Ensuring OSHA compliance is critical for med spas to protect employees, avoid fines, and maintain a safe environment. Med spas face unique risks, including exposure to bloodborne pathogens and hazardous materials, making adherence to OSHA standards essential. Here's a quick summary of what you need to know:

  • Key OSHA Standards: Bloodborne Pathogens, PPE, Hazard Communication, and the General Duty Clause.
  • Documentation: Maintain an Exposure Control Plan, OSHA Logs (300, 300A, 301), Sharps Injury Logs, and Hazard Communication Program.
  • Training: Bloodborne Pathogen training (initial and annual), facility-specific procedures, and Hepatitis B vaccine offers.
  • Facility Safety: Proper cleaning schedules, sharps disposal, biohazard labeling, and ventilation systems.
  • Incident Protocols: Post-exposure care, confidential medical evaluations, and detailed incident reporting.

Compliance isn't just about avoiding penalties - it’s about creating a safe space for staff and clients. Keep records organized, update plans annually, and ensure all training is documented. Using digital tools can streamline these processes and help you stay audit-ready.

Written Plans, Documentation, and Policies

Having clear, written documentation is essential for staying compliant with OSHA standards and ensuring a smooth inspection process. Key areas to focus on include your Exposure Control Plan, detailed infection control logs, and proper workplace signage.

Exposure Control Plan (ECP)

The ECP is arguably the cornerstone of OSHA compliance. OSHA mandates that any employer with occupational exposure risks must have this plan in place:

"Each employer having an employee(s) with occupational exposure... shall establish a written Exposure Control Plan designed to eliminate or minimize employee exposure." - OSHA

This document should include a written exposure determination that identifies job roles and tasks with potential exposure to blood or Other Potentially Infectious Materials (OPIM). Importantly, this determination should not rely on the use of personal protective equipment (PPE). The plan must also outline compliance strategies, such as PPE usage, engineering controls, housekeeping protocols, Hepatitis B vaccination procedures, and steps for post-exposure incidents.

Two often-overlooked requirements for the ECP:

  • It must be accessible to all employees during every work shift.
  • It requires an annual review and update, including documentation of any evaluation of safer medical devices, like self-sheathing needles. The process must also include input from non-managerial staff directly involved in patient care.

Once your ECP is established, the next step is to ensure your infection control policies and logs are equally thorough.

Infection Control Policies and Logs

Your infection control policies should work hand-in-hand with your ECP, supported by detailed records that confirm compliance.

OSHA requires specific documentation for med spas with 10 or more employees. These include:

  • The OSHA 300 Log for recording work-related injuries and illnesses.
  • The OSHA 300A Summary, summarizing the year’s incidents.
  • The OSHA 301 Incident Report, providing detailed accounts of individual cases.

All these records must be kept for at least five years.

Additionally, a Sharps Injury Log is mandatory and must remain confidential. This log tracks every instance of needlestick or sharps injuries that could involve exposure to bloodborne pathogens.

Your Hazard Communication (HazCom) program also needs to be in writing. It should include a complete inventory of hazardous chemicals and Safety Data Sheets (SDS) in the standardized 16-section GHS format. This applies to all chemicals in your facility, from disinfectants to sterilants. A written cleaning and decontamination schedule is another requirement, specifying methods based on surface type, location, and tasks performed.

Document/Log | Key Requirement
Exposure Control Plan | Written; annual review with safer device documentation
Sharps Injury Log | Confidential; separate from general injury log
OSHA 300 Log & 300A | Required for 10+ employees; retained for 5 years
HazCom Program | Written inventory + GHS-format SDS for all chemicals
Cleaning Schedule | Written; location- and surface-specific

Workplace Signage and Labels

Written plans are essential, but clear workplace signage plays a major role in maintaining a compliant environment.

Biohazard labels must meet OSHA standards: fluorescent orange or orange-red with a biohazard symbol and contrasting lettering. These labels are required on all containers holding regulated waste, blood, or OPIM, including refrigerators and freezers. In some cases, red bags or red containers can replace labels.

All hazardous chemical containers must have GHS-compliant HazCom labels. These labels should include hazard pictograms, a signal word, hazard statements, and supplier information. Contaminated equipment sent out for servicing or shipping must also be clearly labeled to identify which parts remain contaminated.

Finally, don’t forget the OSHA 300A Summary, which must be displayed in a visible employee area (like a break room) from February 1 through April 30 every year. Emergency action plans, evacuation maps, and related signage should also be posted throughout your facility as part of your safety protocols.

Staff Training and Immunization Requirements

Once your written plans and documentation are set, the next step is ensuring every team member understands their responsibilities and can demonstrate compliance. OSHA mandates more than just having policies on paper - employees must complete documented training before facing any occupational hazards.

