How to Prepare for a Chart Audit at Your Med Spa
A chart audit can come from several directions — your medical director conducting a scheduled internal review, a state medical board investigation, a nursing board inquiry, or a payer audit if you accept insurance. In every case, the clinics that handle them without disruption are the ones that were already running tight documentation before the audit happened. The ones that scramble are the ones treating compliance as something to perform reactively.
This guide covers what auditors actually look for in a med spa or wellness clinic, how to prepare your documentation before an audit arrives, and what a recurring internal audit process should look like.
What Gets Audited in a Med Spa Chart Review
Understanding what reviewers look at tells you exactly where to focus your preparation. In an aesthetic or wellness clinic, chart audits typically evaluate:
Consent documentation. Informed consent forms need to be present, signed, and dated prior to each procedure — not signed after the fact and not using a single blanket consent intended to cover all future treatments. Reviewers look for specificity: did the patient consent to the specific procedure performed on that specific date?
Good faith exam (GFE) documentation. Before any prescription-based treatment — Botox, GLP-1 medications, hormone therapy, IV protocols involving prescription compounds — a documented good faith exam must exist. That means a recorded medical history, relevant vitals, a problem-focused assessment, and a written clinical plan tied to the specific treatment. A checkbox telehealth form completed in under two minutes does not constitute a defensible GFE in most states in 2026.
Treatment records and clinical notes. For each patient encounter, the chart should document who performed the procedure, what was administered or performed, at what dose or setting, what the patient's response was, and any follow-up instructions given. Vague entries like "Botox injections performed, patient tolerated well" are a flag. Complete entries name the injection sites, units administered, and lot numbers of any injectables.
Prescription and standing order compliance. If your clinic operates under standing orders — written instructions allowing non-physician staff to perform certain procedures without a direct patient-specific physician order — those standing orders must be current, signed by the medical director, and appropriate for the procedures being performed under them. Expired standing orders or procedures performed outside their scope are a common audit finding.
Provider credential verification. Auditors confirm that the providers documented as performing procedures hold the credentials required to legally perform them in your state. An NP performing a procedure that requires physician delegation without a current delegation agreement on file is a compliance problem, regardless of whether the procedure itself was performed correctly.
Medical director oversight evidence. Your chart review logs — the records showing that your medical director reviewed the required percentage of charts — need to exist and be current. An audit that finds a medical director of record but no evidence of actual chart review activity is effectively finding a ghost director arrangement.
Adverse event documentation. Any adverse event or complication — even minor ones — should be documented in the patient chart, including what occurred, how it was managed, and whether the medical director was notified. The absence of any adverse event documentation across a large patient population is itself a flag, because complications happen in every clinical practice.
Building Your Pre-Audit Documentation Checklist
Before any formal audit, run through this internally:
Consent forms. Pull a random sample of 20–30 charts and verify that each has a signed, dated, procedure-specific consent form on file. Check that the date on the consent predates the treatment date. Flag any charts where consent is missing, undated, or uses an outdated template.
GFE records. For any patient receiving a prescription-based service, verify that a GFE is documented and that it contains the minimum required elements — history, vitals where appropriate, assessment, and treatment plan. If your clinic uses a telehealth GFE model, verify that the documentation reflects an actual clinical encounter, not a form submission.
Standing orders. Pull your current standing order documents and check: are they signed by your current medical director? What is the signature date? Many clinics operate on standing orders signed months or years ago by a physician who is no longer their medical director. If your medical director changed and the standing orders weren't updated, every procedure performed under those orders since the change is on shaky ground.
Chart review logs. Your medical director should have a running log of chart reviews — patient identifiers, review dates, and any findings. If this log doesn't exist or hasn't been updated in months, create a process to generate it before the next audit. Retroactive chart reviews don't carry the same weight as contemporaneous ones.
Provider credentials file. Maintain a current file for every clinical provider that includes their state license, NPI, DEA registration if applicable, malpractice insurance certificate, and any delegation agreements or collaborative practice agreements. Verify that nothing in this file is expired.
