The regulated landscape and its missing centre
Private healthcare in the UK is regulated. Individual organisations are inspected by the CQC, licensed by the FCA, assessed by PHIN, investigated by HSSIB, held to clinical safety standards under DCB 0129/0160, and expected to comply with the MPAF. The regulatory apparatus is substantial, overlapping, and growing more assertive with every passing quarter.
But consider a typical insured pathway. A patient contacts their insurer's digital triage service, receives pre-authorisation, is referred to a consultant operating under practising privileges at a private hospital, undergoes a procedure, is discharged to a community physiotherapist, and has follow-up imaging at an NHS trust. That patient has crossed seven organisational boundaries. Financial governance exists at every one of them — the insurer knows exactly where the money flows. Clinical governance exists at none of them.
No regulator inspects the crossing. No standard mandates what clinical information must survive the boundary. No framework defines who holds clinical responsibility during the transition. The patient experiences a pathway. The regulators assess providers. Nobody assesses the pathway itself.
This page maps the six regulatory pressures that govern private healthcare in the UK, explains what each one asks and what it misses, and identifies the structural gap that runs through all of them. Our eight-part series on boundary governance examines each pressure in depth. This is the overview — the map before the territory.
Pressure 1: CQC and the independent sector — inspecting organisations, not pathways
The Care Quality Commission regulates private healthcare providers under the Health and Social Care Act 2008. Every private hospital, clinic, and diagnostic facility that provides regulated activities must be registered with the CQC and is subject to inspection against five key questions: Safe, Effective, Caring, Responsive, and Well-Led.
The CQC is undergoing its most significant restructuring in a decade. The Penny Dash review, published in October 2024, found that the CQC had lost operational effectiveness and recommended a fundamental reset. The response has been decisive: four sector-specific Chief Inspectors, a target of 9,000 assessments by September 2026, and a move from generic to sector-specific inspection frameworks. New assessment frameworks will be published in summer 2026 and implemented by end of year.
For private healthcare providers, this means more frequent inspections by inspectors with independent sector expertise. The Well-Led domain — which assesses governance structures, leadership, and quality improvement — comes closest to addressing boundary governance. Under Regulation 17 (Good Governance), providers must demonstrate effective systems for assessing, monitoring, and mitigating risks.
But Well-Led assesses governance within an organisation. It does not assess what happens when a patient leaves one CQC-registered provider and arrives at another. A network of providers each rated "Good" under Well-Led does not, by definition, constitute a well-governed network. The CQC inspects nodes. The gap is at the edges.
What CQC asks: Is this organisation well-led, safe, and effective?
What CQC does not ask: What happens to clinical information, consent, and responsibility when a patient crosses from this organisation to the next?
The restructured CQC will be more assertive, more sector-specific, and more frequent in its inspections. But its unit of assessment remains the individual provider. The boundary between providers remains uninspected.
For a detailed analysis of how CQC governance interacts with practising privileges, see Practising Privileges and the Governance Gap. For the clinical safety dimension, see DCB 0129 and Private Healthcare Safety.
Pressure 2: FCA Consumer Duty — following the product into clinical delivery
The FCA regulates private medical insurance under the Financial Services and Markets Act 2000. Its Consumer Duty, codified in FCA Handbook PRIN 2A, has been fully in force since July 2024. It requires firms to deliver good outcomes for retail customers across four dimensions: products and services, price and value, consumer understanding, and consumer support.
The Consumer Duty does not regulate private hospitals directly. It regulates the insurance product. But its logic follows the product through its entire distribution chain. If a hospital's admission process, a consultant's lack of follow-up protocol, or a digital triage service's failure to capture clinical context contributes to a poor patient outcome, the insurer is exposed under the Duty's "foreseeable harm" test. The insurer manufactured the product. The product created the pathway. The pathway produced the harm.
Two forthcoming regulatory developments extend this pressure:
- FCA/ICO joint guidance on data protection and Consumer Duty — expected Q1 2026. This will address how data-sharing obligations under the Consumer Duty interact with data-protection requirements under UK GDPR. For private healthcare, where clinical data crosses multiple organisational boundaries, this guidance will define the standard for data governance across insured pathways.
- FCA distribution chain consultation — expected Q2 2026. This consultation will examine how the Consumer Duty applies through distribution chains — the sequence of entities between product manufacturer (insurer) and end customer (patient). For the first time, the FCA will formally consider how responsibility flows between entities in a healthcare distribution chain.
