
Compliance Checklist for California Med Spas: 2026 Edition

By Steph Fernandez

Staying compliant in California doesn’t simply mean ticking boxes. It also means protecting your med spa’s license, your patients, and your business’s long-term health. As we move into 2026, California med spa compliance is becoming even more important. With California’s Senate Bill 351, the state is sharpening its focus on medical ownership structures, individualized treatment orders, proper delegation, and truth-in-advertising standards, meaning that med spas of every size need to stay proactive and informed.

To help you navigate the year ahead with confidence, this California med spa compliance checklist breaks down the essentials: from licensing and medical director oversight to scope of practice, patient documentation, OSHA/HIPAA requirements, and device-specific regulations. Whether you’re a physician-led practice or operating under an MSO model, this guide is designed to help you understand what’s required, while making compliance feel clear and actionable.

Understanding California’s Legal Landscape

California’s regulatory environment has always been one of the most stringent in the U.S., but 2026 brings added clarity (and added responsibility) for medical spa operators. Before diving into the checklist, it’s important to understand the legal foundation that shapes how med spas must operate across the state.

Corporate Practice of Medicine (CPOM) Rules

At the heart of California’s med spa regulations is the Corporate Practice of Medicine doctrine. In simple terms, only a licensed physician can own a medical practice or make decisions that influence patient care. That means clinical judgment, treatment planning, and provider oversight must remain firmly in the hands of an MD or DO.

Many med spas work with Management Service Organizations (MSOs) for support with branding, operations, or marketing. However, under CPOM, these entities cannot direct or control medical decisions. In 2026, California is placing even greater emphasis on this separation, reinforcing that administrative partners may guide business operations, while physicians retain exclusive authority over anything involving diagnostics, treatments, or provider delegation. For practices using an MSO model, keeping these boundaries clear and well-documented will be essential.

Overview of New 2026 Med Spa Compliance Requirements

A major shift for 2026 is California’s renewed focus on patient-specific medical oversight. The state is moving firmly away from broad or generic standing orders, and now requires individualized Patient-Specific Orders (PSOs) for any medical procedure: injectables, laser services, IV therapy, wellness injections, and similar treatments.

In practice, this means every patient must receive a tailored order based on their medical history, aesthetic goals, and a full evaluation by an appropriately licensed provider. Blanket authorizations, pre-approved treatment menus, and “one-size-fits-all” protocols no longer apply. The new approach strengthens patient safety, while ensuring that all medical services are delivered within the boundaries of California’s updated med spa regulations.

For clinics, implementing this shift early, through updated intake workflows, charting templates, and provider oversight processes, will be key to staying compliant throughout 2026 and beyond.

Med Spa Licensing & Ownership Checklist

California’s med spa licensing and ownership rules set the foundation for lawful operations. Before hiring staff, purchasing devices, or offering services, every practice must ensure its business structure and registrations align with California medical spa licensing requirements and state laws governing medical practices. Below is a streamlined checklist to help you verify the essentials.

Business Licensing

Every med spa operating in California must hold the appropriate state and local business licenses before opening its doors. This typically includes:

  • A general business license: This is issued by the city or county where the med spa operates.
  • A seller’s permit: Required if your practice sells retail products (such as skincare, supplements, or gift cards) subject to California sales tax.
  • Any required local permits: These include zoning approvals or health permits, depending on your municipality.

Medical Board Registration

If your clinic provides any medical procedures (injectables, lasers, microneedling with PRP, chemical peels using prescription-only ingredients, IV therapy, and more), you must be registered with the Medical Board of California.

This registration ensures the state has documentation of:

  • Your medical corporation or professional corporation
  • The supervising physician or Medical Director
  • The scope of services you intend to offer
  • Your compliance with med spa legal requirements in California

Failure to register can lead to fines, formal citations, or forced closure, so this step should be completed well before offering any medical treatments.

