1. What the regulation says
Care and treatment must be provided in a safe way for service users.
assessing the risks to the health and safety of service users of receiving the care or treatment … doing all that is reasonably practicable to mitigate any such risks.
the proper and safe management of medicines.
assessing the risk of, and preventing, detecting and controlling the spread of, infections, including those that are health care associated.
The full text of the regulation is at https://www.legislation.gov.uk/uksi/2014/2936/regulation/12. Where this policy and the regulation diverge, the regulation wins.
2. Plain British summary
Care and treatment must be provided in a safe way. The regulation lists nine things you have to do: assess risks, mitigate them, ensure staff competence, ensure premises and equipment are safe and used safely, supply equipment and medicines in sufficient quantities, manage medicines safely, control infection, and work with anyone else who shares responsibility for the service user's care. Reg 12 is one of the most-cited regulations in CQC enforcement action.
3. Scope
This policy applies to all employees, contractors, and external parties who deliver, support, or oversee regulated care or treatment at any location operated by . It covers every regulated activity the provider is registered for, every patient pathway from first contact to discharge, and every clinical and clinical-adjacent environment (consulting rooms, theatres, wards, recovery, mobile and home-based delivery, telephone and video consultations).
(Tenant updates the angle-bracket placeholder and confirms the location and activity coverage.)
4. Roles and responsibilities
- Registered Manager: accountable for Reg 12 compliance across every site. Reviews the risk register monthly, signs off the assurance calendar against the Reg 12 elements (medication audits, equipment checks, infection prevention audits), and reviews every incident at moderate harm or above for the Reg 12 sub-causes.
- Nominated Individual: holds provider-side accountability for Reg 12 across all locations. Reads the quarterly Reg 12 dashboard at the governance meeting.
- Clinical Lead: accountable for the clinical-care component of Reg 12: assessing risks at the patient level, ensuring the team uses the equipment safely, ensuring medicines are managed per the medicines policy. Signs off any clinical-pathway change for Reg 12 implications.
- Infection Prevention and Control Lead (named individual): accountable for the infection-control element of Reg 12 per the IPC Code of Practice. Coordinates the annual IPC audit and surfaces any outbreak to the Registered Manager within 24 hours.
- Medicines Lead (where applicable): accountable for the safe-management-of-medicines element, including controlled-drugs governance where in scope.
- All staff: apply the procedure below, log any near miss or incident affecting safety the same working day, and escalate concerns immediately where harm has occurred or is likely.
(Tenant updates the named role-holders to fit their organisation.)
5. Procedure
The Reg 12 procedure operationalises the nine elements of Reg 12(2) across the patient pathway.
- Per-patient risk assessment. At first contact, the clinician completes a risk assessment proportionate to the service. The assessment records foreseeable risks (clinical, equipment, medicines, infection, environment), the mitigation in place, and any handover points where additional risk may arise.
- Mitigation in the care plan. The mitigations identified at assessment are recorded in the care plan and shared with every team member involved in the patient's care.
- Equipment safety. Every piece of clinical equipment used in regulated activity is on the equipment register, has a current service or calibration record, and a daily or per-use check is logged where required (resuscitation equipment, anaesthetic machines, point-of-care testing devices, sterilisation equipment, controlled-drugs cabinets).
- Medicines management. Medicines are obtained, stored, prepared, administered, recorded, and disposed of per the medicines policy. Controlled drugs follow the additional governance routine (named accountable officer, two-signature handling, register reconciliation, expiry checks). Medicines-related incidents are logged the same day.
- Infection prevention. Hand hygiene, PPE, decontamination, environmental cleaning, sharps handling, and waste segregation operate per the IPC policy. The IPC Lead surfaces any breach pattern at the monthly governance meeting.
- Incident recording. Every patient-safety event (incident, near miss, no-harm event) is logged the same working day. The lifecycle then runs through investigation to closure with action, per the incident reporting policy.
- Shared-care handover. Where care is shared with another provider (a GP, a community team, a private referrer, an NHS trust), handover communication is documented and the receiving party's acceptance is recorded.
