
Compliance playbook for NDIS providers

The whole regulatory stack for registered NDIS providers — NDIS Act 2013, NDIS Practice Standards (verification + certification audit tiers), NDIS Code of Conduct, NDIS Worker Screening Check, restrictive-practices authorisation by state + behaviour support plans, reportable-incident notifications within 24 hours / 5 business days, NDIS Pricing Arrangements + Price Limits, 3-year registration cycle with an 18-month mid-term audit, banning orders and civil penalties for unregistered conduct, NDIA fraud reporting, Privacy Act + state health-records Acts, AHPRA for clinical staff, child-safety obligations, and Modern Slavery for larger providers.

20 obligations · 3 deadlines · 21 cross-linked articles

Key deadlines — next 12 months

  • Every 18 months: Certification mid-term audit (full certification or verification audit at each 3-year registration renewal)
  • Within 24 hours: Reportable incident — immediate notification (unauthorised use of a restrictive practice: within 5 business days)
  • Within 5 business days: Reportable incident — more detailed report
  • 1 July annually: Updated Pricing Arrangements + Price Limits
  • Monthly: Restrictive-practices use upload
  • Within 30 days: NDB assessment of a suspected eligible data breach

Does this apply to me?

Answer yes to any of the below and the obligations in this playbook are likely relevant.

  1. Are you registered with the NDIS Quality and Safeguards Commission as a provider of NDIS supports or services?
  2. Do you provide a support listed in the Schedule of Price Limits — including support coordination, plan management, therapeutic supports, personal care, supported independent living, specialist disability accommodation (SDA), or assistive technology?
  3. Do you employ workers who deliver supports to NDIS participants (NDIS Worker Screening Check required for risk-assessed roles)?
  4. Do you use any restrictive practice (chemical, mechanical, physical, seclusion, environmental) for a participant — triggering state restrictive-practices authorisation + a positive behaviour support plan?
  5. Do you provide supports to children or young people aged under 18 (child-safe obligations + state working-with-children checks)?
  6. Is your consolidated revenue at or above AUD $100M (Modern Slavery Act 2018 reporting threshold)?

Plain English summary

The NDIS regulatory framework is layered: the NDIS Act 2013 (Cth) sits over the NDIS Practice Standards (the operational quality regime), the NDIS Code of Conduct (the individual-worker behavioural regime), the NDIS (Provider Registration and Practice Standards) Rules 2018 (the registration regime), and the NDIS Pricing Arrangements + Price Limits (the funding-rules regime). The NDIS Quality and Safeguards Commission administers the quality, conduct and registration regimes; the Pricing Arrangements and Price Limits are set by the NDIA, not the Commission.

Registration is the first decision. Providers follow either the Verification pathway (providers of lower-risk registration groups only, such as plan management) or the Certification pathway (providers of higher-risk supports including SIL, SDA and behaviour support). Verification providers have a lighter audit. Certification providers face a full quality audit against the NDIS Practice Standards by an Approved Quality Auditor at each 3-year registration renewal, plus a mid-term audit roughly 18 months into the registration period.

Reportable incidents (death of a participant; serious injury; abuse or neglect; unlawful sexual or physical contact; sexual misconduct; unauthorised use of a restrictive practice) must be notified to the NDIS Commission. The first five categories require an immediate notification within 24 hours of becoming aware, followed by a more detailed report within 5 business days; unauthorised use of a restrictive practice is notifiable within 5 business days. The Commission may also request a final report after reviewing the 5-day report. Restrictive practices require a positive behaviour support plan + state-level authorisation under each state's Senior Practitioner or equivalent regime (which differs materially state by state). The NDIS Worker Screening Check replaced state-based checks from 1 February 2021: every worker in a risk-assessed role needs the NDIS clearance.

This playbook lists every obligation a registered NDIS provider faces today, the instrument and section it sits under, who is accountable, the cadence, the maximum penalty, and a regulator-direct source. See also the compliance calendar and the penalty estimator.

Obligation checklist

Every obligation cites the Act and section. Source URLs link to the regulator's portal — Rules Mate does not republish statutory text.

