CQC Regulation 17 for Dental Practices: Why 82% of Failures Are Governance

When dental practice owners think about CQC inspections, they tend to think about clinical standards. Infection control. Radiography. Safeguarding. These are important, and they are visible. But the data tells a different story about what actually causes enforcement action.

Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 requires that providers have "systems or processes" that ensure they can assess, monitor, and improve the quality and safety of their services. In plain English: you need documented governance systems, and those systems need to work.

The reason Regulation 17 appears in so many enforcement actions is that governance underpins everything else. If your infection control procedures are not documented in SOPs, that is a governance failure. If your complaints procedure is not written down and followed, that is governance. If your staff training records are incomplete, governance. If you cannot produce an audit trail for controlled substances, governance.

What Regulation 17 actually requires

The regulation is deceptively broad. It requires providers to operate effectively systems and processes to ensure:

1. Assessment and monitoring of risk. You need documented risk assessments that are reviewed regularly. For a dental practice, this covers clinical risks, infection control risks, radiation protection risks, health and safety risks, and information governance risks.
2. Quality and performance assessment. Clinical audits must be conducted, documented, and acted upon. Common dental audits include radiography quality, antimicrobial prescribing, record-keeping, and infection prevention and control.
3. Accurate and complete records. Not just clinical records (which your dental software handles) but governance records: SOPs, policies, training logs, equipment maintenance schedules, incident reports, complaints files, and audit reports.
4. Seeking and acting on feedback. Patient feedback must be collected, recorded, analysed, and used to drive improvements. Friends and Family Test or equivalent.
5. Evaluating and improving practice. When something goes wrong, you need a documented process for investigating, learning, and changing practice. This means incident reporting, significant event analysis, and documented action plans.

The governance gap in dental software

Modern dental practice management software is excellent at clinical operations. Appointment scheduling, patient records, charting, treatment planning, NHS claim submissions: these are mature, well-built systems. Dentally, Software of Excellence, Exact, and others handle the operational side of running a dental practice.

But none of them were built for governance documentation. Here is what your dental software does not do:

• Manage SOPs with version control, review scheduling, and staff acknowledgment tracking
• Maintain a structured complaints register with response deadlines and outcome tracking
• Track staff training across mandatory and role-specific categories with expiry alerts
• Conduct and document clinical audits with action plans
• Record and investigate significant events and near misses
• Maintain radiation protection files (IRR17 compliance documentation)
• Generate evidence portfolios for CQC inspection preparation
• Track equipment maintenance schedules and calibration records
• Document risk assessments with review dates
• Produce the suite of policies the CQC expects (safeguarding, whistleblowing, complaints, IG, lone working, fire safety)

This governance documentation lives in Word documents, Excel spreadsheets, paper folders, and the practice manager's memory. It is fragmented, hard to audit, and almost impossible to keep current across a multi-site dental group.

What CQC inspectors actually look for

CQC dental inspections follow the five key questions: Safe, Effective, Caring, Responsive, and Well-Led. Regulation 17 sits primarily under "Well-Led," but its tentacles reach into every domain. Inspectors typically ask to see:

• A current set of SOPs covering all clinical and non-clinical activities
• Evidence that SOPs are reviewed at least annually and acknowledged by all relevant staff
• A complaints procedure with examples of how complaints have been handled and what changed as a result
• Staff training records showing mandatory training is current (safeguarding, BLS, infection control, radiography updates)
• Clinical audit records from the past 12 months with completed action plans
• An incident and significant event log with evidence of learning and practice change
• Risk assessments that are dated, signed, and reviewed
• Equipment maintenance logs and calibration certificates
• IRMER/IRR17 documentation (written procedures, dose reference levels, quality assurance programme)
• Evidence that patient feedback is collected, analysed, and acted upon

The inspection is fundamentally a documentation exercise. Inspectors cannot observe your governance systems in action during a brief visit. They assess governance by examining your records. If the records do not exist, the governance does not exist, regardless of what actually happens in practice.

The cost of getting it wrong

CQC enforcement for Regulation 17 breaches follows a graduated approach:

• Requirement notice. The practice must address specific shortfalls within a defined timeframe (usually 1-3 months). This is the most common outcome and appears on the public inspection report.
• Warning notice. More serious breaches require immediate action. Failure to comply can lead to further enforcement.
• Conditions on registration. The CQC can impose conditions that restrict the practice's operations until compliance is achieved.
• Prosecution. In the most serious cases, the CQC can prosecute the registered person. Fines for Regulation 17 breaches can exceed 50,000.

Beyond the formal enforcement, there is the reputational cost. CQC inspection reports are public. A "Requires Improvement" or "Inadequate" rating under Well-Led is visible to every prospective patient who searches for your practice. In an era where patients increasingly check CQC ratings before choosing a dentist, a governance failure has direct commercial consequences.

How to close the governance gap

The solution is not to hire a compliance manager (most single-site practices cannot justify the cost) or to spend every weekend updating Word documents (unsustainable). The solution is to treat governance documentation as a system, with the same rigour you apply to clinical record-keeping.

That means:

1. Centralise all governance documents in a single system, not scattered across hard drives, email inboxes, and filing cabinets.
2. Automate review scheduling. SOPs should flag themselves when they are due for review. Training records should alert when certificates are expiring. Risk assessments should have defined review dates.
3. Build audit trails automatically. Every document change, every staff acknowledgment, every complaint response should generate a timestamped audit record that the CQC can inspect.
4. Use AI to draft initial documents. A well-informed AI can produce a first draft of an SOP, a complaint response, or an incident investigation that a dentist can review and approve in minutes rather than writing from scratch in hours.