CQC Policy Requirements: What Inspectors Actually Check
Published 15 March 2026
A CQC inspection notification lands. You have two weeks. The first question from the practice manager: "Are our policies up to date?"
If the answer involves opening 40 Word documents to check footer dates, you already have a problem. This guide maps the policies CQC inspectors expect to find at GP practices, explains how they connect to Regulation 17 (Good Governance), and sets out a practical framework for keeping them current.
Scope: This article focuses on GP practices and primary care. CQC also regulates dentists, pharmacies, hospitals, and care homes — each has sector-specific requirements. Care home policy requirements are not covered here.
How CQC Inspections Work in Primary Care
CQC assesses GP practices against five key questions:
- Safe — Are patients protected from abuse and avoidable harm?
- Effective — Does care achieve good outcomes?
- Caring — Do staff treat patients with compassion?
- Responsive — Are services organised to meet patients' needs?
- Well-led — Does leadership ensure high-quality, sustainable care?
Your policies sit under Well-led (governance and management) but evidence from those policies feeds into every other question. A safeguarding policy evidences "Safe." A complaints policy evidences "Responsive." An outdated infection control policy undermines "Safe" and "Effective" simultaneously.
Inspectors do not typically ask for a policy index and tick them off a list. Instead, they follow threads. They ask a receptionist: "What happens if a patient discloses abuse?" If the receptionist describes a process that matches the safeguarding policy, and that policy has been reviewed within the last year, and there is evidence staff were trained on it — that is good governance in action. If the policy says one thing and the receptionist describes something different, that is a Regulation 17 concern.
The Policies CQC Expects to See
There is no single definitive CQC list of required policies for GP practices. Instead, the expectation flows from the regulations themselves. Based on the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and published CQC inspection guidance, these are the policies inspectors expect to be in place:
Safeguarding (Regulation 13)
- Safeguarding adults policy — referral pathways, designated safeguarding lead, training requirements
- Safeguarding children policy — aligned with local safeguarding partnership procedures, including FGM and Prevent
- Chaperone policy — when chaperones are offered, how they are trained, and DBS check requirements
- Mental Capacity Act and Deprivation of Liberty Safeguards policy — staff understanding of MCA assessments
Review frequency: At least annually. Review immediately if local safeguarding procedures change or following any safeguarding incident.
Infection Prevention and Control (Regulation 12)
- Infection prevention and control (IPC) policy — hand hygiene, PPE, sharps disposal, decontamination of equipment
- Cleaning schedules — documented schedules with evidence of completion
Review frequency: At least annually. Review immediately after any infection outbreak or change to IPC guidance.
Medicines Management (Regulation 12)
- Prescribing policy — including repeat prescribing, high-risk drugs, and controlled drugs
- Medicines storage and security policy — fridge temperature monitoring, controlled drugs registers, access controls
- Vaccine management policy — cold chain management, fridge failure protocols
Review frequency: At least annually. Review if prescribing guidance changes or after medication incidents.
Staffing and Recruitment (Regulation 19)
- Recruitment policy — pre-employment checks (DBS, references, qualifications, right to work), locum procedures
- Induction policy — what new staff and locums must complete before seeing patients
- Training and development policy — mandatory training requirements, CPD tracking
Review frequency: At least annually. Review if recruitment legislation or DBS requirements change.
Information Governance (Regulation 17)
- Data protection and confidentiality policy — aligned with UK GDPR and Data Protection Act 2018
- Information security policy — password management, device security, remote access
- Subject access request procedure — how patients access their records
- Data breach response plan — notification procedures, ICO reporting thresholds
Review frequency: At least annually. Review immediately after any data breach or ICO guidance update.
Complaints and Feedback (Regulation 16)
- Complaints policy — aligned with the NHS complaints procedure, including timescales for acknowledgement and response
- Significant event analysis (SEA) policy — how the practice investigates incidents and near-misses, and what actions follow
- Duty of candour policy — the legal requirement to be open with patients when things go wrong (Regulation 20)
Review frequency: At least annually. Review after significant complaints or changes to the NHS complaints framework.
