The Complete Legal Compliance Guide for Gyms, Wellness Studios and Recovery Spas in the USA (2026 Edition)

If you opened this page because you run a gym, a boutique fitness studio, a recovery lounge, a med spa, or any kind of wellness business in the United States, you already know that the legal side of this industry has gotten significantly more complicated in the last few years.

Membership contracts, injury liability, health data from intake forms, IV therapy oversight, cryotherapy safety, ADA accessibility, state licensing for massage and laser services, employee classification. Each of these is a separate legal exposure point. Each has its own regulatory framework. And the consequences of getting any of them wrong range from fines and forced closure to personal injury lawsuits and federal enforcement actions.

Why Compliance Matters More in 2026 Than It Did Five Years Ago

Gyms used to be fairly simple businesses from a regulatory perspective. A lease, some equipment, some staff, a membership contract. The legal exposure was primarily around slip-and-fall injury and employment classification.

That picture has changed fundamentally. Modern wellness businesses now commonly offer services that sit at the intersection of fitness, healthcare, and aesthetics. Recovery lounges offering cryotherapy, red light therapy, compression, infrared sauna, and IV hydration. Med spas offering injectables alongside fitness memberships. Hybrid concepts combining personal training with functional medicine consultations. Boutique studios collecting biometric data as part of their programming.

Each of these service additions brings a different regulatory framework into play. Add them to your business without understanding the compliance implications and you are not just expanding your revenue. You are expanding your legal exposure in multiple directions simultaneously.

State regulators have taken notice. California, New York, Texas, Florida, and several other states have increased enforcement activity against wellness businesses that crossed into regulated medical territory without proper oversight structures. Federal agencies including the FTC and FDA have issued specific guidance affecting how wellness businesses can market their services. OSHA has updated guidance relevant to cryotherapy and needle disposal that directly affects recovery studios.

Compliance in 2026 is not a defensive legal task. It is what allows you to offer more services, attract more clients, and build a business that survives the kind of scrutiny that growth brings.

Federal Laws Every Gym and Wellness Business Must Follow

These laws apply across all fifty states regardless of where your business is located.

HIPAA Compliance for Gyms and Wellness Businesses

When HIPAA Actually Applies to Your Business

The Health Insurance Portability and Accountability Act is widely misunderstood by wellness business owners. The common assumption is that HIPAA applies only to hospitals and insurance companies. That is not accurate once your services touch anything resembling healthcare.

HIPAA applies to covered entities and their business associates. A covered entity is a healthcare provider, a health plan, or a healthcare clearinghouse. A business associate is any third party that creates, receives, maintains, or transmits protected health information on behalf of a covered entity.

For a straightforward gym collecting only membership information and payment details, HIPAA likely does not apply. But the moment your wellness business starts offering any of the following, HIPAA compliance becomes relevant: IV therapy administered by a registered nurse under physician oversight, telehealth or virtual wellness consultations, biometric health assessments documented in client files, partnerships with licensed healthcare providers that involve sharing client health information, or accepting any form of health insurance reimbursement.

Client Health Data Handling

Even businesses that are not technically covered entities need to handle client health information carefully. Intake forms asking about medical conditions, medications, injuries, and health history create data that, if improperly stored or shared, can create significant liability.

Basic practices every wellness business should have in place: store paper intake forms in locked filing systems with access limited to staff who need it, use encrypted digital storage for electronic health records, do not include health information in standard email communications without client consent and secure transmission methods, and have a clear data retention and destruction policy.

Intake Form Risks

Intake forms are where wellness businesses most commonly create HIPAA-adjacent problems without realising it. If your intake form asks health questions that go beyond what is necessary for the service being offered, you are collecting data you may not have a legitimate reason to hold and may not be equipped to protect adequately.

Keep intake forms scoped to what you actually need. A fitness assessment form needs different information than an IV therapy consent form. A cryotherapy waiver needs different information than a massage intake form. Match data collection to service type.

SMS and Email Marketing Risks

Sending health-related information to clients via standard SMS or email carries risk where that information could constitute protected health information under HIPAA. Marketing messages that reference a client’s specific health condition or treatment history fall into this category.

For wellness businesses that are covered entities or business associates, marketing communications involving health information require specific consent mechanisms that go beyond a standard marketing opt-in.

Before-and-After Photo Consent

Before-and-after photos used in marketing are a specific compliance requirement, not just a courtesy. For med spas and aesthetic wellness services, written authorisation for the use of client images in marketing materials is required. That authorisation must be separate from the general consent form for the treatment, must specify how the images will be used, and must allow the client to withdraw consent.

The FTC has also become increasingly active in requiring that before-and-after photos used in advertising represent typical results rather than exceptional ones. This applies both to the content of the photos and to any accompanying claims about what the service achieved.

HIPAA Compliance Checklist

  • Written privacy policy posted and available to clients
  • HIPAA-compliant business associate agreements with all technology vendors handling client health data
  • Staff training on privacy obligations completed and documented
  • Access controls limiting who can view client health records
  • Encrypted electronic health record system if applicable
  • Breach response protocol in place
  • Intake forms reviewed by legal counsel for appropriate scope
  • Marketing review for impermissible use of health information

OSHA Compliance for Fitness and Wellness Businesses

The Occupational Safety and Health Administration sets workplace safety standards that apply to gyms and wellness studios just as they apply to any other employer.