Physician Ownership Structure

California’s Corporate Practice of Medicine doctrine governs who can legally own and control a medical spa. Under this doctrine:

  • Only a licensed physician (MD or DO) may own a medical practice outright.
  • If operating under a Professional Corporation (PC), the physician must hold at least 51% ownership, thereby retaining control over all decisions related to patient care.
  • Non-physician partners (such as RNs, NPs, PAs, or administrative professionals) may hold minority shares, only if allowed under California’s Professional Corporation rules.
  • If you use an MSO (Management Services Organization) model, the MSO may manage branding, operations, marketing, HR, or payroll, but cannot control medical decision-making, medical service pricing, or provider supervision.

This structure protects clinical independence, a central feature of California’s med spa regulatory framework.

Medical Director & Provider Oversight

Strong clinical oversight is the backbone of any compliant California med spa. Proper supervision protects patients, ensures treatments stay within legal scope, and safeguards your practice from regulatory penalties. In 2026, med spas must document and enforce oversight more rigorously than ever.

Who Can Serve as Medical Director?

Your Medical Director must be a licensed physician (MD or DO) in California who is actively practicing and directly engaged in clinical supervision. This role isn’t simply ceremonial. The Medical Director is also responsible for:

  • Establishing and approving clinical protocols for all medical procedures
  • Overseeing provider delegation and scope of practice compliance
  • Reviewing patient treatment plans as needed to ensure safety and legal compliance

The Medical Director should be fully integrated into your clinic’s operations, not a distant or absentee figure. Their involvement is a key requirement for California med spa compliance.

Delegation & Supervision Agreements

California law allows certain licensed clinicians, such as nurse practitioners (NPs), physician assistants (PAs), and registered nurses (RNs), to perform medical procedures, but only under a formal delegation agreement from the Medical Director. These agreements must:

  • Clearly define which procedures each provider is authorized to perform
  • Document the scope of practice for each provider in line with California law
  • Outline supervision policies, including how the Medical Director remains available for guidance or intervention

Having up-to-date, signed delegation and supervision agreements is a critical step in your California med spa compliance checklist, protecting both you and your practice.

Documentation of Oversight

Regulators expect med spas to demonstrate active oversight. Maintain clear records, including:

  • Annual oversight logs showing review of protocols and staff performance
  • Supervisory visit records, including any clinical observations or interventions
  • Contact logs proving the Medical Director’s availability to staff
  • Protocol review documentation whenever clinical procedures or devices are updated

These records not only support compliance with state regulations, but also create a clear internal roadmap for quality assurance, risk management, and training.

Scope of Practice & Clinical Procedures

Clear boundaries around who can perform which treatments are essential for both patient safety and California med spa compliance. This is where many clinics unintentionally drift out of scope, especially as new devices and treatment categories emerge. The safest approach is simple: every procedure must be clinically justified, properly authorized, and performed only by providers with the training and licensure to do so.

Treatment Authorization (PSOs vs Good Faith Exams)

In California, medical treatments (including injectables, lasers, radiofrequency, IV therapy, and peptides) require an individualized patient order, not a blanket authorization. This means:

  • Every patient must receive a clinically appropriate assessment, either in-person or via telehealth.
  • Providers must document a patient-specific order (PSO) confirming that the treatment is suitable, safe, and aligned with the patient’s medical history.
  • A “good faith exam” alone is not enough, unless it results in a documented, individualized plan for that specific treatment.

Each PSO should clearly identify the procedure, outline any contraindications, and reflect the supervising physician’s oversight. This ensures the client’s treatment plan is fully compliant and medically sound.

Who Can Perform What

California draws firm lines around clinical responsibilities in med spas. To remain compliant, treatments should be performed only by clinicians with appropriate licensure and delegation from the supervising physician.

RNs, NPs, and PAs

These licensed professionals may perform medical procedures, including injectables and fillers, lasers, and energy-based devices, when delegated appropriately. They must have:

  • Verified competency and documented training
  • A clear delegation of services from the Medical Doctor
  • Ongoing clinical supervision in accordance with state law

Nurse Practitioners with standardized procedures may have expanded autonomy, but must still follow practice-appropriate protocols for cosmetic treatments.