Health and Safety
- Health and safety policy — risk assessments, fire safety, COSHH, lone working
- Business continuity plan — what happens if systems fail, premises are inaccessible, or key staff are unavailable
- Emergency drugs and equipment policy — what emergency equipment is held, where, and how it is checked
Review frequency: At least annually. Review after incidents, premises changes, or new risk assessments.
Clinical Governance
- Clinical audit policy — how the practice conducts and acts on clinical audits
- Consent policy — how consent is obtained, documented, and reviewed for different procedures
Review frequency: At least annually.
What Regulation 17 Specifically Requires
Regulation 17 does not list individual policies. It requires systems and processes that ensure compliance with all other regulations. In practice, this means:
- Records must be "accurate, complete and contemporaneous" — your policies are records. An undated or unsigned policy does not meet this standard.
- Systems must assess, monitor and improve quality — you need to show that policy review is part of a systematic governance cycle, not an annual panic.
- Risks must be identified and mitigated — your policies should reflect current risks. If your practice started offering minor surgery last year but the clinical governance policy still only covers standard consultations, that is a gap.
- Feedback must be sought and acted on — policy changes should be traceable to feedback, incidents, or audit findings.
Inspectors may ask:
- "How do you know which policies are due for review?"
- "Who is responsible for each policy?"
- "How do you ensure staff are aware of policy changes?"
- "Can you show me the approval record for this policy?"
If your answer to the first question is "we check the spreadsheet" or "the practice manager keeps track," the follow-up will test whether that system actually works.
Common Findings in GP Practice Inspections
Based on published CQC inspection reports, these are recurring policy-related issues:
Policies not reviewed within stated timeframes. The policy footer says "review annually" but the last review date is two years ago. This directly contradicts the practice's own governance standards.
Policies that do not reflect current practice. The infection control policy references procedures that predate the practice's refurbishment. The safeguarding policy lists a named lead who left 18 months ago.
No evidence of policy approval. The policy exists but there is no record of who approved it or when. Governing body minutes do not reference policy review.
Staff unaware of policy content. The policy is comprehensive but staff cannot describe the procedure it sets out. This suggests distribution and training are not working.
No systematic oversight. There is no schedule, no register, and no way to tell which policies are current and which are overdue. The practice relies on individuals remembering to check.
A Practical Framework for CQC Readiness
Step 1: Build Your Policy Register
List every policy the practice has. For each one, record:
- Policy name and category (safeguarding, IPC, governance, etc.)
- Current version date
- Policy owner (who is responsible for reviewing it)
- Review frequency
- Next review date
- Status (current, due soon, overdue)
Step 2: Map Policies to Regulations
Cross-reference your policy list against the categories above. Identify gaps — do you have a data breach response plan? A duty of candour policy? A locum induction procedure?
Step 3: Set Review Reminders
For each policy, set reminders 90, 60, and 30 days before the review date. Assign the reminder to the policy owner, not a generic practice inbox. Our Policy Review Schedule Generator can calculate your review dates and export them to your calendar.
Step 4: Document Approvals
Every policy review should produce a dated record: who reviewed it, what changed (if anything), who approved the updated version. Store this centrally — not in the document footer.
Step 5: Make Policies Accessible
Staff need to find and read policies quickly. A shared drive with 200 files in one folder is not accessible. Organise by category, label clearly, and ensure every team member knows where to look.
If you are evaluating systems to manage this process, see our guide to policy management software for evaluation criteria.
Connecting Policies to Your Wider Governance
Policy management is one part of your governance framework. It connects to:
- Clinical audit — audit findings should trigger policy reviews
- Significant event analysis — SEA outcomes should feed into policy updates
- Staff training — policy changes should trigger training updates
- Patient feedback — complaints and survey results should inform policy improvements
A well-managed policy register sits at the centre of this system. It is not a filing task — it is how you prove to CQC that your practice is well-led.
PolicyBoard is designed to automate the policy register, review reminders, approval workflows, and compliance dashboard that CQC expects to see. Join the waitlist to be notified when it launches.
Sources
- CQC Regulation 17: Good Governance
- CQC: How We Monitor GP Practices
- BMA: How to Prepare for a CQC Inspection
This article covers CQC policy requirements for GP practices in England. It is not legal or clinical advice. Always refer to the latest CQC guidance and consult your professional advisors.