As the CQC continue to develop their strategy for 2021, we are seeing a number of practical changes in their approach. It is no secret that they are undertaking more activity based on risk and focusing efforts on services where they perceive concerns have arisen, or patient safety is at risk. It is perhaps then no surprise then that we are seeing more and more negative inspection reports, downgraded ratings, and signs of enforcement activity hit our desks.
It certainly looks to us as if the CQC are becoming heavier handed with enforcement. In particular, it seems they are turning to criminal enforcement more often, and more quickly than we have seen historically. We are, for example, seeing a rise in the number of requests by the CQC for documents or information in contemplation of criminal proceedings which appear to be, for want of a better word, fishing expeditions.
The CQC can bring criminal prosecutions for a number of offences, ranging from extremely serious, to some relatively low level matters. These can have significant implications for provider organisations and any individual(s) concerned. Fines can be unlimited and, in some cases, people could end up in prison. Even where no prosecution ultimately follows, criminal investigations can still be time consuming, stressful, stigmatising, and costly for those involved.
There are (quite rightly) a number of procedural safeguards built in to the law which give some protections to those subject to criminal investigation or prosecution. These include certain rules which dictate how a prosecuting authority can and should behave, such as how they can gather evidence and whether a prosecution should be brought at all. In addition, when an individual seeks legal advice, the information and advice they share with legal advisers can be protected against disclosure by “legal privilege”. These all help to offer some safeguards against self-incrimination.
The CQC are in general terms expected to afford largely the same safeguards in the exercise of their criminal prosecution powers as say the Police do when investigating crimes, and the CPS do when deciding whether to bring charges or not but the CQC’s regulatory remit means that they can sometimes, in practice, bypass these safeguards, at least in the early information gathering stages.
The Police have no right, for example, to enter a premises and take records without consent without obtaining a Court Order (i.e. a warrant) but the CQC can make various requests under the guise of their regulatory functions. The CQC have relatively broad powers to seek information of providers. They can, for example, request that providers given them documents, data and information under section 64 of the Health And Social Care Act 2008, or request “explanations” under section 65 of the same Act. Refusal of a request under section 64 or 65 without reasonable cause can be an offence in itself.
The CQC may also request information of a provider in pursuance of investigations under section 10 of the same Act if it believes an organisation or individual might be carrying out regulated activity for which they do not have proper CQC registration. In addition, providers are to notify the CQC of certain events, such as deaths and allegations of abuse and there is an expectation that providers will be candid, open and transparent with their regulator, which may include cooperating with informal requests for information.
A key problem with this is that every time a provider cooperates with requests for information, or shares information, data or documents with the CQC to meet some regulatory requirement, they could be incriminating themselves in a future criminal investigation or prosecution. They could even provide something to the CQC that could prompt an entirely new investigation into a matter the CQC had no prior knowledge of. The CQC may also share information with other organisations, including the police and safeguarding authorities, where they may otherwise not have the right to access them directly from a provider.
Given that the CQC are actively seeking to use the “full force” of its powers going forwards and have publicly announced that they will be using more “intelligence” and “data”, and be cooperating more with external agencies, in the exercise of their functions, it is not unforeseeable that the CQC will start looking to bring more and more prosecutions and will be turning more and more to records, data and information they have been provided with outside of formal criminal investigations to seek to identify shortfalls and failings which could, in turn, instigate criminal investigation or prosecution by the CQC, or even by others.
Providers need not be paranoid, but should be cautious. They would be advised to:
- Ensure that regulatory and legal requirements are being met, and keep good records. Ensure whistleblowing policies, complaints, and safeguarding policies are fit for purpose, and encourage a culture of openness within the organisations and with those who use and input into services. The CQC are focussing activity in many cases to respond to complaints or reports which may indicate risk. Providers can assume that there will be more and more criminal investigations and prosecutions arising as a result of complaints and whistle blowing. The more issues can be dealt with at local level or informally (where this is appropriate of course), the less reason the CQC should have to come looking for information in the first place.
- Assume that everything given to the CQC could (and might) be used against them. This is not to say that a refusal to cooperate is always appropriate – in many cases it will be necessary and sensible to provide the CQC with what they ask for – and we certainly do not discourage providers from being open and transparent with their regulator, or meeting legal requirements, where they exist. Providers should, however, think very carefully each time information or evidence is provided and should not assume that the CQC are entitled to information or records just because they say so. In some scenarios, providers will have to cooperate, but in some they might not. Providers should also anticipate that the CQC will share records with other bodies, such as the police and safeguarding authorities and should take suitable safeguards where they can.
- When providing information, take the time to consider information and records before they are sent and if there are any red flags which might indicate poor care and treatment, be alive to them. In some cases it might be appropriate to refuse to cooperate, but this should not be done lightly, and any such decision should be carefully recorded. Providers should balance the risks of disclosure before handing over information and evidence and keep a record of anything that is provided. If shortfalls are identified, it would be worthwhile ensuring that they are thoroughly and appropriately addressed before the CQC come knocking.
- Seek legal advice as early as possible. This can help providers to strike the right balance between providing information which is necessary, and protection from self-incrimination from the earliest possible stage. Legal advisers can also help providers understand where they can, and should, lawfully refuse to cooperate to requests for information or evidence in whole or in part or what safeguards might be able to be put in place to mitigate the risks of cooperating, or not, as the case may be.
- Keep abreast of CQC strategy developments. It looks as if the CQC want to make information flows and their own access to information even easier. In a recent webinar on its 2021 strategy, for example, the CQC noted that they would like even more information sharing with providers. They went so far as to suggest that they would like to have real-time access to providers’ records to facilitate access on an as needed basis. If the CQC do try and push some records sharing mechanism like this the sector’s way, then providers should be extremely cautious about what might follow. Granting the CQC free and real time access to all records is likely to be an incredibly risky approach and will significantly exacerbate the risk of self-incrimination and further undermine the safeguards in place to prevent it.
All this is not intending to suggest that there is no merit in a sector specialist having powers to prosecute and, granted, there will be times when the CQC will need access to records quickly and without the hindrance of undue bureaucracy and formality, so that they can act quickly to protect people. We are certainly not suggesting that providers should stop being open, candid and transparent with their regulator or should stop providing information to the CQC when it is suitable and/or necessary to do so.
However, providers should never assume that the CQC will always remain “on side,” or that a good relationship with the regulator cannot take a sour turn very quickly, and that self-incrimination is a real possibility.
We tend to choose very carefully what information we share with the Police and for the most part, will limit the information they give to the minimum necessary. Providers don’t necessarily tread as carefully with their regulators, and indeed, are often encouraged to over-share in the interests of having an open and transparent relationship. This is all very well until something goes wrong and a provider finds themselves the subject of a criminal investigation or prosecution. It might be the time for providers to start being a little more aware of the prospect of self-incrimination.
If providers are unsure of what information they should or shouldn’t share with the CQC, have received information requests which concern them, or believe they may be subject to current or future investigation or prosecution by the CQC, Ridouts can assist.