
Series: Clinical Governance Between Private Healthcare Providers — This is Article 1 of 4.

CQC inspects your organisation. GMC regulates your consultants. FCA oversees your insurer. Each regulator examines the node. None of them examine the crossing — the point where clinical information must flow, clinical responsibility must transfer, and clinical risk must be governed between one organisation and the next.

Private healthcare providers operate across more organisational boundaries than at any point in their history. NHS referral pathways, insurer authorisation chains, sub-contracted services, cross-provider care pathways, PE portfolio integrations. This is the first in a series of four articles examining what those ungoverned crossings cost — clinically, commercially, and existentially.

Figure 1. The governance gap: regulated nodes, unaudited edges
CQC, FCA, and GMC assess organisations individually. No regulator assesses the crossing between them.

Nodes shown, each marked as governed: Private Hospital (CQC regulated); PMI / Insurer (FCA regulated); NHS GP Practice (CQC + NHS England); Specialist Provider (CQC + GMC).
Legend: Organisation: regulated, inspected, accredited. Crossing: no governance framework, no clinical safety assessment.

01 Patient safety: Responsibility fragments, clinical information degrades at the crossing
02 Regulatory liability: HSSIB investigates but no prospective safety framework covers the edge
03 Growth constraint: Can't scale pathways, form IHOs, or evidence outcomes across providers
04 Pathway quality: Selling a pathway you can't see, measure, or improve
05 Interoperability: Data flows without governance context — an illusion of continuity
06 Data governance: Clinical data crosses from care to commercial without purpose limitation
07 Exclusion: SPR mandate and earned autonomy raise the bar — comply or lose your seat
08 Operational inefficiency: Manual authorisations, billing disputes, friction at every crossing
09 M&A exposure: Ungoverned boundaries are unpriced liabilities on the balance sheet

Each organisation is individually regulated. The crossings between them — where clinical information must flow, responsibility must transfer, and risk must be governed — are not assessed by any regulator. The Seven Flows Boundary Governance Audit addresses this structural gap.

1. Patient safety

When a patient crosses from one organisation to another, three things must happen: clinical information must arrive intact, clinical responsibility must transfer explicitly, and clinical risk must be assessed at the crossing. In private healthcare, none of these are structurally guaranteed.

A virtual GP refers a patient to a specialist within an insurer's provider network. The clinical reasoning that informed the referral — the differential diagnosis, the red flags considered and excluded, the urgency assessment — may or may not survive the crossing. If the insurer's routing function reduces the referral to a specialty label and a body part, the receiving specialist works from incomplete information. That is a clinical safety event that nobody records, because no safety framework covers the crossing.

The Paterson Inquiry found that a consultant operating across NHS and private boundaries exploited exactly this gap. Information that should have flowed between organisations did not flow. Concerns raised in one setting did not reach another. Restrictions imposed by one hospital were circumvented by moving practice to a different site. The inquiry described "a failure of the entire healthcare system." Five years later, several of its fifteen recommendations remain unimplemented. The boundary between organisations — where information, responsibility, and clinical risk transfer — remains structurally ungoverned.

HSSIB, established as an independent statutory body in October 2023, now has the power to investigate patient safety incidents in the independent sector. When it investigates an incident that occurred at an organisational boundary, it will find the same structural gap: no framework governs the crossing.

2. Regulatory and personal liability

Patient safety is a clinical concern. Liability is a board concern. They arise from the same structural gap but land on different desks.

HSSIB can now investigate private healthcare incidents — but the prospective clinical safety framework that sits before the incident does not formally extend to the independent sector. DCB 0129 and DCB 0160 require NHS organisations to identify clinical hazards, assess risks, implement controls, and document them in a Hazard Log reviewed by a Clinical Safety Officer before harm occurs. Private healthcare has the investigation layer without the prevention layer.