Bloodborne Pathogen and Hazard Communication Training

Employees at risk of exposure to blood or Other Potentially Infectious Materials (OPIM) must undergo Bloodborne Pathogen (BBP) training when they start their role and then annually, within 12 months of their last session. If new procedures or equipment change the exposure risks, additional training must happen immediately.

A common pitfall for med spas is relying on generic online courses. According to HipaaKit, "OSHA has cited employers for using off-the-shelf online BBP training that does not address facility-specific procedures". Training must be tailored to your facility, referencing your Exposure Control Plan, your engineering controls, and the specific PPE used by your team. The trainer must also be knowledgeable in the topic and allow time for live questions.

"Training must include information about how to recognize tasks that may involve exposure and the methods to reduce exposure, including appropriate engineering controls, work practices, and personal protective equipment." - OSHA

Training must be provided free of charge and during work hours. Records of each session must be kept for three years and should include the training date, a summary of the content, the trainer’s credentials, and the names and job titles of attendees.

Hepatitis B Vaccination and Declination

After BBP training, employees with potential exposure must be offered the Hepatitis B vaccine series at no cost within 10 working days of starting their role. Employers cannot waive this requirement.

If an employee declines the vaccine, they must sign an OSHA-required declination form, which must be kept on file. Even after declining, employees can request the vaccine later at no cost. For new hires who were previously vaccinated, the CDC accepts written, dated records of the three-dose series as proof of vaccination. If no records are available, document your efforts to retrieve them and obtain a written statement from the employee.

For staff frequently at risk of needlestick injuries, antibody titer testing is recommended one to two months after completing the vaccine series to confirm immunity. Vaccination records and declination forms are classified as confidential medical records and must be retained for the duration of employment plus 30 years.

Competency Checks and Ongoing Education

Annual training is just the starting point. It's equally important to confirm that employees can apply what they've learned in real-life situations.

Christie Hutchinson, CEO of QCC Healthcare Consultants, explains:

"Education includes providing access to the information, and ensuring understanding and retention of the information. Creating an educational module and then providing a post-module quiz to assess for understanding is a simple way to accomplish this."

Competency checks, such as direct observation during procedures, can reveal gaps in knowledge or technique. For example, watching how a staff member disposes of sharps or removes gloves can provide more insight than a quiz score. Addressing unsafe practices promptly is crucial to maintaining high standards. Keep records of attendance, quiz results, and continuing education certificates in each employee’s HR file to ensure compliance.

Training/Requirement | Timing | Record Retention
BBP Initial Training | Before first exposure task | 3 years from training date
BBP Annual Refresher | Within 12 months of prior training | 3 years from training date
Hepatitis B Vaccine Offer | Within 10 working days of hire | Employment + 30 years
Declination Form | At time of refusal | Employment + 30 years
Post-Exposure Evaluation | Immediately after incident | Employment + 30 years (confidential)

Facility Infection Prevention and Workflow Safety

Once you've got training and documentation covered, the next step is ensuring your facility's layout and protocols meet compliance standards. How your team handles cleaning, sharps, and airflow directly impacts patient safety and your OSHA inspection results. By combining well-documented protocols with practical steps, you can align your facility's workflow with OSHA requirements.

Treatment Room Cleaning and Disinfection

OSHA sets clear expectations for cleaning and decontamination:

"The employer shall determine and implement an appropriate written schedule for cleaning and method of decontamination based upon the location within the facility, type of surface to be cleaned, type of soil present, and tasks or procedures being performed in the area." - OSHA 29 CFR 1910.1030(d)(15)(i)

Here's what that means for your facility: create a written cleaning schedule that specifies when and how surfaces are cleaned. Surfaces should be decontaminated after procedures, immediately following spills or contamination, and at the end of each shift if contamination is possible. Use EPA-registered antimicrobial products or a freshly prepared bleach solution daily. Pay attention to contact times - disinfectants need to stay wet for 30 seconds (HIV-1) or 10 minutes (HBV), as indicated on the product label. For heavily soiled areas, pre-clean with soap and water to ensure the disinfectant works effectively.

When cleaning treatment beds or laser devices, opt for residue-free, non-corrosive wipes to protect surfaces like vinyl and acrylic. Replace protective coverings, such as plastic wrap or imperviously-backed paper, when visibly contaminated or at the end of each shift. Keeping a cleaning log for each treatment room - recording dates, responsible staff, and cleaning products used - can be helpful, as OSHA inspectors often review these logs first. These practices, paired with your cleaning schedules, ensure compliance with OSHA's guidelines.

