1 · The Florida med spa regulatory stack
Med-spa regulation in Florida is layered, and that layering trips owners up. There is no single "med spa license" issued by a single agency. Instead, six overlapping authorities apply, and a clinic that fully complies with one while ignoring another is still exposed:
- Florida Department of Health (DOH) — Boards. The Florida Board of Medicine regulates physicians under Chapter 458; the Board of Osteopathic Medicine under 459; the Board of Nursing under 464; the Board of Pharmacy under 465. Each board investigates complaints against its licensees and disciplines the practitioner — not the clinic — but the clinic's records become exhibits in those investigations.
- Agency for Health Care Administration (AHCA). Licenses Health Care Clinics under § 400.9905 and Rule 59A-33; conducts inspections; processes exemption letter requests.
- Federal OSHA. Enforces the Bloodborne Pathogens Standard (29 CFR 1910.1030), hazard communication, and other workplace safety standards. State OSHA does not exist in Florida — federal OSHA is the inspecting authority.
- HHS Office for Civil Rights. Enforces HIPAA Privacy, Security, and Breach Notification rules.
- FDA. Regulates the prescription drug supply chain (DSCSA), product manufacturing, and certain device categories. The 2026 enforcement profile is increasingly focused on injectable product source documentation.
- FTC and Florida Department of Agriculture and Consumer Services. Advertising and endorsement rules apply to med-spa promotion, particularly social-media-driven campaigns and before-and-after content.
None of these agencies coordinate proactively. A complaint to one may surface a record an inspector at another agency hadn't seen. The defensive posture is a single integrated file — which is what ProofOps maintains — that satisfies all six.
2 · § 458.348 supervision and the 25-mile rule
Florida Statute § 458.348 governs the supervision of mid-level practitioners (ARNPs, PAs) by Florida-licensed physicians. For a med spa, this is the operative statute behind every botulinum toxin injection an ARNP performs, every IV initiation a PA delegates, and every laser procedure supervised remotely.
The four operative requirements are: a written supervisory protocol; a primary practice location within 25 statutory miles or in the same / contiguous county; a maximum of four mid-level supervisees per supervising physician; and documented manner-and-frequency of supervision. Failure on any one is a § 458.348 deficiency. The "paper MD" pattern — a clinic with a contract but no operational presence by the medical director — is the most-cited issue in 2024–2026 Florida med-spa investigations. ProofOps tracks each of the four requirements per supervising physician on file and re-runs the geography check whenever a clinic location or primary practice address changes.
The full pillar on this is the § 458.348 explainer.
3 · AHCA Health Care Clinic licensure or exemption
Most Florida med spas need either an HCC license or a written AHCA exemption determination on file. The default presumption is that a clinic providing health services for compensation, not wholly physician-owned, requires the license. The wholly-physician-owned exemption under § 400.9905(4) is self-executing, but the defensible practice is to request a written exemption letter from AHCA's Bureau of Health Facility Regulation. Operating an unlicensed clinic when one is required is a third-degree felony under § 400.9935.
AHCA inspections sample medical-director designations, supervisory protocols, OSHA records, sharps manifests, infection control policies, employee files, GFE records, and the AHCA license posted on the premises. The full pillar is the AHCA HCC explainer.
4 · The Good Faith Exam, end to end
A Good Faith Exam is the patient encounter that establishes the practitioner-patient relationship, documents the medical history, evaluates the patient for the specific procedure, and authorizes the delegated medical act. In Florida, the GFE must be performed by a Florida-licensed physician, an ARNP operating under a written supervisory protocol that covers the procedure, or a PA operating under § 458.347 / § 458.348. An RN may not perform a GFE for a Schedule III injectable; an esthetician or LMA cannot perform a GFE under any configuration.
The defensible GFE contains: patient identification, chief concern, past medical history, current medications, allergies, targeted physical exam, risk-benefit discussion, authorization to proceed (the prescription or standing order), and the practitioner's identification and signature. Vague, template-only, or copy-pasted GFEs routinely fail Board of Medicine review. Telemedicine is generally permitted for the initial exam under § 456.47, subject to specific conditions — telephone or text-only encounters do not qualify.
The full pillar is the Florida GFE explainer.
