Compliance

Compliance built into the workflow.
Not retrofitted onto it.

Most practices treat compliance as documentation after the fact — forms filled, charts signed, audits survived. Montego encodes supervision, delegation, consent, scope of practice, and audit requirements into every action, so violations are prevented before they happen, not discovered in a review.

100%
Audit coverage
SOC 2
Certification
CA · FL · TX
States today
100%
PHI access logged
The regulatory landscape

Four frameworks. One action satisfies all of them.

Compliance in aesthetic medicine spans federal privacy law, state supervision and delegation rules, standard-of-care obligations, and state-level data privacy requirements. Because Montego is built on a single patient record, one documented action — a good-faith exam, a signed consent, a logged chart access — can satisfy several frameworks at once. Select an action to see how.

Pick an action inside Montego

One action satisfies 3 of 4 frameworks at once.

State supervision laws

Supervision, delegation, and scope of practice rules enforced by each state's medical board.

Satisfied
HIPAA

Federal privacy, security, and breach notification for protected health information.

Satisfied
Standard of care

Good-faith exam, informed consent, and clinical documentation requirements.

Satisfied
State privacy laws

Consumer data rights, disclosure obligations, and opt-out requirements across states.

Live in CA, FL & TX — building toward all 50

Built to the strictest state standard, configurable for the rest.

"State-native compliance: built for each state we enter, benchmarked to California — one of the most regulated environments in aesthetic medicine."

Montego operates in California, Florida, and Texas today, with a roadmap to all 50 states. It adapts supervision, delegation, consent, documentation, scope of practice, and audit requirements to each state we enter. Select a state to see how it works.

The benchmark

California

The strictest regulatory environment in aesthetic medicine — and the standard Montego is built to. Configure for California and you are ready almost anywhere.

Workflow example

A new injectable patient cannot be charted until a good-faith exam is documented and a supervising physician is on the standing order — Montego checks both before the visit can proceed.

Supervision & delegationAB 2236 supervision and delegation enforced; delegated treatments require a standing order and a supervising physician on file.
Good-faith examA documented good-faith exam by a physician, NP, or PA is required before treatment — charting is blocked until it exists.
Scope of practiceActions mapped to Medical Board of California scope rules; out-of-scope actions are blocked, not merely flagged.
ConsentVersioned, procedure-specific consent captured and linked before treatment proceeds.
Documentation & retentionRecords retained to California medical-record standards with complete version history.
Data privacyCCPA / CPRA consumer-data rights and disclosure handled on every patient record.
Audit trailEvery clinical action logged, timestamped, and attributable to a named user.
Montego configures to current state requirements and gives you the documentation to prove it — it supports your compliance program, it doesn’t replace your legal counsel.
How Montego is built for it

Compliance you don't have to think about.

The platform prevents failures before they happen. Choose a scenario to see the difference between hoping for compliance and enforcing it.

Without Montego

The note saves anyway — the gap only surfaces in an audit months later.

Audit gap · Documentation failure
With Montego

Charting is blocked until a documented good-faith exam is on file.

Blocked at charting
Compliance metrics

Numbers that represent real evidence.

Not vanity statistics — each figure maps to documentation, consent, and access events captured automatically.

Audit coverage100%

Of clinical actions logged and attributable

Required documentation100%

Charts blocked until the required exam and fields are on file

Consent capture100%

Procedures with versioned consent on file

Access events logged100%

Reads and writes with a full audit trail

Security vs compliance

Compliance is the obligation. Security is the protection.

This page covers how your practice meets its regulatory obligations — supervision, consent, scope, and state rules. How your patient data is technically protected — encryption, access control, audit logging, and data residency — lives in its own technical reference.

Compliance — this page

Supervision, delegation, scope of practice, consent, documentation, and per-state requirements — enforced inside the workflow and included on every plan.

Security — the technical reference

Encryption, role-based access, audit logging, data residency, and BAA-covered infrastructure — the documentation your security team needs.

Compliance workflows

Every step creates an audit trail.

Compliance is not a page in the product — it runs through every workflow, from intake to retention.

Patient intake
Consent collection
Photo documentation
Charting
Treatment execution
Follow-up
Billing
Record retention
Each step is logged, attributable, and retained to your state's standard.
Manual vs Montego

The difference is operational, not aspirational.

Managed by hand
Good-faith examTracked on paper or skipped
Scope of practiceRelies on staff memory
ConsentLoose forms, hard to match
Audit trailReconstructed under pressure
Access to PHIBroad, rarely reviewed
Gaps surface in audits and complaints — not in the workflow.
On Montego
Good-faith examEnforced before charting
Scope of practiceBlocked by role automatically
ConsentVersioned, timestamped, linked
Audit trailComplete and attributable
Access to PHILeast-privilege, fully logged
Continuous, attributable audit trail across every action.
Audit trail100%Of clinical actions logged and attributable.
CertificationSOC 2Type II, audited annually by an independent firm.
CoverageCA · FL · TXStates live today, with a configurable framework built to expand to all 50.
HIPAASOC 2 Type IIState board rulesState privacy laws

Stop managing compliance manually.

See how Montego operationalizes it into the software — across every state you operate in.