LVNs, MAs, and Estheticians

These roles have limited or no authority to perform medical procedures.

  • LVNs may assist with medical tasks, but cannot independently perform injectables, lasers, RF, or other medical treatments.
  • Medical Assistants may support physicians or RNs with non-invasive tasks, but cannot operate medical devices or administer treatments.
  • Estheticians may perform cosmetic, non-medical skincare services only. Once a device penetrates the skin, alters tissue, or delivers medical-grade energy, it becomes a medical procedure requiring a licensed clinician.

This division protects patient safety while ensuring your practice stays aligned with California’s injectables and fillers regulations, and laser and device regulations for med spas.

Patient Consent, Records & Documentation

Accurate documentation is far more than a best practice in California; it’s a legal safeguard. From informed consent to detailed charting, proper records demonstrate that treatments are medically appropriate, patient-specific, and delivered under the right level of oversight. In 2026, regulators are looking beyond the services that med spas provide and paying closer attention to how med spas document care.

Informed Consent

Every medical treatment performed in a California med spa must be supported by written, procedure-specific informed consent. Generic or bundled consent forms are no longer sufficient, especially for higher-risk treatments such as injectables, lasers, and energy-based devices.

Your consent forms should clearly outline:

  • The specific procedure being performed
  • Potential risks and side-effects, including rare but serious complications
  • Expected benefits and realistic outcomes
  • Available alternatives, including the option of no treatment
  • Confirmation that the patient had an opportunity to ask questions

Consent must be obtained before treatment, and documented in the patient’s chart. Keeping these forms current – especially as devices, techniques, or protocols change – is a key component of meeting California med spa consent form requirements.

Charting & Documentation Standards

Thorough charting is essential for both patient safety and regulatory protection. California med spas are expected to maintain complete, accurate, and timely patient records for every medical service provided. 

Each patient chart should include:

  • A comprehensive medical history and intake assessment
  • The patient-specific order (PSO) authorizing treatment
  • Documentation of the provider performing the service
  • Detailed treatment notes, including product used, device settings, dosages, and anatomical sites
  • Any post-treatment instructions, follow-up recommendations, or adverse effects

Clear, consistent charting not only supports continuity of care, but also demonstrates compliance with California med spa charting requirements, if your practice is ever audited or reviewed.

Record Retention

California requires medical records to be retained for a defined period, even after a patient is no longer active. While retention timelines may vary based on patient age and record type, med spas should have a clear, written policy covering:

  • How long medical records, consent forms, and PSOs are stored
  • Secure storage methods for both digital and paper files
  • Procedures for record access, release, and disposal

Maintaining organized, accessible records protects your practice long after treatment is complete – and ensures you’re prepared if records are requested by regulators, insurers, or legal counsel.

HIPAA & Patient Privacy Compliance

Patient trust is foundational in any medical spa, and in California, privacy protection is both an ethical obligation and a legal requirement. Because med spas provide medical services, they are fully subject to HIPAA regulations, regardless of whether they also offer non-medical aesthetic treatments. In 2026, privacy compliance continues to be an area of increased enforcement, making it critical to have strong systems and staff training in place.

HIPAA Rules for Med Spas

California med spas must apply HIPAA safeguards across all areas where patient information is created, stored, accessed, or shared. This includes both digital and physical environments.

To stay compliant, your practice should ensure:

  • Electronic Health Records (EHRs) are password-protected, access-controlled, and only available to authorized staff
  • Paper records are stored securely and never left unattended in treatment rooms or public areas
  • Patient communications, including emails, texts, and appointment reminders, use HIPAA-compliant platforms
  • Staff training is conducted regularly, with clear protocols for handling Protected Health Information (PHI)
  • Business Associate Agreements (BAAs) are in place with any vendors that access patient data (e.g., software providers, billing partners)

Even seemingly small lapses, such as discussing treatments within earshot of other clients, can result in privacy violations. Establishing consistent workflows helps ensure your clinic meets California med spa HIPAA compliance standards every day, not just during audits.

