Private Practice Compliance: What UK Consultants Need to Know
Starting a private practice can be a professionally rewarding step for a UK consultant. You gain control over your time, your patient relationships, and the shape of your working life. But private practice also brings with it a set of legal and regulatory obligations that are entirely separate from what your NHS employer manages on your behalf.
The good news is that these obligations are manageable once you understand them. The bad news is that too many consultants step into private work without a clear picture of what is required, and discover the gaps only when something goes wrong. This guide walks you through every major compliance area, with links to the relevant regulators and official sources so you can act with confidence rather than guesswork.
ICO Registration and UK GDPR
Why this matters
Every time you create a patient record, store contact details, or share clinical information with another provider, you are processing personal data. In private practice, unlike in the NHS where your Trust acts as data controller, you are the data controller yourself. That brings direct legal responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Patient health data is classified as "special category" personal data under UK GDPR, meaning it carries the highest level of protection and the most serious consequences for mishandling. A data breach in a private practice is not an NHS information governance issue for someone else to resolve; it is your responsibility, and the Information Commissioner's Office (ICO) may investigate and fine you directly.
Registering with the ICO
If you process personal data electronically for business purposes, you are almost certainly required to pay an annual data protection fee to the ICO and appear on its register of fee payers. For most single-consultant practices this falls into the lowest fee tier, currently between £35 and £60 per year depending on your organisation's size, turnover and how you pay. The fee is modest, but failing to pay it is a breach of the data protection fee regulations and can result in a monetary penalty of up to £4,350, as well as reputational damage that is very publicly visible, since the ICO publishes its register of fee payers online.
You can check whether you need to register and complete the process directly at: ico.org.uk/for-organisations/data-protection-fee
ICO registration requires annual renewal. The ICO will send reminder notifications, but you are responsible for ensuring your registration does not lapse.
Practical GDPR obligations for private practitioners
Registration is only the first step. As a data controller you must identify a lawful basis under Article 6 of the UK GDPR for every purpose for which you process patient data, and because health data is special category data you must also satisfy one of the conditions in Article 9. For direct clinical care the Article 9 condition is typically Article 9(2)(h) (processing necessary for the purposes of medical diagnosis or the provision of health care), supported by the corresponding condition in Schedule 1 of the Data Protection Act 2018. Record which bases you rely on; the ICO expects you to be able to state them.
You must provide patients with privacy information explaining how their data is used, stored, shared and disposed of, and how long it is retained. This duty applies whether or not you have a website; a website is simply the usual place to publish your Privacy Notice, alongside a copy in your registration paperwork or waiting area. You must be able to respond to Subject Access Requests (SARs), which give patients the right to obtain a copy of the data you hold about them, within one month of receipt (extendable by up to two further months for complex requests, provided you tell the patient within the first month). You must also have a written data breach response procedure: a breach that is likely to result in a risk to patients' rights and freedoms must be reported to the ICO within 72 hours of you becoming aware of it, and where the risk is high the affected patients must be told without undue delay. Because clinical records are special category data, most breaches involving them will meet that reporting threshold, so the procedure should include how you will assess the breach, who will report it, and how you will record breaches that you decide not to report.
If you use a practice management software provider, a cloud storage service, a transcription service, or any other third party that processes patient data on your behalf, that organisation is your data processor and you are required to have a written contract with it containing the terms set out in Article 28 of the UK GDPR (commonly called a Data Processing Agreement). This is a contractual requirement, not a formality, and one that is frequently overlooked by consultants managing their own practices. Before signing, check that the agreement covers sub-processors, security measures, breach notification to you, and deletion or return of data when the contract ends.
Full UK GDPR guidance for organisations is available at: ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources
Medical Indemnity: A Legal and Professional Obligation
The legal requirement
The Health Care and Associated Professions (Indemnity Arrangements) Order 2014 introduced a statutory requirement for all practitioners registered with UK healthcare regulators to have an indemnity arrangement that provides appropriate cover for their type of practice. This is not optional guidance; it is a legal obligation. The GMC's Good Medical Practice (updated in 2024) reinforces this, stating clearly that doctors must have adequate and appropriate insurance or indemnity covering the full scope of their practice.
The GMC has the power to check whether you have adequate cover in place, and can remove or refuse a licence to practise if you do not. You will also find it virtually impossible to obtain practising privileges at any private hospital without evidence of appropriate indemnity cover.
Full GMC guidance on insurance and indemnity is here: gmc-uk.org: Insurance, indemnity and medico-legal support
What NHS indemnity does and does not cover
This is one of the most commonly misunderstood areas of private practice compliance. Your NHS Trust provides indemnity for clinical negligence arising from work carried out as part of your NHS contract, through state-backed schemes such as the Clinical Negligence Scheme for Trusts (CNST). That indemnity does not extend to private work, even if you carry out private consultations on NHS premises, and it does not cover regulatory proceedings, GMC hearings, coroner inquests, or disciplinary investigations.
As soon as you see a private patient, you need separate indemnity in place for that activity. This is true even if your private sessions represent a small fraction of your overall working week.
Discretionary vs contractual cover
When choosing an indemnity arrangement, consultants need to understand the difference between discretionary cover, offered by the three traditional Medical Defence Organisations (MDOs), and contractual insurance, offered by commercial insurers regulated by the Financial Conduct Authority (FCA).
Discretionary cover means that the MDO has the right, but not the obligation, to support a claim. In practice, MDOs very rarely decline to assist, but the absence of a contractual guarantee means you have no legal right to call on that support. Contractual insurance, by contrast, is a legally binding policy that sets out exactly what is covered and obligates the insurer to honour valid claims.
The Government has consulted on reforming the indemnity market in recognition of concerns about discretionary cover, and the outcome of that work is still pending. In the meantime, it is worth understanding which type of product you currently hold, what it does and does not promise, and whether it adequately covers your practice.
Choosing the right level of cover
Your indemnity should cover the full scope of your practice, including every specialty area you work in, every type of procedure you perform, and your estimated private income for the year. You must inform your insurer or MDO of material changes to your practice, such as expanding into a new procedure area or significantly increasing your caseload, since failing to do so could leave you without effective cover at the moment you need it most.
You should also consider whether your policy includes run-off cover, which protects you against claims arising from past work after you have retired or changed insurer. Medical negligence claims are frequently brought years after the incident in question, and a policy that expires without run-off provision can leave you personally liable for those historic claims.
TouchPoints.health has exclusive relationships with indemnity providers and can assist you in finding appropriate cover; just ask during your demo with us.
Record-Keeping: What You Must Keep and for How Long
Your obligations as a data controller
The GMC's Confidentiality guidance makes clear that you, as the data controller for your private practice, are responsible for ensuring records are created accurately, stored securely, transferred safely, protected against unauthorised access, and disposed of in accordance with data protection law. These obligations apply regardless of whether your records are paper-based, electronic, or a combination of both.
Good Medical Practice 2024 reinforces this, stating that doctors must maintain clear, accurate and contemporaneous records of clinical encounters. In the event of a complaint or claim, clinical records will almost always be the primary evidence, and records that are incomplete, inaccurate, or written up some time after the consultation will significantly undermine your position.
GMC Good Medical Practice 2024: gmc-uk.org/professional-standards/the-professional-standards/good-medical-practice
How long to keep private practice records
There is no specific statutory regulation that sets retention periods for private clinical records. However, the GMC's Confidentiality guidance (paragraph 130) states that you should follow the UK health departments' guidance on record retention even if you do not work in the NHS. In practice, this means consulting the NHS England Records Management Code of Practice (2021 edition, which has been revised since), the authoritative framework for retention schedules across health and care records in England. Check that you are working from the current version of the Code rather than a saved copy.
The Code sets minimum retention periods. For adult clinical records, the general minimum is eight years from the conclusion of treatment. Records relating to children and young people should be kept until the patient's 25th birthday, or until their 26th birthday if they were 17 when treatment ended, so that records are retained through the full period during which a negligence claim could be brought. Records relating to maternity care should be kept for 25 years after the birth of the last child.
These are minimums, and reaching one does not mean a record must be destroyed. Medical Protection recommends that if you become aware of a complaint, an adverse event, or the possibility of litigation, you should place those records on hold and extend their retention period accordingly. Complaint files should be kept separately from clinical records and retained for at least ten years from the closure of the complaint process.
NHS England Records Management Code of Practice 2021: transform.england.nhs.uk: Records Management Code of Practice
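As an added illustration of how the retention rules above translate into a review schedule, the following Python calculator is an example written for this guide, not code from any practice management product or from the Code itself. It encodes only the three schedules quoted above (adult, child, maternity) plus a hold flag for the complaint or litigation case, and the sample dates in it are constructed. A practice applying it should check the current Code for record types it does not cover.

```python
from datetime import date
from typing import Optional

# Illustrative retention review-date calculator (example for this guide, not a product component).
# Rules as quoted from the NHS England Records Management Code of Practice:
#   adult     - 8 years from the conclusion of treatment
#   child     - until the 25th birthday, or the 26th if the patient was 17 when treatment ended
#   maternity - 25 years (the Code counts from the birth of the last child)
# A review date is the EARLIEST point at which disposal may be considered, never an automatic delete.


def add_years(d: date, years: int) -> date:
    """Move a date forward by whole years; a 29 Feb anniversary in a non-leap year becomes 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(date_of_birth: date, when: date) -> int:
    """Completed years of age on a given date (birthday not yet reached that year counts as one less)."""
    years = when.year - date_of_birth.year
    if (when.month, when.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years


def retention_review_date(
    record_type: str,
    last_treatment: date,
    date_of_birth: Optional[date] = None,
    on_hold: bool = False,
) -> Optional[date]:
    """
    Return the earliest date on which a record may be reviewed for secure disposal,
    or None when the record is on hold (complaint, adverse event, or possible litigation),
    meaning it must be retained until the hold is explicitly lifted.
    """
    if on_hold:
        return None
    if record_type == "adult":
        return add_years(last_treatment, 8)
    if record_type == "maternity":
        return add_years(last_treatment, 25)
    if record_type == "child":
        if date_of_birth is None:
            raise ValueError("date_of_birth is required for children's records")
        # The 26th birthday applies only when the young person was 17 at the end of treatment;
        # for younger patients the 25th birthday is already at least 8 years away.
        target_birthday = 26 if age_on(date_of_birth, last_treatment) == 17 else 25
        return add_years(date_of_birth, target_birthday)
    raise ValueError(f"unknown record type: {record_type!r}")


def due_for_review(review_date: Optional[date], today: date) -> bool:
    """True only when a review date exists and has been reached; held records are never due."""
    return review_date is not None and today >= review_date


if __name__ == "__main__":
    # Constructed sample records, not real patients.
    samples = [
        ("adult", date(2020, 3, 15), None, False),
        ("child", date(2015, 6, 1), date(2010, 1, 10), False),   # aged 5 at end of treatment
        ("child", date(2021, 6, 1), date(2004, 1, 10), False),   # aged 17 at end of treatment
        ("maternity", date(2020, 3, 15), None, False),
        ("adult", date(2020, 3, 15), None, True),                # complaint received: held
    ]
    for record_type, last, dob, hold in samples:
        review = retention_review_date(record_type, last, dob, hold)
        print(record_type, last, "->", review or "ON HOLD", "due:", due_for_review(review, date(2030, 1, 1)))
```

The hold flag is deliberately checked first: once a complaint or claim is in prospect, the schedule no longer governs, and a disposal job that only consulted the schedule would destroy the evidence you most need to keep.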
Secure disposal
When records reach the end of their retention period and are not on hold, the storage limitation and security principles of the UK GDPR (Article 5(1)(e) and (f)), given effect by the Data Protection Act 2018, require you to dispose of them securely rather than simply stop using them. For paper records, this means cross-cut shredding or engaging an accredited confidential waste contractor who provides a certificate of destruction. For electronic records, ordinary deletion is not enough: the data must be securely erased or the storage media physically destroyed, and the same applies to copies held in backups and by any processor (for example your practice management software provider), whose Data Processing Agreement should oblige them to delete on your instruction and confirm that they have done so. Keep a disposal log recording what was destroyed, when, and by whom. Improper disposal of patient records is a data protection breach and can result in ICO enforcement action.

GMC Registration and Revalidation

Maintaining your GMC registration and licence to practise sits at the foundation of everything else. Without a current licence, you cannot legally practise medicine in the UK in any setting, public or private.
Revalidation is the process by which licensed doctors demonstrate to the GMC, through regular appraisal and evidence of continuing professional development, that they are up to date and fit to practise. Revalidation takes place every five years and is built on an annual appraisal overseen by a responsible officer. As a private practitioner you need to identify a designated body that will provide that responsible officer, since you may not have automatic access to one through an NHS employer. Your private work should also be covered by your appraisal: the responsible officer is expected to see evidence from the whole of your practice, not only the NHS part.
Private practitioners who do not hold an NHS post need to make specific arrangements for their responsible officer, whether through a private hospital where they hold practising privileges, another organisation that acts as a designated body, or NHS England. Failure to engage with revalidation within the required timeframe can lead the GMC to withdraw your licence, after which you can no longer practise.
Financial and Tax Compliance
Compliance in private practice extends beyond clinical regulation into business and financial obligations. Once you begin earning private income, you are responsible for declaring that income to HMRC and paying the appropriate tax. Most consultants structure their private practice either as a sole trader or through a limited company, and the tax implications of each approach are different.
As a sole trader, private income is added to your NHS earnings and taxed accordingly through self-assessment. The higher your total income, the more significant the tax liability becomes, and many consultants find that working with an accountant who specialises in medical practices pays for itself many times over in legitimate tax efficiency.
If you operate through a limited company, corporation tax applies to company profits, and you take income through a combination of salary and dividends. There are also IR35 considerations to be aware of if you provide services through an intermediary structure, particularly if your private work resembles an employment relationship.
You must register for self-assessment if you are not already, and you may need to register for VAT if your taxable private income exceeds the VAT threshold, currently £90,000 per year. Note that medical care provided by a registered doctor is generally exempt from VAT under Schedule 9, Group 7 of the Value Added Tax Act 1994, but not all services consultants provide will necessarily qualify for exemption (for example some medico-legal reports or purely cosmetic work), so exempt and taxable supplies should be tracked separately and you should seek specific advice if you are uncertain.
HMRC self-assessment registration: gov.uk: Self Assessment tax returns
Complaints Handling
Private practitioners are not subject to the NHS complaints procedure, but you are not without obligations. Your patients have a right to raise concerns about their care, and you have a professional obligation under Good Medical Practice to deal with complaints promptly, openly, and fairly.
The Independent Sector Complaints Adjudication Service (ISCAS) provides an independent adjudication scheme for private healthcare complaints, and if you are registered with a private hospital or clinic that subscribes to ISCAS, your practice will fall within its scope. Even if you practise entirely independently, you should have a written complaints procedure that your patients are made aware of.
If you are CQC-registered as a provider, you are required to have a formal complaints policy as part of your regulatory obligations, and you must investigate complaints and keep records of them. CQC inspectors will ask to see your complaints log and evidence of how complaints have been handled.
GMC guidance on the duty of candour and responding when things go wrong: gmc-uk.org: Openness and honesty when things go wrong

TouchPoints.health: A Platform Built to These Standards
TouchPoints.health has been developed specifically to meet the requirements set out in this guide. It is a cloud-based practice management platform designed for UK private doctors, consultants and clinics, built around the principle that effective software should support clinical care without adding complexity.
The platform integrates scheduling, patient records, clinical correspondence, billing, analytics, and outcome reporting in a single system. It has been designed for ease of use, with intuitive workflows that require minimal training. Most practice teams can begin using the core system productively within a single onboarding session, with advanced features accessible as needed.
TouchPoints.health is ISO/IEC 27001 certified, with an independently audited Information Security Management System that undergoes regular surveillance audits. Certification documentation is available on request, and the platform maintains active compliance with the ongoing audit requirements that certification entails. When reviewing any vendor's certificate, including ours, check the issuing certification body, the expiry date, and the stated scope, since an ISO 27001 certificate covers only the services and locations named in it.
All patient data is stored in UK data centres, so the international transfer provisions of UK GDPR are not engaged and the data residency expectations of private practices are met. Data residency is contractually guaranteed, with no offshore processing or ambiguous cloud hosting arrangements. Backup and disaster recovery infrastructure is similarly UK-based.
The platform is built to scale with growing practices. It supports single-consultant practices through to multi-site clinics, with flexible user management, multi-specialty support, and modular functionality that can be added as requirements evolve. Data portability is supported through standard export formats, ensuring that practices retain full control of their information.
TouchPoints.health is actively developed in response to user feedback and regulatory change, with regular updates that reflect real-world practice needs. The development team works closely with practising clinicians and practice managers to ensure that new features support clinical workflows rather than complicate them.
Get Started with TouchPoints.health
If your practice is evaluating practice management software, we invite you to see how TouchPoints.health meets the standards set out in this guide. Request a demonstration focused on your specific workflows, review our ISO 27001 certification, and speak with existing users about their experience.
Visit www.touchpoints.health to request a demonstration, or contact our team directly to discuss your practice's requirements. We provide transparent information about our platform, our security controls, and our data governance arrangements, and we welcome detailed questions from practices conducting thorough vendor evaluation.
TouchPoints.health is designed for practices that take information governance seriously, that value ease of use, and that need a platform built to support UK private healthcare. If those priorities align with yours, we would welcome the opportunity to show you how the platform works in practice.