  1. National Disability Insurance Scheme Act 2013 (Cth), s 73E — registration

    Register with the NDIS Quality and Safeguards Commission (through its provider portal) where registration is required: specialist disability accommodation, plan management, specialist behaviour support, implementing regulated restrictive practices, and any support delivered to a participant whose plan is NDIA-managed. Other supports (support coordination, therapeutic supports, personal care) can lawfully be delivered unregistered to self-managed or plan-managed participants, but the NDIS Code of Conduct still applies to the provider and its workers.

    Who's responsible: CEO / Managing Director
    Frequency: Continuous (re-registration cycle every 3 years; mid-term audit at about 18 months for certification providers)
    Penalty: Providing a support that requires registration while unregistered is a civil penalty contravention (up to ~$1.565M for a body corporate); banning orders.
  2. NDIS (Provider Registration and Practice Standards) Rules 2018 — NDIS Practice Standards, Core Module

    Comply with the Core Module of the NDIS Practice Standards: rights and responsibilities; provider governance and operational management; provision of supports; provision of supports environment. Conformance is demonstrated at the certification audit and the 18-month mid-term audit.

    Who's responsible: Board / CEO + Quality Manager
    Frequency: Continuous; full certification audit every 3 years with a mid-term audit at about 18 months
    Penalty: Non-conformance findings; conditions on registration; revocation; banning orders.
  3. NDIS (Provider Registration and Practice Standards) Rules 2018 — NDIS Practice Standards, supplementary modules

    If providing the relevant support, comply with the applicable supplementary module: high intensity daily personal activities; specialist behaviour support; implementing behaviour support plans; early childhood supports; specialised support coordination; specialist disability accommodation (SDA). The modules you are audited against follow from the registration groups you hold.

    Who's responsible: Quality Manager + Service Leads
    Frequency: Continuous; verified at the certification audit and mid-term audit
    Penalty: Non-conformance findings; conditions on registration; revocation.
  4. NDIS Code of Conduct (NDIS (Code of Conduct) Rules 2018)

    Comply (and ensure every worker complies) with the seven elements of the NDIS Code of Conduct: respect individual rights; respect privacy; provide supports safely and competently; act with integrity, honesty and transparency; promptly raise and act on concerns about quality and safety; take all reasonable steps to prevent and respond to violence, exploitation, neglect and abuse; take all reasonable steps to prevent and respond to sexual misconduct. The Code applies to registered and unregistered providers and their workers.

    Who's responsible: CEO + every worker
    Frequency: Continuous
    Penalty: Civil penalty up to ~$15,000 per individual breach + ~$78,200 per body corporate breach; banning orders.
  5. NDIS (Practice Standards — Worker Screening) Rules 2018

    Every worker in a risk-assessed role must hold an NDIS Worker Screening Check clearance issued by the state or territory Worker Screening Unit. Engage workers in such roles only after the clearance is verified (and linked to your organisation) through the NDIS Worker Screening Database.

    Who's responsible: HR + Operations
    Frequency: Per worker; clearance valid 5 years; ongoing monitoring
    Penalty: Civil penalty for engaging an unscreened worker in a risk-assessed role; conditions on or revocation of registration.
  6. NDIS Act 2013 (Cth), s 73Z + NDIS (Incident Management and Reportable Incidents) Rules 2018

    Maintain an incident management system. Notify the NDIS Commission of reportable incidents: death; serious injury; abuse or neglect; unlawful sexual or physical contact; sexual misconduct (including grooming); unauthorised use of a restrictive practice. The first five categories require an immediate notification within 24 hours of becoming aware and a more detailed report within 5 business days; unauthorised use of a restrictive practice is notifiable within 5 business days. The Commission may request a final report after reviewing the 5-day report.

    Who's responsible: Incident Manager + CEO
    Frequency: Event-driven
    Penalty: Civil penalty up to ~$1.565M (corporate) per failure to notify; conditions/revocation.
  7. NDIS (Restrictive Practices and Behaviour Support) Rules 2018

    Use regulated restrictive practices only when authorised through the relevant state or territory authorisation pathway (Senior Practitioner or equivalent), with a positive behaviour support plan in place, and report each use to the NDIS Commission monthly. State regimes vary materially (NSW, VIC, QLD, WA, SA, TAS, NT, ACT).

