As the independent sector grows and clinical workforce models evolve, many institutional providers are carrying indemnity risk they haven’t fully mapped – or priced, says George Maughan, THEMIS’ director of insurance services.
The expansion of private healthcare in the UK has been rapid and, in many respects, poorly matched by the governance frameworks that underpin it. Clinic groups, independent hospitals, and corporate providers have grown their consultant networks, absorbed salaried clinical staff, and extended their service lines – often without a corresponding review of how medical malpractice liability is actually held, distributed, and covered across the organisation.
The result is a structural vulnerability that sits at the intersection of employment law, indemnity architecture, and regulatory expectation. In plain terms: a hospital or clinic may be legally liable for the clinical acts of practitioners working within its walls – but recent Supreme Court authority shows that whether liability actually attaches depends heavily on how the working relationship is structured, not merely on whether the practitioner holds their own indemnity.
This article sets out the core mechanics of vicarious liability in the healthcare context, identifies the audit gaps that most commonly arise in institutional settings, and makes the case for a structured indemnity review as an essential board-level governance function.
The mechanics of vicarious liability in healthcare
Vicarious liability is the principle by which an employer bears responsibility for the wrongful acts of those acting in its service. In the clinical context, this means that where a patient suffers harm as a result of negligent treatment delivered by a practitioner operating within an institutional setting, the institution itself may be exposed to a clinical negligence claim, irrespective of whether the practitioner is a salaried employee or an independent consultant with their own indemnity.
The traditional distinction between employees and independent contractors has been the subject of two significant Supreme Court decisions, and institutions are at real risk of misreading what they mean when read together. In Cox v Ministry of Justice [2016], the Court held the Ministry of Justice vicariously liable for the negligence of a prisoner working under supervision in a prison kitchen – despite the prisoner having no employment relationship whatsoever. The judgment confirmed that liability can attach to a relationship that merely resembles employment, provided the work is carried out as an integral part of the defendant’s activity and the defendant created the relevant risk by engaging the individual to do it. At the time, Cox was widely read as broadening institutional exposure.
Four years later, in Various Claimants v Barclays Bank plc [2020], the Supreme Court pulled back. Barclays had engaged an independent doctor, Dr Bates, to carry out pre-employment medical examinations of job applicants; he was later alleged to have sexually assaulted a large number of the claimants during these examinations. Because Dr Bates had since died and his medical defence organisation declined to indemnify claims of this nature, Barclays was the only viable defendant. The lower courts found Barclays liable, but the Supreme Court unanimously reversed that finding. Lady Hale held that the basic common law principle – that the engager of a genuine independent contractor is not liable for that contractor’s wrongdoing – had never been displaced. Because Dr Bates ran his own practice, served other clients, and was paid fee-for-service rather than retained, he was found to be in business on his own account, and no vicarious liability arose.
Reading the two cases together: Barclays does not extend Cox – it restrains it. The threshold question is now whether the practitioner is genuinely in business on their own account. Only where that is unclear does the broader Cox-style analysis of control, integration, and risk-creation come into play.
For private hospitals and clinic groups, the practical implication cuts both ways, and it is more nuanced than is often assumed. A consultant who holds practising privileges but maintains a genuinely separate practice, serves other institutions and private patients, and bears their own commercial risk has a real prospect of being treated as a true independent contractor post-Barclays – which may relieve the institution of vicarious liability, but says nothing about whether the patient is adequately protected if that consultant’s own indemnity proves inadequate or discretionary. Conversely, the more an institution standardises a practitioner’s working pattern – exclusive or near-exclusive use of institutional branding, referral pathways, equipment, support staff, and clinical governance structures – the more the relationship resembles Cox, and the weaker any independent contractor defence becomes, regardless of how the engagement is labelled commercially.
The result is that institutions cannot assume Barclays operates as a general shield. Many practising privileges models in the independent sector are, by clinical governance design, considerably more integrated than the arm’s-length relationship that protected Barclays – which means many institutions are operating closer to Cox than they may appreciate.
Where the gaps typically arise
A structured audit of vicarious liability exposure in an institutional setting will commonly surface one or more of the following failure points:
- Inadequate verification of practitioner indemnity
Practising privileges processes typically require practitioners to attest that adequate indemnity is in place. However, attestation is not verification. Institutions commonly accept self-declaration without confirming policy type, indemnity limits, scope of coverage, or whether the cover in question is contractual (insurance-backed) or discretionary. A practitioner covered by a medical defence organisation on a discretionary basis offers the institution no guarantee that a claim will be met – the MDO retains the right to decline assistance at its absolute discretion.
