ProofOps Medical is a HIPAA Compliant Business Associate — BAA signed before any PHI moves, with SRA, IRP, 7 admin policies, and a sub-processor BAA tracker. The legal pack is available under NDA.
1 · The Florida med spa regulatory stack
Med-spa regulation in Florida is layered, and that layering trips owners up. There is no single "med spa license" issued by a single agency. Instead, six overlapping authorities apply, and a clinic that fully complies with one while ignoring another is still exposed:
- Florida Department of Health (DOH) — Boards. The Florida Board of Medicine regulates physicians under Chapter 458; the Board of Osteopathic Medicine under 459; the Board of Nursing under 464; the Board of Pharmacy under 465. Each board investigates complaints against its licensees and disciplines the practitioner — not the clinic — but the clinic's records become exhibits in those investigations.
- Agency for Health Care Administration (AHCA). Licenses Health Care Clinics under § 400.9905 and Rule 59A-33; conducts inspections; processes exemption letter requests.
- Federal OSHA. Enforces the Bloodborne Pathogens Standard (29 CFR 1910.1030), hazard communication, and other workplace safety standards. State OSHA does not exist in Florida — federal OSHA is the inspecting authority.
- HHS Office for Civil Rights. Enforces HIPAA Privacy, Security, and Breach Notification rules.
- FDA. Regulates prescription drug supply chain (DSCSA), product manufacturing, and certain device categories. The 2026 enforcement profile is increasingly focused on injectable product source documentation.
- FTC and Florida Department of Agriculture and Consumer Services. Advertising and endorsement rules apply to med-spa promotion, particularly social-media-driven campaigns and before-and-after content.
None of these agencies coordinates proactively with the others. A complaint to one may surface a record an inspector at another agency hadn't seen. The defensive posture is a single integrated file — which is what ProofOps maintains — that satisfies all six at once.
2 · § 458.348 supervision and the 25-mile rule
Florida Statute § 458.348 governs the supervision of mid-level practitioners (ARNPs, PAs) by Florida-licensed physicians. For a med spa, this is the operative statute behind every botulinum toxin injection an ARNP performs, every IV initiation a PA delegates, and every laser procedure supervised remotely.
The four operative requirements are: a written supervisory protocol; a primary practice location within 25 statutory miles or in the same / contiguous county; a maximum of four mid-level supervisees per supervising physician; and documented manner-and-frequency of supervision. Failure on any one is a § 458.348 deficiency. The "paper MD" pattern — a clinic with a contract but no operational presence by the medical director — is the most-cited issue in 2024–2026 Florida med-spa investigations. ProofOps tracks each of the four requirements per supervising physician on file and re-runs the geography check whenever a clinic location or primary practice address changes.
The full pillar on this is the § 458.348 explainer.
3 · AHCA Health Care Clinic licensure or exemption
Most Florida med spas need either an HCC license or a written AHCA exemption determination on file. The default presumption is that a clinic providing health services for compensation, and not wholly physician-owned, requires the license. The wholly-physician-owned exemption under § 400.9905(4) is self-executing, but the defensible practice is to request a written exemption letter from AHCA's Bureau of Health Facility Regulation. Operating an unlicensed clinic when one is required is a third-degree felony under § 400.9935.
AHCA inspections sample medical-director designations, supervisory protocols, OSHA records, sharps manifests, infection control policies, employee files, GFE records, and the AHCA license posted on the premises. The full pillar is the AHCA HCC explainer.
4 · The Good Faith Exam, end to end
A Good Faith Exam is the patient encounter that establishes the practitioner-patient relationship, documents the medical history, evaluates the patient for the specific procedure, and authorizes the delegated medical act. In Florida, the GFE must be performed by a Florida-licensed physician, an ARNP operating under a written supervisory protocol that covers the procedure, or a PA operating under § 458.347 / § 458.348. An RN may not independently perform a GFE for a prescription injectable; an esthetician or LMA cannot perform a GFE under any configuration.
The defensible GFE contains: patient identification, chief concern, past medical history, current medications, allergies, targeted physical exam, risk-benefit discussion, authorization to proceed (the prescription or standing order), and the practitioner's identification and signature. Vague, template-only, or copy-pasted GFEs routinely fail Board of Medicine review. Telemedicine is generally permitted for the initial exam under § 456.47, subject to specific conditions — telephone or text-only encounters do not qualify.
The full pillar is the Florida GFE explainer.