    Who's responsible: Behaviour Support Practitioner + Service Manager
    Frequency: Per use; monthly reporting
    Penalty: Unauthorised use is itself a reportable incident; civil penalty exposure; potential criminal exposure under state law.
  8. NDIS Pricing Arrangements and Price Limits 2026 (annual NDIA determination)

    Charge no more than the price limit for each support under the Schedule of Price Limits. Apply the current annual Pricing Arrangements + Price Limits (effective 1 July each year), including the short-notice cancellation rules, provider-travel rules and non-face-to-face support rules.

    Who's responsible: CFO + Service Managers
    Frequency: Annual update each 1 July
    Penalty: Overcharging is a serious quality and safeguards failure; conditions/revocation; potential fraud referral.
  9. NDIS (Provider Registration and Practice Standards) Rules 2018 — audit cycle

    Certification providers undergo a full quality audit against the NDIS Practice Standards by an Approved Quality Auditor (AQA) at each 3-year registration renewal, with a mid-term audit roughly 18 months into the registration period. Verification providers undergo a lighter verification audit at each renewal.

    Who's responsible: Quality Manager + Board
    Frequency: Full audit every 3 years plus mid-term audit at about 18 months (certification); verification audit every 3 years
    Penalty: Audit non-conformance: corrective action plan; conditions; revocation; banning orders.
  10. NDIS Act 2013 (Cth), s 73ZN — banning orders

    The NDIS Commissioner may make a banning order against a provider or worker who has contravened the NDIS Act, the NDIS Code of Conduct, or related rules, including for unregistered conduct, fraud, or safety risk. Maintain robust worker conduct, complaints, and incident systems to prevent triggers.

    Who's responsible: CEO + Board
    Frequency: Continuous
    Penalty: Banning order — temporary or permanent prohibition from providing supports, published on the public NDIS Provider Register.
  11. NDIS Act 2013 (Cth), s 182 — fraud reporting + NDIA Fraud Reporting and Scams Helpline

    Report suspected NDIS fraud to the NDIA Fraud Reporting and Scams Helpline. Maintain internal anti-fraud controls (claim verification against service records, separation of duties between service delivery and claiming, periodic billing review). Cooperate with NDIA Fraud Fusion Taskforce investigations.

    Who's responsible: CFO + Compliance Lead
    Frequency: Event-driven
    Penalty: Fraud offences: criminal — up to 10 years imprisonment + civil penalty; banning orders.
  12. Privacy Act 1988 (Cth), Sch 1 — Australian Privacy Principles

    NDIS providers handle health information, which is sensitive information under the Privacy Act. Comply with all 13 APPs, in particular: privacy policy (APP 1), collection notice (APP 5), use and disclosure (APP 6), and security of personal information (APP 11, which also requires destroying or de-identifying information no longer needed). The small-business exemption does not apply where you handle health information.

    Who's responsible: Privacy Officer + Service Managers
    Frequency: Continuous
    Penalty: Up to the greater of $50M, 3× the benefit obtained, or 30% of adjusted turnover for serious or repeated interferences with privacy.
  13. Privacy Act 1988 (Cth), Pt IIIC — Notifiable Data Breach scheme

    Notify the OAIC and affected individuals of eligible data breaches involving participant personal or health information. Where a breach is only suspected, complete the assessment within 30 days of becoming aware; once a breach is assessed as eligible, notify as soon as practicable.

    Who's responsible: Privacy Officer + Incident Response Lead
    Frequency: Event-driven
    Penalty: Up to the greater of $50M, 3× the benefit obtained, or 30% of adjusted turnover.
  14. State health-records Acts — Health Records Act 2001 (Vic) / Health Records and Information Privacy Act 2002 (NSW) / Health Records (Privacy and Access) Act 1997 (ACT)

    In Victoria, NSW, and the ACT, comply with the state health-records regime in addition to the Commonwealth Privacy Act. Distinct obligations on access, correction, transfer of records on closure, and unique-identifier handling.

    Who's responsible: Privacy Officer
    Frequency: Continuous
    Penalty: Civil penalty per state regime; complaints to the relevant state body (Health Complaints Commissioner in Victoria; NSW Privacy Commissioner; ACT Human Rights Commission).
  15. Health Practitioner Regulation National Law (as applied in each state and territory) — AHPRA registration

    Clinical staff in professions regulated under the National Law (registered nurses, psychologists, occupational therapists, physiotherapists and the other National Boards' professions) must hold current AHPRA registration. Social workers, speech pathologists and dietitians are not AHPRA-registered and are instead governed by their professional associations. Confirm registration before engagement and on an ongoing basis. Mandatory-notification obligations apply to clinical conduct.

