
This is the seventh article in a series examining boundary governance in private healthcare. Previous articles established the structural governance gap across private sector boundaries, mapped the ungoverned constellation of insurer provider networks, examined the clinical-commercial boundary at pre-authorisation, documented the NHS-private interface between two constitutional domains, traced the digital front door as an invisible boundary, and showed that clinical safety standards do not reach the crossings where clinical risk is highest. This article presents the methodology that addresses all of these gaps: the Seven Flows framework applied to the boundaries of private healthcare.


Six articles have established that private healthcare governs its organisations but not the crossings between them. CQC inspects individual providers. The FCA regulates individual insurers. The GMC oversees individual clinicians. Nobody governs what happens at the boundary — where clinical information, clinical responsibility, and clinical risk transfer from one organisation to another.

The question that follows is not whether this gap matters. The question is how to assess it, measure it, and close it.

This article presents the Seven Flows — a boundary governance framework designed to answer seven questions at every organisational crossing in a clinical pathway. It is not a theoretical construct. It is a methodology that can be applied, audited, and scored at every boundary this series has examined. Each flow corresponds to a governance function that must be present for a boundary crossing to be safe. Where a flow is absent, the boundary creates clinical risk that no individual organisation's internal governance can identify or mitigate.

The difference between a “customer journey” and a “governance map”

Every major insurer has invested in healthcare pathway design and patient journey mapping. The outputs are familiar: swim-lane diagrams tracking the patient from first contact through pre-authorisation, treatment, and claim settlement. These maps optimise for speed, friction, and customer experience (CX) in healthcare. They ask: where does the patient wait? Where does the process stall? Where does satisfaction drop?

They do not ask: where does clinical liability transfer? Where does data integrity degrade? Where does a patient safety risk map reveal unmanaged hazards sitting between two organisations?

What is a Governance Map? A Governance Map differs from a Customer Journey Map by tracking clinical liability and data integrity (using the Seven Flows) rather than just sentiment and speed. It reveals where safety risks occur during handovers between insurers and providers. A CX map shows the patient is referred. A governance map shows whether clinical reasoning survived the referral, whether responsibility transferred explicitly, and whether anyone is accountable for what happens next.

The distinction matters because clinical workflow mapping and CX mapping produce fundamentally different outputs. A CX map might show that pre-authorisation takes 48 hours and recommend automation. A governance map shows that during those 48 hours, clinical context is stripped from the consultant's recommendation as narrative reasoning is reduced to CCSD procedure codes, creating a medical necessity adjudication that proceeds without the clinical intent that informed the original recommendation. One map produces a faster process. The other produces a safer one.

The seven questions

Every time a patient crosses an organisational boundary in healthcare — from GP to specialist, from consultant to insurer, from private provider back to the NHS — seven governance questions must be answered. If any of them cannot be answered, the crossing creates unmanaged clinical risk.

1. Identity. Are both organisations confident they are dealing with the same patient, the same clinical episode, and the same clinical record? Identity is not simply a name match. It is the assurance that the clinical identity verified by the sending organisation is reconciled with the clinical identity held by the receiving organisation, such that clinical information can be correctly attributed to the right patient and the right episode of care. In the NHS, the NHS number provides a definitive identifier. In private healthcare, its use at boundary crossings is not mandated.

The patient vs. the policyholder: why patient identification policy matters at every crossing

In the private medical insurance claims process, the patient exists in two identity systems simultaneously. To the clinician, they are a patient with an NHS number, a clinical record, and a care episode. To the insurer, they are a policyholder with a membership number, an authorised benefit, and a claims reference. The NHS number vs. policy number gap is not administrative trivia. It is the first point at which clinical governance and financial governance diverge. A patient whose clinical identity cannot be reconciled with their policy identity at each boundary crossing creates a data integrity risk that propagates through every subsequent flow.

2. Consent. Has the patient given informed, specific consent to the sharing of their clinical data across this particular organisational boundary, for the specific purpose for which the receiving organisation will use it? Consent is not a blanket contractual clause accepted at registration. It is the patient's informed understanding that their clinical data is crossing from one governance framework to another, potentially for a different purpose than the one for which it was originally collected.

3. Provenance. Does the clinical information crossing the boundary carry its governance context with it? Provenance means the receiving organisation knows where the information came from, under what clinical circumstances it was generated, what governance framework it was created under, and what limitations or caveats should accompany it. A referral letter generated in a ten-minute virtual consultation carries different provenance from one generated after a face-to-face examination with access to a patient's full NHS medical record. Both may contain the same diagnosis. The clinical weight is different. The receiving clinician needs to know.

4. Clinical Intent. Does the sending clinician's reasoning survive the crossing? Clinical intent is the “why” behind the clinical action — not just what was recommended, but the clinical reasoning that supports the recommendation, the differential diagnoses considered, the alternatives weighed, the specific concerns that should inform the receiving clinician's decision-making. Clinical intent degrades at every boundary where information transfer is reduced to codes, forms, and structured fields that capture the what but not the why.

The risk of reducing narrative to codes: CCSD, medical necessity adjudication, and clinical context

Pre-authorisation risks are concentrated in this flow. The consultant writes a letter explaining why this patient needs this investigation given their clinical history, their differential diagnosis, and their specific risk factors. The insurer's pre-authorisation platform captures a CCSD procedure code and an ICD diagnosis code. The narrative — the clinical context that would inform medical necessity adjudication — is either truncated to a free-text field, character-limited, or omitted entirely. The insurer's clinical team then adjudicates medical necessity against the codes, not against the reasoning. This is the point at which clinical governance in private healthcare fails most consistently: the system is optimised for processing speed, not for preserving the clinical intent that would make the authorisation decision clinically safe.

5. Alert and Responsibility. Is there an explicit, documented transfer of clinical responsibility at the crossing? Responsibility does not transfer by assumption. It transfers by agreement — the sending clinician confirms they are handing over, the receiving clinician confirms they are accepting, and both parties agree on the scope of what is being transferred. Where the crossing involves an alert — an urgent finding, a time-sensitive clinical need, an escalation — the governance of that alert must include confirmation of receipt, acknowledgement of the clinical urgency, and acceptance of responsibility for acting on it. Where no framework governs this transfer, clinical responsibility falls into a gap between two organisations, each of which may believe the other is holding it.

Managing the “benefit exhausted” cliff edge: duty of care and continuity of care from private to NHS

The sharpest responsibility failure in the insured pathway occurs when the patient's benefit limit is reached mid-treatment. The insurer withdraws funding. The private provider can no longer treat. The NHS GP has not been managing the episode. The specialist who has been treating the patient must transfer clinical responsibility to a GP who has no context, no continuity, and no obligation to accept ongoing monitoring that the private consultant considers clinically necessary. This is the “benefit exhausted” cliff edge, and it is the point at which the duty of care obligation and the continuity of care from the private pathway to the NHS are most structurally broken. No governance framework defines what must happen at this crossing. The patient falls into a gap between two systems, and the Alert and Responsibility flow is absent at the moment it matters most.

6. Service Routing. Is the patient being directed to the most clinically appropriate destination, or is routing constrained by commercial, contractual, or network factors that may not align with clinical need? Service routing in private healthcare is the function most influenced by the clinical-commercial boundary. In the NHS, a GP refers to a specialist based on clinical appropriateness, with patient choice of provider. In private healthcare, routing may be constrained by the insurer's approved specialist list, the fee schedule, the network tier, or the guided pathway model. The question is not whether these constraints exist — they are a reasonable feature of insured care — but whether they are transparent, whether the clinical implications are assessed, and whether a pathway exists for routing outside the network when clinical need requires it.

The “open referral” algorithm: fee-assured consultants, triage algorithms, and open referral safety

What is the “Open Referral” Risk? In private healthcare, Open Referral occurs when an insurer directs a patient to a specialist. If the insurer's routing algorithm prioritises cost over clinical sub-specialisation without transferring full medical history, they become liable for Service Routing failures. The open referral pathway model — where the insurer selects from fee-assured consultants using triage algorithms rather than allowing the referring clinician to specify the specialist — optimises for network efficiency. It does not optimise for clinical appropriateness. An orthopaedic referral routed to a general orthopaedic surgeon when the patient's condition requires a sub-specialist in spinal surgery is a Service Routing failure that creates clinical risk. This is a high-risk Constitutional Crossing — the point at which commercial routing logic overrides clinical judgement without a governance framework to identify and manage the hazard.

7. Outcome. Does the sending organisation know what happened after the crossing? Does the receiving organisation feed back the clinical outcome to the organisation that initiated the pathway? Outcome is the flow that closes the loop. Without it, the sending organisation discharges the patient into an information vacuum. No learning occurs. No quality improvement is possible. Clinical governance becomes a series of disconnected episodes rather than a continuous pathway. In private healthcare, outcome data rarely crosses organisational boundaries. The digital front door does not know what happened after the referral. The insurer may know what was paid for but not what the clinical result was. The GP may receive a discharge letter — or may not. The outcome loop is the most consistently absent flow at every boundary this series has examined.

The missing loop in value-based healthcare: PROMs data collection and VBHC metrics at the boundary

The private healthcare sector is investing heavily in value-based healthcare (VBHC) metrics and PROMs data collection. The Private Healthcare Information Network (PHIN) publishes outcome data for private hospitals, but this data describes performance within individual providers; it does not track what happens at the boundaries between them. Value-based healthcare, however, requires outcome data to cross organisational boundaries, and this is the flow that is most consistently absent. An insurer cannot measure value without knowing clinical outcomes. A provider cannot demonstrate value without feedback on long-term patient outcomes that occur after discharge. The entire VBHC proposition collapses at the boundary. Without governance-preserving interoperability that allows outcome data to flow back across organisational crossings while maintaining data integrity and consent compliance, value-based healthcare in the insured pathway remains a measurement framework without the measurements. The missing outcome loop is not just a governance gap. It is the structural obstacle to the sector's stated strategic direction.

Maturity at the boundary

Identifying the seven questions is the first step. Assessing how well an organisation answers them is the second. A boundary governance audit examines each flow at each crossing and scores it on a five-level maturity scale.

Level 0 — Absent. The flow does not exist at this boundary. No mechanism, process, or system addresses this governance question. The crossing creates unmanaged clinical risk. Example: no defined moment of clinical responsibility transfer between private consultant and NHS GP at the return crossing documented in Article 4.

Level 1 — Ad hoc. The flow depends on individual initiative rather than organisational process. A diligent clinician may address the governance question. A less diligent one may not. There is no systematic assurance that the flow operates consistently. Example: a consultant's secretary who always includes the NHS number in private referral letters, even though no policy requires it.

Level 2 — Defined. A process exists. It is documented. Staff know it exists. But compliance is not systematically monitored, and the process may not be designed for the specific governance risks at this boundary type. Example: an insurer whose pre-authorisation form includes a free-text clinical notes field, but where there is no mandated minimum dataset, no structured clinical context requirement, and no audit of whether the field is completed.

Level 3 — Managed. The flow is systematically addressed. The process is designed for the specific boundary type. Compliance is monitored. Deviations are identified and corrected. Evidence exists that the flow operates as intended. Example: a digital front door platform that captures explicit, specific consent to data sharing with the insurer's authorisation function during the consultation — not at registration — with a structured audit trail showing consent was obtained, what was consented to, and when.

Level 4 — Optimised. The flow is not just managed but continuously improved. Outcome data feeds back into process design. Clinical safety assessment (Hazard Log, CSO review) covers this boundary. The organisation can demonstrate to regulators — CQC, FCA, ICO — that the clinical risks at this crossing have been prospectively identified, assessed, and controlled. Example: an insurer whose pre-authorisation platform has a Clinical Safety Case with a Hazard Log that identifies the risk of clinical context stripping, documents the controls implemented, records the residual risk assessment, and is signed off by a Clinical Safety Officer.

The maturity scale is not aspirational. Level 4 describes what DCB 0129 and 0160 already require of NHS health IT systems. It is the standard that exists within publicly funded care. Applying it at boundaries in private healthcare is not raising the bar. It is extending the floor.

Where does your pathway score? The Boundary Risk Score gives you a rapid indication of governance maturity across your crossings.


The seven flows at the insured pathway's five critical crossings

The previous articles in this series identified five boundary crossings in the typical insured patient pathway. At each crossing, each of the seven flows can be assessed and scored. The result is a 7 × 5 matrix — thirty-five governance assessments — that provides a complete picture of boundary governance across the insured pathway.

Crossing 1: Digital front door to insurer authorisation

The patient consults a virtual GP. Clinical data enters the insurer's commercial infrastructure. A referral is generated into the insurer's authorisation pathway. Article 5 documented this crossing in detail.

Identity: Typically Level 1-2. Patient identity verified against platform registration. Insurer verifies against policy. NHS number may or may not be captured. Reconciliation between platform identity and NHS clinical record dependent on manual matching, not systematic interoperability.

Consent: Typically Level 1-2. Consent to data sharing with insurer established through terms and conditions at registration, not during the consultation. May meet contractual requirements. Unlikely to meet ICO guidance on explicit, specific, informed consent for special category health data crossing between data controllers.

Provenance: Typically Level 1. The insurer's authorisation team may not systematically distinguish between a referral originating from a face-to-face NHS GP consultation and one from a ten-minute virtual consultation. The governance context in which clinical information was generated is not structurally preserved.

Clinical Intent: Typically Level 1-2. Pre-authorisation forms capture diagnosis and procedure codes. The virtual GP's clinical reasoning — why this referral rather than alternatives, what could and could not be assessed remotely, what concerns should inform the specialist's approach — may be communicated in free text or may not be communicated at all.

Responsibility: Typically Level 0-1. No standard defines the moment at which clinical responsibility transfers from the virtual GP to the insurer's authorisation function, or from the authorisation function to the specialist. The insurer's modification of a referral (different specialist, different investigation, different pathway) creates a responsibility gap that no governance framework addresses.

Service Routing: Typically Level 2-3. Insurers have well-developed specialist selection and appointment booking processes. Routing within the network is often efficient and fast. Routing outside the network — when the patient's condition requires NHS-only services or specialists not on the approved list — is typically Level 0-1.

Outcome: Typically Level 0-1. No structured mechanism feeds back the clinical outcome from the specialist to the virtual GP platform. The digital front door opens onto a pathway and does not learn what happens next.

Crossing 2: Insurer authorisation to specialist

The insurer authorises treatment and directs the patient to a specific consultant within the provider network. Article 2 mapped this crossing. Article 3 examined the clinical-commercial dynamics.

Identity: Typically Level 2. The insurer provides the specialist with the patient's name, date of birth, and policy details. NHS number may not be transmitted. The specialist's clinical system may not be interoperable with the insurer's platform.

Consent: Typically Level 1-2. The patient consented to the insurer processing their data. The patient may not have explicitly consented to their clinical information being shared with the specific specialist selected by the insurer's routing algorithm.

Provenance: Typically Level 1. The specialist receives a referral that has passed through the insurer's authorisation process. Whether the referral was modified during authorisation — whether the insurer's clinical team changed the recommended investigation or substituted a different pathway — may or may not be visible to the specialist.

Clinical Intent: Typically Level 1-2. The specialist receives the insurer's authorised scope of treatment. Whether this matches the referring clinician's original clinical intent — the full reasoning behind the referral — depends on how much clinical context survived the authorisation process.

Responsibility: Typically Level 1-2. The specialist accepts clinical responsibility for the patient at the point of consultation. But the scope of what was authorised may constrain the scope of what the specialist can do. If the specialist identifies a clinical need beyond the authorised scope, a new authorisation request creates delay and introduces the clinical-commercial boundary dynamics examined in Article 3.

Service Routing: Typically Level 2-3 within network. If the specialist needs to refer onward to a colleague or a different facility, routing remains within the insurer's network. Whether this secondary routing is clinically optimal or network-constrained is not systematically assessed.

Outcome: Typically Level 1-2. The specialist reports outcomes to the insurer for claims purposes. Whether this includes structured clinical outcome data — not just what was done, but whether it worked — varies by insurer and by specialty.

Crossing 3: Specialist to diagnostic provider

The specialist refers for imaging, pathology, or other diagnostic investigations. In private healthcare, the diagnostic provider is typically a separate CQC-registered organisation within the insurer's network.

Identity: Typically Level 2. Patient demographics transferred with the request. Clinical record reconciliation between the specialist's system and the diagnostic provider's system dependent on shared identifiers that may not include the NHS number.

Consent: Typically Level 1-2. The patient consented to treatment by the specialist. Whether the patient gave specific consent to their clinical data being shared with a separate diagnostic organisation — a distinct data controller — is typically addressed through the specialist's general consent process rather than specific boundary consent.

Provenance: Typically Level 2. Diagnostic requests carry the requesting clinician's details. The clinical context behind the request — why this test, what differential diagnosis is being explored, what the clinician is specifically looking for — varies from structured and detailed to minimal.

Clinical Intent: Typically Level 1-3. Some diagnostic requests include detailed clinical questions. Others include a diagnosis code and a test code with no clinical context. The diagnostic provider's ability to optimise the investigation for the clinical question depends entirely on what the specialist communicates.

Responsibility: Typically Level 2. The specialist holds clinical responsibility for requesting the investigation and acting on the results. The diagnostic provider holds responsibility for the quality of the investigation and timely reporting. The boundary between these responsibilities is generally understood in practice, though not always formally documented at this crossing.

Service Routing: Typically Level 2. Routing within the insurer's diagnostic network is usually defined. If the required diagnostic capability is not available within the network, pathways to out-of-network providers may be ad hoc.

Outcome: Typically Level 2-3. Diagnostic results are typically communicated back to the requesting specialist. This is one of the better-governed outcome loops in the private pathway, though turnaround times and communication channels vary.

Crossing 4: Private provider to insurer at claim

Clinical activity generates a claim. The provider reports what was done, coded by procedure and diagnosis. The insurer processes the claim against the authorised scope of treatment.

Identity: Typically Level 3. Claims processing requires accurate patient-policy matching. Financial systems tend to enforce identity reconciliation more rigorously than clinical systems.

Consent: Typically Level 2. The patient's contractual consent to claims processing was established at policy inception. Whether the patient understood the scope of clinical data that would be shared for claims purposes — and whether the insurer's processing of that data for utilisation analysis, product design, or network management falls within the consented scope — is a data governance question that most policies address contractually but not through informed clinical consent.

Provenance: Typically Level 1-2. Claims data carries procedure and diagnosis codes. The clinical context — the patient's full clinical picture, the clinical reasoning behind treatment decisions — is reduced to codified data. Provenance of the clinical episode is lost in the translation to claims language.

Clinical Intent: Typically Level 0-1. Claims processing does not require clinical intent. The insurer knows what was done. It does not systematically capture why it was done, what alternatives were considered, or what the clinician's reasoning was. This matters when the insurer's utilisation review function later queries whether the treatment was necessary.

Responsibility: Typically Level 2-3. Financial responsibility transfers clearly at the claim — the insurer accepts the liability for the authorised cost. Clinical responsibility remains with the treating clinician. These two accountability structures are well-separated in claims processing, which is actually a governance strength.

Service Routing: Not applicable at this crossing.

Outcome: Typically Level 1. The insurer receives claims data that confirms treatment was delivered. Whether the treatment produced a good clinical outcome — whether the patient improved, experienced complications, required further intervention — is not systematically captured in claims data. The insurer knows what was paid for. It does not systematically know whether it worked.

Crossing 5: Private pathway to NHS return

Treatment ends. The patient returns to their NHS GP. Clinical information must cross from the private sector back into the NHS constitutional domain. Article 4 documented this crossing as the most structurally ungoverned in the insured pathway.

Identity: Typically Level 1-2. The private consultant's discharge letter addresses the GP by practice name. NHS number may or may not be included. The GP's clinical system must match the letter to the correct patient record — a process that depends on administrative staff correctly reconciling the identity from a document that may arrive as a PDF, a posted letter, or occasionally a fax.

Consent: Typically Level 0-1. The patient's consent to their private treatment information being shared with their NHS GP is generally assumed, not explicitly obtained. Whether the patient understood that their private treatment history would be incorporated into their NHS clinical record — visible to every NHS clinician subsequently accessing that record — is rarely discussed.

Provenance: Typically Level 1. The discharge letter arrives as correspondence. When it enters the GP's clinical record, it may be filed as incoming correspondence without governance metadata marking it as originating from a private episode under different governance and different clinical accountability.

Clinical Intent: Typically Level 0-2. The consultant's letter should communicate what was done, what was found, what treatment was given, what follow-up is needed. There is no private sector equivalent of the PRSB eDischarge Summary Standard with its eighteen defined sections. Content depends entirely on the individual consultant's practice. The GP may receive a comprehensive clinical narrative or a two-paragraph letter omitting medication doses, failing to specify who is responsible for follow-up blood tests, and not identifying the urgency of recommended actions.

Responsibility: Typically Level 0-1. This is the most critical gap. When does clinical responsibility transfer from the private consultant to the NHS GP? The consultant's letter may say “please continue monitoring.” The GP practice policy may say “we do not accept monitoring responsibilities from private providers.” The patient is caught between two clinicians, neither of whom has explicitly accepted responsibility for ongoing clinical actions the other considers necessary. No standard — contractual, regulatory, or professional — defines the moment of responsibility transfer at this boundary or the conditions that must be met for it to be safe.

Service Routing: Typically Level 0-1. If the patient needs ongoing specialist care within the NHS, the private consultant cannot refer directly through the e-Referral Service. The patient must re-present to their GP. The routing infrastructure that should govern this crossing is available (e-RS) but the private sector has no systematic mechanism for accessing it.

Outcome: Typically Level 0. The private provider almost never knows what happened after the patient returned to NHS care. The outcome loop — feedback closing the clinical cycle — does not cross the private-to-NHS boundary. The private provider discharges the patient into a governance void and has no structured mechanism for learning whether the treatment they delivered produced a good outcome in the longer term.

Reading the matrix

Seven Flows Maturity Profile — Insured Patient Pathway

Typical governance maturity at each boundary crossing. No crossing reaches Level 4 (NHS standard) at any flow.

| Flow | C1: Digital Front Door → Insurer Auth | C2: Insurer Auth → Specialist | C3: Specialist → Diagnostics | C4: Provider → Insurer Claim | C5: Private Pathway → NHS Return |
|---|---|---|---|---|---|
| 1. Identity | 1 | 2 | 2 | 3 | 1 |
| 2. Consent | 1 | 1 | 1 | 2 | 0 |
| 3. Provenance | 1 | 1 | 2 | 1 | 1 |
| 4. Clinical Intent | 1 | 1 | 2 | 0 | 1 |
| 5. Responsibility | 0 | 1 | 2 | 2 | 0 |
| 6. Service Routing | 2 | 2 | 2 | n/a | 0 |
| 7. Outcome | 0 | 1 | 2 | 1 | 0 |

Maturity Levels: L0 Absent, L1 Ad Hoc, L2 Defined, L3 Managed, L4 Optimised (NHS)

THE PATTERN

One green cell. Identity at claims — the only flow where financial incentive drives governance to Level 3.

Column 5 is the reddest. The NHS return crossing is the least governed boundary in the pathway.

Row 7 is the reddest. Outcome — the loop that closes learning — is the most consistently absent flow.

No blue anywhere. No crossing reaches Level 4 at any flow. Level 4 is what DCB 0129 already requires within the NHS.

The 7 × 5 matrix produces a governance profile of the insured pathway. The pattern that emerges is consistent with what the previous six articles identified: financial governance is significantly more mature than clinical governance at every crossing. Identity and consent are better governed where there is a financial transaction (Crossing 4) than where there is a clinical handover (Crossing 5). Service routing is well-governed within the network but collapses at the boundary between the insured network and the NHS. Outcome is the most consistently absent flow across all crossings.

But the matrix does more than confirm the problem. It makes it measurable. An organisation that scores Level 0-1 across most flows at most crossings knows the scale of the governance gap. An organisation that has invested in specific flows at specific crossings can demonstrate that investment. Two insurers offering similar clinical quality can be distinguished by their boundary governance maturity — and that distinction becomes material under Consumer Duty, under CQC's Well-Led framework, and under any future extension of clinical safety standards to the independent sector.

The maturity assessment is also a roadmap. An organisation does not need to reach Level 4 at every flow at every crossing simultaneously. The assessment identifies which crossings carry the highest clinical risk, which flows are most degraded, and where investment will produce the greatest governance improvement. A targeted programme that moves the three or four most critical flows from Level 0-1 to Level 2-3 produces a measurably different governance position — and does so in a timeframe that aligns with regulatory cycles.

Evidence requirements

A maturity score without evidence is an assertion. A maturity score with evidence is a governance position. At each level, the evidence requirements are specific:

Level 0: No evidence required — the flow does not exist. The audit records its absence.

Level 1: Evidence that the flow occasionally operates: examples of good practice by individual clinicians or staff members, but no organisational policy or systematic process.

Level 2: Evidence of a defined process: documented policy, procedure, or system specification addressing the flow at this crossing. Evidence may include process documentation, system configuration records, or staff awareness records.

Level 3: Evidence of managed operation: compliance monitoring data, audit results, deviation records, incident reports showing that failures in the flow are identified and corrected. Evidence that the process operates as intended, not just that it exists.

Level 4: Evidence of optimised operation: a clinical safety assessment covering this boundary, creating a clinical safety hazard identification process with Hazard Log, Clinical Safety Case, outcome data feeding back into process improvement, CSO sign-off, and evidence of continuous improvement over time. Evidence that the organisation can demonstrate to a regulator (CQC, FCA, or both) that clinical risks at this crossing have been prospectively identified and are actively managed.

How to audit your pathway: the clinical governance audit tool

A boundary governance audit applies this methodology to an organisation's actual crossings. The process follows a structure familiar to anyone who has worked with DCB 0129 or ISO 27001: scope definition, evidence gathering, assessment, reporting, and action planning. It transforms patient journey mapping from a CX exercise into a clinical safety hazard identification process.

Scoping identifies which crossings are in scope. For an insurer, this typically includes the digital front door, the authorisation crossing, the specialist routing boundary, and the claims interface. For a private hospital group, it includes the practising privileges boundary, the provider-to-provider crossings within the network, the NHS-private interface in both directions, and the insurer interface. For a digital front door platform, the scope centres on the clinical-to-commercial crossing and the one-way valve.

Evidence gathering examines how each of the seven flows currently operates at each in-scope crossing. This involves reviewing policies and procedures, examining system configurations, interviewing clinical and operational staff at the boundary, and tracing a sample of patient journeys across the crossing to observe what actually happens — as distinct from what the documentation says should happen.

Assessment scores each flow at each crossing against the maturity scale, with evidence recorded at each level. The output is the 7 × n matrix (where n is the number of crossings in scope), with each cell containing a maturity score, the evidence supporting it, and the rationale for the assessment.

Reporting presents the governance profile as a boundary readiness assessment. This includes the maturity matrix, an analysis of the highest-risk crossings and flows, comparison against regulatory expectations (Consumer Duty, CQC Well-Led, DCB 0129/0160 principles), and identification of the governance improvements that would produce the greatest risk reduction.

Action planning translates the assessment into a prioritised programme of governance improvements. This is where the audit becomes operational — not a document that sits on a shelf, but a roadmap that moves specific flows at specific crossings from their current maturity level to a target level, with defined milestones, responsibilities, and evidence requirements.
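As an added illustration (not part of the original article or any Inference Clinical tooling), the assessment matrix can be held as data so that the evidence check, the profile analysis and the action-plan ordering become repeatable. The scores are those in the article's 7 × 5 matrix; the field names, the default target level of 2 and the evidence reference are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

FLOWS = ["Identity", "Consent", "Provenance", "Clinical Intent",
         "Responsibility", "Service Routing", "Outcome"]
CROSSINGS = ["C1 Front Door", "C2 Auth → Spec", "C3 Spec → Diag",
             "C4 Claim", "C5 NHS Return"]
# Maturity levels from the article's 7 x 5 matrix; None is the "n/a" cell.
SCORES = [[1, 2, 2, 3, 1], [1, 1, 1, 2, 0], [1, 1, 2, 1, 1], [1, 1, 2, 0, 1],
          [0, 1, 2, 2, 0], [2, 2, 2, None, 0], [0, 1, 2, 1, 0]]

@dataclass
class Cell:
    flow: str
    crossing: str
    level: Optional[int]      # 0-4, or None when the flow does not apply
    evidence: tuple = ()      # references to policies, audits, incident logs
    rationale: str = ""

def build_matrix(evidence=None):
    """Build all cells; `evidence` maps (flow, crossing) to evidence refs."""
    evidence = evidence or {}
    return [Cell(f, c, SCORES[i][j], tuple(evidence.get((f, c), ())))
            for i, f in enumerate(FLOWS) for j, c in enumerate(CROSSINGS)]

def unsupported(cells):
    """Cells scored Level 1 or above with no evidence recorded."""
    return [c for c in cells if c.level and not c.evidence]

def mean_level(cells, attr):
    """Mean maturity per "flow" or per "crossing", skipping n/a cells."""
    groups = {}
    for c in cells:
        if c.level is not None:
            groups.setdefault(getattr(c, attr), []).append(c.level)
    return {k: sum(v) / len(v) for k, v in groups.items()}

def priorities(cells, target=2):
    """Cells below the target level, largest gap first (ties keep order)."""
    gaps = [c for c in cells if c.level is not None and c.level < target]
    return sorted(gaps, key=lambda c: target - c.level, reverse=True)

if __name__ == "__main__":
    # Constructed evidence reference, for illustration only.
    cells = build_matrix({("Identity", "C4 Claim"): ["constructed-ref-001"]})
    by_crossing, by_flow = mean_level(cells, "crossing"), mean_level(cells, "flow")
    print(min(by_crossing, key=by_crossing.get), "|", min(by_flow, key=by_flow.get))
    print(len(unsupported(cells)), "scored cells have no evidence attached")
    print([(c.flow, c.crossing) for c in priorities(cells)][:3])
```

Run against the article's scores, the lowest-mean crossing and flow match the pattern described above, and any cell scored without evidence is surfaced before the matrix is reported.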

Who commissions this and why

The boundary governance audit addresses different questions for different organisations, but the methodology is identical.

Insurers face the most pressing regulatory driver. The FCA's Consumer Duty requires demonstration that products deliver good outcomes across the customer journey. The upcoming distribution chain consultation will examine how responsibility flows between entities in the insured pathway. An insurer that has commissioned a boundary governance audit can demonstrate to the FCA that it has systematically assessed the governance of its pathway and identified where outcomes might be compromised by boundary failures. An insurer that has not commissioned one will be responding reactively when the FCA asks the question.

Private hospital groups face CQC scrutiny under the Well-Led framework, which asks whether leaders have the capacity and capability to deliver high-quality, sustainable care. Well-Led does not yet specifically assess boundary governance. But a private hospital group operating across multiple sites, treating both NHS and private patients, managing practising privileges for hundreds of consultants, and interfacing with multiple insurers, has boundary governance risk at every organisational crossing. A boundary audit gives the executive team and the board visibility of that risk — and gives CQC inspectors evidence of governance maturity that their framework values but has not yet formally required.

Digital health platforms — the virtual GP services, the triage platforms, the clinical pathway management systems — sit at the digital front door and at the clinical-commercial crossing. Their product is the boundary. A boundary audit gives them a framework for demonstrating that the crossing they facilitate is governed, not just functional — a distinction that matters to the insurers they contract with, the CQC that inspects them, and the ICO that assesses their data governance.

Independent sector providers pursuing NHS contracts already need to demonstrate DCB 0129 and 0160 compliance for their NHS-funded activity. A boundary audit extends that governance framework to their private activity, creating a unified governance approach that satisfies both CQC and NHS commissioners. For organisations preparing for M&A — and the UK private healthcare market continues to consolidate — a boundary audit provides a governance baseline that acquirers increasingly expect.

The methodology is the message

This article has presented the Seven Flows as a framework, a maturity model, and an audit methodology. It is all three. But for the reader who has followed this series from the first article to the seventh, the methodology is also the thread that connects every argument.

Article 1 asked: who governs the crossings between private healthcare organisations? The Seven Flows are the seven governance functions that should be present at every crossing. Article 2 showed that financial flows are governed while clinical flows are not. The Seven Flows identify which clinical governance functions are missing and how mature the ones that exist are. Article 3 examined the clinical-commercial boundary and found no framework governing it. The Seven Flows provide that framework. Article 4 documented the NHS-private interface as two constitutional domains with no governed crossing mechanism. The Seven Flows are the mechanism. Article 5 traced the digital front door and its invisible boundary. The Seven Flows make the boundary visible. Article 6 showed that clinical safety standards do not reach private healthcare boundaries. The Seven Flows extend clinical safety methodology to the edges.

The methodology exists. It maps to the existing regulatory landscape — Consumer Duty, CQC Well-Led, DCB 0129/0160, MPAF, UK GDPR. It uses the language of clinical safety assessment that the NHS has been using for over a decade. It produces measurable, evidence-based governance assessments that organisations can present to regulators, boards, and partners. And it addresses a governance gap that six articles have now shown exists at every significant boundary in private healthcare.

The question is not whether the gap needs closing. It is whether your organisation will close it before the regulators ask why it is open.


Next in the series: The Regulatory Convergence examines the six regulatory pressures — Consumer Duty, CQC Well-Led, MPAF, PHIN, HSSIB, and the DCB standards review — and shows why the organisations that implement boundary governance now will hold a structural advantage when these pressures arrive at the same crossing point.

Julian Bradder

CEO, Inference Clinical

Julian leads Inference Clinical's work on governance infrastructure for clinical handover. His background spans NHS digital transformation, clinical safety, and healthcare data architecture.