This creates a specific exposure: when a boundary incident occurs and HSSIB investigates, it will find that no prospective safety case covered the crossing. No hazard log recorded the risks that arise specifically at the boundary — the risk that clinical intent is lost in translation, that identity reconciliation fails between systems, that consent given for clinical purposes is extended to commercial processing. The investigation will identify a structural gap that the organisation had no framework to address.

CQC inspection covers clinical governance within provider organisations. It does not assess the governance of crossings between them. An ICO investigation following a data breach at an organisational boundary will find the same gap — data crossing from one constitutional domain to another without adequate purpose limitation controls. FCA Consumer Duty requires insurers to demonstrate good outcomes across the entire product lifecycle — which, in health insurance, means across every organisational boundary the patient pathway crosses. Each regulator sees its slice of the problem. None see the crossing itself.

For the Clinical Safety Officer, this is personal. CSO liability is directly engaged when clinical risk is not prospectively assessed. A boundary where responsibility transfer is informal and undocumented is a hazard that should appear in the hazard log. If it does not, and harm occurs at that boundary, the CSO's professional position is exposed.

3. Growth constraint

Ungoverned boundaries are not only a safety risk. They are the structural bottleneck preventing private providers from doing the things they are commercially trying to do.

Outcomes-based commissioning requires outcome attribution across providers. If a patient's pathway crosses three organisational boundaries and the outcome is good — or poor — which boundary contributed? Without governed outcome flows at each crossing, the data to answer that question does not exist. The contract cannot function. The commissioner cannot attribute value. The provider cannot evidence performance.

IHO formation requires constituent organisations to demonstrate boundary governance between them. The Ten Year Plan's shift toward Integrated Healthcare Organisations creates exactly the kind of multi-provider structure where boundary governance is the precondition for the commercial entity to function. A group of providers that cannot demonstrate governed crossings between them cannot credibly form an IHO.

Insurer pathway expansion hits the same wall. An insurer wanting to scale a managed pathway — adding providers, extending geographic reach, introducing new specialties — needs confidence that governance works at every new boundary the pathway creates. If the existing boundaries are ungoverned, scaling them multiplies the risk rather than the commercial opportunity.

The structural argument is straightforward: governed boundaries are the infrastructure that enables commercial growth. Without them, every new partnership, every new pathway, every new contract creates more ungoverned crossings — and more risk that the commercial structure cannot safely support.

4. Pathway quality

This is distinct from safety. Safety asks: can a patient be harmed at this boundary? Pathway quality asks: can you see, measure, and improve what happens across it?

A private insurer operating a managed provider network — Doctor Care Anywhere, Bupa, Vitality — sells a product: a clinical pathway from first contact to outcome. The product's quality depends on what happens at every crossing within the network. GP to specialist. Specialist to diagnostic. Diagnostic back to specialist. Specialist to rehabilitation. Private to NHS on discharge.

With open referrals and ungoverned boundaries, the insurer cannot observe what happens between the nodes. The referral goes out. Something happens. Maybe an outcome comes back, maybe it doesn't. Time-to-treatment across the pathway is unknown. Which provider-to-provider crossings are bottlenecks is unknown. Whether clinical intent survived the routing is unknown. Whether the receiving clinician had the information they needed to make a good decision is unknown.

This is a product quality problem. The insurer is selling a pathway it cannot see. The provider network is delivering a service it cannot measure.

With governed boundaries — confirmed responsibility transfer, preserved clinical intent, closed outcome loops — you get something that does not exist today: cross-boundary operational intelligence. Which referral routes produce the best outcomes? Where are patients waiting longest? Which crossings degrade clinical information? Which providers consistently confirm responsibility transfer within clinical timeframes and which do not? That data is the basis for continuous pathway improvement. Without it, pathway quality is an assumption, not a measurement.

5. Interoperability failure

The practical reality of clinical data crossing private healthcare boundaries is blunt. Discharge summaries from private hospitals reaching GP practices via letter, fax, or PDF attachment to email. No FHIR-based transfer of care. No structured clinical content. No mechanism for the GP to confirm receipt, acknowledge responsibility, or signal that the information was insufficient.

