The Seven Flows of Clinical Handover Governance

What is clinical identity verification at boundaries? Clinical identity verification at organisational boundaries is the process of confirming patient, practitioner, and organisation identity when data crosses between separate healthcare systems — ensuring that clinical actions are attributed to the correct patient regardless of which system originated the data.

The boundary question

Can both organisations verify who the patient is and who is acting on their behalf at the point of data exchange?

What we assess

PDS lookup at boundary, NHS number verification, clinician identity in structured messages, cross-system identity reconciliation.

Specific audit questions

1. What identifiers are used at the boundary (NHS number, local IDs, demographic matching)?
2. Is there a documented process for verifying patient identity at the point of transfer?
3. What happens when identifiers do not match or are absent? Is there a fallback protocol?
4. Are identity verification events logged and auditable?
5. Has the hazard log (DCB 0129/0160) identified identity matching at the boundary as a hazard?
6. Is there a documented incident where misidentification at the boundary caused or risked patient harm?

Statutory basis

UK GDPR Article 5(1)(d) accuracy; CQC Regulation 17 good governance.

What failure looks like

Patient data crosses a boundary without verified identity. Receiving organisation acts on data attributed to the wrong patient. No one detects the mismatch because neither system cross-references.

What is boundary-specific consent in healthcare? Boundary-specific consent ensures that a patient's permission and lawful basis for data processing are verified, recorded, and propagated specifically for each organisational boundary their data crosses — not assumed from a generic privacy notice or inherited from the sending organisation's public task.

The boundary question

Has the patient's consent been obtained, recorded, and propagated for the specific boundary crossing?

What we assess

Boundary-specific DPIA, privacy notice referencing the specific crossing, National Data Opt-Out compliance, consent propagation mechanism, patient awareness of constitutional transition (where applicable).

Specific audit questions

1. Does a boundary-specific DPIA exist for this crossing?
2. Does the privacy notice explicitly reference this specific organisational boundary?
3. Has the National Data Opt-Out been implemented at this boundary?
4. How is consent propagated across the boundary — is there a technical mechanism or is it assumed?
5. Where the boundary crosses constitutional domains, has the patient been informed of the transition (e.g., care → commercial)?
6. Can the receiving organisation demonstrate independent lawful basis, or does it rely on the sending organisation’s basis?

Statutory basis

UK GDPR Article 6 lawful basis; UK GDPR Article 5(1)(b) purpose limitation; Common Law Duty of Confidentiality.

What failure looks like

Patient data crosses a boundary under a generic privacy notice that doesn't reference the specific crossing. Patient is unaware their data has moved from a care context to a commercial or compliance context. Lawful basis is assumed rather than independently established by the receiving organisation.

Our interpretive position: Each controller must independently establish its lawful basis at every boundary. Organisation B cannot rely on Organisation A's consent or public task. This is our "lawful basis non-inheritance" principle, grounded in UK GDPR controller obligations.

What is clinical data provenance? Clinical data provenance is the complete, verifiable lineage of a clinical record — its origin, authorship, method of capture, and any transformations applied during transfer. At organisational boundaries, provenance ensures the receiving clinician can trust the integrity and source of the data they act upon.

The boundary question

Can the receiving organisation verify the source, authorship, and integrity of the data it receives?

What we assess

Structured metadata in transfer messages, author identification, timestamp integrity, data integrity verification, audit trail through the boundary.

Specific audit questions

1. Does data crossing the boundary carry structured metadata (author, timestamp, source system)?
2. Can the receiving clinician verify who created the data and when?
3. Is there an audit trail through the boundary showing the data’s journey?
4. If data is transformed, compressed, or summarised during transfer, is the transformation documented?
5. Has a data integrity check been implemented at the boundary?
6. Are there known incidents where data quality degraded during boundary transfer?

Statutory basis

DCB 0129 clinical risk management; CQC Regulation 17(2)(c) quality and accuracy of records.

What failure looks like

Data arrives at the receiving organisation without structured metadata. The clinician acts on information whose source and reliability they cannot verify. If the data was corrupted, compressed, or truncated during transfer, no one detects it.

What is clinical intent in healthcare data exchange? Clinical intent is the explicit, structured communication of why data is being shared and what clinical action is expected from the receiving organisation. Without it, referrals and discharges become narrative documents that require interpretation rather than computable, actionable instructions.

The boundary question

Does the receiving organisation know precisely why the data was shared and what clinical action is expected?

What we assess

Structured action coding in referrals and discharges, explicit clinical questions, urgency classification, expected response specification.

