How to Audit Clinical Pathways Between Healthcare Organisations

The first article in this series identified nine clinical governance risks that exist at the crossings between private healthcare providers — risks that no regulator currently inspects. This article examines the methodology designed to diagnose those risks: the Seven Flows Boundary Governance Audit.

---

---

The audit question

Most clinical governance assessments ask: is this organisation safe? The boundary audit asks a different question: when a patient crosses from this organisation to that one, what happens to the seven things that must travel with them?

Those seven things — identity, consent, provenance, clinical intent, alert and responsibility, service routing, and outcome — are the necessary conditions for safe handover. They are not optional features. They are the governance infrastructure that must function at every material boundary, regardless of the constitutional domain, the commercial relationship, or the technology stack.

The audit does not assess organisations. It assesses crossings. It sits between the organisations, examines what happens when clinical information, clinical responsibility, and clinical risk move from one side to the other, and scores what it finds.

The seven flows

Each flow addresses a specific governance dimension at the boundary.

1. Identity. Can both organisations verify who the patient is and who is acting on their behalf at the point of data exchange? The insurer's member ID does not reliably map to the provider's patient ID. The private hospital's record does not share a common identifier with the NHS GP's. Identity failure at a boundary does not just create inconvenience — it creates a patient safety event in which clinical information may be attributed to the wrong person, or clinical responsibility may be assigned to the wrong clinician.

2. Consent. Has the patient's consent been obtained, recorded, and propagated for the specific boundary crossing? Consent given within one organisation for clinical purposes does not automatically extend to a different organisation operating under a different lawful basis. When clinical data crosses from a CQC-regulated provider to an FCA-regulated insurer, the purpose of processing changes. The consent architecture must account for this — and at most private healthcare boundaries, it does not.

3. Provenance. Can the receiving organisation verify the source, authorship, and integrity of the data it receives? A referral letter arriving as a PDF attachment to an email carries no cryptographic provenance. The receiving clinician cannot verify that the document was authored by the person it claims to be from, that it has not been modified in transit, or that the clinical content is complete. Provenance failure at a boundary creates an environment in which clinical decisions are made on unverified information.

4. Clinical Intent. Does the receiving organisation know precisely why the data was shared and what clinical action is expected? This is the backbone of safe handover. When a GP refers a patient, the clinical reasoning behind the referral — the differential diagnosis, the red flags considered and excluded, the urgency assessment — is the context the receiving specialist needs to make a safe decision. If the routing function reduces the referral to a specialty label, the intent is lost. The receiving clinician works from a fragment, not a picture.

5. Alert and Responsibility. When responsibility transfers, is there an explicit, bilateral handover — or does it fall into a gap? This is where the audit applies its most stringent test: Minimum Viable Responsibility Transfer. In aviation, a sector transfer does not complete until the receiving controller electronically verifies and accepts the handover. The infrastructure makes it structurally impossible for an aircraft to be unowned. In healthcare, patients are routinely unowned — discharged from one organisation, not yet received by another, with clinical responsibility assumed by everyone and owned by nobody.

6. Service Routing. Is the patient routed based on clinical criteria and governance, or on capacity, cost, or convenience? In insurer-managed networks, the routing function sits between the referring clinician and the receiving provider. The audit assesses whether routing decisions preserve clinical intent, whether the governance of the routing function is transparent, and whether the patient understands who made the routing decision and on what basis.

7. Outcome. Does the originating organisation learn what happened, and is outcome data used to improve the boundary? The outcome loop is the most frequently broken flow. A GP refers a patient into a private pathway. The patient is seen, treated, and discharged. The GP receives a discharge summary — weeks later, by letter, by fax, by PDF. The clinical outcome may or may not be recorded. Whether that outcome is fed back to improve the referral pathway is almost never systematically addressed.

What makes a boundary "material"

Not every organisational interaction requires a full seven-flow assessment. The audit defines materiality criteria: a boundary is material if clinical responsibility transfers across it, if clinical data crosses a constitutional domain, if the crossing involves a change of regulatory framework, or if patient consent must be re-established for the crossing to be lawful.

In a typical private hospital group with insurer relationships, the material boundaries include: insurer-to-provider routing, provider-to-provider referral within the network, private-to-NHS discharge, consultant-to-hospital practising privileges interface, and the clinical-commercial boundary where clinical data is processed for authorisation or claims purposes. A neighbourhood health centre may have eight to twelve material boundaries within a single building.

Constitutional domain mapping

Not all boundaries are equivalent. A crossing between two NHS providers engages different law, different regulation, and different institutional assumptions than a crossing between a private provider and an NHS GP, or between a CQC-regulated hospital and an FCA-regulated insurer.

The audit maps each boundary to its constitutional domains — the legal and regulatory frameworks that govern each side. An NHS-to-NHS crossing operates within the NHS Standard Contract, the NHS Constitution, and a shared CQC framework. A private-to-NHS crossing introduces dual regulatory jurisdiction. An insurer-to-provider crossing brings three constitutional domains into play: FCA financial services regulation, CQC clinical regulation, and GMC professional regulation, all meeting at a single patient handover.

