CQC enforcement: why Regulation 12 and Regulation 17 so often travel together

Regulation 12 requires care and treatment to be provided in a safe way. That includes assessing risks to people's health and safety, ensuring staff have the qualifications and competence to keep people safe, keeping premises and equipment safe, managing medicines properly and controlling infection. Its purpose is to prevent avoidable harm or the risk of it.

Regulation 17 requires good governance: systems and processes that assess, monitor and improve the quality and safety of the service, manage risk, and maintain accurate, complete records of care and of the running of the service. Its purpose is to make sure the provider would know, and act, if something were going wrong.

One regulation is about the care itself. The other is about whether the organisation can see its own care clearly. Hold that distinction, because everything else follows from it.

CQC enforcement runs on two separate tracks, and many providers only understand the distinction once enforcement has already started.

Civil enforcement is protective and points at the future. It acts on your registration: imposing, varying or removing conditions, suspending the registration, or cancelling it altogether. Warning notices and notices of proposal live on this track. The question civil enforcement answers is: should this provider be allowed to continue, and on what terms? Failing to comply with civil enforcement action is itself a criminal offence.

Criminal enforcement is punitive and points at the past. It covers simple cautions, fixed penalty notices and prosecution. CQC has held these prosecution powers since April 2015, taking on the role previously held by the Health and Safety Executive for harm to people receiving care from registered providers. Under the division of responsibility set out in the memorandum of understanding between CQC and the HSE, CQC leads on the safety and quality of treatment and care for people using services from CQC-registered providers, while the HSE and local authorities remain the lead for the health and safety of workers, visitors and contractors. A prosecution must be brought within three years of the alleged offence. Penalties are financial and for some offences the fine is unlimited; the largest prosecutions have produced fines running into millions of pounds, and registered managers can be prosecuted personally. Carrying on a regulated activity without registration at all can additionally mean imprisonment.

Here is the detail that makes sense of the Regulation 12 and 17 pairing, and it is one that is often poorly explained to providers.

A breach of Regulation 12 can be a criminal offence. Where the failure to provide safe care results in avoidable harm to a person, or exposes them to a significant risk of it, CQC can prosecute, and it does not need to serve a Warning Notice first. There is no procedural runway. The harm event itself can take a provider straight from inspection finding to criminal investigation.

Most governance failures under Regulation 17 work differently. Poor governance under Regulation 17(1) and 17(2) is not, by itself, a prosecutable offence. It drives the civil track: warning notices, conditions, suspension or cancellation. It is how CQC builds the case that a service should not continue in its current form.

There is one narrow exception, and it proves the rule. Under Regulation 17(3), a provider who fails to send CQC a requested written report on their governance within 28 days of the request commits an offence that can be prosecuted directly, without a Warning Notice. But note what kind of offence it is: a summary offence carrying a capped fine, for refusing to account for your governance, not for the state of the governance itself. The ordinary finding that a governance system is ineffective remains a civil matter, not a criminal charge.

So the two regulations are not duplicates of each other. They are the two halves of CQC's enforcement machinery. Regulation 12 carries the criminal exposure for what happened to a person. Regulation 17 carries the civil case against the registration for the system that allowed it. A serious enforcement case very often needs both, because CQC is very often doing both things at once: holding the provider to account for the harm, and deciding whether the service is safe to continue.

Now to the part I watched from the inside. When a service fails on safe, it is very difficult for it to remain well-led, and the reason is structural rather than rhetorical.

Take a real pattern: a person is harmed because risk assessments were not updated after a fall. That is the Regulation 12 question: was the care safe? But the next question an inspector asks is the Regulation 17 question: how was this possible? Where was the audit that should have caught the stale risk assessments? Where was the incident review after the first fall? Did the manager know, and if not, why did the governance system not tell them? If the answer is that the system did not detect it, did not escalate it, or detected it and nothing changed, then the governance breach is not an add-on to the safety breach. It is the explanation of it.

That is why arguing “the incident was a one-off but our leadership is strong” almost never lands. A governance system that did not prevent, detect or respond to the failure has demonstrated the Regulation 17 breach in the very act of the Regulation 12 breach occurring. Safe and well-led are scored separately, but evidentially they are joined at the spine.

There is also a practical reason the pairing dominates, and it is about how cases are built. Every alleged breach has to be evidenced: to the criminal standard, beyond reasonable doubt, for a prosecution, and robustly enough to survive representations and appeal on the civil track. Spreading a case across five or six regulations multiplies the evidential burden without strengthening the outcome.

A harm event evidenced thoroughly under Regulation 12, plus the documentary trail of the system that failed under Regulation 17, covers both tracks with one coherent body of evidence. The clinical records, the incident history, the audit gaps and the meeting minutes that prove the safety failure are largely the same documents that prove the governance failure. One story, two regulations, both enforcement tracks. From a case-building perspective it is simply the strongest shape available, which is why you see it again and again.

Follow the logic to its end and it arrives somewhere useful, because the defence to both tracks turns out to be the same thing.

On the criminal track, the legislation provides a defence where the registered person took all reasonable steps and exercised all due diligence, under Regulation 22(4). Note carefully: the burden of proving that sits on the provider. Due diligence is not a feeling or a culture statement. It is an evidence test, and the only evidence that can meet it is the record made at the time: the risk assessment that was reviewed, the audit that was done, the action that was taken and dated, the learning that was shared.

On the civil track, the question is whether your governance can be relied upon going forward, and the answer is made of exactly the same material.

Which produces the hard irony at the centre of all this: the provider who cannot evidence their governance loses twice. They have no due diligence defence under Regulation 12, and the absence of evidence is itself the Regulation 17 breach. Conversely, the provider with a live, dated, continuous evidence trail has both the defence and the rebuttal. In enforcement, your records are not the bureaucracy around your care. They are the case for your continued existence.

That continuous evidence trail is the entire thesis behind Verivius: incidents, complaints, safeguarding, audits and actions captured as they happen, with the follow-through documented, so that the answer to “how was this possible” is a system that saw it and acted. If you would rather build that trail before anyone asks for it, explore the sector packs or book a thirty-minute conversation.

The plain-English regulation explainers: Regulation 12, safe care and treatment and Regulation 17, good governance. On evidencing governance specifically: why most providers fail Reg 17, and how to evidence good governance. The sample policy templates, ready to adapt: Reg 12 Safe care and treatment and Reg 17 Good governance.