Bloodborne Pathogen Rules

Any wellness business where staff may be exposed to blood or other potentially infectious materials needs a written Bloodborne Pathogen Exposure Control Plan. This is an OSHA requirement, not a recommendation.

For gyms, exposure risk comes from member injuries, first aid provision, and equipment cleaning where blood contact is possible. For IV therapy providers, massage therapists, and any wellness business offering services involving skin contact or needle use, the exposure risk is significantly higher.

The plan must be updated annually, must identify who is at risk of exposure, must specify engineering and work practice controls, must cover personal protective equipment requirements, must address hepatitis B vaccination for at-risk employees, and must include a post-exposure evaluation protocol.

Needle Disposal

If your wellness business uses needles for IV therapy, vitamin injections, or any other service, proper sharps disposal is both a regulatory requirement and a liability issue. Sharps containers must be puncture-resistant, leak-proof, and properly labelled. They must be located as close as possible to the point of use. They must be disposed of through a licensed medical waste disposal service.

Improper needle disposal is a compliance violation that can also expose your business to significant liability if a client, employee, or third party is injured by an improperly discarded needle.

Cryotherapy Hazards

Cryotherapy poses specific OSHA-relevant safety concerns. Liquid nitrogen used in whole-body cryotherapy chambers is an asphyxiation risk if it displaces oxygen in an enclosed space. OSHA’s general duty clause requires employers to provide a workplace free from recognised hazards, and liquid nitrogen exposure is a recognised hazard requiring specific controls.

Safety requirements for cryotherapy operations include adequate ventilation in treatment areas, oxygen sensors that trigger an alarm if oxygen levels drop below safe thresholds, staff training on liquid nitrogen handling and emergency procedures, proper personal protective equipment for operators, and documented safety protocols for equipment malfunction.

Sauna and Steam Room Safety

Sauna and steam room areas require documented cleaning schedules, maximum occupancy compliance, appropriate temperature monitoring, emergency call systems or clear visual access to a staffed area, and clear signage for medical contraindications.

Slip-and-Fall Prevention

Slip and fall incidents are the single most common source of gym litigation. OSHA’s general duty clause requires proactive hazard management. A documented inspection schedule, non-slip flooring in wet areas, prompt reporting and remediation of spill hazards, and adequate lighting throughout the facility are the baseline requirements.

OSHA Inspection Checklist

  • Current Bloodborne Pathogen Exposure Control Plan
  • OSHA 300 injury and illness log maintained
  • Sharps disposal containers in place where needles are used
  • Emergency eyewash station if chemical storage is present
  • First aid kits accessible and inventoried
  • Fire extinguishers inspected and tagged
  • Hazard Communication Standard compliance for cleaning chemicals
  • Ventilation adequacy documented for cryotherapy areas
  • Incident reporting protocol for employee injuries

ADA Compliance for Gyms and Wellness Studios

The Americans with Disabilities Act applies to gyms and wellness studios as places of public accommodation. Non-compliance creates both regulatory exposure and civil litigation risk. ADA-related lawsuits against fitness and wellness businesses have increased steadily, and many are brought on the basis of website accessibility rather than physical premises issues.

Physical Accessibility Standards

Accessible entrance with a clear path from accessible parking. If your building has steps at the entrance, there must be a ramp or lift that provides genuinely equivalent access, not a rear entrance that requires a client to ask staff for assistance.

Equipment spacing that allows wheelchair users to navigate between pieces of equipment. The ADA standard for accessible routes requires at minimum 36 inches of clear width.

Accessible locker rooms including accessible changing areas, grab bars in accessible shower stalls, and appropriate bench heights. Accessible toilet facilities in restrooms used by clients. Water fountains at accessible heights or a drinking water alternative.

Website Accessibility

Website accessibility is where ADA litigation against gyms and wellness businesses has grown most significantly. The Department of Justice confirmed in 2024 that website accessibility falls under ADA Title III requirements for places of public accommodation. A website that is not accessible to users with visual impairments who use screen readers, or to users with motor impairments who cannot use a mouse, is potentially non-compliant.

Web Content Accessibility Guidelines (WCAG) 2.1 at Level AA is the standard most courts have applied when evaluating whether a website is ADA-compliant. Practical requirements include alternative text for all images, keyboard navigability without a mouse, sufficient colour contrast, captions for video content, and accessible online booking systems.

Service Animal Rules

Under the ADA, trained service animals must be permitted in all areas of your facility where clients are permitted, including the gym floor, studios, locker rooms, and treatment areas. Emotional support animals are not covered by ADA Title III service animal requirements, though some state laws provide additional protections.

Staff may ask only two questions: is this a service animal required because of a disability, and what work or task has it been trained to perform. Asking for documentation, ID cards, or proof of training is not permitted.

ADA Audit Checklist

  • Accessible parking spaces in correct number and dimensions
  • Accessible entrance with no barriers to entry
  • Reception desk with accessible service counter height
  • Accessible paths to all public areas of the facility
  • Accessible restroom facilities
  • Accessible locker room with compliant features
  • Appropriate equipment spacing throughout the gym floor
  • Website accessibility audit completed
  • Service animal policy documented and staff trained

FTC and Advertising Compliance

The Federal Trade Commission enforces truth-in-advertising standards that apply to every marketing claim a gym or wellness business makes.