What the FCA asks: Does this product deliver good outcomes for customers across its entire distribution chain?
What the FCA does not yet ask: What clinical governance exists at the boundaries within that chain?
The FCA's regulatory logic is clear: manufacturers are responsible for outcomes, and outcomes are shaped by the entire pathway, not just the point of sale. An insurer that cannot demonstrate governed boundaries across its network faces Consumer Duty exposure that no amount of claims-process improvement can address.
For the full analysis, see FCA Consumer Duty and Healthcare Pre-Authorisation Risk. For the digital triage dimension, see The Digital Front Door.
Pressure 3: PHIN and the CMA Order — transparency at the node, not the boundary
The Private Healthcare Information Network (PHIN) was established under the CMA Private Healthcare Market Investigation Order 2014. Its statutory purpose is to increase transparency in private healthcare by collecting and publishing data on consultant and hospital performance, enabling patients to make informed choices.
The CMA Order's full implementation deadline is June 2026. By that date, private hospitals must submit complete, standardised data on consultant-level outcomes, fees, and volumes. PHIN publishes this data to create a functioning information market — the remedy the CMA determined was necessary after finding that the private healthcare market suffered from significant information asymmetry.
PHIN addresses node transparency. A patient can compare consultant A's outcomes with consultant B's outcomes at hospital C. This is valuable and necessary. But PHIN does not address boundary transparency. It does not capture what happens to clinical information when a patient is referred from an insurer's digital triage service to a consultant, from a consultant to a hospital, or from a hospital to an NHS follow-up pathway.
What PHIN asks: What are the outcomes, fees, and volumes at this provider for this consultant?
What PHIN does not ask: What clinical information survived the referral boundary? Was consent re-verified? Was clinical responsibility explicitly transferred?
The CMA Order was designed to fix an information market failure. It succeeded on its own terms. But a patient choosing a consultant based on published outcome data is still entering a pathway where the governance of every boundary crossing is undefined. Transparency about nodes does not create governance at edges.
For the full analysis of provider network governance and the open-referral model, see Provider Network Governance and Open Referral Risk.
Pressure 4: HSSIB — investigating across sectors, preventing within them
The Healthcare Services Safety Investigations Body (HSSIB) became a statutory body in October 2023 under Part 4 of the Health and Care Act 2022. Its remit extends to the independent sector — HSSIB can investigate patient safety incidents in private hospitals, clinics, and other independent healthcare providers, not only NHS organisations.
This is significant. HSSIB conducts no-blame investigations with statutory protections for the information it gathers. Its "safe space" provisions mean that clinicians and staff can provide candid accounts without fear that their statements will be used in disciplinary proceedings, litigation, or regulatory action. The purpose is systemic learning, not individual accountability.
But HSSIB's extension into the independent sector creates an asymmetry. Investigation reaches across the public-private boundary. Prevention does not. HSSIB can investigate an incident that spans an NHS trust and a private hospital. It can identify that the boundary crossing between the two organisations was the failure point. It can publish recommendations. But the prevention infrastructure — the learning systems, the governance frameworks, the policy responses — sits within sectors, not across them.
What HSSIB asks: What systemic factors contributed to this patient safety incident?
What the system does not yet provide: A governance framework to act on HSSIB's cross-boundary findings before the next incident occurs.
When HSSIB investigates a case where a patient was harmed at a boundary crossing between a private provider and an NHS trust, its recommendations will identify the structural gap. The question is whether organisations will have governance infrastructure in place to act on those recommendations — or whether they will wait for the next investigation to confirm the same finding.
For the clinical safety standards that should complement HSSIB's work, see DCB 0129 and Private Healthcare Safety.
Pressure 5: DCB 0129/0160 — standards that assess systems, not boundaries
DCB 0129 (Clinical Risk Management: its Application in the Manufacture of Health IT Systems) and DCB 0160 (Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems) are mandated under Section 250 of the Health and Social Care Act 2012. They are the UK's clinical safety standards for health IT — the framework through which digital health tools are assessed for clinical risk before and during deployment.
The standards are currently under review, with a consultation expected in 2026. The review is widely expected to modernise the standards for a landscape that has changed substantially since their last major update — a landscape that now includes AI-driven clinical decision support, remote monitoring platforms, wearable-derived data, and cross-organisational digital pathways.