5 · Prescription drug handling — botulinum toxin, fillers, controlled substances
A common myth in industry coverage is that Florida § 893.03 places botulinum toxin (Botox, Dysport, Xeomin, Jeuveau) on Schedule III. It does not. Botulinum toxin is an FDA-approved prescription-only legend drug — a biologic. It is not on any DEA schedule (II–V) and is not listed in Florida § 893.03. Confirm with your healthcare attorney before relying on any source that claims otherwise.
What is required when handling botulinum toxin and other prescription injectables (fillers, GLP-1s, BHRT):
- The prescribing practitioner must have authority to prescribe prescription drugs in Florida — Florida MD/DO license, ARNP under Chapter 464, or PA under § 458.347.
- The prescription or standing order must comply with Florida prescribing rules and Board of Medicine standard of care (Rule 64B8-9.009).
- The clinic must store drug source documentation: wholesaler invoice, lot number, acquisition date, and any compounding pharmacy records (503A or 503B). FDA Drug Supply Chain Security Act (DSCSA) T3 records apply to every prescription drug.
- A documented per-patient Good Faith Exam must precede each procedure (see § 4 above).
For clinics that do handle actual DEA-scheduled drugs — testosterone (Schedule III) for TRT, ketamine (Schedule III) for therapy clinics, anabolic steroids — the additional requirements do apply: DEA registration (Form 224, $888 for 3 years), § 893 prescribing rules, § 893.07 perpetual administration log, secure DEA-compliant storage, and inventory reconciliation. That's a separate, stricter overlay on top of the prescription-drug rules above.
Compounded weight-loss products (semaglutide, tirzepatide, B-12 cocktails) sit in a related but distinct framework — pharmacy compounding rules, FDA enforcement on compounded products, and any Florida-specific dispensing rules. The defensible record-keeping is the same: source, lot, date, practitioner authorization, patient record. Compounded GLP-1s have been a recurring inspection focus in 2025–2026.
6 · OSHA Bloodborne Pathogens (federal)
The federal OSHA Bloodborne Pathogens Standard (29 CFR 1910.1030) applies to every Florida med spa with employees who could reasonably be expected to have occupational exposure to blood or other potentially infectious materials. That is, in practice, every clinic with an injection room.
The standard requires: a written exposure-control plan reviewed at least annually, free hepatitis B vaccination offered to all at-risk employees within 10 days of assignment (with declination forms on file when refused), annual training documented and signed by each employee, a sharps log, appropriate engineering controls (sharps containers, work practice controls), personal protective equipment, post-exposure procedures with named follow-up provider, and recordkeeping retained for the duration of employment plus 30 years for medical records.
OSHA penalties in 2026 reach $165,514 per willful or repeated violation. Failure to document training is the most common citation in the small-clinic segment. The full checklist is the OSHA BBP checklist.
7 · HIPAA — Privacy, Security, BAAs
HIPAA applies to Florida med spas that transmit any health information in electronic form for transactions for which the Department of Health and Human Services has adopted standards (claims, eligibility checks, similar). In practice, virtually every clinic with an EMR is a covered entity. HIPAA obligations include:
- Privacy Rule — Notice of Privacy Practices posted and provided to patients, patient access rights, minimum necessary use, restrictions on disclosure;
- Security Rule — administrative, physical, and technical safeguards for electronic PHI; risk analysis; access controls; audit controls; encryption where reasonable;
- Breach Notification Rule — patient and HHS notification within 60 days of a breach affecting more than 500 individuals; smaller breaches reported annually;
- Business Associate Agreements (BAAs) — required with every vendor that receives, creates, maintains, or transmits PHI on the clinic's behalf, including the EMR vendor, the cloud storage provider, the IT consultant, the marketing CRM if it touches patient data, and yes — including ProofOps. ProofOps signs a BAA before any PHI is moved.
HIPAA enforcement is by the HHS Office for Civil Rights. Penalties scale with culpability and reach seven figures for willful neglect. Med spas with weight-loss programs marketed by SMS or with aggressive social-media practices have an outsized HIPAA risk profile that owners frequently underestimate.
7b · FIPA — Florida Information Protection Act (§ 501.171)
The federal HIPAA Breach Notification Rule is not the only breach-notification statute a Florida med spa must comply with. Florida's own information-protection statute, the Florida Information Protection Act (FIPA), codified at Florida Statute § 501.171, runs on a tighter clock than HIPAA and applies to a broader category of data (any "personal information" of a Florida resident, not only PHI). The two statutes are cumulative — a Florida med spa breached on a Tuesday is on both clocks simultaneously, and the shorter one controls.
