9 min read
June 10, 2026

CQC's Continuous Assessment Model: What It Means for Your Data Strategy

TL;DR
CQC assesses your service continuously, not just at inspection, using statutory notifications, LFPSE incident data, complaints, workforce returns, and partner intelligence to maintain a live risk profile. Silence is treated as a risk signal, not an absence. Providers whose systems produce structured data automatically build a positive risk profile, which means less frequent and less intensive scrutiny. The fix is four data integration changes, not a systems overhaul.
Diagram showing CQC continuous assessment data sources, including notifications, LFPSE, complaints, and workforce data, feeding a provider risk profile.

Key Takeaways

CQC builds a risk profile between inspections from statutory notifications, LFPSE data, complaints, workforce returns, and partner intelligence. CQC's risk model treats silence as an indicator: a provider reporting nothing looks like one without functioning systems or one not reporting events it should. LFPSE replaced the National Reporting and Learning System, which was decommissioned on 30 June 2024, and CQC uses LFPSE data to spot patterns and outliers. Continuous readiness needs four changes: automated notifications, dual-use structured incident data, daily workforce data, and aggregated feedback. Consistent, structured data builds a positive risk profile, which can mean less frequent on-site assessment and a stronger position at rating reviews.

CQC does not wait for inspections to form a view of your service. It has not done so for years, and with each regulatory update the continuous assessment model becomes more data-intensive.

Between formal assessments, CQC collects and analyses a stream of information about every registered provider: statutory notifications, Learn from Patient Safety Events (LFPSE) incident data, patient complaints, safeguarding referrals, PHIN submissions, workforce data returns, whistleblowing reports, and information from partner organisations. This data feeds a risk model that determines when to inspect, what to focus on, and increasingly whether to act on a service's rating without a full on-site visit.

A provider sending consistent, structured data signals between inspections presents a different risk profile to CQC than a provider sending nothing. The latter is not invisible. The latter is a concern. This is the shift most providers have not fully internalised: CQC readiness is no longer an event. It is a continuous state, and the systems that support it need to match.

How does CQC build your risk profile between inspections?

CQC's monitoring function uses multiple data sources to maintain a current view of every registered service.

Statutory notifications. Providers are legally required to notify CQC of certain events, including deaths, serious injuries, allegations of abuse, and applications to deprive someone of their liberty, under the Care Quality Commission (Registration) Regulations 2009 (Regulation 16 covers deaths; Regulation 18 covers other incidents). CQC tracks the volume, timeliness, and content of these notifications. Late notifications are a red flag. Missing notifications, where CQC learns of an event from another source before the provider reports it, are a serious concern.

LFPSE data. The Learn from Patient Safety Events service is the national system for recording patient safety events, which replaced the National Reporting and Learning System after it was decommissioned on 30 June 2024 (NHS England, LFPSE service). CQC uses this data to identify patterns and outliers. A provider with a sudden spike in safety events, or one reporting none when comparable services report regularly, both draw attention.

Patient complaints and feedback. CQC receives complaints directly from patients and families and monitors public feedback channels. A service with rising complaint volumes or recurring complaint themes is flagged for closer attention.

Workforce data. Staff turnover, vacancy rates, agency usage, and training completion all feed the risk model. High turnover or heavy agency dependence correlate with care quality concerns, and CQC knows this.

Partner intelligence. Local authorities, NHS commissioners, Healthwatch, safeguarding boards, and other regulators share information with CQC. A safeguarding referral from a local authority or a concern raised by an NHS commissioner triggers monitoring activity.

Provider portal submissions. CQC's provider portal collects information directly from providers. The quality and timeliness of those submissions are themselves data points.

Why is silence the most dangerous signal?

The most dangerous position for a provider is not having bad data. It is having no data.

A provider that submits statutory notifications promptly, reports safety events through LFPSE consistently, responds to complaints with documented outcomes, and maintains current workforce data is sending a signal: this is an organisation with systems in place. The data does not need to be perfect. It needs to be present, structured, and current.

A provider that sends nothing, no notifications except when legally forced, no LFPSE submissions, no workforce returns, is also sending a signal: this is an organisation without functioning systems, or worse, one that has events to report and is not reporting them. CQC's risk model treats silence as an indicator, not an absence. Services that are not engaging with the monitoring process are more likely to need assessment.

What does continuous assessment mean for your systems?

If CQC readiness is continuous, then evidence production must be continuous. That has practical implications for how providers structure their data.

Statutory notifications must be automated

Statutory notifications have legal deadlines. A death must be reported without delay; a safeguarding allegation within defined timeframes. For providers using manual processes, where someone remembers to complete a CQC notification form after logging an incident in a separate system, delays are inevitable. An automated workflow solves this: when an incident of a notifiable type is logged in the incident management system, a notification is generated and queued for submission. The compliance lead reviews and submits, but the system ensures nothing is missed and the timeline is documented.

Incident data must be structured for external reporting

LFPSE and CQC monitoring both consume incident data. If incidents are logged in free-text Word documents or unstructured spreadsheets, converting them into reportable formats takes manual effort. If incidents are logged in a structured system with standardised categories, severity scales, and outcome codes, the data is already in a format that feeds external reporting. This is the same data that powers internal governance dashboards. Structuring incident data once serves two purposes: internal visibility and external compliance.

