How long do you actually have to notify CQC?

CQC notification duties for a registered provider in England sit in a small number of named places. Each one has its own scope, its own wording, and its own timing language. They do not all agree on style.

In rough order of how often they apply to the average independent provider:

• The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 18. This is the long-form list of what to notify, covering things like death of a service user, abuse or allegation of abuse, a police investigation involving the service, and so on. Read it.
• The Care Quality Commission (Registration) Regulations 2009. A separate set covering events around the registration itself, changes to the registered manager, changes to the regulated activities, that sort of thing.
• Regulation 20, Duty of Candour. Separate again. This one is not a notification to CQC; it is a duty to the relevant person (the patient or their representative) when something goes wrong. The two duties, Reg 18 to CQC and Reg 20 to the patient, are commonly conflated. They are not the same.
• Sector-specific duties. Depending on what you do, you may also be reporting to other regulators or under other statutes: RIDDOR for some workplace events, ICO for some data breaches, local authority for safeguarding, NHS England under contract terms if you hold one, the General Dental Council, the General Medical Council, the Health and Safety Executive, and so on. Each has its own deadline language.

What you will notice if you read them is that the wording is rarely "within X working days". More often it is "without delay", "as soon as reasonably practicable", or "no later than [a defined trigger plus a defined period]". The legalese exists because reality is messier than fixed deadlines suggest.

The language matters. "Without delay" is not the same as "within 24 hours". A consultancy that tells you you have 24 hours when the regulation says "without delay" has substituted a number for a judgment. The number is easier to operationalise, but it is not what the duty says, and if you get challenged on it during an inspection your defence is the regulation, not the consultancy's leaflet.

The trigger matters too. Most duties start running from a specific event such as the death of a service user, an allegation of abuse becoming known, or a serious injury occurring. That trigger language is precise. Whether your duty has actually started running often depends on what you knew and when, and this is where most arguments happen.

And the worst answer is the wrong answer arriving on time. I have seen providers race to notify within a folklore deadline using a category that did not match the actual incident. The result was a notification that satisfied a deadline that did not exist and did not properly satisfy the duty that did. Better to take the extra hour, read the regulation, and notify accurately than to send the wrong notification on time.

I am not going to give you a table of deadlines in this article. I would not trust the table when I wrote it, and I would not trust it six months later when the regulation changed underneath it.

What I would offer instead is a reading habit:

1. When something happens, name it before you act on it. "A patient fell" is not yet a notifiable category. Look at what the regulation actually says. "Death of a service user", "serious injury", "abuse or alleged abuse", the categories are precise. Match your event to the right category first.
2. Find the wording for that category in the regulation itself. Not in a consultancy slide. Not in a checklist. The regulation. Reg 18 is not long; you can read it in five minutes.
3. Read the timing language carefully.Notice whether it says "without delay", "as soon as reasonably practicable", or specifies a period from a defined trigger.
4. If you need a working deadline for your internal process, give yourself a number that is tighter than what the duty allows. Treat your own internal deadline as a service-level decision, not a regulatory one. Verivius defaults are usually tighter than the regulator's wording, deliberately.
5. Keep the citation, not the paraphrase. If you write internal policy on a notification duty, include the regulation reference. Six months from now, when the policy is being followed by someone who was not in the room when you wrote it, they need the citation.

This is the question I think about more than any other in this product.

Regulations change. Guidance changes. Consultancies move on. Inspectors change roles. The only thing that stays put is the source text, and even the source text is amended.

If your governance posture is "we follow what our consultancy told us in 2024", you are exposed every time something material changes. If your governance posture is "we know where the duty lives and we check the wording before we act", you are durably correct. The first posture looks the same as the second on a good day. They diverge on the day something goes wrong.

The product I am building is a way to keep the source text close at hand so that the second posture is the cheaper one. Verivius does not paraphrase regulatory deadlines. It reproduces them verbatim with the citation and shows you the relevant Reg 18 paragraph the moment an incident enters that category. That is a small technical choice with a large practical effect.

But the platform is downstream of the habit. The habit is the thing. Read the regulation before you act on it. Cite the regulation when you write about it. Trust the citation, not the folklore.