5 · Schedule III Botox and controlled substance handling
Florida § 893.03 places botulinum toxin (Botox, Dysport, Xeomin, Jeuveau and others) under Schedule III of the Florida controlled substance schedule. That status has practical consequences:
- The prescribing practitioner must have authority to prescribe Schedule III drugs in Florida — DEA registration for the prescriber, ARNP controlled-substance authority where applicable, PA authority under § 458.347.
- The prescription or standing order must comply with Schedule III prescribing rules.
- The clinic must maintain a perpetual log of receipt, storage, dispensing, and reconciliation of Schedule III product on the premises.
- The clinic must store the drug source documentation: wholesaler invoice, lot number, acquisition date, and any compounding pharmacy records (503A or 503B).
- Dispensing or administering a Schedule III drug without proper documentation is a serious violation, separate from any GFE deficiency.
Compounded weight-loss products (semaglutide, tirzepatide, B-12 cocktails) sit in a related but distinct framework — pharmacy compounding rules, FDA enforcement on compounded products, and any Florida-specific dispensing rules. The defensible record-keeping is the same: source, lot, date, practitioner authorization, patient record. Compounded GLP-1s have been a recurring inspection focus in 2025–2026.
6 · OSHA Bloodborne Pathogens (federal)
The federal OSHA Bloodborne Pathogens Standard (29 CFR 1910.1030) applies to every Florida med spa with employees who could reasonably be expected to have occupational exposure to blood or other potentially infectious materials. That is, in practice, every clinic with an injection room.
The standard requires: a written exposure-control plan reviewed at least annually; free hepatitis B vaccination offered to all at-risk employees within 10 days of assignment (with declination forms on file when refused); annual training documented and signed by each employee; a sharps log; appropriate engineering controls (sharps containers, work practice controls); personal protective equipment; post-exposure procedures with a named follow-up provider; and recordkeeping retained for the duration of employment plus 30 years for medical records.
OSHA penalties in 2026 reach $165,514 per willful or repeated violation. Failure to document training is the most common citation in the small-clinic segment. The full checklist is the OSHA BBP checklist.
7 · HIPAA — Privacy, Security, BAAs
HIPAA applies to Florida med spas that transmit any health information in electronic form for transactions for which the Department of Health and Human Services has adopted standards (claims, eligibility checks, similar). In practice, virtually every clinic with an EMR is a covered entity. HIPAA obligations include:
- Privacy Rule — Notice of Privacy Practices posted and provided to patients, patient access rights, minimum necessary use, restrictions on disclosure;
- Security Rule — administrative, physical, and technical safeguards for electronic PHI; risk analysis; access controls; audit controls; encryption where reasonable;
- Breach Notification Rule — patient and HHS notification within 60 days of a breach affecting more than 500 individuals; smaller breaches reported annually;
- Business Associate Agreements (BAAs) — required with every vendor that receives, creates, maintains, or transmits PHI on the clinic's behalf, including the EMR vendor, the cloud storage provider, the IT consultant, the marketing CRM if it touches patient data, and yes — including ProofOps. ProofOps signs a BAA before any PHI is moved.
HIPAA enforcement is by the HHS Office for Civil Rights. Penalties scale with culpability and reach seven figures for willful neglect. Med spas with weight-loss programs marketed by SMS or with aggressive social-media practices have an outsized HIPAA risk profile that owners frequently underestimate.
8 · FDA DSCSA, drug source records, and weight-loss compounds
The federal Drug Supply Chain Security Act (DSCSA), codified at 21 USC § 360eee et seq., requires dispensers (which includes clinics dispensing prescription drugs) to maintain transaction information, history, and statements for prescription product. As of 2024–2026, FDA enforcement on DSCSA dispensers has expanded into the small-clinic segment — the agency has made clear that aesthetic and weight-loss clinics dispensing prescription product are within scope.
Practical implications:
- Every dose of botulinum toxin, dermal filler (where prescription-only), and prescription weight-loss compound on the premises must be traceable to a registered wholesaler or pharmacy.
- Receipt documentation — invoice, lot number, expiration date, transfer documentation if any — is maintained for not less than six years per DSCSA.
- Counterfeit product is treated as the clinic's risk: a clinic that bought "grey market" Botox from an unverified source and administered it to patients faces stacked exposure under DSCSA, the Florida Pharmacy Act, and the standard of care.
- 503A compounded products carry a different documentary set than 503B compounded products. Both must be on file.