- Misalignment between individual and institutional indemnity
Even where practitioners hold valid insurance, the scope of that policy may not align with the institution’s own indemnity position. Individual policies may carry limits that are inadequate relative to the severity of claims arising in the institutional context – particularly in high-acuity specialties such as obstetrics, oncology, and complex surgery. Where a claim exceeds the practitioner’s individual limit, or where the institution is drawn into proceedings as a co-defendant, a coverage gap can emerge that the institution is left to fill.
- Evolving workforce models and blurred employment status
The modern independent sector workforce is characterised by hybrid arrangements: practitioners who hold NHS contracts and private practice in parallel; locum and agency staff placed across multiple sites; practitioners engaged through service companies or corporate structures; and an emerging cohort of clinical entrepreneurs operating at the interface of digital and in-person care. Each of these models introduces complexity that standard indemnity frameworks were not designed to handle, and each creates a potential gap between the institution’s assumption of coverage and the legal reality.
- Run-off and historic liability
Claims-made indemnity policies – which cover claims notified during the policy period, regardless of when the incident occurred – require continuous renewal and, on cessation, the purchase of run-off cover to protect against late-notified claims. Institutions that have undergone mergers, acquisitions, or changes to their clinical service model may carry unresolved run-off obligations from predecessor arrangements. Where a practitioner’s individual policy has lapsed and no run-off was secured, the institution may find itself as the only financially viable defendant.
The regulatory dimension
The CQC’s Fit and Proper Persons framework, and its broader inspection methodology, takes an increasingly close interest in indemnity governance as an indicator of organisational competence. A registered provider that cannot demonstrate systematic verification and management of the indemnity arrangements of its clinical workforce is at risk of regulatory findings that go beyond the clinical incident itself.
Similarly, NHS standard contracts and many commissioning arrangements now impose explicit indemnity requirements on independent providers delivering NHS-funded activity. The gap between contractual obligation and operational practice is, in many institutions, material.
Regulatory note: The CQC’s Well-Led domain explicitly expects boards to have visibility of risk management frameworks. Indemnity governance is increasingly within scope of that expectation.
Conducting the audit: A framework
An effective vicarious liability audit should address the following areas:
- Workforce mapping: identify all categories of clinical practitioner delivering care within the organisation, including those engaged through third-party arrangements, and classify by employment status and nature of engagement.
- Indemnity verification: for each category, confirm the type of indemnity held (contractual insurance vs discretionary MDO membership), the policy limits, the scope of cover, and the currency of the arrangement.
- Gap analysis: compare individual practitioner indemnity against the institution’s own policy to identify scenarios in which the institution may bear unhedged exposure – in particular, high-value claims, co-defendant scenarios, and run-off gaps.
- Policy review: assess whether the institution’s own medical malpractice or professional indemnity policy explicitly addresses vicarious liability, and on what terms – including sub-limits, exclusions, and the insurer’s right of recovery.
- Governance documentation: ensure that indemnity requirements are embedded in practising privileges agreements, service contracts, and supplier frameworks, and that verification processes are documented and periodically reviewed.
The output of the audit should be a risk register entry with clear ownership at board level, a remediation plan for any gaps identified, and a defined review cycle that keeps pace with workforce and regulatory change.
The institutional indemnity market in 2026
The market for institutional medical malpractice indemnity has matured significantly in recent years, with specialist MGAs and insurers developing products that are purpose-built for the independent sector’s workforce complexity. Corporate and group indemnity structures can provide a consolidated layer of cover that sits above individual practitioner arrangements, addressing the alignment gaps that audit typically surfaces.
For institutions that have historically relied on individual practitioner attestation as their primary risk management mechanism, the development of institutional-grade indemnity solutions represents both a risk management improvement and a commercial opportunity – reducing the administrative burden of verification while providing a more defensible governance position.
In summary
Vicarious liability is not a theoretical risk for hospitals and clinic groups – it is a live exposure that is frequently underestimated and undermanaged. The combination of evolving workforce models, a more sophisticated claims environment, and heightened regulatory scrutiny makes an indemnity audit not merely good practice, but a governance imperative. Institutions that undertake this work proactively are better placed to manage the risk, satisfy regulators, and – when things go wrong – demonstrate the due diligence that boards are increasingly expected to evidence.