Workforce data must be current, not quarterly

CQC's risk model uses workforce signals. High vacancy rates, rising agency usage, and turnover spikes all trigger concern. If workforce data is compiled quarterly for a board report, it is three months stale by the time CQC sees it, and three months stale when the governance team discusses it. A connected data layer that pulls staffing data from the HR system and rota into a dashboard provides current workforce metrics, the same data CQC's risk model would see, so the governance team can act before a concern becomes a finding.

Feedback must be aggregated and actionable

Patient complaints arrive through email, phone, online reviews, formal complaints, and survey responses. If each channel is monitored separately, patterns are invisible. A complaint about waiting times by email, a negative online review about communication, and a formal complaint about discharge planning may all point to the same systemic issue, but only if the data is aggregated. Categorising complaints across all channels turns fragmented signals into a structured view. The governance team sees themes, not individual items, and when CQC asks what you have learned from patient feedback, the answer is data-driven.

What do the numbers say about the risk?

In GreenM's analysis of CQC's published assessment data, the governance and monitoring gap is systemic. Well-led is the weakest key question, with 38.4% of assessments at Requires Improvement or Inadequate. Safe follows at 36.1%. Only 1.8% of services achieve Outstanding on Well-led. In the same analysis, "monitoring" appears in 4,393 negative assessment narratives, "governance" in 3,783, and "systems" in 9,879.

The services rated Good or Outstanding on Well-led are, overwhelmingly, the ones with systematic data flows. Not necessarily the ones with the most expensive software, but the ones where leadership can demonstrate real-time visibility into what is happening across the organisation.

How do you move from reactive to continuous?

The transition from event-based compliance, scrambling before an inspection, to continuous evidence production does not require a complete systems overhaul. It requires four changes.

  1. Connect your incident system to your notification workflow. When a notifiable incident is logged, the notification process begins automatically and the timeline is documented. Nothing depends on someone remembering.

  2. Structure your incident data for dual use. Internal governance and external reporting (LFPSE, CQC notifications) draw from the same data. Structure it once so categories, severity scales, and outcome codes align with LFPSE standards.

  3. Automate workforce data collection. Connect your HR system or rota to a central dashboard and update daily, not quarterly. Use the same data for internal governance meetings and external workforce returns.

  4. Aggregate feedback channels. Bring complaints, surveys, reviews, and informal feedback into one view, categorised and trended automatically, reviewed monthly at governance meetings with documented actions and outcomes.

Each step is a data integration task, not a software procurement task. The systems already exist. They need a layer that connects them and makes the data flow continuously, not on demand.

Can continuous assessment work in your favour?

Yes, and most providers overlook this. If your data is structured and flowing, CQC's monitoring works for you. Consistent statutory notifications, regular LFPSE submissions, stable workforce returns, and low complaint volumes all contribute to a positive risk profile. A positive risk profile means less frequent on-site assessment, less intensive scrutiny when assessment does occur, and a stronger starting position for rating reviews.

The organisations that fear continuous assessment are the ones without structured data. The ones that benefit are those whose daily operations automatically produce the evidence CQC is looking for. The question is not whether CQC is monitoring your service. It is whether your service is generating the signals that tell the right story.

Frequently asked questions

What is CQC's continuous assessment model?

It is CQC's practice of monitoring every registered provider year-round through remote data signals, rather than only at inspection. Statutory notifications, LFPSE data, complaints, workforce returns, and partner intelligence feed a risk model that decides when and where to assess.

What data does CQC monitor between inspections?

Statutory notifications, Learn from Patient Safety Events submissions, patient complaints and public feedback, workforce data such as turnover and vacancy rates, partner intelligence from local authorities and commissioners, and provider portal submissions.

Is it risky to report few incidents to CQC?

Yes. CQC's risk model treats silence as an indicator. A service reporting nothing, when comparable services report regularly, looks either like an organisation without functioning systems or one not reporting events it should. Consistent, structured reporting signals control.

What are CQC statutory notifications?

They are events a provider is legally required to report under the Care Quality Commission (Registration) Regulations 2009, including deaths (Regulation 16) and other incidents such as serious injuries and abuse allegations (Regulation 18). CQC tracks their timeliness and content as part of monitoring.

How can continuous assessment work in a provider's favour?

When data flows consistently, it builds a positive risk profile. That can mean less frequent on-site assessment, less intensive scrutiny during assessment, and a stronger starting position for rating reviews.

CQC monitors your service continuously, not just at inspection. If your systems are not producing structured data between assessments, you are sending the wrong signals. GreenM connects your existing systems into a data layer that produces CQC evidence automatically: statutory notifications, incident trends, workforce metrics, and feedback patterns, all flowing from daily operations. Book a CQC data audit to see what CQC sees when it looks at your service.

Alexey Litvin

CEO and Founder
|
Founded GreenM in 2014. Healthcare AI for US and UK providers
Founded GreenM in 2014. Over the past decade, has worked with healthcare leaders across the US and UK, building data platforms and AI systems for clinical and operational environments.
LinkedIn →
Placeholder
Placeholder
Follow us for weekly insights on AI in healthcare
folLow greenm

More Healthcare AI Insights