9 · Advertising, FTC endorsements, and Florida-specific ad rules
Med-spa marketing has a regulatory shadow. The FTC Endorsement Guides apply to social-media promotion, before-and-after content, influencer partnerships, and patient testimonials. Florida's deceptive trade practice rules and Board of Medicine rules on physician advertising layer on top. Common pitfalls:
- Influencer endorsements without "#ad" or comparable disclosure;
- Before-and-after photos without disclosed result variability;
- Claims that imply outcomes ("permanent results," "no risk") that the standard of care does not support;
- Patient testimonials without proper consent, especially when the testimonial includes any PHI;
- Pricing promotions that violate state-specific rules on "free" services tied to medical consultations.
Advertising compliance is a documentation problem at the back end: signed model releases, signed influencer agreements, an ad-archive of every promotion run with its disclosure language, and a consent-on-file record for every patient image. ProofOps catalogs these alongside the clinical file.
10 · § 456.073 — the 20-day complaint response
When the Florida Department of Health receives a complaint against a licensed practitioner, § 456.073 sets a 20-day window for the licensee to submit a written response. The clock runs from the practitioner's receipt of the notice. Twenty days is short. Twenty days when your supervisory protocol is in a Drive folder, your GFE for the named patient is in a paper chart in the back, and your sharps log is in three different binders — that twenty days is panic.
A defensible response pack is built before any complaint arrives. ProofOps' Complaint Response feature pre-stages the typical exhibits: supervisory contract, named-patient GFE, training records for the named staff member, sharps log entries for the date in question, the clinic's policies, and the medical director's chart-review log. The owner's healthcare attorney drafts the cover letter; ProofOps supplies the bookmarked exhibit set.
11 · SB 1728 and the 2027 outlook
SB 1728 / HB 1429 — the Medical Spa Prescription Drug Oversight Act — would have consolidated most of the items in this guide into a single med-spa-specific licensure regime under the Florida Department of Health. It died in the House Health Professions & Programs Subcommittee on March 13, 2026. A similar bill is widely expected in the 2027 session. Whatever the 2027 vehicle looks like, every documentation category it touches is already enforceable today.
Senator Joe Gruters, the lead Senate sponsor, has signaled continued interest. Industry observers expect a 2027 bill that softens the Board of Pharmacy oversight clause that drove the 2026 industry pushback, narrows the medical-spa definition, and may split into smaller stand-alone bills (adverse event reporting; drug source documentation; supervisory tightening). The full bill history is in the SB 1728 explainer.
Owners often hear "something new takes effect July 1" and assume it applies to them. For 2026, it doesn't. The 2026 legislative session adjourned sine die without passing a single med-spa-, cosmetic-procedure-, or office-surgery-specific bill. The four health-related bills with a July 1, 2026 effective date are narrow and don't change anything in this guide:
- HB 1347 — Clinical Laboratory Personnel. Aligns Florida lab-personnel licensure with federal CLIA. Affects clinical labs, not med spas.
- HB 867 — Dry Needling by Occupational Therapists. Lets OTs perform dry needling under board-set standards. Only relevant if you employ an OT for that scope.
- SB 192 — Patient Funds Held in Trust by Chiropractic Physicians. Removes the $1,500 cap on advance payments. Chiropractic-only.
- HB 375 — Autonomous CRNAs. Expands autonomous practice for certified registered nurse anesthetists. Touches you only if a CRNA provides sedation at your office-surgery facility.
The two bills that would have changed med spa requirements — SB 1728 / HB 1429 (Medical Spa Prescription Drug Oversight Act) and HB 309 / SB 424 (Hillary's Law on office surgery) — both died in committee. The enforcement framework for med spas in 2026 is the same as it was in late 2025: § 458.348, AHCA Chapter 400 Part X, § 893.03 Schedule III, OSHA 1910.1030, Florida 64E-16 biomedical waste, Board of Medicine 64B8, and HIPAA. That's what regulators already use today, and it's what every section of this guide is organized around.
Sources: FL Senate SB 1728, FL Senate HB 309, Gunster 2026 session health-care summary, FL Board of Medicine 2025 bill tracker.
12 · The audit-ready file: what to keep, where
A Florida med spa that wants to be defensible in 2026 keeps one organized file. ProofOps maintains it on your behalf; clinics that build it themselves typically organize it like this:
- Section A — Clinic licensure. AHCA HCC license or exemption letter; certificate of occupancy; liability insurance certificate; business license.
