Regulation 17: Good governance

Page last updated: 9 July 2024
Categories
Organisations we regulate

Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation 17

The intention of this regulation is to make sure that providers have systems and processes that ensure that they are able to meet other requirements in this part of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (Regulations 4 to 20A). To meet this regulation; providers must have effective governance, including assurance and auditing systems or processes. These must assess, monitor and drive improvement in the quality and safety of the services provided, including the quality of the experience for people using the service. The systems and processes must also assess, monitor and mitigate any risks relating the health, safety and welfare of people using services and others. Providers must continually evaluate and seek to improve their governance and auditing practice.

In addition, providers must securely maintain accurate, complete and detailed records in respect of each person using the service and records relating to the employment of staff and the overall management of the regulated activity.

As part of their governance, providers must seek and act on feedback from people using the service, those acting on their behalf, staff and other stakeholders, so that they can continually evaluate the service and drive improvement.

When requested, providers must provide a written report to CQC setting out how they assess, monitor, and where required, improve the quality and safety of their services.

CQC can prosecute for a breach of part of this regulation (17(3)) if a provider fails to submit such a report when requested. CQC may consider that this failure could prevent the provider from taking appropriate, timely action. CQC could therefore move directly to prosecution for a breach of this part of the regulation without first serving a Warning Notice.

Regulatory action can be taken for other parts of the regulation. See the offences section for more detail.

CQC must refuse registration if providers cannot satisfy us that they can and will continue to comply with this regulation.

The regulation in full

17.—

  1. Systems or processes must be established and operated effectively to ensure compliance with the requirements in this Part.
  2. Without limiting paragraph (1), such systems or processes must enable the registered person, in particular, to—
    1. assess, monitor and improve the quality and safety of the services provided in the carrying on of the regulated activity (including the quality of the experience of service users in receiving those services);
    2. assess, monitor and mitigate the risks relating to the health, safety and welfare of service users and others who may be at risk which arise from the carrying on of the regulated activity;
    3. maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided;
    4. maintain securely such other records as are necessary to be kept in relation to—
      1. persons employed in the carrying on of the regulated activity, and
      2. the management of the regulated activity;
    5. seek and act on feedback from relevant persons and other persons on the services provided in the carrying on of the regulated activity, for the purposes of continually evaluating and improving such services;
    6. evaluate and improve their practice in respect of the processing of the information referred to in sub-paragraphs (a) to (e).
  3. The registered person must send to the Commission, when requested to do so and by no later than 28 days beginning on the day after receipt of the request—
    1. a written report setting out how, and the extent to which, in the opinion of the registered person, the requirements of paragraph (2)(a) and (b) are being complied with, and
    2. any plans that the registered person has for improving the standard of the services provided to service users with a view to ensuring their health and welfare.

Guidance

This sets out the guidance providers must have regard to against the relevant component of the regulation.

17(1) Systems or processes must be established and operated effectively to ensure compliance with the requirements in this Part.

Guidance on 17(1)

  • Providers must operate effective systems and processes to make sure they assess and monitor their service against Regulations 4 to 20A of Part 3 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (as amended). The provider must have a process in place to make sure this happens at all times and in response to the changing needs of people who use the service.
  • The system must include scrutiny and overall responsibility at board level or equivalent.

17(2) Without limiting paragraph (1), such systems or processes must enable the registered person, in particular, to—

17(2)(a) assess, monitor and improve the quality and safety of the services provided in the carrying on of the regulated activity (including the quality of the experience of service users in receiving those services);

Guidance on 17(2)(a)

  • Providers must have systems and processes such as regular audits of the service provided and must assess, monitor and improve the quality and safety of the service. The audits should be baselined against Regulations 4 to 20A of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and should, where possible, include the experiences people who use the service. The systems and processes should be continually reviewed to make sure they remain fit for purpose. Fit for purpose means that:
    • systems and processes enable the provider to identify where quality and/or safety are being compromised and to respond appropriately and without delay.
    • providers have access to all necessary information.
  • Information should be up to date, accurate and properly analysed and reviewed by people with the appropriate skills and competence to understand its significance. When required, results should be escalated and appropriate action taken.
  • Providers should have effective communication systems to ensure that people who use the service, those who need to know within the service and, where appropriate, those external to the service, know the results of reviews about the quality and safety of the service and any actions required following the review.
  • Providers should actively seek the views of a wide range of stakeholders, including people who use the service, staff, visiting professionals, professional bodies, commissioners, local groups, members of the public and other bodies, about their experience of, and the quality of care and treatment delivered by the service. Providers must be able to show how they have:
    • analysed and responded to the information gathered, including taking action to address issues where they are raised, and
    • used the information to make improvements and demonstrate that they have been made
  • Providers must seek professional/expert advice as needed and without delay to help them to identify and make improvements.
  • Providers must monitor progress against plans to improve the quality and safety of services, and take appropriate action without delay where progress is not achieved as expected.
  • Subject to statutory consent and applicable confidentiality requirements, providers must share relevant information, such as information about incidents or risks, with other relevant individuals or bodies. These bodies include safeguarding boards, coroners, and regulators. Where they identify that improvements are needed these must be made without delay.
  • Providers should read and implement relevant nationally recognised guidance and be aware that quality and safety standards change over time when new practices are introduced, or because of technological development or other factors.

