Med Spas Are Under the Microscope: What Every Operator Needs to Know About Medical Director Oversight and Compliance

In late 2024, New York State sent a message to the entire med spa compliance landscape, and it wasn’t subtle.

A coordinated, multi-agency investigation led by the New York Department of State’s Division of Licensing Services, alongside the Department of Health and the State Education Department, resulted in 223 businesses inspected and 87 cited for possible violations — nearly 39%, or close to 2 in 5 operators inspected — including the unlawful practice of medicine. According to the New York Department of State’s official consumer alert, the consequences were real: monetary fines, license suspensions, full revocations.

This was not a handful of bad actors getting caught. This was a statewide sweep. And operators across the country would be wise to pay attention, because New York is a case study, not an outlier.

The industry has a compliance problem.

As demand for cosmetic and wellness services has grown, so has the number of businesses quietly crossing into medical territory without the structure, oversight, or licensure to back it up. The math on this is straightforward: if your business offers Botox or filler injections, IV therapy, microneedling, laser procedures beyond hair removal, GLP-1 prescriptions, or hormone replacement therapy — you are providing medical services. Full stop.

Medical services require medical licensing. For the entity. For the individuals performing the procedures. That’s not a technicality. That’s the law in New York and virtually every state.

Med Spa Compliance: Where Operators Most Commonly Fall Short

Business structure. In New York, a business providing medical services must be organized as a physician-owned Professional Corporation (PC) and obtain a Certificate of Authority from the State Education Department. Having the right entity type on paper isn’t enough if your operations don’t reflect that structure. Having the word “spa” in your entity name can itself flag a problem with regulators. Other states have analogous — and equally unforgiving — requirements.

Medical director oversight. Regulators are not asking whether you have a medical director. They are asking whether that person is actually doing the job — reviewing protocols, signing off on treatment plans, engaging meaningfully with patient care. A nominal medical director who lends a license without genuine involvement is a liability, not a safeguard. When something goes wrong, that arrangement will not protect you. A compliant practice has a medical director who is present, documented, and engaged.

Scope of practice. This was one of the most common findings in the New York investigation, and it is one of the most serious. Estheticians, cosmetologists, and medical assistants have clearly defined scopes of practice — and injectable treatments, IV infusions, laser procedures, and microneedling fall outside those scopes in virtually every state. Before any staff member performs a procedure, the question is simple: does their license actually authorize this? If you cannot answer that without hesitation, that is your answer.

What Regulators Actually Check in a Med Spa Compliance Inspection

When state agencies investigate a med spa, they are looking for documented evidence across several areas. Medical director engagement records — protocols reviewed, treatment plans signed, involvement that can be demonstrated on paper. Entity structure — whether the business is properly organized as a Professional Corporation (or state equivalent) with the required Certificate of Authority. Staff credentials matched to scope of practice — not just licensure on file, but whether each license actually authorizes the procedures being performed. And current, signed treatment protocols — not a binder that hasn’t been touched since opening day.

This is what the New York investigation surfaced across 223 businesses. The operators cited weren’t necessarily uninformed — many simply hadn’t built systems to demonstrate compliance in a way that holds up under scrutiny.

Compliance Is Not a Moment. It’s a Practice.

The operators who come through this environment in the strongest position are not the ones who passed their last inspection. They are the ones who are not waiting for an inspection to get their house in order.

That means mapping every service you offer against your state’s licensing requirements and resolving ambiguities before a regulator does. It means verifying credentials regularly, not once at hire. It means documenting your medical director’s involvement in a way that holds up under scrutiny. It means training your staff on scope of practice, not just technique.

Regulators are not slowing down. If anything, the New York investigation signals a new phase of enforcement — multi-agency coordination, statewide sweeps, and real consequences as the standard, not the exception.

That is not a reason to panic. It is a reason to be prepared.

At MedSpire Health, we work with med spa operators to build compliance infrastructure that protects their businesses, their patients, and their licenses — not as a one-time audit, but as an ongoing practice. Because in this industry, the patient is always at the center. Everything else is built around that.

Questions about your compliance posture? Contact us

By Paula Kokko, Founder & CEO, MedSpire Health

This post is for informational purposes only and does not constitute legal advice. Consult with a qualified healthcare attorney for guidance specific to your practice.

Primary source: New York Department of State, Division of Licensing Services — Med Spa Consumer Alert and Investigation Summary