Treatment Room Component | Compliance Requirement | Recommended Action
Treatment Beds & Chairs | Decontaminate after procedures or contact with blood/OPIM | Use EPA-registered, residue-free wipes safe for vinyl
Countertops & Sinks | Keep clean and sanitary | Disinfect daily with a hospital-grade cleaner
Protective Coverings | Replace when soiled or at shift end | Use plastic wrap or imperviously-backed paper
Broken Glassware | Avoid handling by hand | Use tongs, brushes, or dustpans
High-Touch Points | Disinfect when contamination is likely | Wipe light switches and drawer handles daily

Sharps and Medical Waste Management

Sharps like needles, scalpel blades, and syringes are strictly regulated. Always dispose of them in puncture-resistant sharps containers located at the point of use. Never manually alter contaminated sharps.

For medical waste, use sturdy, leak-resistant biohazard bags. If a bag is punctured or contaminated, double-bag it. Waste storage areas should be ventilated, pest-free, and clearly labeled. Regular waste removal prevents buildup, and small amounts of blood or body fluids can be discharged into a utility sink or toilet connected to a sanitary sewer, provided local and state regulations allow it.

Engineering Controls and Ventilation

Beyond cleaning and waste management, physical safeguards and proper ventilation play a big role in reducing exposure risks. OSHA's Bloodborne Pathogens Standard (29 CFR 1910.1030) requires engineering controls like safety-engineered needles, sharps containers, and devices that minimize exposure.

Ventilation is especially important in treatment rooms, particularly for aerosol-generating procedures. The CDC suggests using portable HEPA filter units capable of at least 12 air changes per hour (ACH) with filtration rates between 300 and 800 ft³/min. HVAC filters should be properly maintained - dusty filters should be bagged immediately upon removal to prevent spreading fungal spores. Outdoor air intakes should be at least 6 feet above ground or 3 feet above roof level to avoid drawing in contaminated air.

For facilities using Class IV lasers, additional safety measures are required. In Texas, for example, facilities must register with the Texas Department of State Health Services and appoint a Laser Safety Officer. Even outside Texas, maintaining a documented laser safety program is a smart move. Any energy-based device, whether it's a laser, IPL, or RF microneedling device, should have FDA clearance for its intended clinical use. Incorporating these engineering controls into your protocols strengthens your overall safety approach.

Personal Protective Equipment (PPE) and Safe Practices

OSHA Post-Exposure Protocol for Med Spas: Step-by-Step Guide

Let’s dive into the essentials of staff PPE, hand hygiene, and how to handle incidents effectively.

PPE Availability and Usage Policies

Every treatment room should have a consistent supply of single-use gloves, masks, and eye protection. But having these supplies on hand isn’t enough. It's critical to include PPE usage in written SOPs (Standard Operating Procedures) for all services, from injectables and chemical peels to laser hair removal.

One detail that’s often overlooked? Wavelength-specific laser safety eyewear. Both providers and patients must wear the appropriate eyewear during any laser or IPL procedure. This isn’t just a recommendation - it must be documented. To ensure compliance, your Medical Director should review and approve all PPE-related SOPs, giving them the necessary legal backing.

PPE Category | Required Items | Relevant Procedures
Standard Precautions | Gloves, masks, eye protection | Injectables, microneedling, chemical peels
Laser Safety | Wavelength-specific eyewear | Laser hair removal, IPL, RF microneedling
Infection Control | Biohazard waste receptacles | Used needles, bloody gloves, contaminated materials
Emergency Response | Epinephrine, hyaluronidase, AED | Anaphylaxis, vascular occlusion, cardiac arrest

Beyond PPE, strict hand hygiene and aseptic practices are essential to reduce infection risks.

Hand Hygiene and Aseptic Techniques

Updated OSHA guidance for 2025 mandates more frequent hand hygiene training for staff. This isn’t just a formality - proper handwashing is one of the simplest and most effective ways to prevent infections in healthcare settings.

For procedures like microneedling and injections, aseptic technique is non-negotiable. This includes cleaning all treatment surfaces with EPA-approved disinfectants before and after each patient, using sterile, single-use tools whenever possible, and ensuring reusable instruments are sterilized according to the latest infection control standards. Regular chart reviews by your Medical Director can confirm that these steps are not only performed but also properly documented.

Post-Exposure Protocols and Incident Reporting

Even with the best precautions, incidents like needlestick injuries can occur. U.S. hospitals report over 385,000 needlestick injuries annually, and med spas face similar risks. A clear, well-practiced protocol is critical - and quick action is key.

