Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Checklist of Legal Considerations for a Med Spa

Client Alert

This checklist is intended to serve as a helpful tool for med spas by providing a broad overview of certain state and federal legal requirements.[1]

For purposes of this checklist, a med spa is a business that provides minimally invasive cosmetic medical and wellness services. Such services include, for example, skin rejuvenation treatments, body contouring, dermal fillers and injectables, hair restoration, laser hair removal and hormone therapy.  This article assumes that the services do not include liposuction or any surgical procedures.  Although the med spa may utilize local or topical anesthesia or minimal sedation during the performance of procedures, it will not utilize general anesthesia or deep or moderate sedation. 

This summary also assumes that all services are cash-based and that no commercial insurer, federal or state health care program (e.g., Medicare or Medicaid) or other third-party payor is involved.  Please also note that a discussion of applicable opioid prescribing requirements is beyond the scope of this article. 

CHECKLIST

Checklist of Certain Key Legal Considerations for a Med Spa

  • Organize Business Entities
  • Understand Applicable Tax, Licensure and Related Requirements
  • Ensure Health and Safety at Each Location
  • Confirm that Workforce Members are Qualified and Acting Within Scope of Practice
  • Implement a Workforce Member Onboarding Process
  • Adopt An Active and Robust Compliance Program
  • Be Careful When Developing Business
  • Adopt Patient Intake and Informed Consent Forms
  • Obtain Appropriate Insurance Coverage

DISCUSSION OF CHECKLIST ITEMS

Organize Business Entities

Corporate Practice of Medicine Considerations

Some but not all states have adopted the corporate practice of medicine.[2]  In corporate practice of medicine states, generally only licensed physicians, have the authority to own a medical spa.[3]  Individuals who are unlicensed generally do not have the ability to own an entity that provides professional medical services (including those provided at med spas).  The doctrine is intended to protect the independent medical judgment of licensed professionals--to protect the sanctity of the physician-provider relationship.

Common Management Services Organization (MSO) Model Characteristics

In corporate practice of medicine estates, entrepreneurs who are unlicensed individuals and desire to organize a med spa typically do so through a corporate structure that is often referred to as a “friendly physician,” “friendly PC,” “captive PC” or “MSO” model. This model permits non-physicians to indirectly invest in physician practices when the state law prohibits non-physicians from directly investing. In general, this model involves at least two entities: (a) a professional entity that is owned by one or more licensed physicians, and (b) a management services organization (or “MSO”) owned in whole or in part by non-physicians. 

In such an MSO model, the professional entity employs or contracts with physicians and other licensed healthcare professionals and is the direct provider of medical services to patients. The patients pay the professional entity for the services rendered.  The management entity may have both physician and non-physician owners. The management entity often provides a turn-key operation to the professional entity. Typical management services provided by the management entity to the professional entity include for example the following: (1) development services; (2) provision of real property; (3) provision of information technology and other equipment; (4) provision of office and medical supplies; (5) purchasing and contracting guidance; (6) provision of support personnel; (7) human resource services; (8) patient and case scheduling services; (9) training; (10) credentialing guidance and payor contracting; (11) billing and coding services or advice; (12) financial management, cash management, accounting, and related reporting; (13) compliance, quality, and risk management activities; (14) intellectual property; and (15) marketing services. 

In exchange for the management services provided, the professional entity pays the management entity a management fee. The management fee must be carefully structured in accordance with applicable rebate, fee-splitting and kickback prohibitions (see further discussion below).   Common safeguards to mitigate regulatory risk include ensuring that the management fee is (a) within the range of fair market value for bona fide services actually provided, (b) is not a percentage-based fee or other fee that varies based upon the volume or value of services provided to patients, and (c) is set in advance and not changed more than once a year. In general, it is advisable to have the management fee be a flat fee or based upon a cost-plus structure.

In any MSO arrangement, non-physician owners of the management entity will want to protect their investment.  One way to do that is through buy-sell provisions providing that non-physician investors can essentially replace the friendly physician owner of the professional entity with another licensed physician in various circumstances. These agreements are often called nominee agreements or transfer restriction agreements.   

State Corporate Filings and Governing Documents

Med spas are most commonly formed as a professional limited liability company (“PLLC”) or a professional corporation (“PC”) in corporate practice of medicine states. In non-corporate practice of medicine states, they are often formed as limited liability companies or corporations.  Each state has its own process for forming the entity. 

Owners (i.e., members) of LLCs and PLLCs will also typically prepare an operating agreement to govern the rights and obligations of members and set forth other governance provisions.  It is essential for PLLCs to document corporate decision making appropriately, including through written consent resolutions regarding various organizational decisions.

The owners (i.e., shareholders) of a corporation or PC will also typically prepare Bylaws, a Shareholder Agreement and organizational resolutions. 