Health and Weight-Loss Claims

Weight-loss claims are one of the FTC’s most actively enforced areas in the wellness industry. Claiming that a service will produce a specific amount of weight loss, or showing a result that is not typical without adequately disclosing that it is not typical, is deceptive under the FTC Act.

The FTC’s substantiation standard requires that health and efficacy claims be supported by competent and reliable scientific evidence before they are made, not after the fact if questioned. For many wellness services, this means claims need to be reviewed by legal counsel before they appear in marketing.

Medical-Grade and FDA-Related Claims

Describing equipment or treatments as “medical-grade” when they have not been cleared or approved by the FDA for a specific medical purpose is a claim that can attract both FTC and FDA scrutiny. The FDA classifies many devices used in wellness settings, including red light therapy devices, cryotherapy chambers, and body contouring equipment. Marketing claims that go beyond the device’s FDA clearance are misbranding violations under the Food, Drug, and Cosmetic Act.

Influencer Marketing

Any paid promotion, including content created by influencers in exchange for free services, complimentary memberships, or any other compensation, must be clearly disclosed under FTC guidelines. The disclosure must be clear and prominent, not hidden in hashtags or buried below a fold. “Ad,” “Paid partnership,” or “Sponsored” are acceptable disclosures. “#collab” or “#ambassador” are not considered adequate.

Employment and Labor Law Compliance

Trainer Classification: Employee vs Independent Contractor

Trainer misclassification is one of the most common and most expensive compliance failures in the fitness industry. Many gyms classify trainers as independent contractors to avoid payroll taxes, workers’ compensation obligations, and benefits costs. Many of those arrangements do not meet the legal standard for independent contractor status.

The IRS and the Department of Labor each apply multi-factor tests to determine whether a worker is genuinely an independent contractor or should be classified as an employee. Courts have consistently found that trainers who work exclusively at one facility, are required to follow the gym’s scheduling and conduct standards, use the gym’s equipment and space, and have their rates set by the gym are employees, regardless of what their contracts say.

The consequences of misclassification include back payroll taxes, interest and penalties, liability for unpaid overtime and benefits, and potential class action exposure.

California Trainer Classification

California applies the strictest independent contractor test in the country, known as the ABC test under AB 5. Under this test, a worker is presumed to be an employee unless all three of the following are true: the worker is free from the control and direction of the hiring entity in connection with the performance of work, the worker performs work that is outside the usual course of the hiring entity’s business, and the worker is customarily engaged in an independently established trade, occupation, or business.

For most trainers working at a California gym, prong B is where classification fails. Personal training is typically within the usual course of a gym’s business. California gyms that continue to classify trainers as independent contractors face significant risk.

Overtime and Meal and Rest Breaks

Under the Fair Labor Standards Act, non-exempt employees must be paid time-and-a-half for hours worked over 40 in a workweek. Several states impose additional overtime requirements, including daily overtime after 8 hours in California.

Meal and rest break requirements vary by state. California requires a 30-minute unpaid meal break for shifts over 5 hours and a paid 10-minute rest break for every 4 hours worked. Failure to provide legally required breaks creates per-violation penalties.

Employee Handbook Requirements

Every wellness business with employees needs a written employee handbook that covers at minimum: anti-harassment and anti-discrimination policies, a complaint and reporting procedure, pay practices and overtime policies, time off policies, social media guidelines, and an at-will employment statement where applicable.

States including California, New York, Illinois, and Massachusetts impose additional handbook requirements including specific harassment prevention policy language and mandatory acknowledgement procedures.

Business Structure and Licensing

Choosing the Right Business Structure

LLC

A limited liability company is the most common structure for single-location gyms and wellness studios. It provides liability protection separating personal assets from business liability, flexible tax treatment, and relatively simple administration. An LLC does not fully protect you from professional liability arising from your own negligence or the negligence of your staff, but it protects your personal assets from general business claims.

Corporation

A C-corporation or S-corporation is more complex to administer but may be appropriate for wellness businesses planning to raise investment, issue stock options to employees, or scale to multiple locations. Investors typically prefer to invest in corporations rather than LLCs.

MSO Structure

The Management Services Organization structure is used by wellness businesses that provide or supervise medical services. Because most states prohibit unlicensed persons from owning medical practices (the Corporate Practice of Medicine doctrine), a common structure separates the business management functions (owned by a non-physician investor or operator) from the clinical practice (owned by a licensed physician or other qualified provider). The MSO manages the business operations under a management services agreement with the medical practice.

PLLC Restrictions

A Professional Limited Liability Company is required in some states for businesses providing licensed professional services including certain healthcare, therapy, and personal care services. The specific requirements vary by state and by profession.


Licenses and Permits

Federal, State, and Local Requirements

Every gym and wellness business needs a general business license from the city or county where it operates. Beyond that, the specific licenses required depend on the services offered.

Health permits. Required in most jurisdictions for any business where physical contact with clients occurs or where food or beverages are served.

Massage therapy licenses. Massage therapists must be licensed in the state where they practice. The facility offering massage services may also need a separate massage establishment license. Requirements vary significantly by state.

Laser and energy-based device licenses. States including California, Florida, Texas, and New York regulate who can operate laser and intense pulsed light devices, and under what level of physician supervision. In some states, only a licensed physician, nurse practitioner, or physician assistant can operate these devices. In others, an esthetician with specific training can operate certain classes of device under physician oversight.