Photos, Marketing & Protected Health Information (PHI)

Marketing is a major growth driver for med spas, but it’s also one of the most common sources of HIPAA violations. Any image, video, testimonial, or case study that could identify a patient is considered PHI, and must be handled accordingly.

Before using patient photos or treatment results in marketing, you must:

  • Obtain explicit, written authorization that clearly states how and where the content will be used
  • Ensure consent is separate from clinical treatment consent, not bundled into intake paperwork
  • Avoid using identifying details such as names, dates, tattoos, or unique features unless expressly approved
  • Store signed photo consent forms securely in the patient’s medical record

Importantly, verbal permission or “implied consent” is not sufficient under HIPAA. Clear documentation protects both your patients and your brand, while allowing you to market confidently and ethically.

Advertising & Marketing Compliance

Marketing is a powerful growth lever for med spas, but in California, it’s also a highly regulated area. Every claim you make – whether in your website copy, or in your social media captions – must be accurate, defensible, and clearly presented. In 2026, regulators continue to scrutinize how med spas represent their services, credentials, and results, making advertising compliance a critical part of your overall California med spa compliance checklist.

Truthful Advertising Standards

California requires all medical advertising to be truthful, verifiable, and non-misleading. This applies across every channel, including your website, paid ads, email campaigns, and social media. To stay compliant, avoid:

  • Claims that imply guaranteed outcomes or “perfect” results
  • Language suggesting treatments are risk-free or suitable for everyone
  • Before-and-after comparisons that exaggerate results or omit relevant context
  • Statements that blur the line between medical facts and marketing promises

All advertising should reflect realistic outcomes and acknowledge that results vary by patient. When in doubt, lead with education rather than persuasion. This approach builds trust while keeping your messaging aligned with California med spa advertising regulations.

Required Disclosures & Credential Transparency

Transparency is essential when advertising medical services. California med spas must ensure that patients clearly understand who is providing care and under what level of medical oversight.

Best practices include:

  • Clearly identifying the supervising physician or Medical Director, where required
  • Accurately listing provider credentials (MD, DO, NP, PA, RN) without exaggeration or ambiguity
  • Avoiding titles or descriptions that could confuse patients about a provider’s licensure or scope

Any reference to medical expertise should be precise and current. Misrepresenting credentials (whether or not intentionally) can trigger regulatory action and erode patient trust.

Digital & Social Media Best Practices

Social media plays a central role in med spa marketing, but it also carries unique compliance risks. In California, the same advertising rules apply to Instagram posts, TikTok videos, influencer partnerships, and paid promotions.

To reduce risk:

  • Ensure influencers or brand partners do not make medical claims on your behalf
  • Require clear disclaimers when content is promotional or sponsored
  • Avoid reposting patient stories or DMs without written authorization
  • Monitor comments and captions for unverified claims, even if posted by third parties

Ultimately, your med spa is responsible for the messaging associated with your brand, regardless of who creates the content. Establishing internal review guidelines for digital marketing helps ensure consistency, credibility, and compliance across every platform.

OSHA & Workplace Safety Policies

A safe workplace is a compliant workplace. Because California med spas operate in a medical setting, they are subject to OSHA regulations designed to protect both staff and patients from preventable risk. In 2026, inspectors will continue to focus on whether clinics have documented safety plans and can demonstrate that they are actively followed.

OSHA Requirements for Med Spas

California med spas must meet general OSHA standards applicable to healthcare environments. This includes having written policies that address common risks associated with medical and aesthetic treatments.