DCB 0129 requires manufacturers to produce a Clinical Safety Case — a structured argument, supported by evidence, that a health IT system is acceptably safe. DCB 0160 requires deploying organisations to produce a complementary safety case for their specific deployment context. Both are rigorous, evidence-based, and focused on the system itself.
The structural limitation is scope. DCB 0129 assesses a system. DCB 0160 assesses a deployment. Neither assesses what happens when clinical data leaves one system and enters another across an organisational boundary. A Clinical Safety Case for a private hospital's EPR does not address the clinical risk created when that EPR's discharge summary is transmitted to an insurer's claims platform, stripped of clinical context, and forwarded to a physiotherapy provider as a referral. Each system is individually safe. The boundary between them is clinically unassessed.
What DCB 0129/0160 asks: Is this health IT system acceptably safe for its intended use?
What DCB 0129/0160 does not ask: Is the clinical information that crosses from this system to the next system clinically safe at the point of crossing?
The forthcoming standards review is an opportunity to address this gap. Whether it does so remains to be seen. In the meantime, organisations that apply clinical safety thinking to their boundary crossings — not just their internal systems — will be ahead of wherever the standards land.
For the full analysis, see DCB 0129 and Private Healthcare Safety and Patient Journey Mapping and Governance Risks.
Pressure 6: MPAF — governing practitioners, not crossings
The Medical Practitioners Assurance Framework (MPAF), developed by the Independent Healthcare Providers Network (IHPN), is the sector's voluntary response to the Paterson Inquiry. The 2020 inquiry into Ian Paterson — a breast surgeon who carried out unnecessary operations on hundreds of patients across both NHS and private settings — found that governance failed at the boundaries between organisations. Between NHS trust and private hospital. Between private hospitals. Between hospital and insurer.
The MPAF sets out expected practice for practising privileges applications, whole practice appraisal, information sharing between providers, and scope-of-practice agreements. The CQC uses MPAF principles in its Well-Led assessments. Major private hospital groups have adopted it. It represents genuine progress on a problem that the Paterson case exposed in devastating terms.
But the MPAF governs the relationship between a hospital and the consultants who practise within it. It addresses the hospital-consultant boundary — one specific crossing point. It does not govern the hospital-insurer boundary. It does not govern the consultant-insurer boundary. It does not govern the provider-to-provider boundary when a patient is referred from one private facility to another. It does not govern the private-to-NHS boundary when a patient transitions from private care to NHS follow-up.
What MPAF asks: Does this hospital have robust governance for the consultants who practise here?
What MPAF does not ask: What governance exists when a patient leaves this hospital and enters another organisation's care?
The Paterson Inquiry's fifteen recommendations included a single database of consultant practising privileges, whole practice appraisal across all sites, and reforms to legal liability. Several key recommendations remain unimplemented. The MPAF is a partial response to a systemic failure. It governs one type of boundary. The insured pathway contains at least seven.
For the full analysis, see Practising Privileges and the Governance Gap.
The convergence: six timelines, twelve months
Each of these six regulatory pressures has its own logic, its own statutory basis, and its own timeline. But the timelines are converging. Within the next twelve months, the CQC will publish and implement new sector-specific assessment frameworks. The FCA will issue joint guidance with the ICO and consult on distribution chain responsibilities. PHIN will reach its full CMA compliance deadline. HSSIB will continue investigating in the independent sector. The DCB standards review will progress toward consultation. And the MPAF will remain the sector's primary voluntary framework for practising privileges governance.
None of these regulators will mandate boundary governance by name. But each of them, in pursuing its own objectives, will generate findings, expectations, and questions that point to the same structural gap. A CQC inspector asking about governance. An FCA supervisor asking about distribution chain outcomes. A PHIN dataset showing outcome variation without pathway context. An HSSIB investigation tracing harm to a boundary crossing. A Clinical Safety Case that stops at the system boundary. An MPAF assessment that stops at the hospital door.
The pressure is cumulative, and it is arriving simultaneously. For a detailed analysis of the convergence and its implications, see The Six Regulatory Pressures Converging in 2026.
Key regulatory dates: 2026
The boundary governance gap: what every regulator misses
Strip away the statutory language and the regulatory acronyms, and the gap is straightforward. When a patient crosses from one organisation to another in a private healthcare pathway, three things happen to clinical governance:
- Clinical information degrades. A discharge summary becomes a referral letter. A referral letter becomes a claims form. A claims form becomes a booking confirmation. At each boundary, clinical context is lost — not through malice, but through the absence of any standard requiring its preservation.