- 30-day notification to affected individuals — running from the date the breach was determined to have occurred. HIPAA gives 60 days; FIPA gives 30. The shorter window controls (§ 501.171(4)).
- Florida Attorney General notification — required within 30 days if the breach affects more than 500 Florida residents. Notice is filed with the AG's Consumer Protection Division (§ 501.171(3)).
- Consumer reporting agencies (Equifax, Experian, TransUnion) — must be notified without unreasonable delay if the breach affects more than 1,000 individuals nationwide (§ 501.171(5)).
- Third-party vendor obligation — vendors who handle personal information on the clinic's behalf must notify the clinic within 10 days of discovering a breach (§ 501.171(6)).
- Encrypted-data carve-out — FIPA notification is not triggered by exposure of encrypted data, provided the encryption key was not also compromised (§ 501.171(1)(g)).
- Penalties — up to $1,000 per day for the first 30 days of non-compliance, then up to $50,000 per subsequent 30-day period, capped at $500,000 per breach (§ 501.171(9)).
The practical reality for a Florida med spa: HIPAA and FIPA are not interchangeable. A clinic that handles a breach response strictly under HIPAA's 60-day window will blow the FIPA 30-day window for individual notice and, if 500+ Floridians are affected, will also miss the FIPA AG notice. Both are discrete violations. ProofOps Medical tracks both clocks per incident on the incident record, flags the file when the 30-day FIPA window approaches, and prepares the three FIPA letter scaffolds (individual, FL AG, consumer reporting agency) for attorney finalization the moment an incident is classified as a confirmed breach.
8 · FDA DSCSA, drug source records, and weight-loss compounds
The federal Drug Supply Chain Security Act (DSCSA), codified at 21 USC § 360eee et seq., requires dispensers (which includes clinics dispensing prescription drugs) to maintain transaction information, history, and statements for prescription product. As of 2024–2026, FDA enforcement on DSCSA dispensers has expanded into the small-clinic segment — the agency has made clear that aesthetic and weight-loss clinics dispensing prescription product are within scope.
Practical implications:
- Every dose of botulinum toxin, dermal filler (where prescription-only), and prescription weight-loss compound on the premises must be traceable to a registered wholesaler or pharmacy.
- Receipt documentation — invoice, lot number, expiration date, transfer documentation if any — is maintained for not less than six years per DSCSA.
- Counterfeit product is treated as the clinic's risk: a clinic that bought "grey market" Botox from an unverified source and administered it to patients faces stacked exposure under DSCSA, the Florida Pharmacy Act, and the standard of care.
- 503A compounded products carry a different documentary set than 503B compounded products. Both must be on file.
9 · Advertising, FTC endorsements, and Florida-specific ad rules
Med-spa marketing has a regulatory shadow. The FTC Endorsement Guides apply to social-media promotion, before-and-after content, influencer partnerships, and patient testimonials. Florida's deceptive trade practice rules and Board of Medicine rules on physician advertising layer on top. Common pitfalls:
- Influencer endorsements without "#ad" or comparable disclosure;
- Before-and-after photos without disclosed result variability;
- Claims that imply outcomes ("permanent results," "no risk") that the standard of care does not support;
- Patient testimonials without proper consent, especially when the testimonial includes any PHI;
- Pricing promotions that violate state-specific rules on "free" services tied to medical consultations.
Advertising compliance is a documentation problem at the back end: signed model releases, signed influencer agreements, an ad-archive of every promotion run with its disclosure language, and a consent-on-file record for every patient image. ProofOps catalogs these alongside the clinical file.
10 · § 456.073 — the 20-day complaint response
When the Florida Department of Health receives a complaint against a licensed practitioner, § 456.073 sets a 20-day window for the licensee to submit a written response. The clock runs from the practitioner's receipt of the notice. Twenty days is short. Twenty days when your supervisory protocol is in a Drive folder, your GFE for the named patient is in a paper chart in the back, and your sharps log is in three different binders — that twenty days is panic.
A defensible response pack is built before any complaint arrives. ProofOps' Complaint Response feature pre-stages the typical exhibits: supervisory contract, named-patient GFE, training records for the named staff member, sharps log entries for the date in question, the clinic's policies, and the medical director's chart-review log. The owner's healthcare attorney drafts the cover letter; ProofOps supplies the bookmarked exhibit set.
11 · SB 1728 and the 2027 outlook
SB 1728 / HB 1429 — the Medical Spa Prescription Drug Oversight Act — would have consolidated most of the items in this guide into a single med-spa-specific licensure regime under Florida Department of Health. It died in House Health Professions & Programs Subcommittee on March 13, 2026. A similar bill is widely expected in the 2027 session. Whatever the 2027 vehicle looks like, every documentation category it touches is already enforceable today.
