Skip to content
PolicyBoard
← All posts

GP Practice Policy Management: Staying CQC-Compliant

Published 1 July 2026

By Brian Crocker

The CQC inspection report for a six-partner practice in the East Midlands noted "inconsistent documentation of policy review." The lead inspector had asked to see the infection prevention and control policy. The practice had one. It had been approved in 2021. There was no record of whether it had been reviewed against the 2022 updates to the relevant guidance, no approval signature, and no review date. The policy existed; the governance did not.

Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 requires registered persons to have "systems or processes established and operated effectively to ensure compliance" with regulatory requirements — including the secure maintenance of "accurate, complete, contemporaneous" records. In practice, that means the CQC expects to see policies that are current, approved, and evidenced as reviewed — not merely filed.

This guide covers what CQC expects to find, which policies matter most at inspection, and how small GP practices can stay on top of the review cycle without it consuming the practice manager's week.

What CQC Actually Looks for in Policy Governance

CQC inspectors work through the five key questions — Safe, Effective, Caring, Responsive, Well-led — and policies come up most consistently under Safe and Well-led. The inspector is not looking for a specific word count or template. They are looking for evidence of governance: that someone owns each policy, that it was reviewed and approved within a reasonable period, and that the approved version is what staff are actually using.

The common governance failures CQC finds at GP practices:

Out-of-date policies. A medicines management policy that still references the 2018 NICE guidance when the practice updated its prescribing protocols in 2023. The policy says one thing; practice does another.

No approval record. A policy revised by a partner, saved over the previous version, but never taken to the full partnership for approval. There is a current-looking document and no audit trail.

Version conflicts. Two copies of the safeguarding policy — one on the shared drive, one printed and in the reception folder — that differ in the referral telephone numbers. Staff are using different versions.

No review trigger for regulatory changes. The IPC guidance was updated. Nobody reviewed the IPC policy. There is no mechanism that would have prompted a review.

A policy register with review dates addresses all four. What CQC wants to see is not a perfect archive — it is a governance system that catches problems before they create risk.

The Policies That Come Up Most at CQC Inspection

CQC does not publish a single required policy list for GP practices. The relevant requirements come from Regulation 17, the CQC guidance on Regulation 17, and the specific key questions the inspection addresses. The policies that consistently come up:

Under Safe (S key question):

  • Infection prevention and control policy — reviewed against the latest IPC guidance (updated regularly)
  • Medicines management policy — covering prescribing, dispensing, controlled drugs
  • Safeguarding children and vulnerable adults policies — must reflect current national and local guidance
  • Health and safety policy
  • Significant event (critical incident) policy

Under Effective (E key question):

  • Clinical audit policy — how the practice reviews and acts on clinical data
  • Patient records policy — accuracy, access, retention

Under Responsive (R key question):

  • Complaints policy and procedure — with evidence of how complaints have been handled

Under Well-led (W key question):

  • Governance framework document — who owns what, how decisions are made
  • Confidentiality and data protection policy — aligned with UK GDPR
  • Staff recruitment and employment policies

This is not an exhaustive list. Different inspections raise different policies depending on what the inspection finds. But these are the areas where inadequate policy governance is most likely to affect the overall rating.

The Review Cycle Problem at GP Practices

GP practices typically have thirty to fifty policies. At an annual review cycle, that is one policy review every one to two weeks on a sustained basis. Add triggered reviews — when the IPC guidance changes, when a significant event triggers a policy look, when the practice expands or restructures — and the volume is significant.

The review cycle fails in small practices for a predictable reason: it relies on the same person who manages appointments, staffing, premises, compliance, and supplier contracts to also track when forty policies need reviewing. That person is the practice manager, and their time is not unlimited.

The standard failure mode is that reviews happen in clusters — typically before an inspection — rather than continuously. The inspection then finds a cluster of policies all reviewed in the same month, which may prompt questions about whether the reviews were substantive or perfunctory.

A structured approach distributes the workload:

  1. Categorise by review frequency. Infection control policies reviewed every six months when guidance changes. Clinical governance policies reviewed annually. Administrative policies reviewed every two years. The Policy Review Schedule Generator helps you map this across your full policy library.

  2. Assign owners. Not all policies need to be reviewed by the practice manager. Clinical policies are reviewed by clinical leads. Safeguarding is reviewed by the designated safeguarding lead. Distributing ownership spreads the workload and puts subject-matter expertise in the review.

  3. Calendar the reviews. Tie review months to the clinical year — September safeguarding reviews aligned with the new academic year, February clinical governance reviews before the annual NHS England returns, and so on.

  4. Record the review, not just the date. CQC wants to see evidence of a substantive review. That means a record of who reviewed, what was checked, whether anything changed, and who approved the updated version. A date in a footer is not enough.

Our free CQC Compliance Policy Checker lists the policy areas CQC inspectors cover under each key question. It is useful both for identifying gaps and for structuring a pre-inspection self-assessment.

Common Questions From Practice Managers

How far back do CQC reviews actually go? Inspectors typically look at the most recent review date and whether the policy has been reviewed since any material changes in relevant guidance. For IPC policies, this means reviews against current national guidance. For safeguarding, alignment with the current Working Together to Safeguard Children guidance. Policies unchanged for more than three years will draw scrutiny regardless of the dates.

Do we need a policy for everything? No. Policies need to be proportionate to your operating context. A two-partner practice does not need the same governance structure as a Primary Care Network with fifteen partners. CQC assesses policies relative to the complexity and risk profile of the service.

Can we use national template policies? Yes, with adaptation. Template policies from Practice Index, the BMA, or NHS regional support organisations are a reasonable starting point. CQC expects them to be adapted to reflect your practice's actual arrangements — named staff, local referral pathways, specific premises. A generic template with no adaptation is a governance weakness.

What if a policy was reviewed but not approved at partnership level? This is common and carries risk. A policy revised by one partner but not brought to the full partnership for sign-off lacks governance authority. The revision may be clinically correct but lacks the formal accountability CQC is looking for. Bring all policy revisions to the next partnership meeting and minute the approval.

Managing Policy Governance Across a Primary Care Network or Merged Practice

PCN arrangements complicate policy governance. Multiple practices may share policies on safeguarding, IPC, or clinical audit. The governance question becomes: who owns the shared policy, who approves changes, and how do individual practices evidence that they are operating to the current version?

The answer is usually a shared register with named leads for each policy and a clear approval chain. A policy shared between three practices but owned by nobody is a governance gap waiting to surface at inspection.

PolicyBoard is designed to handle this kind of multi-site arrangement — shared policies with a clear owner, practice-specific review records, and an audit trail that holds up at inspection. Join the waitlist to be notified when it launches.

Sources

  • Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 17
  • CQC: Regulation 17 — Good Governance guidance

This guide is written for practice managers, GP partners, and PCN leads managing policy governance at small UK primary care services. It covers general principles based on published CQC guidance and regulatory requirements. It is not legal or clinical advice — always verify requirements against current CQC inspection guidance and seek professional support for specific compliance questions.

Stop tracking policy reviews in spreadsheets

PolicyBoard automates review reminders, approval workflows, and compliance dashboards for UK regulated organisations.

No spam. Unsubscribe any time. Privacy policy