1. Texas Medical Board — Chapter 169 (§§169.25–169.28)
Effective January 9, 2025, the TMB reorganized how Texas regulates nonsurgical cosmetic procedures. Botox, dermal fillers, IV therapy, lasers, and similar procedures are now treated as the practice of medicine, triggering a list of named documents: medical-director agreement, written delegation orders, standing protocols, named-credential staff IDs, supervision logs, and patient-specific Good Faith Exams.
2. HB 3749 / Jenifer's Law
Effective September 1, 2025, HB 3749 restricts the initiation of elective IV therapy in Texas to MD/DO, APRN, PA, or RN — under documented physician supervision. Phlebotomists, medical assistants, and aestheticians cannot initiate IV therapy. The supervising physician's identity, signed delegation order, standing protocol, and supervision log must exist before each infusion.
3. Texas Board of Nursing — Chapter 224
The Texas Board of Nursing (BON) governs RN, LVN, and APRN scopes of practice — including supervision and delegation rules. RNs may perform many delegated procedures in a Texas med spa, but the delegation must be documented and the procedures must be within scope.
Key BON-side records: each RN/LVN/APRN's active license verification, the delegation orders specifying procedures, and the supervision arrangement. The BON will pursue disciplinary action against an individual nurse's license — independent of any TMB action against the medical director — when these records are missing or the practice exceeds scope.
4. OSHA — 29 CFR 1910.1030 (Bloodborne Pathogens)
Every Texas clinic that handles sharps or biohazard materials is governed by OSHA's BBP Standard. OSHA cites small clinics most often for documentation findings: missing exposure-control plan reviews, undated training logs, incomplete sharps-container records. Penalties start at $16,550 per instance and can reach $165,514 for willful or repeated findings.
5. HIPAA — Privacy Rule and Security Rule
The HIPAA Privacy Rule (45 CFR Part 164 Subpart E) governs how patient information is used and disclosed. The Security Rule (45 CFR Part 164 Subpart C) governs administrative, physical, and technical safeguards for electronic PHI.
Required Texas-clinic records include: a published Notice of Privacy Practices, signed Business Associate Agreements with every vendor that touches PHI, a current risk analysis, breach-response procedure, and audit logs of access to electronic PHI. Penalties scale by tier of culpability — from "did not know" violations starting at ~$137 to "willful neglect not corrected" at up to ~$2.07M per violation type per year.
6. FDA DSCSA — Drug Supply Chain Security Act
The DSCSA (21 USC § 360eee et seq.) requires every dispenser of prescription drugs — including Botox, Dysport, Xeomin, and similar injectables — to maintain transaction records of receipt and use, with serial-number tracking down to the unit level.
The April 2026 FDA warning letter to Pure Indulgence Aesthetics in Southlake, Texas — the FDA's first-ever DSCSA warning to a dispenser-tier facility — was issued for unit-count discrepancies. Required records: transaction history (T2/T3 partner identity), lot numbers, dates received, storage location, patient/chart number where used, and date administered.
7. FTC + Texas advertising rules
The Federal Trade Commission's Endorsement Guides and Texas state advertising rules govern what a med spa can claim in marketing — including before/after photos, treatment-result claims, and patient testimonials. Required: clear disclaimer language ("results may vary"), original (not stock) before/after photos, consent forms for any patient images used, and substantiation for treatment claims.
The FTC's Endorsement Guides (16 CFR Part 255) and the new fake-review rule (16 CFR Part 465, effective August 2024) add specific prohibitions on fabricated reviews, undisclosed paid endorsements, and AI-generated content that doesn't represent real customers.
Texas inspector and underwriter expectations in 2026
Across the seven frameworks, the expectation that has changed most in 2026 is retrievability. Inspectors and insurance underwriters increasingly expect that the clinic can produce evidence in minutes, not weeks. The questions that come up first:
- Show me your medical-director agreement and the delegation orders for the procedures observed today.
- Show me the GFE for the patient on the schedule at 2:30 today.
- Show me the BBP training records for the staff in the back room.
- Show me the manifests from your last three medical-waste pickups.
- Show me the privacy policy on your website and the Notice of Privacy Practices in your intake flow.
- Show me the lot number and source for the Botox in your treatment room.
- Show me the consent and disclaimer for the before/after photos on your Instagram.
The five gaps that show up most often
- Medical-director agreement is current on paper but the relationship has changed. The MD has moved, retired, or stopped responding — but the agreement on file is from 18 months ago.
- Delegation orders are generic, not procedure-specific. A blanket "the medical director delegates all delegable acts" is not §169.25-defensible.
- GFEs are stored in the EMR but not consistently dated or signed. The clinical authorization is there but the audit trail is incomplete.
- OSHA training records are siloed in a vendor portal nobody checks. Stericycle's portal is doing its job but no one in the clinic is verifying records before the OSHA-cycle review.
- DSCSA records are in supplier emails, not in a transaction log. The clinic has the pieces but cannot reconcile receipt against use without a multi-week effort.
How to organize the evidence
A workable file structure looks like:
- /medical-director/ — agreement, delegation orders, standing protocols, MD license verification (re-verified annually)
- /staff/[name]/ — license, BLS, BBP training, IV authorization, injectable authorization, protocol acknowledgment
- /gfe/[YYYY]/[patient-id]/ — exam record, signed consent, authorized procedure(s)
- /products/[lot-number]/ — supplier transaction record, receipt, expiry, patient/chart usage log
- /osha/ — current ECP, training logs, sharps log, incident records, vaccination records, SDS sheets
- /hipaa/ — Notice of Privacy Practices version history, risk analysis, BAAs, breach log
- /insurance/ — current malpractice policy, broker contact, last renewal pack
- /inspections/ — past TMB, OSHA, or board interactions and their resolutions
The structure can be paper, network drive, EMR-attached, or purpose-built (which is what ProofOps does). What matters is that any one of the documents above can be produced within minutes when asked.
Where to start
If you're starting from a scattered baseline, fix in this order:
- Verify the medical-director agreement is current and the MD's TMB license is active. Re-sign with current dates if the relationship has changed.
- Update or create procedure-specific delegation orders for every covered procedure on your menu.
- Make sure every clinical staff member has a current GFE-authorization workflow and that GFEs are dated and signed.
- Centralize OSHA records (ECP, training logs, sharps log) in one location.
- Run a DSCSA reconciliation: pull supplier records for the last 90 days and confirm every product can be traced from receipt to patient.
- Audit your website and intake flow against HIPAA + FTC requirements.
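The DSCSA reconciliation step above can be run as a small script once receipt and usage records are in one place. This is an added example, not ProofOps code: it assumes the records have already been exported for the review window, and the field names, lot numbers, suppliers and chart IDs are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records; lot numbers, suppliers and chart IDs are made up.
RECEIPTS = [
    {"lot": "LOT-A1", "supplier": "Supplier One", "received": date(2026, 1, 5),
     "expiry": date(2026, 9, 30), "units": 10},
    {"lot": "LOT-B2", "supplier": "Supplier Two", "received": date(2026, 2, 10),
     "expiry": date(2026, 3, 1), "units": 4},
]
USES = [
    {"lot": "LOT-A1", "chart": "C-1001", "administered": date(2026, 1, 12), "units": 6},
    {"lot": "LOT-A1", "chart": "", "administered": date(2026, 1, 20), "units": 2},
    {"lot": "LOT-B2", "chart": "C-1002", "administered": date(2026, 3, 4), "units": 5},
    {"lot": "LOT-Z9", "chart": "C-1003", "administered": date(2026, 2, 2), "units": 1},
]

def reconcile(receipts, uses):
    """Return {lot: [finding, ...]} for every lot that cannot be traced cleanly."""
    received = {}
    for r in receipts:
        entry = received.setdefault(
            r["lot"], {"units": 0, "first": r["received"], "expiry": r["expiry"]})
        entry["units"] += r["units"]
        entry["first"] = min(entry["first"], r["received"])
    findings, used = defaultdict(list), defaultdict(int)
    for u in uses:
        lot = u["lot"]
        used[lot] += u["units"]
        if not u["chart"]:
            findings[lot].append(f"use on {u['administered']} has no chart number")
        if lot not in received:
            # Product was administered but never logged as received.
            findings[lot].append(f"use on {u['administered']} has no receipt record")
            continue
        if u["administered"] < received[lot]["first"]:
            findings[lot].append(f"use on {u['administered']} predates receipt")
        if u["administered"] > received[lot]["expiry"]:
            findings[lot].append(f"use on {u['administered']} is after expiry")
    for lot, entry in received.items():
        # Unit-count check: more units charted than the supplier records show.
        if used[lot] > entry["units"]:
            findings[lot].append(f"{used[lot]} units used, only {entry['units']} received")
    return dict(findings)

if __name__ == "__main__":
    for lot, issues in sorted(reconcile(RECEIPTS, USES).items()):
        for issue in issues:
            print(f"{lot}: {issue}")
```

A lot with no findings only shows that charted use does not exceed receipts; confirming the remaining units still requires a physical count against the storage location.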
How ProofOps Medical helps
ProofOps centralizes all seven frameworks' required documentation into one digital file, runs AI agents that chase missing records, surfaces gaps before they become urgent, and produces a monthly readiness report covering each framework. We don't replace your medical director, attorney, or OSHA consultant — we organize their work so it's retrievable on demand.
Informational, not legal advice. For interpretation specific to your clinic, consult your healthcare attorney, OSHA consultant, and medical director. Cite/source: TMB Chapter 169, HB 3749, BON Chapter 224, 29 CFR 1910.1030, 45 CFR Parts 160 & 164, 21 USC § 360eee et seq., 16 CFR Parts 255 & 465.