    Who's responsible: HR + Clinical Lead
    Frequency: Per clinician; annual renewal
    Penalty: Unregistered practice or use of a protected title: criminal offences under the National Law; AHPRA enforcement; banning under the NDIS regime.
  16. State Working-With-Children Check Acts (each state) — child-safe obligations

    If you provide supports to children, every worker in a child-related role must hold the relevant state Working With Children Check (Blue Card QLD; Working With Children Check NSW; Working With Children Check VIC; etc.) in addition to the NDIS Worker Screening Check. Comply with the National Principles for Child Safe Organisations.

    Who's responsible: HR + Child Safety Officer
    Frequency: Per worker; renewal per state cycle
    Penalty: State criminal offences for engagement without clearance; NDIS Commission conditions; banning orders.
  17. Aged Care Act 2024 (Cth) — overlap for providers spanning aged care

    Providers operating both NDIS and aged care services must comply with both regulators. The Aged Care Act 2024 commenced on 1 November 2025 (deferred from the originally planned 1 July 2025); the Strengthened Aged Care Quality Standards apply to in-home and residential aged care supports.

    Who's responsible: CEO + Quality Manager
    Frequency: Continuous (if applicable)
    Penalty: Aged Care Quality and Safety Commission enforcement; civil penalty exposure.
  18. Modern Slavery Act 2018 (Cth), s 5 — reporting entity

    Where consolidated revenue is AUD $100M or more: lodge an annual Modern Slavery Statement on the Modern Slavery Statements Register within 6 months of the end of the reporting period. Apply due diligence to the supply chain (PPE, cleaning, agency staff, overseas-recruited workers).

    Who's responsible: CFO + Company Secretary
    Frequency: Annual
    Penalty: Public listing on the register; civil penalties proposed under the Modern Slavery Amendment Bill 2024.
  19. Fair Work Act 2009 (Cth) + Social, Community, Home Care and Disability Services Industry Award

    Comply with the SCHADS Award (or relevant Enterprise Agreement): minimum rates, allowances (sleepover, on-call, broken shift), public holiday loadings, the casual employee choice pathway to permanent employment (Div 4A of Pt 2-2 FWA, from 26 August 2024), and the right to disconnect (s 333M FWA; small business employers from 26 August 2025).

    Who's responsible: HR + Payroll
    Frequency: Continuous
    Penalty: Civil penalties; Fair Work Ombudsman enforcement; intentional underpayment criminalised under Closing Loopholes from 1 January 2025.
  20. Work Health and Safety Act 2011 (model) — primary duty of care

    As a PCBU, ensure (so far as is reasonably practicable) the health and safety of workers and others affected by the conduct of the business, including risk-assessing in-home services, manual handling, occupational violence, lone working, vehicle safety, and infection control.

    Who's responsible: WHS Manager + Service Leads
    Frequency: Continuous
    Penalty: Category 1: up to ~$3.85M (corporate) + 5 years imprisonment for individuals (amounts vary by jurisdiction); industrial-manslaughter exposure in most jurisdictions.


Forms and regulator portals

Direct links to the lodgement forms and regulator portals. Rules Mate does not host copies — we link to the official source.

  • NDIS Commission — provider registration portal: apply to become a registered NDIS provider or vary registration.
  • NDIS Commission — reportable incident notification portal: lodge 24-hour and 5-business-day incident reports.
  • NDIS Worker Screening Check — state and territory portals: apply for or verify NDIS Worker Screening clearances.
  • NDIS Commission — regulated restrictive practices reporting: monthly upload of regulated restrictive practice use.
  • NDIA Fraud Reporting and Scams Helpline: lodge suspected fraud or sham invoicing reports.
  • OAIC — Notifiable Data Breach notification: report an eligible data breach affecting participant information.
  • AHPRA — practitioner registration: register or verify clinical practitioner registration.


