Regulation 12: Safe care and treatment

The headline duty in Reg 12(1) is short: care and treatment must be provided in a safe way for service users. The operational weight sits in Reg 12(2), which lists nine specific things the provider must do to meet that duty: assess the risks of the care or treatment, do all that is reasonably practicable to mitigate them, ensure the people delivering the care are competent, ensure premises and equipment are safe and used safely, supply equipment and medicines in sufficient quantities, manage medicines safely, prevent and control infection (including healthcare-associated infection), work effectively with other providers sharing responsibility for the service user, and ensure relevant information is shared in a timely way with the people who need it.

Reg 12 sits underneath both private-funded and NHS-funded work; for NHS-funded episodes the Learn From Patient Safety Events service (LFPSE) and, where in scope, the Patient Safety Incident Response Framework (PSIRF) layer additional reporting obligations on top. The provider keeps the Reg 12 evidence trail underneath both.

CQC inspects Reg 12 across two surfaces. The first is the systems-level evidence: written risk assessments, standard operating procedures for the high-risk parts of the service, equipment registers, medicines management standard operating procedures, infection prevention and control policy, training records. The second is the day-to-day record sample: the inspector samples five to ten recent incidents, complaints, or safeguarding concerns and tests whether the Reg 12 response (investigation, learning, change to practice, evidence of change) actually happened on each one.

The standard is not perfection; the standard is a visible system. Inspectors expect to see that risks are recognised, mitigations are operating, and the team learns from the events that do happen. A service with zero incidents in the trailing year is read as a recording failure, not as a safe service. A service with incidents that have produced visible change is read as functioning Reg 12 compliance.

Across thirteen years of CQC inspections, the Reg 12 gap was rarely the initial write-up. The team almost always logs the incident promptly and captures the facts. The gap appears two to four weeks later, in the closure loop. The most common patterns: incidents closed as “no further action required” with no reasoning; improvement actions opened but never completed; generic learning (“remind staff to be more careful”) that does not name a specific change; the duty-of-candour conversation recorded but the written follow-up never sent; the statutory notification trigger missed because the recognition step did not run at log-time. Each pattern is a Reg 12 finding in itself; an aggregate pattern across many closed incidents is a well-led culture finding that flows through to the rating. The services that come out of inspection compliant on Reg 12 are the ones whose incident logs read as evidence of a service that learns from what goes wrong.

Verivius drives this regulation through the incident-reporting lifecycle and the clinical-audit cycle. Every incident is checked at log-time against the Reg 18 notification triggers and the Reg 20 duty-of-candour threshold; investigation work runs through to closure with action; the action plan tracks to completion with evidence. The audit trail at inspection shows the chain from source event to closure to change-to-practice.

Sample policy template: Reg 12 Safe care and treatment. Companion lifecycle marketing pages: incident reporting and duty of candour.