The letter from the state board does not give you weeks to prepare. It gives you days. Sometimes a phone call comes first, perhaps from an investigator who has already pulled your filings and wants to see records. That is when the med spa's medical director setup either holds together or falls apart.
Most owners think about audits as something that happens to other clinics. The competitor up the road. The franchise that grew too fast. Not them. Then a patient complaint, a disgruntled former employee, or a routine sweep brings an investigator to the front desk. What the investigator looks at first is the relationship between the spa and the supervising physician. The med spa's medical director setup is the first file pulled, and everything else flows from there.
Start with What an Auditor Actually Asks For
Auditors do not ask if you have a medical director. They ask for proof of what that medical director does. Two very different questions.
Common document requests during a state board investigation include:
- The written agreement between the spa and the medical director
- Records of physical site visits, dated and signed
- Chart reviews completed by the director, with documented frequency
- Standing orders signed and dated by the director
- Protocols for each service the spa performs
- Training records for injectors, laser techs, and other clinical staff
- Adverse event logs and the director’s involvement in each
- Communication records between staff and the director
If any of these come back thin or missing, the investigation widens. So the goal is to build the file before anyone asks for it.
The Agreement Has to Match Reality
Most spa owners I have heard from sign an agreement once and never look at it again. Two years later, the spa offers services the contract never mentioned. The director signs paperwork for treatments they have never seen performed.
That mismatch is one of the easier things for an investigator to spot.
Here is what to check.
Pull the agreement. Read the services list. Compare it to what the spa actually performs today. If the spa added GLP-1 weight loss, hormone pellets, RF microneedling, or PDO threads since the original signing, the agreement needs an amendment.
The same goes for the staff roster. A director who agreed to supervise two injectors and now technically supervises seven is in trouble during an audit. So is the owner.
Standing orders deserve the same review. A standing order for a device the spa replaced last year is not just outdated. It is evidence that the director has not been paying attention.
Document the Site Visits
State boards differ on how often a medical director should visit. Some name a frequency. Others use language like "reasonable presence" or "regular review."
Whichever standard applies in your state, the goal is the same. Build a paper trail.
A site visit log should include:
- Date of the visit
- Duration
- Areas reviewed (treatment rooms, medication storage, charts, staff interactions)
- Issues identified
- Corrective actions assigned
- Follow-up dates
- The director’s signature
A spa with monthly visit logs covering two years has a defense. A spa with no visit logs has a problem.
Chart Reviews That Hold Up Under Scrutiny
Auditors look at chart review documentation the way a CPA looks at receipts. Either it exists in the right format, or it does not.
Random chart sampling during a review should produce evidence of physician involvement. Not just a signature on the consent form. Real review notes. Questions asked. Recommendations made. Treatment plan adjustments.
Spas that review one chart a quarter to check the box are setting themselves up for findings. The volume should match the activity. A spa running 200 patient visits a month and producing two chart reviews looks negligent on paper. Because it is.
Adverse Event Documentation Is Not Optional
Every spa has adverse events. Bruising that lasted too long. A vascular event that resolved with hyaluronidase. A laser burn. A nodule from filler.
What separates compliant spas from non-compliant ones is documentation.
Each adverse event should produce a written record that includes the date, the patient, the treatment, the outcome, the director’s involvement in the response, and any protocol changes made afterward. Investigators look for these records because they show whether the oversight relationship was working when it mattered.
A spa that cannot produce adverse event records is in worse shape than one with several documented events handled properly.
What Owners Sometimes Miss
The med spa medical director relationships that fail audits usually fail for the same reasons. The agreement and the operation drifted apart. The site visits stopped happening. The chart reviews became signatures. The filings expired quietly.
None of these is dramatic. They happen slowly, perhaps over a year or two, while the spa is busy growing.
A relationship that survives an audit is one that gets reviewed quarterly by someone who is paid to find problems before the state does. Some owners handle that themselves. Some bring in outside help. Either approach works as long as someone is doing it.
The spa that wins an audit looks boring on paper. Consistent records. Current filings. Documented oversight. Boring is the goal.