Medical director requirements. Wellness businesses offering services that constitute the practice of medicine or nursing must have appropriate physician oversight. The specific requirements for medical director agreements vary by state. In some states, the physician must be on-site or immediately available. In others, a supervisory agreement with periodic review is sufficient.

Pool and spa permits. Facilities with pools, hot tubs, hydrotherapy pools, or cold plunge pools typically require permits from the local health department and must comply with state pool safety standards.

Music licensing. Playing music in a commercial gym or studio without appropriate licenses from performance rights organisations including ASCAP, BMI, and SESAC is copyright infringement. A gym or studio playing licensed music needs to hold licenses from all three organisations because different songs are covered by different rights holders.


Insurance Requirements

General liability. The baseline coverage for any gym or wellness business. Covers third-party bodily injury and property damage claims. Minimum coverage of $1 million per occurrence is standard, with $2 million aggregate. Higher limits are advisable for facilities with higher-risk services.

Professional liability. Covers claims arising from professional services provided to clients. Essential for any wellness business offering health assessments, IV therapy, massage, or other services where professional negligence is a possible claim.

Malpractice insurance. Required for licensed healthcare providers practicing in a wellness setting. Standard professional liability may not cover medical malpractice claims.

Workers’ compensation. Required in virtually all states for any business with employees. Provides coverage for employee workplace injuries.

Cyber liability. Given the volume of personal and health data that wellness businesses now hold, cyber liability coverage is no longer optional. A data breach affecting client health information or payment data can cost significantly more than most general liability policies cover.

Product liability. Important for wellness businesses that sell supplements, equipment, or other physical products, as well as businesses using equipment that could cause injury.


State-by-State Compliance Highlights

State law variation is one of the most significant compliance challenges for wellness businesses, particularly those operating in multiple states or planning to expand. Below are the key compliance considerations for major markets.


California

California is the most regulated state for wellness businesses in the country, and it is also the market with the highest enforcement risk.

CPOM (Corporate Practice of Medicine). California strictly enforces the prohibition on corporations practicing medicine. Any business offering services that constitute the practice of medicine must be structured through a licensed physician-owned professional corporation, with a separate MSO managing business operations. Violations can result in the business being shut down.

Health club cancellation law. California Health & Safety Code Sections 1812.80 through 1812.98 impose specific requirements on gym membership contracts. Contracts must include specific cancellation rights, must not include perpetual automatic renewals without specific disclosure, must provide a five-day cooling-off period, and must allow cancellation for specified life changes including relocation and disability.

CCPA. The California Consumer Privacy Act and its successor the CPRA give California residents specific rights regarding their personal data. Wellness businesses that collect California residents’ data and meet the revenue or data volume thresholds must have a compliant privacy policy, must honour opt-out requests, and must provide data deletion rights.

Employee classification. California’s ABC test under AB 5 applies to all worker classification determinations. As noted above, this makes classifying trainers as independent contractors extremely difficult.

Med spa ownership. Only licensed physicians, or professional corporations owned by licensed physicians, can operate medical spas offering prescription services or services constituting the practice of medicine in California.

Topic | California Status
Med spa physician ownership required | Yes
CPOM strictly enforced | Yes
Special gym contract laws | Yes
Auto-renewal disclosure required | Yes
CCPA privacy law | Yes
Laser restriction | Yes, physician or supervised
IV therapy physician oversight | Yes

Texas

Texas has a more permissive regulatory environment than California in some areas but enforces specific requirements around delegation and supervision of medical services.

Delegation rules. Texas allows licensed physicians to delegate certain medical procedures to unlicensed or differently licensed personnel under specific supervision requirements. The Texas Medical Board has issued guidance on what procedures can be delegated, to whom, and under what level of supervision.

IV therapy. IV therapy in Texas must be ordered by a licensed physician and administered by a licensed RN, LVN under RN supervision, or other appropriately licensed provider. The ordering physician must have a bona fide physician-patient relationship. Wellness IV bars operating without physician oversight violate Texas Medical Board rules.

Med spa ownership. Texas does not require physician ownership of the business entity, but all medical procedures must be performed under appropriate physician oversight through a proper supervisory or delegation agreement.

Waivers. Texas courts have generally enforced pre-injury liability waivers for sports and fitness activities where the waiver was conspicuous, clearly written, and not contrary to public policy. Waivers for gross negligence are not enforceable in Texas.

Topic | Texas Status
Med spa physician ownership required | No (but supervision required)
CPOM enforcement | Moderate
Special gym contract laws | Limited
IV therapy physician oversight | Yes
Laser license required | Yes
Waiver enforceability | Generally yes, excluding gross negligence

Florida

Florida has specific statutory requirements for health studios (gyms and fitness centers) that many out-of-state operators discover only after they are already operating.

Florida Health Studio Act. The Florida Health Studio Act regulates health studio contracts for services with a value over $600 over a term greater than one month. Requirements include a mandatory three-day cancellation period, specific contract disclosures, bonding or prepaid contract insurance for businesses collecting advance fees, and restrictions on the duration of contracts.

Massage establishment licensing. Florida requires massage establishments to be separately licensed through the Department of Health. Therapists must hold a Florida massage therapy license. Violations are actively enforced.