Between providers within an insurer's network, each crossing is governed by whatever bilateral data sharing arrangement the two providers have — or, frequently, by no arrangement at all. There is no standardised clinical safety framework spanning the network. There is no interoperability standard mandated between network members. Each provider operates its own clinical system, its own data model, its own information governance framework.

The patient experiences a pathway. The data does not.

But interoperability without governance is not the solution — it is a different kind of risk. Data flowing between organisations without clinical intent, without provenance, without confirmed responsibility, creates an illusion of continuity. The systems are connected. The governance is not. A receiving clinician who receives structured data and assumes it represents a complete clinical picture — when in fact the routing function stripped the clinical reasoning — is in a worse position than one who receives nothing and knows to ask.

The Seven Flows framework addresses this directly: interoperability is necessary but insufficient. The data must flow, and it must flow with its governance context — who sent it, why, under what clinical intent, with what consent, and with what expectation of responsibility on receipt.

6. Data governance across the clinical-commercial boundary

Private healthcare creates a data governance challenge that has no equivalent in NHS-only care: clinical data routinely crosses from clinical to commercial processing purposes within a single patient episode.

When a GP refers a patient, clinical data — special category health data under UK GDPR — moves from a CQC-registered clinical service to an FCA-regulated insurer's commercial platform. The data was generated for a clinical purpose. It is now being processed for a commercial purpose: claims authorisation, provider routing, utilisation management. Under UK GDPR Art 5(1)(b), data collected for one purpose cannot be processed for an incompatible purpose without additional lawful basis.

The problem compounds. Clinical data shared for pre-authorisation may subsequently be used for underwriting, claims adjudication, fraud detection, or premium calculation — purposes fundamentally incompatible with the original clinical purpose. Common Law Duty of Confidentiality and UK GDPR purpose limitation principles restrict sharing of clinical data for non-care purposes. But the mechanisms to enforce purpose limitation at the boundary — to ensure that data shared for clinical routing is not repurposed for commercial analytics — are largely absent.

This is not an interoperability problem. The data flows. It flows across a constitutional boundary — from a care-oriented domain governed by CQC to a commercial domain governed by the FCA — and the governance of that constitutional crossing is the gap.

7. Exclusion

The existential risk. The environment that has allowed private providers to operate with ungoverned boundaries is changing, and the changes have statutory force.

The Data Use and Access Act 2025 places a duty on "every health and care provider" — not every NHS provider — to contribute to the Single Patient Record. The legislative language is deliberate. Private providers treating NHS patients will need real-time FHIR-compliant data contribution. The timeline is 2028, subject to parliamentary time. Providers who cannot comply will not be non-compliant with a recommendation. They will be in breach of statute.

The Provider Selection Regime means that contract renewals require demonstrable evidence of performance, governance, and integration capability. An incumbent provider that cannot evidence governed boundaries at its NHS crossings is vulnerable to challenge under the PSR's evidence requirements.

The Ten Year Plan's earned autonomy model makes existing governance obligations enforceable and measurable. For private providers, boundary governance ceases to be aspirational and becomes a condition of continued autonomy. The governance bar is being raised. Providers that cannot clear it will find themselves excluded from the pathways, panels, and partnerships that constitute their commercial market.

The insurer dimension is equally direct: if you cannot demonstrate governed boundaries to an insurer designing a managed network, you do not get on the panel. The insurer's FCA Consumer Duty obligation to demonstrate good outcomes across the product lifecycle means it cannot afford to include providers whose boundaries are ungoverned. Exclusion is not a regulatory action. It is a commercial consequence of being unable to evidence what your commissioners, insurers, and partners increasingly require.

8. Operational inefficiency

Every ungoverned boundary generates administrative friction. The clinical costs of boundary failure are discussed above. The operational costs are equally real and more immediately visible on a P&L.