Medication and supply records. If your clinic maintains injectable inventory, verify that lot numbers and expiration dates are being documented on purchase and in patient charts, and that your storage logs meet any state or board pharmacy requirements.
The Most Common Chart Audit Failures in Med Spas
These come up repeatedly across state board investigations and internal audit findings:
Backdated or amended documentation. Nothing triggers deeper investigation faster than records that appear to have been altered after the fact. If you identify a documentation gap, note it as a late entry with the current date — do not modify the original record.
Blanket consents used for ongoing treatment series. A single consent signed at intake that's intended to cover all treatments indefinitely is not adequate for most state requirements or malpractice purposes. Procedure-specific consent at each new treatment is the defensible standard.
GFEs performed by non-qualified providers. In most states, a GFE must be performed by a physician, NP, or PA — not by an RN, esthetician, or front desk staff using a script. Verify that the provider documented as performing GFEs in your system holds the credential required to do so in your state.
Standing orders that don't match services. A common gap is a med spa that has expanded its service menu since the standing orders were last updated. If you're now offering GLP-1 protocols, peptide therapies, or a new device, but your standing orders predate those services, those services are technically being performed without physician authorization.
No documentation of medical director involvement. If your medical director agreement says chart review happens monthly and there are no records showing it happened, the agreement is not a compliance shield — it's evidence of a structure that exists on paper but not in practice.
Setting Up a Recurring Internal Audit Process
The clinics that hold up best under external audit are the ones running internal audits on a defined schedule — not just when something goes wrong.
A practical approach for most med spas:
Monthly: Medical director reviews the required percentage of charts per your agreement and logs findings. Any standing orders that are 12 months from their signature date get flagged for renewal.
Quarterly: Pull a random sample of 10–15 charts and run through the documentation checklist above. Review consent compliance, GFE documentation completeness, and provider credential currency. Document findings and any corrective actions taken.
Annually: Full credential verification for all providers. Full standing order review and re-signature by current medical director. Review of all consent templates to ensure they reflect current services and current state law. Update your medical director agreement if the scope of services has changed.
The documentation generated by internal audits — the checklists, the findings logs, the corrective action records — is also valuable evidence if you're ever subject to an external audit. It demonstrates that your practice has a functioning compliance culture, not just a compliance structure that exists on paper.
How Wellness MD Group Supports Your Chart Audit Readiness
Compliance infrastructure is one of the core things we build for the clinics we work with. That means medical directors who actually conduct chart reviews and generate documentation of their findings, standing orders that are kept current, and protocol frameworks matched to your specific service menu and state requirements.
If you're approaching an audit and need to assess where your documentation stands — or if you're building a new clinic and want to get the compliance foundation right from the start — our team can help.
Frequently Asked Questions
How often should a med spa conduct internal chart audits?
At minimum, quarterly internal reviews with a random chart sample, plus whatever chart review cadence your medical director agreement specifies — usually monthly. Annual full reviews of credentials, standing orders, and consent templates round out the cycle.
Who can conduct a chart audit at a med spa?
Internal chart audits can be conducted by your medical director, a compliance officer, or a qualified clinical staff member using a standardized checklist. External audits may be conducted by state medical boards, nursing boards, or payers.
What triggers a state board chart audit?
Common triggers include patient complaints, adverse event reports, anonymous tips, prior board discipline, and targeted enforcement sweeps in specific practice areas. Some states also conduct random audits of licensed facilities regardless of complaint history.
How far back can a chart audit go?
Medical record retention requirements vary by state but typically require keeping records for a minimum of seven years, and longer for records involving minors. An audit can in principle review any records within the retention period.
What happens if documentation gaps are found?
Minor gaps typically result in a corrective action plan — documentation of what the gap was, how it was corrected, and what process changes were made. Significant or repeated gaps, or evidence of fraudulent documentation, can result in license discipline, fines, or closure orders.
Wellness MD Group provides medical director placement, standing order development, and compliance infrastructure for med spas and wellness clinics in all 50 states. This content is for informational purposes and does not constitute legal advice. Consult a qualified healthcare attorney for guidance specific to your state and situation.