What changes 2025–2026

1 July annually — NDIS Pricing Arrangements + Price Limits update

The NDIA determines updated price limits, travel rules, and provider-travel rules. Re-rate every booking and price book.

1 November 2025 — Aged Care Act 2024 commenced

For providers spanning aged care and disability, the new aged-care regime commenced on 1 November 2025 (deferred from the originally planned 1 July 2025). The Strengthened Aged Care Quality Standards apply to in-home and residential aged care.

Ongoing — NDIS Provider and Worker Registration reforms (NDIS Review 2023 + NDIS Provider and Worker Registration Taskforce, chaired by Natalie Wade, reported 2024)

The NDIS Review recommended significant changes to provider registration tiers, worker registration, and 'foundational supports' funding, and the Registration Taskforce recommended a graduated registration model. Watch for legislative implementation through 2025-2026.

10 December 2026 — Privacy Act ADM transparency + Children's Online Privacy Code

APP entities making automated decisions affecting individuals must disclose in the APP 1 Privacy Policy. NDIS providers using AI-driven rostering or risk-assessment tools are captured.

30 May 2025 — Cyber Security Act ransomware reporting

Entities above $3M turnover (and critical-infrastructure entities) must report ransomware payments to Home Affairs within 72 hours.

Ongoing — NDIA Fraud Fusion Taskforce

The Fraud Fusion Taskforce continues to investigate sham invoicing, ghost staff, and over-claiming. Expect coordinated NDIS Commission + NDIA action on fraud-adjacent quality failures.


Frequently asked

Verification or certification — how do we know which audit applies?

Verification applies to single-class providers of lower-risk supports — plan management, low-risk assistive technology, equipment supplies. Certification applies to providers of higher-risk supports (SIL, SDA, behaviour support, personal care, support coordination, therapeutic supports). The Commission assigns the audit type when you apply for registration. Most multi-disciplinary providers are certification.

Restrictive-practices authorisation — is it a single national process?

No. Authorisation is a state matter under each state Senior Practitioner / Restrictive Practices regime. NSW (Restrictive Practices Authorisation), VIC (Senior Practitioner), QLD (Disability Services Act + Forensic Disability Act), WA, SA, TAS, NT and ACT each have distinct pathways. The behaviour-support practitioner regime is national; the authorisation regime is state. Run both.

What counts as a reportable incident vs an internal incident?

The reportable categories are: death of a participant; serious injury; abuse or neglect; unlawful sexual or physical contact; sexual misconduct (including grooming); unauthorised use of a restrictive practice (regulated or unregulated). The first five require 24-hour notification; unauthorised use of a restrictive practice is notifiable within 5 business days. All other incidents are internal: record them in your incident management system, but no Commission notification is required. Marginal cases (e.g. a participant fall with no serious injury) require a documented assessment.

Worker screening — is the state-based check enough?

No. The NDIS Worker Screening Check is a national clearance issued through state Worker Screening Units against the NDIS-specific risk criteria. State Working-With-Children checks and police checks alone do not meet the NDIS worker-screening obligation for risk-assessed roles. Clearance valid for 5 years; ongoing monitoring runs in the background.

Do unregistered providers escape the NDIS Code of Conduct?

No. The NDIS Code of Conduct applies to both registered and unregistered providers + their workers. Unregistered providers cannot deliver supports that require registration (SDA, plan management, specialist behaviour support, regulated restrictive practices, or supports to NDIA-managed participants), but they remain bound by the Code and can be subject to banning orders. The Commission's enforcement footprint in the unregistered space is growing.

Privacy small-business exemption — does it apply to small NDIS providers?

No. The small-business exemption (under $3M turnover) does not apply to providers that handle 'health information' — which all NDIS providers do. From the first participant, you are an APP entity subject to all 13 APPs and the NDB scheme.

What's the NDIS overlap with the upcoming foundational-supports reforms?

The NDIS Review recommended a tiered structure: 'foundational supports' funded by states + Commonwealth for participants with lower-support needs, with the NDIS preserved for higher-support needs. Implementation legislation is progressing. Watch for transitional rules — providers spanning foundational and NDIS will need dual-regime compliance for a period.


Last verified: 9 June 2026

Rules Mate provides citation-first reference material, not legal advice. Always consult a qualified professional for specific obligations.