Specific audit questions

1. Are referrals and discharges communicated with structured action codes or only free text?
2. Is there an explicit clinical question or action requirement in every boundary crossing?
3. Is urgency classification communicated in structured form?
4. Does the receiving organisation know what clinical response is expected and within what timeframe?
5. Are there instances where clinical intent has been lost or misinterpreted at this boundary?
6. Is clinical intent preserved when data crosses between different IT systems?

Statutory basis

CQC Regulation 12 safe care and treatment; DCB 0160 clinical risk management in deployment.

What failure looks like

A discharge summary states the diagnosis but follow-up actions are in free text. The GP receives a narrative letter without structured action codes. The specialist receives a referral without a clear clinical question. Clinical intent degrades or is lost in translation between systems.

What is clinical responsibility transfer at boundaries? Clinical responsibility transfer is the explicit, bilateral handover of accountability for a patient's care from one organisation to another. The Seven Flows methodology requires that responsibility cannot be relinquished until the receiving party has explicitly accepted it — the Minimum Viable Responsibility Transfer (MVRT) principle.

The boundary question

When responsibility transfers, is there an explicit, bilateral handover — or does it fall into a gap?

What we assess

MVRT compliance (see below). Confirmed receipt mechanism. Clinically-timed escalation pathway. Unowned patient identification. Audit trail of responsibility transfer.

Specific audit questions

1. When responsibility transfers at this boundary, is there confirmed bilateral acceptance?
2. Can the infrastructure prevent a transfer from completing without acknowledgement?
3. What is the escalation pathway if acknowledgement is not received within a defined timeframe?
4. Can the system identify patients currently in transit with no named responsible clinician?
5. Are MVRT events logged as auditable governance artefacts?
6. Has the boundary been tested with a simulated MVRT failure scenario?

Statutory basis

CQC Regulation 12(2)(i) proper and safe management of medicines and treatments; PSIRF patient safety principles.

What failure looks like

A patient is discharged from one organisation without confirmed receipt by the next. For a period measured in hours or days, no named clinician has responsibility. The patient is clinically unowned. This is the most dangerous failure in boundary governance.

What is clinical service routing? Clinical service routing is the governance-informed allocation of patients to receiving providers based on clinical criteria, constitutional domain awareness, and care appropriateness — not simply capacity, waiting list length, or geographical proximity.

The boundary question

Is the patient routed based on clinical criteria and governance, not just capacity or convenience?

What we assess

Clinical triage criteria for routing decisions, governance-informed routing (constitutional domain awareness), capacity vs. clinical appropriateness, waiting list management at boundaries.

Specific audit questions

1. Are routing decisions at this boundary based on clinical criteria or primarily on capacity?
2. Do routing decisions account for the constitutional domain of the receiving provider?
3. Is there a documented triage protocol for determining which patients are routed across this boundary?
4. Are waiting list management practices at this boundary clinically governed?
5. Has routing at this boundary ever resulted in a patient being sent to an inappropriate provider?
6. Is there governance oversight of routing decisions (not just clinical, but constitutional)?

Statutory basis

CQC Regulation 9 person-centred care; NHS Standard Contract service specifications.

What failure looks like

A patient is routed to the nearest available provider rather than the clinically most appropriate one. Routing decisions don't account for the constitutional domain of the receiving provider — a complex patient is routed to a provider whose governance framework is inadequate for their needs.

What is cross-boundary outcome tracking? Cross-boundary outcome tracking is the structured feedback loop that ensures the originating organisation learns what happened to a patient after they crossed an organisational boundary — closing the loop between referral and result to enable continuous improvement of boundary governance.

The boundary question

Does the originating organisation learn what happened, and is outcome data used to improve the boundary?

What we assess

Structured outcome reporting across boundaries, cross-boundary clinical audit, boundary-specific outcome metrics, feedback loops into governance.

Specific audit questions

1. After a patient crosses this boundary, does the originating organisation routinely receive structured outcome data?
2. Is there a cross-boundary clinical audit that covers this boundary?
3. Are boundary-specific outcome metrics tracked and reported?
4. Is outcome data used to improve governance at this boundary?
5. What is the feedback mechanism when outcomes are poor — is there a structured loop or is it ad hoc?
6. Can the originating organisation demonstrate learning from outcomes at this boundary?

Statutory basis

CQC Regulation 17(2)(a) quality improvement; outcomes-based commissioning requirements under Ten Year Plan.

What failure looks like

The boundary is a one-way door. The originating organisation never learns whether the referral resulted in good care, delayed care, or harm. Without this feedback loop, the same boundary failures repeat indefinitely. Outcome consistently scores the lowest of any flow in our assessments.