Med spa oversight. Florida allows certain medical procedures to be delegated to RNs and ARNPs under physician supervision. Physician oversight must be genuine and documented, not nominal.

Topic | Florida Status
Health Studio Act applies | Yes
Advance fee bonding required | Yes for qualifying studios
Massage establishment license | Yes
Med spa physician oversight | Yes
3-day contract cancellation right | Yes

New York

New York enforces strict CPOM rules and has increasingly active regulatory oversight of medical wellness services.

CPOM. New York does not allow non-physicians to own medical practices or to receive fee-splitting arrangements with physicians. This significantly restricts the MSO structure used in other states. Proper structuring requires careful legal advice specific to New York.

Med spa regulations. Injectables, prescription treatments, and other medical procedures can only be performed by or under the supervision of a licensed physician, physician assistant, or nurse practitioner within their scope of practice.

Privacy. New York’s SHIELD Act imposes data security requirements on any business holding private information of New York residents. Wellness businesses collecting health and biometric data have specific obligations under this law.

Topic | New York Status
CPOM strictly enforced | Yes
Fee-splitting prohibition | Yes
SHIELD Act compliance | Yes
Med spa physician supervision | Yes

Other Key States Summary

State | Med Spa Ownership | Special Gym Contract Law | Auto-Renewal Law | Privacy Law | Laser License
Arizona | Physician or dentist | No | Yes | No specific law | Yes
Nevada | Physician required | Yes | Yes | Yes | Yes
Illinois | Physician required | No | Yes | BIPA (biometrics) | Yes
Georgia | Physician preferred | No | No | No specific law | No
Colorado | Physician or APRN | No | No | Yes | Yes
New Jersey | Physician required | No | Yes | Yes | Yes
Washington | Physician required | Yes | Yes | My Health My Data Act | Yes
Pennsylvania | Physician required | No | No | No specific law | Yes
Massachusetts | Physician required | No | Yes | Yes | Yes

For the full 50-state compliance database, visit MyLegalPal.com.


Service-Specific Regulations


Cryotherapy Compliance

Whole-body cryotherapy has grown significantly as a recovery service, and the regulatory environment around it has developed alongside that growth.

Licensing

Most states do not have a specific license category for cryotherapy operators, but depending on the claims made about the service, it may be regulated as a medical device service. If cryotherapy is marketed for pain relief, injury recovery, or any health condition, it may constitute the practice of medicine or physical therapy in some states, requiring appropriate professional oversight.

Safety Requirements

Safety requirements for cryotherapy operations center on the liquid nitrogen hazard and client safety during treatment. Clients must complete a health screening process identifying contraindications including cardiovascular conditions, Raynaud’s disease, cold allergies, pregnancy, and certain respiratory conditions. An operator must be present at all times during treatment. Emergency stop mechanisms must function correctly and staff must be trained on their use.

Waivers for Cryotherapy

A cryotherapy consent form and liability waiver should specifically address the nature of extreme cold exposure, the known risks including frostbite, cardiovascular stress, and the contraindications specific to the treatment. A generic gym waiver does not adequately cover cryotherapy-specific risks.


IV Therapy Compliance

IV therapy has become one of the fastest-growing wellness services, and it is one of the most heavily regulated.

Physician Oversight Requirements

In every state, IV therapy constitutes a medical procedure. It requires a physician’s order, must be administered by a licensed RN (in most states), and must be preceded by appropriate client screening. A physician medical director relationship with a nominal monthly fee and no genuine clinical oversight is not sufficient and is actively targeted by state medical boards.

Standing Orders

A standing order is a physician’s pre-authorisation for specific procedures to be carried out by nursing staff based on defined criteria, without requiring a specific order for each client. Standing orders for IV therapy are used in many wellness IV operations to allow RNs to administer defined protocols. The validity of standing orders varies by state, and the physician who issues them must genuinely know each client’s medical history. A blanket standing order that authorises any client to receive IV therapy without individual physician review is not legally adequate in most states.

State Restrictions

Some states effectively prohibit the wellness IV therapy model by requiring direct physician presence or a genuine telemedicine consultation with the physician before each IV administration. These include some states that have interpreted telehealth requirements strictly. Any wellness business offering IV therapy should have state-specific legal advice on the permissible structure in each state where it operates.


Red Light Therapy Regulations

FDA Device Classification

The FDA classifies light therapy devices as medical devices under the Food, Drug, and Cosmetic Act. The specific classification depends on the device’s intended use and design. Devices intended for use in professional wellness settings must have appropriate FDA clearance for their intended use category.

Marketing a red light therapy device or service for medical purposes beyond what the device’s FDA clearance covers is a misbranding violation. Common examples include claiming that red light therapy treats a specific diagnosed condition, accelerates healing from specific injuries, or produces medical outcomes not covered by the device’s clearance.

Marketing Claims

Wellness-oriented claims for red light therapy, such as supporting recovery, improving skin appearance, or reducing muscle soreness, generally remain permissible where they are truthful, non-deceptive, and do not imply medical treatment of a disease. Claims that characterise the service as a treatment for a specific medical condition require substantiation that most wellness businesses do not have.


Sauna and Recovery Lounge Compliance

Sanitation Requirements

Sauna and steam room areas are regulated by state and local health departments as wet areas requiring specific sanitation standards. Regular cleaning schedules must be documented. Non-porous surfaces that can be properly cleaned must be used throughout the area. Wooden benches and surfaces require specific maintenance protocols.