Here’s what OSHA requires for post-exposure care:

  1. Immediate care: Wash needlestick wounds thoroughly with soap and water. For mucous membrane splashes, flush the area for 15 minutes. If the eyes are affected, irrigate them with clean water or saline. Avoid squeezing the wound.
  2. Report the incident: Notify a supervisor during the same shift. Complete an exposure report detailing the route and circumstances. Identify the source patient promptly to enable blood testing.
  3. Medical evaluation: Provide a confidential medical evaluation free of charge to the employee. This includes baseline blood tests and, if necessary, starting Post-Exposure Prophylaxis (PEP) - ideally within 2 hours. PEP’s effectiveness drops significantly after 24 hours and isn’t recommended after 72 hours.
  4. Follow-up care: Arrange follow-up HIV and HCV testing at 6 weeks, 12 weeks, and 6 months. Include counseling on recognizing infection symptoms.
  5. Written opinion: A healthcare professional must provide the employer with a written opinion within 15 days of the evaluation.

The financial impact of a single needlestick injury can reach $3,000, covering testing and treatment costs. To avoid compliance issues, maintain your Sharps Injury Log for at least five years and retain employee medical records for the duration of their employment plus 30 years. In fiscal year 2024, recordkeeping violations made up about 15% of all Bloodborne Pathogen citations. A digital reporting system can simplify incident tracking and help keep your facility prepared for audits.

Conclusion and Next Steps

OSHA compliance is an ongoing responsibility that impacts every aspect of your med spa, from the way you handle sharps to how you maintain staff training records. This checklist serves as a guide to help ensure every part of your med spa stays aligned with OSHA standards. Moving forward, adopting digital tools can simplify and secure your compliance efforts.

Using Technology to Support Compliance

Relying on manual methods for OSHA documentation - like paper logs, handwritten records, or physical binders - can increase the risk of missing critical paperwork during an audit. This can be costly. In 2026, OSHA fines for serious violations climbed to $16,991 per violation, while willful or repeated violations could reach up to $170,181.

Platforms like Prospyr, designed with HIPAA compliance in mind, can centralize all your documentation. Instead of hunting for paper training records or manually updating cleaning logs, you can use such tools to store staff credentials, monitor certifications for specific procedures, and organize incident reports in one accessible location. This makes it much easier to provide the necessary documentation during an unannounced inspection.

"Utilizing the best medical spa software not only keeps your business compliant but also enhances operational efficiency and client safety." - AestheticsPro

Keeping Compliance Up to Date

Beyond digitizing records, regular reviews are crucial for maintaining compliance. OSHA advises conducting workplace safety inspections at least quarterly, though monthly reviews are often considered a better practice. Your Standard Operating Procedures (SOPs) should undergo annual reviews - or be updated immediately following any adverse event or changes in state regulations.

Regulatory oversight is becoming stricter across the country. For example, in January 2026, a joint investigation of 223 med spas in New York uncovered numerous violations, leading to license suspensions and fines due to missing documentation and unsafe practices. Med spas without written SOPs are three times more likely to face regulatory action after an adverse event compared to those with documented protocols. Setting up reminders for annual policy reviews and license renewals can help prevent compliance gaps.

FAQs

What triggers OSHA coverage in a med spa?

OSHA regulations extend to med spas offering health care or related support services, except in cases where specific exemptions apply. These exemptions include:

  • Not treating suspected or confirmed COVID-19 patients.
  • Screening all non-employees for COVID-19 symptoms before allowing entry.
  • Operating in an ambulatory care setting that is not part of a hospital.

To stay compliant, carefully evaluate your facility's practices and ensure they align with these conditions.

How do I prepare for an unannounced OSHA inspection?

To get ready for an unexpected OSHA inspection, keep all necessary documents, like your OSHA 300 log, Exposure Control Plan, and training records, well-organized and easily accessible. Make sure your facility stays compliant by properly labeling chemicals, displaying safety protocols clearly, and addressing potential issues, such as blocked exits or other hazards.

Regularly train your staff on safety procedures and stay up to date with OSHA standards. Pay special attention to areas like bloodborne pathogens, hazard communication, and PPE requirements to ensure your workplace remains in compliance at all times.

What should my post-exposure protocol include?

To ensure compliance with OSHA standards and safeguard your team, your post-exposure protocol should include the following essential steps:

  • Immediate Wound Care: Start by thoroughly washing the affected area with soap and water. For mucous membrane exposures, rinse with plenty of water or saline.
  • Incident Reporting: Document the incident in detail. This includes the nature of the exposure, how it occurred, and any immediate actions taken.
  • Medical Evaluation: Arrange for the exposed employee to receive a prompt medical evaluation. This step is crucial for assessing potential risks and determining the need for follow-up care.
  • Confidential Testing of the Source Individual: If feasible, test the source individual while strictly maintaining their confidentiality. This helps provide clarity on potential risks to the exposed employee.

Additionally, make it a priority to review and update your protocol every year. Regular training sessions for staff are equally important to ensure everyone understands and can follow the procedure effectively. By staying proactive, you can create a safer workplace while meeting regulatory requirements.