Consider the insurer authorisation chain. In tariffed pathways, where service prices are pre-agreed, routing follows a predictable sequence: GP refers, insurer authorises against known price, provider delivers, outcome and billing close the loop. In non-tariffed pathways, the sequence reorders and a negotiation loop may follow: provider quotes, insurer queries or rejects, provider revises, insurer approves. Each step is a boundary crossing. Each step is manual because neither side trusts the data crossing the boundary.

Identity reconciliation is manual — the insurer's member ID does not reliably map to the provider's patient ID. Clinical intent verification is manual — the insurer's clinical team re-reviews what the referring clinician already assessed. Authorisation is manual — because the structured data to support automated decision-making does not cross the boundary. Billing disputes arise because the clinical record on one side of the boundary does not match the commercial record on the other.

Govern the boundary — structured identity, provenance-tracked clinical intent, confirmed responsibility transfer, closed outcome loops — and the operational infrastructure can be built on reliable data rather than reconstructed from unreliable data. Pre-authorisation becomes a rules engine decision against structured clinical intent. Claims reconciliation becomes a matching exercise against confirmed outcomes. Payment triggers fire on confirmed responsibility acceptance rather than on retrospective paperwork.

For an insurer processing hundreds of thousands of pathways, that is structural cost reduction. For a provider, it is faster payment, fewer disputes, and less administrative burden on clinical staff.

9. M&A and due diligence

Private equity ownership of healthcare providers continues to consolidate the market. When a PE-backed group acquires a provider, the due diligence process assesses financial performance, regulatory compliance, workforce, and facilities. It rarely assesses boundary governance.

Two private providers merging creates internal boundaries that previously had external governance. Before the acquisition, each provider's external boundary with the other was — however informally — recognised as a crossing requiring some form of handover. After the merger, it becomes an internal boundary. Internal boundaries are assumed to be governed by shared policy, shared systems, shared culture. In practice, the two organisations may continue operating on different clinical systems, different data models, different information governance frameworks, and different clinical safety cultures — but the boundary between them has lost whatever external governance attention it previously received.

Ungoverned boundaries are unpriced liabilities on the balance sheet. A PE group that acquires three providers and integrates them into a single network without assessing the boundary governance between them has created a structure where clinical risk is concentrated at exactly the crossings it has not evaluated. When an incident occurs at one of those internal boundaries — and the absence of governance makes this a question of when, not if — the liability flows upward to the group that made the acquisition decision without pricing the risk.

The audit methodology includes an M&A assessment tier for exactly this reason: rapid assessment of the target's material boundaries, constitutional analysis of post-acquisition boundary changes, and technology assessment of integration complexity and cost. The boundary governance scorecard becomes a due diligence instrument — a quantified assessment of risk that the acquiring entity can price, mitigate, or walk away from.


What these nine risks share

Every one of these risks — safety, liability, growth, quality, interoperability, data governance, exclusion, efficiency, and M&A exposure — arises from the same structural gap: no framework governs the crossing between organisations. The nodes are regulated, inspected, accredited, and assessed. The edges are not.

The Seven Flows Boundary Governance Audit was designed specifically for this gap. It is the first structured, statutory-traceable methodology that assesses governance at organisational boundaries — not within them.

The next article in this series examines how the audit works: seven flows assessed at every material boundary, five maturity levels, evidence reconciliation across both sides of every crossing, and the cascading failure logic that reveals structural dependencies invisible to internal governance.


Julian Bradder

CEO, Inference Clinical

Inference Clinical builds governance infrastructure for inter-organisational responsibility transfer in healthcare. The Seven Flows Boundary Governance Audit applies the same rigorous methodology to private healthcare boundaries as to NHS boundaries — insurer routing, provider-to-provider handovers, GP crossings, and the clinical-commercial interface. To assess the governance of your organisation's boundaries, book a scoping call.