Emergency Procedures

Recovery facilities must have documented emergency procedures for heat-related illness, which is one of the most foreseeable risks in sauna environments. Staff must be trained to recognise signs of heat exhaustion and heat stroke and to respond appropriately. AEDs and first aid equipment must be accessible within the facility.


Medical Spa Regulations

Med spas offering injectables, body contouring, IV therapy, and other aesthetic or medical wellness services face the most complex regulatory environment of any wellness business type.

Injectable Services

Botulinum toxin and dermal fillers are prescription drugs administered by injection. In every state, they may only be prescribed and administered by licensed healthcare providers within their scope of practice. The specific scope of practice for nurse practitioners, physician assistants, and registered nurses varies by state. In some states, RNs can administer injectables only under a physician’s direct supervision. In others, NPs and PAs can perform these services independently within their licensed scope.

Consent Forms

Consent forms for medical spa services must be service-specific, must describe the procedure, the alternatives, the expected outcomes, and the specific risks in a way the client can understand, and must be signed before each treatment. A general consent signed once at intake does not satisfy the informed consent requirement for each specific procedure.

Physician Supervision Models

The structure of physician supervision for med spa services is one of the most actively litigated and regulated areas of wellness law. States differ significantly on whether a medical director who reviews protocols monthly meets the supervision standard, or whether more frequent or direct oversight is required. Enforcement is increasing. Getting this structure right requires state-specific legal advice.


Contracts, Waivers and Documentation


Gym Membership Agreements

A gym membership agreement is a consumer contract and in many states is subject to specific statutory requirements that override standard contract terms.

Cancellation Rights

Multiple states give gym members specific statutory cancellation rights that cannot be waived by contract. California, Florida, New York, Virginia, and several other states require gyms to allow cancellation within a defined window of signing, require acceptance of cancellation for certain life events, and restrict the financial consequences of cancellation.

Auto-Renewal Clauses

Auto-renewal provisions in gym membership contracts are regulated in most states with activity in this area. Specific disclosure requirements, required placement of renewal terms, advance notice requirements before renewal, and cancellation mechanism requirements all vary by state. A membership agreement that is compliant in Texas may violate California’s auto-renewal disclosure requirements.

EFT Authorization

Electronic funds transfer authorisation in membership agreements must comply with Regulation E under the Electronic Fund Transfer Act. Clients must affirmatively authorise recurring EFT charges, must receive specific disclosures about the amount and frequency of charges, and must be given rights to revoke authorisation.


Liability Waivers

A liability waiver is one of the most misunderstood documents in the fitness industry. Many gym owners believe that a signed waiver provides complete protection from any injury claim. It does not.

Enforceability

A liability waiver can protect a gym from negligence claims where it is clearly written, conspicuously presented, specifically identifies the risks being waived, and is signed before any injury occurs. Courts have enforced well-drafted waivers in the majority of US states for ordinary negligence claims.

Gross Negligence

A waiver cannot protect a gym from claims arising from gross negligence, recklessness, or intentional misconduct. These include situations where safety equipment was known to be defective, where staff were not trained for the service they provided, or where the business operated a facility it knew to be unsafe.

States Where Waivers Are Less Enforceable

Virginia, Louisiana, and Montana have laws or judicial precedents that significantly limit the enforceability of pre-injury liability waivers. Gyms and wellness studios operating in these states should not rely on waivers as a primary risk management tool.

Minors

A parent or guardian can sign a liability waiver for a minor in some states but not in others. California does not allow parents to waive a minor’s right to sue for negligence in a commercial fitness setting. A minor’s waiver signed by a parent in California is generally not enforceable.


Risk Management and Common Lawsuits


Most Common Lawsuits Against Gyms and Wellness Studios

Slip and Fall

Slip and fall claims represent the most common category of personal injury litigation against fitness facilities. Wet floors near pools, locker rooms, water fountains, and entrance areas are the highest-risk locations. Prevention requires documented inspection protocols, non-slip surfaces in wet areas, appropriate signage, and prompt hazard response.

Equipment Injuries

Free weight injuries, treadmill accidents, and injuries from malfunctioning equipment are a consistent source of claims. Equipment maintenance records, regular safety inspections, and proper onboarding of new members on equipment use are the primary defences.

Burns and Cryotherapy Injuries

Burns from steam rooms, saunas, and heat-based treatments, and cold injuries from cryotherapy, are increasingly common as these services expand into wellness facilities. Proper screening, maximum exposure protocols, and staff monitoring during treatments are the required safety measures.

Sexual Harassment and Misconduct

Claims involving staff-on-client harassment or misconduct in massage and personal training contexts represent a significant litigation category. Robust screening and background checks for all staff with direct client contact, documented harassment policies, transparent reporting mechanisms, and appropriate supervision of solo client interactions are the required risk management measures.

ADA Claims

ADA accessibility lawsuits against gyms and wellness studios have increased significantly. Serial ADA plaintiffs often target businesses with website accessibility failures, parking non-compliance, or facility access barriers. An accessibility audit addressing both physical and digital accessibility is the most effective preventive measure.


Incident Reporting and Documentation

Every wellness facility needs documented incident reporting procedures. When an injury or adverse event occurs, the record created in the next twenty-four hours becomes the foundation of any subsequent legal defence or regulatory response.

