthetician running a laser without physician oversight — this is the most common compliance violation in the industry.
• Hiring a ghost medical director. Signing an agreement with a physician who never actually supervises is a CPOM violation. It also exposes you personally if something goes wrong.
• Missing permits. Operating without a facility license or health department permit can get you shut down immediately.
• Generic consent forms. "I agree to treatment" isn't enough. Each procedure needs specific, documented informed consent.
• No documentation. No protocols, no supervision logs, no training records means you have no defense if a regulator or plaintiff comes calling.
• Launching marketing without checking the rules. Before-and-after photos, testimonials, and clinical claims are all regulated. The FTC and state medical boards both enforce this.

Timeline Expectations

Plan for longer than you think. Here's what's realistic:

• Business structure setup: 4–8 weeks
• Licensing and permits: 2–4 months (add time for California and New York)
• Facility build-out: 2–6 months
• Protocol development and staff training: 4–8 weeks
• Insurance placement: 2–4 weeks
• Total: 5–10 months minimum

Don't sign a lease or buy equipment until your legal structure is in place. That's the order of operations.

Frequently Asked Questions

Can a non-physician own a med spa?

It depends on the state. In California and Texas, you can't directly own the medical practice, but you can own the MSO that contracts with a physician-owned PC. In states with softer CPOM rules, non-physician ownership is possible with proper medical director oversight. See the full guide on non-physician med spa ownership.

Do I need a medical director to open a med spa?

Yes, in virtually every state. Injectables and laser treatments are classified as the practice of medicine. A licensed physician has to supervise. The medical director agreement is what defines that relationship.

What licenses do I need to open a medical spa?

At minimum: a business license, a facility license, professional licenses for all clinical staff, and DEA registration if you're using controlled substances. Many states add requirements on top of that, like laser certifications, ASC registration, specific health department permits. Check your state health department directly.

How long does it take to open a med spa legally?

Plan for 5–10 months from decision to first patient. Legal structure, state licensing, and build-out are the long poles. Rushing any of them creates compliance exposure.

What is CPOM and how does it affect med spa ownership?

CPOM (corporate practice of medicine) is the doctrine that prevents non-physicians from owning or controlling a medical practice. It exists in most states and it directly shapes how your med spa has to be structured. Violating it can void your contracts, cost you insurance reimbursements, and trigger action against your physician's license.

What is an MSO structure for a med spa?

An MSO structure splits your business into two entities: a non-physician-owned management company (the MSO) and a physician-owned Professional Corporation (PC). You run the business; the physician runs the clinical side. It's the standard structure for strict CPOM states. See the full guide on MSO structures for med spas.

---

Learn more in our complete Med Spa Compliance Guide, including medical director agreements and MSO structures. Or go straight to the state-specific rules: California · Texas · Florida.

Generate your startup compliance documents in 5 minutes — AI-drafted for $49, or get full attorney review for $349. Get Started →