- Duty of candour trigger. Any patient-safety incident meeting the moderate-harm threshold opens a duty-of-candour record per the Reg 20 policy. The verbal-then-written notification trail is preserved on the source incident.
- Statutory notification trigger. Any patient-safety event meeting a Reg 18 (Registration Regulations) notification trigger spawns a notification record per the CQC statutory notifications policy. The notification is filed within the operational SLA.
- Periodic learning review. Aggregate patterns across incidents and near misses are reviewed quarterly at the clinical governance meeting. Learning that warrants a change to practice produces improvement actions; the actions are tracked to completion with evidence.
6. Training requirement
All clinical staff in scope complete the following at induction and on the cadence noted:
- Mandatory infection prevention and control training, annually.
- Resuscitation training (BLS, ILS, or ALS depending on role), annually for BLS, at the professional-regulator cadence for ILS or ALS.
- Medicines management training where the role involves administration, annually.
- Sepsis recognition (where in scope), annually.
- Safeguarding (adults and children), at the level the role requires, every three years minimum.
- Mental Capacity Act awareness, every three years for clinical roles.
Non-clinical staff complete the basic Reg 12 awareness module at induction.
Training records are held in the tenant's training matrix register and surfaced on the assurance calendar as renewals fall due. (Tenant adjusts the topic list to match the service shape.)
7. Audit
Compliance with this policy is monitored by the Registered Manager and the Clinical Lead jointly, on the following cadence:
- Quarterly file audit: random sample of 5 to 10 patient records reviewed against the per-patient risk assessment and care-plan-mitigation requirements.
- Monthly equipment register review: every entry's service or calibration date checked against the next-due date.
- Quarterly medicines audit: stock reconciliation, controlled-drugs register check, expiry audit.
- Annual infection prevention and control audit: against the IPC Code of Practice criteria, using the IPC audit tool the IPC Lead nominates.
- Quarterly incident-pattern review: aggregate incident themes against the Reg 12 elements.
Audit findings are recorded in the tenant's audit register, presented at the monthly clinical governance meeting, and any actions are logged in the improvement-actions register.
8. Record-keeping
Records this policy generates (per-patient risk assessments, equipment service records, medicines audits, infection-prevention audits, incident records, duty-of-candour records, statutory notifications, improvement actions) are held in the tenant's clinical and governance systems for a minimum of 8 years from the date of the last entry in the record (per the NHS Code of Practice on Records Management for adult records; longer for children's records, mental health records, and certain other categories per the same Code).
For controlled-drugs registers, the statutory minimum retention is 2 years from the date of the last entry per the Misuse of Drugs (Safe Custody) Regulations; most providers retain for 7 years aligned with clinical-record retention.
The Verivius platform records the per-record audit trail indefinitely while the workspace is active; on cancellation, the export pathway preserves the record set.
9. Related policies in this pack
- General Requirements Policy (
hscra-reg-8-general) - Person-Centred Care Policy (
hscra-reg-9-person-centred-care) - Consent Policy (
hscra-reg-11-consent) - Provider Responsibility Policy (
hscra-reg-4-provider-responsibility) - Infection Prevention and Control Policy (
ipc-code-of-practice) - Medicines and Controlled Drugs Policy (
medicines-and-controlled-drugs) - Duty of Candour Policy (
hscra-reg-20-duty-of-candour)
10. Document control
| Version | Date | Author | Changes |
|---|---|---|---|
| v1 | 2026-05-19 | Verivius (sample) | Initial sample template. |
| v1.1 | 2026-06-01 | Verivius (sample) | Filled out Sections 3 to 8 with concrete content. Section 5 procedure expanded from a placeholder to a 10-step Reg 12(2) flow tied to the incident, duty-of-candour, and statutory-notification lifecycles. Section 6 names the typical training topics and cadences. Section 7 names the audit cadence and methods. Section 8 references the NHS Code of Practice retention guidance and the Misuse of Drugs (Safe Custody) Regulations CD-register minimum. |
This sample policy template was issued by Verivius as part of the Mock Inspection design partner onboarding pack. It is a template, not a substitute for legal advice or the tenant's own policy-development process. Where this template and the live regulation diverge, the live regulation wins.