If you trace CPSA quality findings back to their root, a striking number land in the same place: document and records control. Not because facilities lack policies — because the wrong version was in use, no one could show who approved it, or the record that proves the work happened couldn't be found.
It's the least glamorous part of a Quality Management System, and the part assessors lean on hardest. Here's what the standard actually asks for.
What CPSA expects
The standards treat your documentation as a controlled system in its own right. In plain language, that means:
- Written quality policies that describe the system — its scope, the roles responsible for it, and how your documents are structured — accessible to staff who are trained on how to use them.
- Review and approval before issue. Documents are reviewed and approved by the medical director or designate before they're put into use, and re-reviewed at defined intervals — not whenever someone remembers.
- A document control log. A register — manual or electronic — that lists every controlled document by a unique identifier, its current valid version, and where it's distributed. Only authorized people can change it.
- The current version, everywhere it's used. Authorized, up-to-date documents are available at the point of use, with a fallback for when an online system is down.
- Obsolete documents removed. Superseded versions are promptly pulled from use, clearly marked, and archived so they can't be picked up by mistake.
- A controlled revision process. Changes are reviewed and approved before use, and the process considers how a change to one document affects others.
- Unique identification on every document — title, a unique identifier on each page, the revision date and/or number, page x of y, and the authority for issue.
- Records control. Quality and operational records have defined identification, collection, indexing, access, storage, maintenance, and confidential disposal — and are legible, readily retrievable, secure, and accessible only to authorized staff.
- Defined retention. How long each record type is kept, based on the service, best practice, and statutory or legal requirements.
Why paper and shared drives fail here
A binder and a folder of Word files can technically hold all of this. The problem is they can't control it:
- No version history. You can't prove what the policy said last March, or who approved this version.
- Two versions in circulation. A printout at the front desk and a newer file on the drive — and no log to tell you which is current.
- No approval trail. "The medical director reviewed it" isn't evidence unless the system captured who, and when.
- Retention by memory. Records get deleted early, or kept forever with no policy behind it.
You can survive a survey on paper. Staying ready between surveys on paper is where it breaks down.
What "getting it right" looks like
- A single source of truth — one place where the current version lives, so there's never a question of which is in use.
- An approval workflow that records the reviewer and date automatically, and re-prompts at your defined interval.
- Automatic version control that keeps the history and retires the old version the moment a new one is approved.
- Controlled access so only authorized people edit, and an audit trail that captures every change.
- Retention rules applied by the system, not by memory.
How Zosimos helps
Document control is exactly where purpose-built software earns its keep. PolicyHUB — our electronic policy library, launching soon — is built to the QMS document-control requirements: full version history, multi-step review-and-approval workflows, in-browser editing, controlled distribution with issued hard-copy tracking and recall, role-based access control, complete audit trails, and per-category retention. It turns the most failure-prone part of the standard into the most reliable. And because policy without practice still fails, our consulting team helps you write the quality policies and records framework underneath it.
See our CPSA NHSF accreditation support, or get in touch if uncontrolled documents are already a known risk in your facility. Next in this series: non-conformance, CAPA and adverse events.