- Section B — Medical director and supervision. Medical director designation; Florida DOH license verification; § 458.348 supervisory protocol; primary practice address with verification; supervisee roster; chart review log.
- Section C — Staff credentials. For each clinical staff member: license, DEA where applicable, malpractice coverage, BLS/ACLS as relevant, BBP training acknowledgment, hepatitis B offer letter or declination, HIPAA training acknowledgment.
- Section D — Protocols and policies. Standing orders; emergency consultation and transfer-of-care procedure; OSHA exposure-control plan; HIPAA Privacy and Security policies; infection control policy; QA program with quarterly meeting minutes.
- Section E — Drug source and inventory. Wholesaler invoices for Schedule III product; compounding pharmacy records; perpetual inventory log; reconciliation logs; destruction records.
- Section F — Patient records sample. Recent GFE samples; consent forms; procedure notes; before-and-after photo consent.
- Section G — Vendor records. Sharps and biohazard waste manifests for prior 12 months; training provider certificates; SDS for chemicals on premises; BAA confirmations from every vendor that handles PHI.
- Section H — Incident and complaint log. Adverse event records; patient complaints with responses; any Board or AHCA correspondence.
- Section I — Marketing and advertising compliance. Model releases; influencer agreements; ad archive with disclosure language; FTC-relevant documentation.
- Section J — Open items. Anything not yet resolved, with owner-assigned target dates.
If you can produce that file in 24 hours when AHCA, DOH, OCR, OSHA, FDA, FTC, or your insurer asks, you are operating in a fundamentally different posture than 90% of Florida med spas. The work isn't complicated; it's just consistent.
13 · Frequently asked questions
Do I need an attorney to operate a Florida med spa?
Practically, yes — you need a Florida healthcare attorney for case-specific decisions: ownership structure, AHCA exemption letter, supervisory protocol drafting, complaint response, and any regulatory inquiry. ProofOps does not provide legal advice. The attorney's work is dramatically cheaper and faster when the documentation is organized.
Can I run a Florida med spa with an out-of-state medical director?
No. § 458.348 requires a Florida-licensed supervising physician with a primary practice within 25 miles or the same / contiguous county.
Is there a Florida law that explicitly says "medical spas must do X"?
Not yet. Most Florida med-spa obligations come from statutes that are not med-spa-specific — Chapter 458, Chapter 400 Part X, § 893.03, OSHA, HIPAA — applied to the med-spa setting. SB 1728 would have created a med-spa-specific framework. It died in 2026.
How often should I refresh this whole file?
Sections A, B, C, and D should be reviewed annually with formal sign-off. Section E (drug source and inventory) is updated as product is received. Section F (patient records) is kept current daily. Section G (vendors) is updated as documents arrive. Section H (incidents) is updated whenever an incident occurs. ProofOps automates the cadence.
What's the single most-cited deficiency in Florida med-spa inspections?
In 2024–2026, the most-cited single deficiency is missing or outdated supervisory documentation — either the § 458.348 protocol itself, the medical director's primary practice verification, or the chart review log. Second is missing OSHA training records. Third is GFE templates without individualization.
Does ProofOps work outside Florida?
No. ProofOps is Florida-only software for the Florida-only problem — built around the specific statutes, agencies, and timelines that actually trigger enforcement in this state. We'd rather not be a fit for clinics outside Florida than be a generic, lukewarm fit. The free audit and the full service are both for clinics with a Florida-licensed location.
How ProofOps Medical helps
Everything in this guide is what ProofOps maintains on your behalf. Your dedicated documentation inbox — at the email address you pick (proof@, docs@, compliance@, whatever fits) — catches vendor and license records. Our agents classify, file, and track expirations. Each month you get a bookmarked inspection-ready PDF organized exactly like the audit-ready file in section 12. When a complaint arrives, the response pack is 80% built before your attorney drafts the cover letter.
This guide is informational. It is not legal or medical advice and should not be relied upon as the basis for compliance decisions. For interpretation of any Florida statute, regulation, or rule specific to your clinic, consult your Florida healthcare attorney and your medical director. Sources: Florida Statutes Chapters 458, 459, 464, 465, 400 Part X, 893; Florida Administrative Code Title 64B; AHCA Rule 59A-33; 29 CFR 1910.1030; 45 CFR Parts 160 & 164; 21 USC § 360eee et seq.; FTC Endorsement Guides; Florida Senate / House bill tracking. As of May 2026.