- Clinical responsibility fragments. The discharging consultant's duty of care ends. The receiving clinician's duty of care begins. But the boundary itself — the period during which the patient is between organisations — has no defined clinical responsibility. The patient is in transit. The governance is absent.
- Clinical risk goes unassessed. Every organisation in the pathway has internal risk management. None has risk management for the crossing points. A hazard that exists only at the boundary — a drug interaction visible only when two systems' data is combined, a contraindication that spans two episodes of care — is invisible to both organisations' risk frameworks.
This is not a regulatory failure. Each regulator does what its statute requires. The gap is structural: no statute requires anyone to govern the boundary. The Data Use and Access Act 2025 begins to address data sharing, but data sharing is a necessary condition for boundary governance, not a sufficient one. Sharing data across a boundary without governing the clinical meaning of that data does not close the gap.
The Seven Flows framework addresses this gap directly. It defines seven governance invariants — Identity, Consent, Provenance, Clinical Intent, Alert and Responsibility, Service Routing, and Outcome — that must hold at every clinical handover, including every boundary crossing in a private healthcare pathway. For the full framework, see The Seven Flows.
How boundary governance answers each regulator's questions
Boundary governance is not an additional regulatory burden. It is the infrastructure that allows organisations to answer the questions that each regulator is already asking — or will ask within the next twelve months.
- CQC Well-Led: Boundary governance provides auditable evidence that an organisation's governance extends beyond its walls to the crossings where patients actually experience risk.
- FCA Consumer Duty: Boundary governance demonstrates that the insurer's product delivers good outcomes across its entire distribution chain, not just at the point of sale or the point of claims settlement.
- PHIN/CMA Order: Boundary governance adds pathway-level transparency to the node-level transparency that PHIN already provides, giving patients and commissioners the full picture of how care flows across organisations.
- HSSIB: Boundary governance provides the prevention infrastructure that acts on cross-boundary investigation findings before the next incident, closing the loop between investigation and systemic improvement.
- DCB 0129/0160: Boundary governance extends clinical safety assessment from individual systems to the crossings between systems, ensuring that the clinical meaning of data is preserved as it moves across organisational boundaries.
- MPAF: Boundary governance extends practising privileges governance from the hospital-consultant relationship to every crossing in the pathway, addressing the full scope of the Paterson Inquiry's findings rather than one dimension of them.
The organisations that build boundary governance infrastructure now will not be caught by the convergence. They will be ready for each deadline with evidence already in place — not because a regulator mandated it, but because they understood that the gap existed and chose to close it.
The series: eight articles on boundary governance in private healthcare
This page provides the regulatory map. Our eight-part series on private healthcare governance provides the territory — detailed analysis of each pressure, each boundary, and each methodology for governing the crossings. The series is structured in four layers, from problem identification through to the case for action.
Private Healthcare Governance Series
Layer 1 — The problem
- Article 1: Practising Privileges and the Governance Gap. The Paterson Inquiry exposed boundary failure. The MPAF addresses one boundary. The pathway contains seven.
- Article 2: Provider Network Governance and Open Referral Risk. Open referral networks create clinical risk that no single provider's governance framework can detect.
- Article 3: FCA Consumer Duty and Healthcare Pre-Authorisation Risk. The Consumer Duty follows the product into clinical delivery. Pre-authorisation is a boundary with no clinical governance.
Layer 2 — Specific boundaries
- Article 4: NHS-Private Hybrid Pathway Risk. Patients crossing between NHS and private care face a governance gap that neither sector is designed to manage.
- Article 5: The Digital Front Door. Digital triage is the first boundary crossing in modern insured pathways. It sets the clinical context for everything that follows.
Layer 3 — Methodology
- Article 6: DCB 0129 and Private Healthcare Safety. Clinical safety standards assess systems within organisations. Boundary governance extends safety assessment to the crossings between them.
- Article 7: Patient Journey Mapping and Governance Risks. Mapping the patient journey reveals the boundary crossings. The Seven Flows provide the governance invariants for each one.
Layer 4 — Case for action
- Article 8: The Six Regulatory Pressures Converging in 2026. Six timelines fall within twelve months. The organisations that build boundary governance now will define what compliance looks like.