Understand Applicable Tax, Licensure and Related Requirements

Below is a summary of certain common tax considerations for newly formed med spas.  Med spas should consult with their tax attorneys and advisors for recommendations particular to their individual circumstances.  Local, state and federal tax laws should all be considered.   

Employee Identification Number (EIN)

Once an entity is formed, an EIN can be obtained from the Internal Revenue Service (IRS) through the completion of an IRS SS-4 (Application for Employer Identification Number), which can be filed online.  An EIN will establish the business tax account and is for use in connection with business activities.

Entity Tax Status Election Filing

Depending upon the form of entity that has been selected, the potential tax election filing options may include, for example, a disregarded entity, partnership, S Corp or C Corp.  The IRS does not recognize LLCs as a classification for tax purposes. Many med spas elect to be taxed as a S corporation by filing IRS Form 2848. In order to do so, the entity must meet the requirements to qualify as an S corporation.  New med spas should consult with their certified public accountant regarding the appropriate tax status election for the business.

Employer W-2 or 1099 Filings

It is also imperative to ensure that workforce members are properly classified as W-2 employees or 1099 independent contractors. There is an abundance of applicable IRS and state guidance on this issue and the analysis turns on the facts.  Businesses that misclassify workers are often required to pay back taxes, penalties and interest, among other potential consequences.

Sales Tax

Each state has its own unique requirements governing whether med spa services and products are subject to sales or similar taxes. 

Ensure Health and Safety at Each Location

The Occupational Safety and Health Administration, (OSHA), is a federal organization within the Department of Labor that enforces standards promoting safe and healthy working conditions for Americans. OSHA conducts on-site inspections, and provides workplace safety training and education. Medical spas are under OSHA’s jurisdiction and are subject to inspection. A medical spa is responsible to ensure its facility conforms to OSHA’s many standards so please contact your local OSHA office for notifications that must be posted at your medical practice and the exposure control plan to have in place. In general responsibilities include use of medical equipment and tools safely, maintain procedure policies (including a bloodborne pathogen plan and laser safety plan), and provide employee safety training for workplace hazards, injury and illness and injury prevention. If hazardous chemicals exist in the workplace, a detailed written hazard program is required.

There are typically similar workplace safety requirements in each state. 

Confirm that Workforce Members are Qualified and Acting Within Scope of Practice

Each med spa must ensure that its team is properly licensed and authorized, as necessary.  Each type of licensed professional (e.g., a physicians, physician assistant, nurse practitioner, registered nurse, licensed professional nurse, esthetician or medical assistant) will have its own scope of practice dictated by state law. Many states also have specific requirements for cosmetic and aesthetic medical services.  States also differ in terms of their supervision and delegation requirements for various professionals.  It’s important that the procedure specific protocols of each med spa are consistent with the applicable state scope of practice, delegation and supervision requirements.    

Controlled Substances

To the extent applicable, med spas must insure that its prescribers maintain current controlled substances registrations issued by the appropriate federal and state governmental agencies.  Health care practitioners must obtain a DEA registration from the United States Drug Enforcement Administration. Many states also have prescription monitoring programs and other regulations governing the prescription of controlled substances in their states.

Adopt and Implement a Workforce Member Onboarding Process

Med Spas will find an abundance of helpful guidance regarding hiring of employees and engaging contractors on the state website. Additional guidance can also often be found on the applicable state Department of Labor or similar agency website.    

From a legal perspective, the med spa workforce member onboarding process should consider, for example, the following steps when engaging a new employee or independent contractor as part of its workforce:

  • Offer letter or agreement setting forth terms of engagement
  • Confirmation of required licenses for applicable position
  • Review of employee handbook and acknowledgement of receipt
  • Data privacy and security and other compliance training and acknowledgement of completion
  • Restrictive covenant agreement (e.g., confidentiality, non-solicitation, non-compete and non-disparagement, as applicable)
  • Comply with the state specific new hire reporting requirements.
  • Completion of Federal I-9 form for every employee

Med spas should consult with their employment law attorneys and payroll companies to ensure compliance with applicable employment laws.  The federal government, state governments and local governments each have employment laws that are beyond the scope of this article. 

Adopt Active and Robust Compliance Program

It is also important to note that the federal and state governments are increasingly pursuing enforcement actions against healthcare providers, including med spas.  The level of scrutiny and the punitive enforcement environment means it is more important than ever for each healthcare providers, including med spas, to adopt and implement strong compliance programs, including policies and procedures that focus on data privacy and security. [4] In order to be helpful, compliance policies and procedures must be implemented and the workforce must have appropriate training.  The compliance policies and procedures should include state licensure and scope of practice requirements and should also address recordkeeping requirements for medical records and other documents. 