Constitutional domain mapping matters because the governance requirements differ by domain. The lawful basis for data processing may change. The consent model may need to be re-established. The clinical safety framework on one side of the boundary may have no equivalent on the other. The audit scores these cross-constitutional boundaries with additional rigour, applying five interaction principles:

Clinical risk responsibility follows care delivery, not organisational structure. Lawful basis cannot be inherited across a constitutional boundary — it must be independently established. Purpose limitation travels with the data. Higher-risk constitutional orientations require enhanced governance controls. Neither constitution dominates by default.

Five maturity levels

Each flow at each boundary is scored on a five-level maturity model.

Level 0 — Absent. No governance exists for this flow at this boundary. There is no process, no documentation, and no awareness that the flow requires governance.

Level 1 — Initial. Some awareness exists but governance is informal, ad hoc, and person-dependent. A clinician may make a phone call to confirm a handover — but if that clinician is not on shift, the process does not happen.

Level 2 — Defined. A documented process exists and has been communicated. Both sides of the boundary are aware of it. But compliance is not monitored, and evidence of execution is inconsistent.

Level 3 — Managed. The process is documented, executed, monitored, and evidenced. For Alert and Responsibility, Level 3 requires explicit MVRT — bilateral, confirmed, time-stamped responsibility transfer. A boundary cannot reach Level 3 on this flow without it. This is the level at which governance becomes auditable.

Level 4 — Optimised. Level 3 requirements are met, and the boundary additionally demonstrates continuous improvement. Outcome data is used to refine the boundary. Incident data triggers process revision. The boundary learns.

The audit does not require every boundary to reach Level 4. Different boundaries carry different risk profiles. The audit output identifies which boundaries require which maturity level, and the remediation roadmap prioritises accordingly.

Cascading failure logic

The seven flows are not independent. They form a dependency structure, and the audit enforces this through cascading failure rules.

If Identity scores below Level 2, Consent and Provenance are capped at Level 1 — because if you cannot reliably verify who the patient is, consent attribution and data provenance are structurally unreliable.

If Clinical Intent scores below Level 2, Alert and Responsibility and Service Routing are capped at Level 1 — because if the receiving organisation does not know why the patient was referred, it cannot take responsibility for the right thing or route them appropriately.

If Consent scores below Level 2, Service Routing is capped at Level 2 — because routing a patient without adequate consent creates a lawful basis failure regardless of how well the routing function operates.

If Alert and Responsibility scores below Level 2, Outcome is capped at Level 1 — because if nobody has confirmed responsibility for the patient, there is no accountability for the outcome.

These cascading rules mean that a boundary's overall maturity is not simply the average of its seven flow scores. A single foundational failure — typically in Identity or Clinical Intent — can suppress the entire scorecard. This is the most counterintuitive and most valuable feature of the methodology: it reveals structural dependencies that are invisible to internal governance assessments, which examine each dimension in isolation.

The audit records both raw scores and cascade-adjusted scores. The gap between them is often the most important finding — it shows an organisation that may have invested heavily in outcome tracking or service routing, but whose investment is structurally undermined by an unresolved identity or intent failure at the foundation.

Evidence reconciliation

The audit interviews stakeholders on both sides of every material boundary. This is non-negotiable. A governance process that Organisation A believes exists but Organisation B is unaware of is not a governance process — it is an assumption.

Evidence is validated at three levels. Documentary evidence — policies, procedures, data sharing agreements — confirms that a process has been designed. Demonstrable evidence — audit trails, log files, signed handover records — confirms that the process has been executed. Observed evidence — direct observation of a boundary crossing in operation — confirms that the process functions as documented.

A flow cannot score above Level 2 on documentary evidence alone. And where evidence from the two sides of a boundary is irreconcilable — where Organisation A's account of the crossing contradicts Organisation B's — the lower assessment prevails. This is not conservative scoring for its own sake. It reflects the reality that the patient experiences the weaker side of the boundary, not the stronger.

Dispute as a recognised boundary state

Not every boundary disagreement is a governance failure. Organisations may legitimately disagree about clinical thresholds, routing criteria, or responsibility boundaries. The audit treats dispute as a recognised boundary state — not an error to be suppressed but a governance condition to be managed.

However, a boundary where disputes are handled informally — through phone calls, corridor conversations, or escalation by seniority rather than protocol — cannot score above Level 2 on the relevant flow. Governed dispute requires five mechanisms: time-bounded resolution, interim responsibility assignment (someone must own the patient while the dispute is resolved), defined resolution authority, contractual or statutory evidence base for the resolution, and a learning loop that feeds the dispute back into boundary improvement.

What the audit produces

The output is not a compliance certificate. It is a diagnostic instrument: a scored assessment of every material boundary, with statutory traceability linking each finding to the regulation it engages, a technology readiness assessment identifying integration requirements, and a remediation roadmap that prioritises boundaries by risk exposure and sequences interventions by dependency.

The scorecard gives a CSO boundary-specific risk assessments they can add directly to their hazard log. It gives a medical director visibility of where clinical information degrades in transit. It gives an insurer's compliance team evidence of which network boundaries meet Consumer Duty requirements and which do not. It gives a PE portfolio board a quantified view of unpriced boundary risk across their acquisitions.

The next article in this series examines what happens after the diagnosis: the three-stage engagement model that turns the audit into a co-designed remediation plan, a lighthouse project, and a funded business case for the board.

---