Senator Joe Gruters, the lead Senate sponsor, has signaled continued interest. Industry observers expect a 2027 bill that softens the Board of Pharmacy oversight clause that drove the 2026 industry pushback, narrows the medical-spa definition, and may split into smaller stand-alone bills (adverse event reporting; drug source documentation; supervisory tightening). The full bill history is in the SB 1728 explainer.
Owners often hear "something new takes effect July 1" and assume it applies to them. For 2026, it doesn't. The 2026 legislative session adjourned sine die without passing a single med-spa-, cosmetic-procedure-, or office-surgery-specific bill. The four health-related bills with a July 1, 2026 effective date are narrow and don't change anything in this guide:
- HB 1347 — Clinical Laboratory Personnel. Aligns Florida lab-personnel licensure with federal CLIA. Affects clinical labs, not med spas.
- HB 867 — Dry Needling by Occupational Therapists. Lets OTs perform dry needling under board-set standards. Only relevant if you employ an OT for that scope.
- SB 192 — Patient Funds Held in Trust by Chiropractic Physicians. Removes the $1,500 cap on advance payments. Chiropractic-only.
- HB 375 — Autonomous CRNAs. Expands autonomous practice for certified registered nurse anesthetists. Touches you only if a CRNA provides sedation at your office-surgery facility.
The two bills that would have changed med spa requirements — SB 1728 / HB 1429 (Medical Spa Prescription Drug Oversight Act) and HB 309 / SB 424 (Hillary's Law on office surgery) — both died in committee. The enforcement framework for med spas in 2026 is the same as it was in late 2025: § 458.348, AHCA Chapter 400 Part X, § 893.03 (controlled substances, where applicable), § 456.47 (telehealth prescribing, synchronous A/V), OSHA 1910.1030, Florida 64E-16 biomedical waste, Board of Medicine Rule 64B8-9.009, and HIPAA. That's what regulators already use today, and it's what every section of this guide is organized around.
Sources: FL Senate SB 1728, FL Senate HB 309, Gunster 2026 session health-care summary, FL Board of Medicine 2025 bill tracker.
11b · Florida vertical-specific compliance guides
The core regulatory stack above applies to every Florida med spa. Each clinical vertical layers additional rules on top — sterile compounding for IV, post-shortage compounding for GLP-1, DEA Schedule III handling for hormone / TRT, FDA enforcement positions for regenerative. Each guide below is the primary-source-cited explainer for that vertical.
- Florida IV clinic compliance — USP <797> sterile compounding, 503A vs 503B sourcing, lot tracking, GFE for IV indications, FAC 64E-16 biomedical waste.
- Florida GLP-1 clinic compliance — post-shortage compounding landscape (FDA removed semaglutide / tirzepatide shortage status late 2024), § 456.47 telehealth, documented clinical justification per patient.
- Florida hormone & TRT clinic compliance — testosterone as a Schedule III controlled substance, DEA registration under 21 CFR 1301.11, DEA recordkeeping under 21 CFR 1304, pellet protocols.
- Florida regenerative medicine compliance — PRP, exosomes, peptides, stem-cell HCT/Ps under 21 CFR 1271, FDA warning-letter watch, off-label / experimental consent.
11c · 2026 enforcement signals and operational responses
Three pages we keep updated as the regulatory and media picture moves through 2026:
- Florida med spa enforcement tracker 2026 — dated tracker covering the Sun Sentinel "Med spas unmasked" investigation (Feb 19, 2026), the SB 1728 death (Mar 13, 2026), the NYC Council OID inspection (Dec 2025, n=15), and the peer-reviewed Plast Reconstr Surg systematic survey (Jan 2025). Updated monthly.
- Sun Sentinel "Med spas unmasked" — operational response — the 8-point checklist Florida med spa owners should run this week in response to the investigation.
- AHCA inspection preparation for Florida med spas — 9-step HowTo checklist of exactly what AHCA inspectors ask for, in the order they ask, with statute citations and inspector-preferred formats.
12 · The audit-ready file: what to keep, where
A Florida med spa that wants to be defensible in 2026 keeps one organized file. ProofOps maintains it on your behalf; clinics that build it themselves typically organize it like this:
- Section A — Clinic licensure. AHCA HCC license or exemption letter; certificate of occupancy; liability insurance certificate; business license.
