The CQC Just Rewrote the Rulebook.
Here's what digital health providers need to know.
CQC have released their new assessment frameworks.
That’s right, frameworks.
CQC have been here before. Back in 2013, they implemented sector-specific frameworks.
But it didn’t work.
Things like safeguarding and governance were assessed using different key lines of enquiry (KLOEs) and different prompts depending on whether you were a hospital, a care home, or a GP practice. This made it harder to assess quality across sectors, and providers operating across multiple service types (like an NHS trust running both acute and community services) faced different assessment criteria for essentially the same governance principles.
However, coming out of the COVID era, where they had suspended routine inspections, they faced a significant backlog. They needed to do something to improve efficiencies. They argued that maintaining separate frameworks for each sector was resource-intensive as they had to use different inspection teams who required different training.
So in 2021, the CQC announced plans to move towards a single assessment framework.
KLOEs were out.
Quality statements were in.
They introduced one set of quality statements and one scoring methodology. This was intended to make it easier to collect and compare data across all provider types, allowing them to move towards continuous monitoring and data-driven assessment rather than periodic inspections.
It launched in 2023.
It wasn’t long until they acknowledged that it wasn’t working.
In trying to make one framework fit everyone, they made it fit no one particularly well.
And as Professor Sir Mike Richards put it, “one size does not fit all.”
Working within a CQC-regulated digital health provider, I saw this in practice.
Independent reviews by Dr Penny Dash and Professor Sir Mike Richards examined what had gone wrong and what needed to change.
Fast forward to today, and the CQC have launched their latest assessment frameworks.
And guess what?
KLOEs are back in.
Quality statements are out.
The five key questions remain: Safe, Effective, Caring, Responsive, Well-led.
The Richards review specifically recommended returning to KLOEs but keeping the five key questions, which have “stood the test of time”.
A significant change from both previous assessment types is that scoring has been replaced by the professional judgement of specialist inspectors.
Also included are detailed rating characteristics. They describe what Outstanding, Good, Requires Improvement, and Inadequate look like, removing much of the guesswork.
Here’s what stood out to me in the draft framework for primary care and community services, and what it means for digital health providers.
Firstly, digital care has been called out.
The framework explicitly mentions remote consultations, online assessments, hybrid care, and digital exclusion.
It also refers to technology, and will assess whether “the technology used to deliver care meets people’s needs appropriately.”
AI is mentioned too, and whether its use in clinical care pathways is “suitable for the intended purpose, secure, up-to-date and used properly.” If you’re using or planning to use AI in triage, clinical decision support, or pathway design, this will be directly assessable at your next inspection.
Cyber security is a CQC matter now. Under Management of Risk, CQC will assess whether cyber security is treated as a strategic risk and whether controls are routinely tested.
Prevention gets a proper mention too. Population health data, health inequalities, and proactive approaches to keeping people well.
The framework has called out contemporary, proactive risk management:
“The organisation assures itself that systems are effective through analysis of data and intelligence, focusing on patterns, trends and early warning signals, rather than retrospective reporting.”
Governance in healthcare tends to be dominated by retrospective data collection - incident reports, complaint reviews and audit cycles that tell you what went wrong three months ago. This framework is explicitly saying that good governance means watching the data in real time, spotting patterns before they become incidents, and using intelligence to prevent harm rather than just responding to it.
For digital health providers, this is a welcome move. Real-time dashboards, pathway analytics and outcome monitoring are all tools already in use. The framework is finally catching up with how well-governed digital services actually operate.
The bit I think needs work:
Infection control and technology assurance have been bundled together under one KLOE called “Safe environments and infection prevention and control.”
Every other KLOE in the framework maps more or less to a team or function. You can look at the title and say “this person owns this.”
But the scope of this KLOE spans your facilities manager (gas, electrical, fire safety), your estates team (premises), your business continuity lead (environmental risks like flooding), your engineering team (digital systems), and your InfoSec team or clinical safety officer (technology assurance). That’s at least five different owners across completely different disciplines, under one heading.
Bundling technology assurance with infection prevention and control risks it being treated as a sub-topic, when it’s actually a big enough area of risk that it could be its own domain.
For a digital health provider, technology assurance is critical. Everything is built upon technology - clinical pathways, consultation environment, patient records, prescribing systems, triage logic, the list goes on.
Treating that as a bullet point under the same KLOE as legionella testing doesn’t reflect the scale or complexity of the risk.
My take?
Technology assurance deserves its own KLOE with its own rating characteristics - covering clinical system safety, AI assurance, data integrity, interoperability, and digital inclusion.
And then there’s the question of who’s doing the inspecting.
Will we see inspectors who genuinely understand both a GP practice and a digital care provider? Or will the CQC further divide inspector specialism within this sector?
The digital health sector needs inspectors who truly understand what strong technology governance looks like, and, more importantly, can recognise when it’s lacking. The experts in this space still remain within the sector itself. The CQC should actively recruit from within the digital health sector, or partner with it, to ensure their inspectors are adequately trained to inspect digital providers.
What’s next?
The frameworks are being finalised, and consultation is open until 12th June.
I’ll be responding to the consultation, and if any of this affects how you deliver care, I’d urge you to as well.
You can provide feedback here
I write about building clinical products in digital health - the messy intersection of medicine, regulation, and product design. If this resonates, follow along for more, and visit clinicalproduct.uk.
Further reading:
Draft sector-specific frameworks
Review of CQC’s single assessment framework and its implementation - Professor Sir Mike Richards