An incident report should document the date, time, and location of the incident, the identity of all involved parties including witnesses, a factual description of what occurred without characterising fault, the immediate response provided, and any equipment or conditions involved.

Incident reports should be retained for a minimum of five years, or longer where a claim has been made or is anticipated.


Emergency Preparedness

AED Requirements

Automated external defibrillator requirements for gyms vary by state but the trend has moved strongly toward mandating AED availability. California, New Jersey, New York, Illinois, and several other states require health clubs and fitness facilities to have AEDs on-site and to maintain staff trained in their use. Even in states without a specific requirement, the absence of an AED at a facility where cardiac events are a foreseeable risk creates significant exposure.

CPR Certification

Many states require that a minimum number of staff on duty at all times hold current CPR certification. California, New York, and New Jersey are among the states with specific requirements. Some states require that all personal trainers hold a CPR certification as part of their professional credentials.


Compliance Operations


Standard Operating Procedures Every Wellness Business Needs

A standard operating procedure (SOP) is a documented process that tells your staff exactly how to handle a defined situation. SOPs serve two purposes: they ensure consistent service quality and safe operations, and they demonstrate to regulators and courts that your business runs systematically rather than ad hoc.

Sanitation SOP. Cleaning schedules, approved products, documentation requirements, and escalation procedures for sanitation failures.

Incident SOP. Step-by-step protocol for responding to client injuries, adverse reactions, equipment failures, and facility emergencies.

Consent SOP. Process for ensuring appropriate consent forms are completed before each service, stored correctly, and accessible for review.

Privacy SOP. Procedures for handling client health information, responding to data requests, and managing a data breach.

Hiring SOP. Background check requirements, credential verification, onboarding documentation, and initial training requirements for each staff role.


Staff Training Requirements

A compliance program is only as effective as the staff carrying it out. Required training areas for wellness business staff include:

HIPAA fundamentals where client health data is handled.

OSHA bloodborne pathogen training for all staff with potential exposure risk.

Sexual harassment prevention training, which is specifically required by statute in California, New York, Illinois, Delaware, and several other states.

CPR and AED training for staff on duty.

Emergency procedures specific to the services offered.

Service-specific safety protocols for cryotherapy, IV therapy, sauna, and any other specialised treatment offered.

Training must be documented. A training log recording what was covered, when it was delivered, and which staff completed it is the evidence of compliance if ever needed.


Annual Compliance Audit Framework

A structured annual compliance review keeps your business current with changing requirements and surfaces issues before they become enforcement actions or lawsuits.

Quarterly: Review and update sanitation logs, incident reports, and staff certification records. Audit marketing materials for claims compliance.

Annually: Review all client contracts for compliance with current state law requirements. Review insurance coverage adequacy. Review staff classification. Update employee handbook for new legal requirements. Conduct ADA accessibility audit. Review data privacy practices against current applicable law. Verify all licenses and permits are current. Confirm medical director and supervision agreements are compliant with current state board guidance.


Franchise and Multi-State Operations

Running a wellness business across multiple states multiplies every compliance obligation. A membership agreement that works in Texas needs to be reviewed and modified for California, Florida, and New York. A trainer classification structure compliant in most states may violate California’s AB 5. A medical director oversight model approved by one state’s medical board may not satisfy another’s.

Centralized Marketing Risks

Multi-location wellness businesses that run national marketing campaigns face specific risks around advertising compliance. A weight-loss claim that is adequately substantiated for one service offered at one location may not be substantiated for a different service type at another location. Marketing claims must be reviewed against the services actually available at each location and the evidence available to support each specific claim.

Franchise Compliance Systems

Franchise systems in the wellness industry face a particular challenge: they need to maintain brand-wide compliance standards while adapting to the varying requirements of each state where franchisees operate. A franchise operations manual that does not address state-specific legal requirements creates compliance gaps at every location in a regulated state.


Emerging Compliance Trends for 2026 and Beyond

Biometric Data Regulation

Illinois’ Biometric Information Privacy Act (BIPA) has produced more litigation against wellness businesses than any other privacy law in the country. BIPA requires explicit written consent before collecting biometric identifiers including fingerprints, facial geometry, and retina scans, and prohibits selling or profiting from biometric data. Class action litigation under BIPA has resulted in settlements and judgments in the tens of millions of dollars.

Body composition scanning technology, fingerprint check-in systems, and facial recognition access control all implicate BIPA. Texas and Washington have similar biometric privacy laws. Several other states are considering equivalent legislation.

AI Health Tools and Telehealth

Wellness businesses increasingly use AI-powered apps, chatbots, and digital health tools to engage clients. Where these tools collect health information, provide health recommendations, or support clinical decision-making, they may be subject to FDA oversight as medical devices, HIPAA compliance requirements, and state telehealth regulations.

GLP-1 and Weight Management Programs

The rapid growth of GLP-1 weight management programs in wellness settings is creating a new regulatory category that most state boards are still developing guidance on. Wellness businesses offering GLP-1 medications, peptide therapies, or other prescription compounds as part of their programming need careful legal structuring and ongoing monitoring of state medical board positions.

Longevity and Functional Medicine

The longevity clinic and functional medicine space is attracting increasing regulatory attention as services previously offered only in traditional medical settings move into wellness environments. Businesses offering genetic testing, advanced biomarker analysis, hormone optimisation, or other services associated with longevity medicine need structures that comply with both medical practice regulations and FDA requirements for laboratory services.


