Healthcare & Social Care

Healthcare provider annual compliance checklist

Annual checklist of recurring compliance obligations for CQC-registered healthcare providers covering registration, workforce, clinical governance, premises, data protection, and policy reviews.

UK-wide
Guide summary

Check your healthcare business meets all annual rules. Pay your CQC fee, update staff registrations, review policies, and check insurance covers are in place. Do this before your CQC inspection every year.

  • Pay CQC annual fee (from £1,164, due in April)
  • Check staff registrations (GMC, NMC, HCPC)
  • Renew insurance (employers' liability, £5m minimum)
  • Update DBS checks every 3 years
  • Complete mandatory staff training (safeguarding, IPC, fire)
  • Do medicines audits and check expiry dates
  • Review fire risk assessment annually
  • Submit NHS Data Security Toolkit by 30 June
  • Update all policies (safeguarding, complaints, data)
  • Check right to work for staff with time-limited visas
On this page
UK-wide

Related guides in CQC Registration

Use this checklist to verify that your CQC-registered healthcare service meets its recurring annual compliance obligations. Work through each section and address any gaps before your next CQC inspection or annual governance review.

  1. 1

    CQC annual fee paid (invoiced annually on your registration anniversary)

  2. 2

    CQC registration details up to date (locations, nominated individual, registered manager)

  3. 3

    All professional registrations verified (GMC, NMC, GDC, GPhC, HCPC)

  4. 4

    Employers' liability insurance renewed (minimum £5 million cover)

  5. 5

    Public liability insurance renewed

  6. 6

    Professional indemnity insurance renewed

  7. 7

    Medical malpractice insurance renewed (if applicable)

  8. 8

    ICO data protection fee paid (due annually on registration anniversary)

  1. 1

    DBS checks current for all staff in regulated activity (periodic rechecking is good practice, not a statutory requirement - set a policy)

  2. 2

    DBS Update Service status checked for subscribed staff

  3. 3

    Fit and proper persons requirement reviewed for directors and registered manager

  4. 4

    Mandatory training completed by all staff (safeguarding, IPC, fire, manual handling, MCA/DoLS, medicines, basic life support)

  5. 5

    Staff appraisals completed for all employees

  6. 6

    Clinical supervision sessions completed and recorded

  7. 7

    Professional revalidation dates tracked and upcoming renewals flagged

  8. 8

    Right to work checks repeated for time-limited permissions before expiry

  1. 1

    Medicines audit completed (stock check, expiry dates, storage conditions)

  2. 2

    Regular controlled drugs stock checks done (at least weekly is widely recommended) and CD register reconciled (Schedule 2)

  3. 3

    Infection prevention and control audit completed and action plan in place

  4. 4

    Clinical waste contracts reviewed and consignment notes filed

  5. 5

    Incident reports reviewed and learning disseminated to staff

  6. 6

    Complaints log reviewed and themes reported to governance meeting

  7. 7

    Clinical policies reviewed within their stated review dates

  8. 8

    Duty of candour notifications completed for all notifiable safety incidents

  1. 1

    Fire risk assessment reviewed (annually minimum)

  2. 2

    Fire drill conducted and evacuation procedure tested

  3. 3

    Equipment maintenance and calibration up to date (PAT testing, medical devices)

  4. 4

    Health and safety risk assessments reviewed

  5. 5

    Legionella risk assessment current and water management plan followed

  6. 6

    Emergency procedures tested and staff briefed

  7. 7

    First aid supplies checked and replenished

  8. 8

    Waste disposal arrangements reviewed (clinical and non-clinical streams)

  1. 1

    NHS Data Security and Protection Toolkit (DSPT) submitted by 30 June deadline

  2. 2

    Privacy notices reviewed and up to date

  3. 3

    Subject access request process tested

  4. 4

    Data breach reporting procedure reviewed

  5. 5

    Information governance training completed by all staff

  6. 6

    Caldicott Guardian role assigned and active (if processing NHS patient data)

  1. 1

    Safeguarding adults and children policy reviewed

  2. 2

    Whistleblowing (raising concerns) policy reviewed

  3. 3

    Business continuity plan reviewed and tested

  4. 4

    Complaints procedure reviewed

  5. 5

    Medicines management policy reviewed

  6. 6

    Infection prevention and control policy reviewed

  7. 7

    Health and safety policy reviewed

  8. 8

    Recruitment and selection policy reviewed (including DBS procedures)

  9. 9

    Data protection and confidentiality policy reviewed

If you answered 'no' to any items in the registration and legal or workforce sections, address these as a priority. Operating with lapsed CQC registration, expired insurance, or unchecked DBS records exposes your organisation to enforcement action and potential criminal liability.

What to do next

For items where you identified gaps:

Official compliance resources