Be Careful When Developing Business

Advertising and business development practices are one of the most significant legal risk areas for med spas.  Here are a few tips for mitigating risk:

  • Use caution on websites, social media and in other communications. Care must be taken before responding to any online reviews or complaints. 
  • Remember that before and after photos are considered part of the medical record and the confidentiality of such images must be respected. No med spa should use a before or after photo of a patient unless there is an appropriate written authorization in place.
  • Medical spas must insure that they do not make any false or misleading claims about themselves or the benefits of their services.
  • Med spas must disclose the qualifications of its practitioners and the risks associated with the procedures they offer.
  • Any text message, telephone or email communications comply with applicable federal laws, including, for example, the Telephone Consumer Protection Act (TCPA) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act).

Adopt Patient Intake and Informed Consent Forms

Each med spa should have its patient intake and informed consent forms reviewed by health care legal counsel to ensure compliance with applicable state and federal law. 

Obtain Appropriate Insurance Coverage

Like any other business, med spas should obtain appropriate insurance coverage to mitigate the risk of potential liability in connection with its operations.  Med spas should consult with a knowledgeable insurance agent that has experience working for healthcare providers in the relevant state.  Many insurance agents recommend that med spas obtain the following coverage:

  • Professional liability insurance
  • Directors and officers insurance
  • Workers’ compensation insurance or replacement program
  • Automobile liability insurance covering all owned, hired and non-owned vehicles of the Company
  • Commercial general liability insurance covering third-party claims for bodily injury and property damage arising from the premises and operations of Company
  • Cyber-liability insurance

Medical spas selling skin creams under their own private label may wish to consider obtaining product liability insurance. However, product liability insurance will not be necessary for medical spas that do not sell private label products.

In the event that the med spa is affiliated with an MSO as described above, the MSO should also have the forgoing coverage to the extent applicable.  Sometimes its possible for the MSO to rely upon the professional entity’s coverage, or for the professional entity to rely upon the MSO’s coverage, by being named as an additional insured. Please consult with your insurance agent for additional guidance. 

Also, in the event of a patient complaint regarding a med spa service, the med spa should consult with their attorney and/or insurance agent as to whether notice of the issue should be given to the professional liability insurer in order to preserve rights under the applicable policy.  

For additional information on legal considerations for med spas and other healthcare facilities, please contact Kate Hickner at kehickner@bmdllc.com.


[1] Please note that compliance with applicable state and local laws and regulations is also essential. 

[2] Med spas should consult with their health care attorneys to determine whether their particular state has adopted the corporate practice of medicine.   For example, Michigan and New York are corporate practice of medicine states.  Ohio is an example of a state that does not have an active corporate practice of medicine doctrine. 

[3] In the event that there is a desire to have the professional entity owned by a nurse practitioner or physician assistant, it will be important to consult with an attorney regarding the particular circumstances and options.

[4] Although cash based med spas that do not bill commercial payors are generally not technically subject to HIPAA, it is advisable to comply with HIPAA as a best practice.  Additional information can be found here: https://www.hhs.gov/hipaa/for-professionals/index.html.


DEA and HHS Issue its Third Extension of Telemedicine Flexibilities through 2025

The DEA and U.S. Department of Health and Human Services (HHS) have extended telemedicine flexibilities for prescribing controlled medications through December 31, 2025. This extension builds on temporary exceptions made in 2020 due to COVID-19, allowing providers to prescribe Schedule II-V controlled substances based on a telemedicine evaluation alone. The extension ensures continued patient access to necessary prescriptions and provides time for providers to comply with future regulations.

Medicare Making Changes to Improve Behavioral Health Care Access

The Centers for Medicare & Medicaid Services (CMS) has introduced changes to Medicare’s behavioral health coverage, including allowing Marriage and Family Therapists and Mental Health Counselors to enroll independently, increasing reimbursements for crisis psychotherapy and substance use treatment, and expanding services via community health workers. These updates address gaps in care and improve access to mental health services for Medicare beneficiaries.

The Ohio Department of Medicaid Announces Four Next Generation MyCare Plans

On November 1, 2024, the Ohio Department of Medicaid (ODM) announced four managed care organizations that will become ODM’s Next Generation MyCare plans starting January 2026. MyCare Ohio is a managed care program that supports Ohioans across 29 counties enrolled in both Medicare and Medicaid.

Corporate Transparency Act Reporting Deadline: December 31

The Corporate Transparency Act (“CTA”), which became effective January 1, 2024, imposes strict reporting guidelines on small business owners throughout the country.  The deadline for non-exempt businesses to submit reporting is December 31, 2024.

Permanent Injunction of “Heartbeat” Abortion Ban in Ohio

Hamilton County Common Pleas Judge Christian Jenkins has ruled Ohio’s six-week abortion ban unconstitutional, citing the state’s new reproductive rights amendment. This ruling emphasizes that Ohio law must fully reflect the will of voters, offering clarity for medical providers and safeguarding women's health care rights.