Frequently Asked Questions

Q: Does HIPAA apply to my gym?

HIPAA applies if your gym is a covered entity or business associate under the law. Most straightforward gyms that collect only membership and payment information are not covered entities. However, if you offer services involving health assessments, telehealth, IV therapy, or partnerships with licensed healthcare providers that involve sharing client health information, HIPAA compliance becomes relevant. When in doubt, a brief consultation with a healthcare lawyer clarifies your specific obligations.

Q: Do I need a liability waiver at my gym?

Yes, and it needs to be drafted carefully. A properly written, conspicuously presented liability waiver protects your business from ordinary negligence claims in most US states. It does not protect you from claims involving gross negligence, reckless conduct, or intentional harm. State law varies on enforceability, and waivers for minors require specific attention. A generic online waiver template is not an adequate substitute for a waiver drafted for your specific services and jurisdiction.

Q: What happens if I classify my trainers as independent contractors when they should be employees?

You face exposure to back payroll taxes, interest and penalties from the IRS and state tax authorities, liability for unpaid overtime, and potential class action claims from affected trainers. In California, the penalties under the labor code for misclassification are particularly significant. The cost of resolving a misclassification audit consistently exceeds the cost of classifying workers correctly from the beginning.

Q: Can a non-physician own a medical spa?

This depends entirely on the state and the specific services offered. Many states enforce the Corporate Practice of Medicine doctrine, which prohibits non-physicians from owning practices that provide medical services. In states with strict CPOM enforcement, a non-physician can own the management company but not the medical practice entity. In states with more permissive rules, non-physician ownership with appropriate physician supervision structures may be permitted. Getting this wrong can result in the business being ordered to shut down.

Q: Is my IV therapy setup legally compliant?

IV therapy compliance requires a physician order, appropriate clinical supervision, administration by a licensed provider, and documented client screening. The specific requirements vary by state. Wellness IV operations that lack genuine physician oversight are among the most common targets of state medical board enforcement actions. If your IV therapy model does not involve a physician who genuinely knows each client’s medical history and has issued a specific or properly structured standing order, your setup likely has compliance gaps.

Q: Do I need a music license for my fitness studio?

Yes, if you play music in your studio. Playing music commercially without licenses from the relevant performance rights organisations is copyright infringement. You need licenses from ASCAP, BMI, and SESAC because different music is covered by different organisations. Streaming services like Spotify do not cover commercial public performance.

Q: What ADA requirements apply to my gym website?

Your gym website is considered a place of public accommodation under Title III of the ADA, based on DOJ guidance confirmed in 2024. WCAG 2.1 Level AA is the standard most courts have applied. A website that is not navigable by screen reader users or keyboard-only users is potentially non-compliant. ADA website accessibility lawsuits against fitness businesses have increased significantly and can be filed without prior notice.

Q: What is the difference between a med spa and a regular spa for compliance purposes?

A regular spa offering only services such as massages, facials, and body treatments using non-prescription products is regulated primarily as a personal care or cosmetology business. A medical spa offering injectables, laser treatments, IV therapy, prescription skincare, or any service constituting the practice of medicine is regulated as a medical business, requiring physician involvement, medical director agreements, appropriate practitioner licensure, and compliance with medical practice regulations in addition to standard spa licensing. The distinction matters significantly for ownership structure, insurance, and liability.

Q: Can a personal trainer be held liable for a client’s injury?

Yes. A personal trainer can be held personally liable for negligence resulting in client injury, and the gym that employed or contracted them may share that liability. The primary protections are appropriate professional liability insurance, training credentials from a nationally recognised certifying body, detailed client screening protocols, and documented informed consent for training programs involving risk. Trainers who certify or recommend services outside their competence face heightened liability.

Q: How often should I update my gym’s compliance program?

At minimum annually as part of a formal compliance review. Additionally, any time you add a new service, hire a new category of staff, or expand to a new state, you should conduct a compliance review specific to that change. Regulatory changes including new state laws, updated agency guidance, and new federal requirements create ongoing obligations to update policies and procedures. A structured quarterly review with an annual comprehensive audit is the recommended approach.


Get Legal Help for Your Wellness Business

Legal compliance for gyms, wellness studios, and recovery spas is genuinely complex, and it changes frequently. State laws shift, new services create new regulatory questions, and enforcement activity across federal and state agencies continues to increase.

My Legal Pal works with fitness and wellness businesses at every stage, from pre-opening structure and licensing through operational compliance, contract review, and employment matters. Our lawyers understand the specific regulatory environment that wellness businesses operate in, and we provide practical, plain-language advice that helps you run your business confidently.

Whether you need a membership agreement reviewed for state compliance, a medical director structure assessed, employment classification analysed, or a full compliance audit conducted, we can help.

Visit MyLegalPal.com to speak to a business lawyer and get your legal documents drafted for gyms and wellness studios.

My Legal Pal. Making Legal Simple.


About This Guide

This guide was prepared by the legal team at My Legal Pal and reflects federal and state regulations applicable to gym, wellness studio, and recovery spa businesses as of early 2026. Law in this area changes frequently and varies significantly by state. This guide is for informational purposes only and does not constitute legal advice. Always consult a qualified lawyer for advice specific to your business, services, location, and circumstances.
