Guide

Healthcare provider annual compliance checklist

Annual checklist of recurring compliance obligations for CQC-registered healthcare providers covering registration, workforce, clinical governance, premises, data protection, and policy reviews.

Last updated: 19 February 2026

UK-wide

Use this checklist to verify that your CQC-registered healthcare service meets its recurring annual compliance obligations. Work through each section and address any gaps before your next CQC inspection or annual governance review.

1. CQC annual fee paid (due each April)

2. CQC registration details up to date (locations, nominated individual, registered manager)

3. All professional registrations verified (GMC, NMC, GDC, GPhC, HCPC)

4. Employers' liability insurance renewed (minimum £5 million cover)

5. Public liability insurance renewed

6. Professional indemnity insurance renewed

7. Medical malpractice insurance renewed (if applicable)

8. ICO data protection fee paid (due annually on registration anniversary)

1. DBS checks current for all staff in regulated activity (recheck every 3 years)

2. DBS Update Service status checked for subscribed staff

3. Fit and proper persons requirement reviewed for directors and registered manager

4. Mandatory training completed by all staff (safeguarding, IPC, fire, manual handling, MCA/DoLS, medicines, basic life support)

5. Staff appraisals completed for all employees

6. Clinical supervision sessions completed and recorded

7. Professional revalidation dates tracked and upcoming renewals flagged

8. Right to work checks repeated for time-limited permissions before expiry

1. Medicines audit completed (stock check, expiry dates, storage conditions)

2. Controlled drugs quarterly stock check done and CD register reconciled (Schedule 2)

3. Infection prevention and control audit completed and action plan in place

4. Clinical waste contracts reviewed and consignment notes filed

5. Incident reports reviewed and learning disseminated to staff

6. Complaints log reviewed and themes reported to governance meeting

7. Clinical policies reviewed within their stated review dates

8. Duty of candour notifications completed for all notifiable safety incidents

1. Fire risk assessment reviewed (annually minimum)

2. Fire drill conducted and evacuation procedure tested

3. Equipment maintenance and calibration up to date (PAT testing, medical devices)

4. Health and safety risk assessments reviewed

5. Legionella risk assessment current and water management plan followed

6. Emergency procedures tested and staff briefed

7. First aid supplies checked and replenished

8. Waste disposal arrangements reviewed (clinical and non-clinical streams)

1. NHS Data Security and Protection Toolkit (DSPT) submitted by 30 June deadline

2. Privacy notices reviewed and up to date

3. Subject access request process tested

4. Data breach reporting procedure reviewed

5. Information governance training completed by all staff

6. Caldicott Guardian role assigned and active (if processing NHS patient data)

1. Safeguarding adults and children policy reviewed

2. Whistleblowing (raising concerns) policy reviewed

3. Business continuity plan reviewed and tested

4. Complaints procedure reviewed

5. Medicines management policy reviewed

6. Infection prevention and control policy reviewed

7. Health and safety policy reviewed

8. Recruitment and selection policy reviewed (including DBS procedures)

9. Data protection and confidentiality policy reviewed

If you answered 'no' to any items in the registration and legal or workforce sections, address these as a priority. Operating with lapsed CQC registration, expired insurance, or unchecked DBS records exposes your organisation to enforcement action and potential criminal liability.

What to do next

For items where you identified gaps:

• See Register with the CQC for registration update procedures
• See Healthcare professional registration for revalidation guidance
• See Medicines and controlled drugs compliance for medicines audit procedures
• See Healthcare data protection for DSPT and information governance
• See Clinical governance and quality improvement for governance framework guidance

---

Related guides in CQC Registration

Register with the Care Quality Commission (CQC)

Complete step-by-step guide to CQC registration for healthcare providers in England, including what activities require registration, application fees, fit and proper person requirements, and the full registration process timeline.

Read guide

Healthcare and social care regulation (CQC)

CQC registration requirements for health and social care providers in England, including detailed guidance on regulated activities, costs, and devolved nation alternatives.

Read guide

Start a clinical laboratory service

How to set up and operate a clinical laboratory in the UK. Covers UKAS accreditation, CQC registration, HTA licensing, MHRA requirements, professional registration, and quality standards for medical testing services.

Read guide

Healthcare premises and equipment requirements

CQC Regulation 15 premises and equipment requirements, radiation protection under IRR 2017, healthcare ventilation, medical gas systems, decontamination of reusable devices, accessibility obligations, and fire safety for healthcare premises.

Read guide

Clinical governance and quality improvement

Clinical governance framework for healthcare providers covering patient safety culture, clinical audit, incident investigation, duty of candour, complaints handling, and continuous quality improvement. Links governance activities to the CQC Well-led domain and explains why effective governance protects both patients and your organisation.

Read guide