- Section B — Medical director and supervision. Medical director designation; Florida DOH license verification; § 458.348 supervisory protocol; primary practice address with verification; supervisee roster; chart review log.
- Section C — Staff credentials. For each clinical staff member: license, DEA where applicable, malpractice coverage, BLS/ACLS as relevant, BBP training acknowledgment, hepatitis B offer letter or declination, HIPAA training acknowledgment.
- Section D — Protocols and policies. Standing orders; emergency consultation and transfer-of-care procedure; OSHA exposure-control plan; HIPAA Privacy and Security policies; infection control policy; QA program with quarterly meeting minutes.
- Section E — Drug source and inventory. Wholesaler invoices for Schedule III product; compounding pharmacy records; perpetual inventory log; reconciliation logs; destruction records.
- Section F — Patient records sample. Recent GFE samples; consent forms; procedure notes; before-and-after photo consent.
- Section G — Vendor records. Sharps and biohazard waste manifests for prior 12 months; training provider certificates; SDS for chemicals on premises; BAA confirmations from every vendor that handles PHI.
- Section H — Incident and complaint log. Adverse event records; patient complaints with responses; any Board or AHCA correspondence.
- Section I — Marketing and advertising compliance. Model releases; influencer agreements; ad archive with disclosure language; FTC-relevant documentation.
- Section J — Open items. Anything not yet resolved, with owner-assigned target dates.
If you can produce that file in 24 hours when AHCA, DOH, OCR, OSHA, FDA, FTC, or your insurer asks, you are operating in a fundamentally different posture than 90% of Florida med spas. The work isn't complicated; it's just consistent.
13 · Frequently asked questions
Do I need an attorney to operate a Florida med spa?
Practically, yes — you need a Florida healthcare attorney for case-specific decisions: ownership structure, AHCA exemption letter, supervisory protocol drafting, complaint response, and any regulatory inquiry. ProofOps does not provide legal advice. The attorney's work is dramatically cheaper and faster when the documentation is organized.
Can I run a Florida med spa with an out-of-state medical director?
No. § 458.348 requires a Florida-licensed supervising physician with a primary practice within 25 miles or the same / contiguous county.
Is there a Florida law that explicitly says "medical spas must do X"?
Not yet. Most Florida med-spa obligations come from statutes that are not med-spa-specific — Chapter 458, Chapter 400 Part X, § 893.03, OSHA, HIPAA — applied to the med-spa setting. SB 1728 would have created a med-spa-specific framework. It died in 2026.
How often should I refresh this whole file?
Sections A, B, C, and D should be reviewed annually with formal sign-off. Section E (drug source and inventory) is updated as product is received. Section F (patient records) is current daily. Section G (vendors) is updated as documents arrive. Section H (incidents) is updated whenever an incident occurs. ProofOps manages this cadence on your behalf.
What's the single most-cited deficiency in Florida med-spa inspections?
In 2024–2026, the most-cited single deficiency is missing or outdated supervisory documentation — either the § 458.348 protocol itself, the medical director's primary practice verification, or the chart review log. Second is missing OSHA training records. Third is GFE templates without individualization.
Does ProofOps work outside Florida?
No. ProofOps is a Florida-only, done-for-you compliance service built around the specific statutes, agencies, and timelines that actually trigger enforcement in this state. We'd rather not be a fit for clinics outside Florida than be a generic, lukewarm fit. The free audit and the full service are both for clinics with a Florida-licensed location.
How ProofOps Medical helps
Everything in this guide is what ProofOps maintains on your behalf. Your dedicated documentation inbox — at the email address you pick (proof@, docs@, compliance@, whatever fits) — catches vendor and license records. Your dedicated compliance team classifies, files, and tracks expirations — reviewed and signed off by a real person before it reaches you. Each month you get a bookmarked inspection-ready PDF organized exactly like the audit-ready file in section 12. When a complaint arrives, the response pack is 80% built before your attorney drafts the cover letter.
Take the 2-minute Florida audit — see your specific FL gaps before you commit. Or apply for cohort access.
This guide is informational. It is not legal or medical advice and should not be relied upon as the basis for compliance decisions. For interpretation of any Florida statute, regulation, or rule specific to your clinic, consult your Florida healthcare attorney and your medical director. Sources: Florida Statutes Chapters 458, 459, 464, 465, 400 Part X, 893; Florida Administrative Code Title 64B; AHCA Rule 59A-33; 29 CFR 1910.1030; 45 CFR Parts 160 & 164; 21 USC § 360eee et seq.; FTC Endorsement Guides; Florida Senate / House bill tracking. As of May 2026.