At a minimum, your practice should maintain:

  • A Bloodborne Pathogens Exposure Control Plan, outlining how staff are protected from exposure to blood and bodily fluids
  • Hazard Communication policies, including proper labeling, Safety Data Sheets (SDS), and chemical handling procedures
  • Laser and device safety protocols, covering eye protection, room signage, maintenance logs, and emergency shutdown procedures
  • Access to appropriate personal protective equipment (PPE), such as gloves, masks, and eye protection

These policies should be reviewed regularly and easy for staff to access, especially when introducing new devices, products, or treatment types. Maintaining this documentation is a core part of meeting CA med spa OSHA requirements.

Staff Safety Training & Reporting

Policies alone aren’t enough. OSHA expects med spas to actively train staff and document safety-related activities.

Best practices include:

  • Conducting regular safety training for all clinical and non-clinical staff
  • Providing role-specific instruction for procedures involving sharps, lasers, or hazardous materials
  • Maintaining incident and injury logs, even for minor events or near-misses
  • Establishing a clear process for staff to report concerns or exposures without fear of retaliation

Ongoing training reinforces a culture of safety while ensuring your practice can demonstrate compliance during inspections or audits. When staff understand the “why” behind workplace safety policies, adherence becomes second nature.

Compliance Maintenance & Audit Prep

Med spa compliance in California is a constantly evolving process. Regulations change, staff roles shift, and treatment offerings expand. In 2026, the most resilient med spas are those that build compliance into their day-to-day operations, rather than reacting when an issue arises. Regular reviews and thoughtful preparation can make audits far less stressful, and far more manageable.

Internal Compliance Audits

Internal audits help you catch small issues before they become costly problems. These reviews don’t need to be complicated, but they should be consistent and well-documented. 

A strong internal compliance audit typically includes:

  • Licensing verification, ensuring business registrations, physician licenses, and provider credentials are current
  • Review of Medical Director agreements and delegation logs to confirm roles, scope, and supervision remain accurate
  • Spot checks of patient consent forms, making sure they are procedure-specific, signed, and up to date
  • Audits of patient-specific orders (PSOs) to confirm treatments are properly authorized and documented
  • A review of advertising and marketing materials (including social posts, website copy, and promotions) to ensure claims are accurate and compliant

Scheduling these audits quarterly or biannually helps create a rhythm of accountability and keeps compliance aligned with how your med spa actually operates.

Preparing for State Board Audits

While not every med spa will be audited, California regulators expect practices to be inspection-ready at all times. Being prepared reduces disruption, and demonstrates professionalism and good faith.

Keep the following documentation organized and easily accessible:

  • Business licenses and Medical Board registration
  • Medical Director contracts and supervision agreements
  • Provider licenses, certifications, and training records
  • Written clinical protocols and safety policies
  • OSHA documentation, including exposure control and safety training tips
  • HIPAA policies, privacy notices, and staff training records
  • Sample patient charts showing compliant charting, PSOs, and consent forms

Designating a single point of contact – often the Medical Director or practice manager – can also streamline communication during an inspection. The goal isn’t perfection; it’s demonstrating that your med spa operates thoughtfully, transparently, and in alignment with California med spa regulations.

Navigating California Med Spa Compliance in 2026

In 2026, navigating California med spa compliance requires more than a surface-level understanding of the rules. From ownership structure and physician oversight, to documentation, privacy, advertising, and workplace safety, compliance touches every part of your operation. When these pillars work together, they protect not just your license, but also your patients, your team, and your brand.

The most successful California med spas don’t treat compliance as a hurdle. They build it into daily workflows, staff training, and long-term planning. Clear delegation, consistent documentation, and proactive reviews help ensure your practice stays aligned with evolving expectations under California med spa laws in 2026, while allowing you to grow with confidence.

To make this easier, we’ve designed this guide as a practical, downloadable California med spa compliance checklist – one you can revisit throughout the year as regulations shift and your business evolves. For a simplified, ready-to-use version, you can also download our full compliance checklist, and keep it on hand as a reference for audits, onboarding, and internal reviews.

Compliance goes beyond simply avoiding risk. Done well, it becomes a foundation for trust, credibility, and sustainable growth – today, and well beyond 2026. 
