Aesthetic services and the medical spa industry have continued to grow over the past few years as clients continue to demand the availability of such cosmetic services. In response, many providers and investors in the health care industry are seeing opportunities to open or invest in a medical spa.

Before opening or investing in a medical spa there are several key elements to be considered:

Corporate Structure

One of the first elements to consider when opening a medical spa is the corporate structure and ownership of the medical spa. Many jurisdictions have “Corporate Practice of Medicine” (“CPOM”) regulations that prohibit non-licensed professionals or a company from owning or controlling a professional practice. In order to comply with the CPOM doctrine, many health care corporate structures, including medical spas, will have a physician or a physician-owned professional corporation that owns the medical spa and is responsible for the clinical aspects of the practice, and a separate management services organization (“MSO”) that is responsible for the administrative aspects of the practice and enters into a management services agreement with the physician-owned professional corporation. Another consideration in the corporate structure of a medical spa is whether the medical spa will be a stand-alone facility or if the medical spa will be part of a dermatology practice or plastic surgery center as there may be additional corporate structures to consider in these arrangements.

Scope of Practice

Medical spas are typically staffed with multi-disciplinary professionals such as physicians, physician assistants, nurse practitioners, and aestheticians. The scope of practice for each of the professionals varies from state to state so it is important to understand state specific licensure and scope of practice requirements. For example, in many states, nurse practitioners can function independently without physician supervision. The supervision requirements for physician assistants can vary from “on-site supervision” to “off-site supervision”. Many states also have requirements specifying the types of medical spa services that must be provided by a licensed professional while other states may remain silent or not provide a clear answer. For example, in New York aestheticians are permitted to provide laser hair removal, but not other types of laser procedures (e.g., Clear and Brilliant®), Coolsculpting®, and/or injectable services.[1] As there is state variability, it is key to understand the various state professional scope of practices and services provided to appropriately staff a medical spa in a compliant manner.

Licenses and Registrations

Different states have different licensing and registration requirements for medical spas, so it is important to thoroughly analyze and understand which requirements are needed before opening a medical spa. Most will require licensure of the medical spa itself usually through the state board of public health or the state board of medicine. In addition to the licensure of the medical spa, there can be other licensure requirements, such as a cosmetology license to provide services rendered by an aesthetician or laser registration requirements for laser services provided. In addition to laser registration, some states have additional laser requirements such as the state of Illinois[2] which requires a designated safety officer laser safety officer and specific requirements regarding qualifications, duties and responsibilities.

State Law Referral Restrictions

The vast majority of medical spa providers are cash-based and do not take government reimbursement such as Medicare and are therefore not subject to federal Anti-Kickback Statute or Stark Law prohibitions. However, there may still be restrictions by similar state laws as many states have prohibitions related to commissions and fee-splitting with referral sources. For example, in California , physicians are prohibited from offering, delivering, receiving or accepting rebates, refunds, commissions, preferences, patronage dividends, or discounts for referring patients, clients or customers to any person, irrespective of any membership, proprietary interest or co-ownership in or with any person to whom the patients, clients, or customers are referred.[3] States often have permissible business entities and arrangements such as professional corporations that allow sharing of profits among professionals related to services, however, because of the referral and compensation laws, this should be carefully analyzed and structured based on the corporate structure and the providers rendering services.

HIPAA & Data Privacy

Due to the possibility of having protected health information (“PHI”), all medical spas should be evaluated to determine if the medical spa is considered a “covered entity” under the privacy and security regulations of the Health Insurance Portability and Accountability Act of 1996, as amended (collectively, “HIPAA”). Even if a medical spa is not a “covered entity” under HIPAA, there may be other data privacy and security laws and consumer protection laws that a medical spa needs to be in compliance with. As a matter of best practice and client trust, medical spa owners should establish key privacy and security policies to protect client information. This can be particularly important when medical spas promote client services through the medical spa’s website as well as various advertising and marketing platforms. For example, there are patient consent laws and requirements that a medical spa must follow when using the patient’s before and after result photos as part of its marketing of services.

Other Regulatory Considerations

In addition to the legal considerations above, there are other regulatory requirements to consider. For example, some states require medical spas to have a medical director who meets certain educational and professional standards. There may also be states that require medical spas to have implemented compliance programs with quality improvement processes. Medical spa owners should also consider whether operating a medical spa will trigger a certificate of need (“CON”) requirement from the state, as some CON laws are drafted broadly and provide the state agency with discretion in determining if an entity, such as a medical spa, requires a CON. For example, in the District of Columbia, under the applicable CON regulations and guidance of the District of Columbia State Health Planning and Development Agency, depending on the types of services provided, medical spas may require a CON. The CON laws of the specific state should be carefully reviewed and analyzed prior to commencing operations to determine if opening a medical spa would require a CON within the specific state.

* * *

The laws and regulations are constantly evolving for the health care industry, including for medical spas, and the applicability of these laws and regulations to medical spas should be analyzed on a case-by-case basis. If you are considering opening or investing in a medical spa practice, you should consider the key elements above and consult with a health care attorney to ensure compliance with state regulations.

[1] NYS Department of State, Appearance Enhancement Licenses – Procedural Service Determinations (last updated December 14, 2022), available at

[2] Ill. Admin. Code tit. 32 § 315.90.

[3] Cal. Bus. & Prof. Code § 650(a).

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.