Incident reporting for CQC-regulated providers

The legal anchor is Regulation 12 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: care and treatment must be provided in a safe way for service users. Regulation 12 is not prescriptive about an incident-reporting format. The standard CQC tests it during inspection: are risks assessed, are problems identified early, are investigations proportionate, is learning shared and acted on, and does the same problem keep recurring because the loop closed in form but not in substance.

For private episodes, incident reporting sits primarily under Reg 12, Reg 17 (good governance), Reg 20 (duty of candour) where the moderate-harm-or-above threshold is met, and Reg 18 of the Care Quality Commission (Registration) Regulations 2009 for notifications. For NHS-funded episodes, the Learn From Patient Safety Events service (LFPSE) reporting and, where in scope, the Patient Safety Incident Response Framework (PSIRF) layer on top. Verivius distinguishes funding source at record level so the right reporting obligations apply per episode rather than per tenant.

Across the inspection portfolio Klaudiusz worked over thirteen years inside CQC, the gap was rarely the initial write-up. The team writes the incident up the same day or the next morning, captures who was present, describes what happened. The gap appears two to four weeks later in the closure loop.

One: the cause section gets thinner than the event section.The team is good at recording what happened. They are less consistent at recording what actually caused it. Cause analysis becomes a one-line entry (“staff workload pressure” or “communication gap”) rather than the specific chain of events that an inspector can read against the action plan. Without the specific cause, the action plan cannot target it, and the same incident class recurs.

Two: actions get listed but never closed. The investigation produces three to five recommended actions. They go into a meeting minutes paragraph or a separate document outside the platform. Six months later, the inspector asks what changed. The team can recall some of the actions but not which were completed and when. The incident lifecycle and the action lifecycle need to be linked end-to-end so closure is automatic, not chased.

Three: the duty of candour link is implicit rather than explicit.The team has the harm-classification conversation, the verbal apology happens, the written follow-up letter is sent. None of those three steps are recorded against the source incident in a way an inspector can trace. When the inspector reads the duty of candour records and the incident records side by side, the absence of a clear link reads as “the team did the right thing but does not know they did”.

The standard CQC sample is five to ten incidents, stratified by severity and chosen non-randomly. The inspector reads three things from each record: the initial write-up, the closure paragraph, and the linked evidence (investigation notes, action plan with owners, duty of candour records where relevant, the change to practice that followed).

The reading test is not whether each record is perfect. It is whether the records together describe a service that is paying attention. Patterns of incidents that close cleanly with specific actions are good evidence. Patterns that close on the same boilerplate (“raised at team meeting, staff reminded”) are evidence of a closure ritual rather than a learning system.

Inspectors also cross-reference. If five incidents in three months mention the same theme (medication administration, communication at handover, equipment availability), the inspector asks what the team did at the aggregate level: was there a trend review, did the quarterly audit pick it up, did the governance meeting discuss it. The absence of an aggregate response to a visible pattern is a Reg 17 well-led concern that lands harder than any single incident finding.

For moderate-harm-or-above incidents, the inspector also reads the duty of candour trail. The expectation under Reg 20 is that the patient or family was told what happened, the apology was given, the written follow-up arrived, and any interim updates between verbal and written stages were recorded. Reg 20 is one of the highest-frequency findings on private hospital inspections because the records exist but the trail is fragmented across letters, emails, and meeting minutes rather than sitting against the source incident.

Verivius runs incidents as a closed lifecycle: log, triage, investigate, close. Each step writes one row to the audit trail. Recommended actions spawn improvement actions linked back to the source incident so closure evidence is automatic. The duty of candour assessment is prompted at log-time if the harm classification crosses the Reg 20 threshold, and the verbal and written notification records sit against the source incident rather than in a separate folder. Statutory notification triggers fire from the same record. Aggregate views show theme patterns across the last quarter so the well-led response to a recurring pattern is visible without a separate audit. For the full feature walk-through see what Verivius actually does.

See also the Day-to-day use section on the FAQ for the short answers across every lifecycle.