17(2)(b) assess, monitor and mitigate the risks relating to the health, safety and welfare of service users and others who may be at risk which arise from the carrying on of the regulated activity;

Guidance on 17(2)(b)

  • Providers must have systems and processes that enable them to identify and assess risks to the health, safety and/or welfare of people who use the service.
  • Where risks are identified, providers must introduce measures to reduce or remove the risks within a timescale that reflects the level of risk and impact on people using the service.
  • Providers must have processes to minimise the likelihood of risks and to minimise the impact of risks on people who use services.
  • Risks to the health, safety and/or welfare of people who use services must be escalated within the organisation or to a relevant external body as appropriate.
    Identified risks to people who use services and others must be continually monitored and appropriate action taken where a risk has increased.

Note: In this regulation, 'others' includes anyone who may be put at risk through the carrying on of a regulated activity, such as staff, visitors, tradespeople or students.

17(2)(c) maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided;

Guidance on 17(2)(c)

  • Records relating to the care and treatment of each person using the service must be kept and be fit for purpose. Fit for purpose means they must:
    • Be complete, legible, indelible, accurate and up to date, with no undue delays in adding and filing information, as far as is reasonable. This includes results of diagnostic tests, correspondence and changes to care plans following medical advice.
    • Include an accurate record of all decisions taken in relation to care and treatment and make reference to discussions with people who use the service, their carers and those lawfully acting on their behalf. This includes consent records and advance decisions to refuse treatment. Consent records include when consent changes, why the person changed consent and alternatives offered.
    • Be accessible to authorised people as necessary in order to deliver people's care and treatment in a way that meets their needs and keeps them safe. This applies both internally and externally to other organisations.
    • Be created, amended, stored and destroyed in line with current legislation and nationally recognised guidance.
    • Be kept secure at all times and only accessed, amended, or securely destroyed by authorised people.
  • Both paper and electronic records can be held securely providing they meet the requirements of the Data Protection Act 2018.
  • Decisions made on behalf of a person who lacks capacity must be recorded and provide evidence that these have been taken in line with the requirements of the Mental Capacity Act 2005 or, where relevant, the Mental Health Act 1983, and their associated Codes of Practice.
  • Information in all formats must be managed in line with current legislation and guidance.
  • Systems and processes must support the confidentiality of people using the service and not contravene the Data Protection Act 2018.

17(2)(d) maintain securely such other records as are necessary to be kept in relation to—

(i) persons employed in the carrying on of the regulated activity, and

(ii) the management of the regulated activity;

Guidance on 17(2)(d)

  • Records relating to people employed and the management of regulated activities must be created, amended, stored and destroyed in accordance with current legislation and guidance.
  • Records relating to people employed must include information relevant to their employment in the role including information relating to the requirements under Regulations 4 to 7 and Regulation 19 of this part (part 3) of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. This applies to all staff, not just newly appointed staff. Providers must observe data protection legislation about the retention of confidential personal information.
  • Records relating to the management of regulated activities means anything relevant to the planning and delivery of care and treatment. This may include governance arrangements such as policies and procedures, service and maintenance records, audits and reviews, purchasing, action plans in response to risk and incidents.
  • Records must be kept secure at all times and only accessed, amended or destroyed by people who are authorised to do so.
  • Information in all formats must be managed in line with current legislation and guidance.
  • Systems and processes must support the confidentiality of people using the service and not contravene the Data Protection Act 2018.

17(2)(e) seek and act on feedback from relevant persons and other persons on the services provided in the carrying on of the regulated activity, for the purposes of continually evaluating and improving such services;

Guidance on 17(2)(e)

  • Providers should actively encourage feedback about the quality of care and overall involvement with them. The feedback may be informal or formal, written or verbal. It may be from people using the service, those lawfully acting on their behalf, their carers and others such as staff or other relevant bodies.
  • All feedback should be listened to, recorded and responded to as appropriate. It should be analysed and used to drive improvements to the quality and safety of services and the experience of engaging with the provider.
  • Improvements should be made without delay once they are identified, and the provider should have systems in place to communicate how feedback has led to improvements.
  • Where relevant, the provider should also seek and act on the views of external bodies such as fire, environmental health, royal colleges and other bodies who provide best practice guidance relevant to the service provided.

17(2)(f) evaluate and improve their practice in respect of the processing of the information referred to in sub-paragraphs (a) to (e).

Guidance on 17(2)(f)

  • Providers must ensure that their audit and governance systems remain effective.

17(3) The registered person must send to the Commission, when requested to do so and by no later than 28 days beginning on the day after receipt of the request—-

17(3)(a) written report setting out how, and the extent to which, in the opinion of the registered person, the requirements of paragraph (2)(a) and (b) are being complied with, and

17(3)(b) any plans that the registered person has for improving the standard of the services provided to service users with a view to ensuring their health and welfare.

Guidance on 17(3)(a) and 17(3)(b)

  • This information could include a request for an action plan or a Provider Information Return for adult social care services.

See also

Related guidance

Related legislation