NDIS Quality and Safeguards compliance for registered NDIS providers
Registered NDIS providers operate under the National Disability Insurance Scheme Act 2013 (Cth), the NDIS Practice Standards, and the NDIS Code of Conduct. This guide sets out 10 obligations covering registration, quality, worker screening, behaviour support, incident reporting, and complaints — administered by the NDIS Quality and Safeguards Commission.
Coverage
Registered NDIS providers delivering supports and services. Unregistered providers must still comply with the NDIS Code of Conduct. NDIS workers are individually bound by the Code of Conduct. Providers delivering specialist behaviour support or restrictive practices must hold specific registration.
Legal basis
National Disability Insurance Scheme Act 2013 (Cth); NDIS (Quality Indicators for Registered NDIS Providers) Guidelines; NDIS (Practice Standards — Worker Screening) Rules 2018; NDIS (Incident Management and Reportable Incidents) Rules 2018; NDIS (Provider Registration and Practice Standards) Rules 2018; NDIS Code of Conduct.
The obligations
Hold NDIS registration at the required class
Providers delivering specified supports (including specialist behaviour support, implementing behaviour support plans, specialist disability accommodation, and high-intensity personal activities) must hold NDIS registration. Registration is class-specific.
Meet the NDIS Practice Standards
Registered providers must meet the four core modules (rights and responsibilities, provider governance, provision of supports, provision of supports environment) and any supplementary modules relevant to the registration classes held.
Comply with the NDIS Code of Conduct
All NDIS providers (registered and unregistered) and workers must comply with the Code of Conduct — acting with respect, integrity, care, honesty, and providing safe and quality services.
Operate a compliant incident management system
Registered providers must have a documented incident management system that identifies, records, manages, and resolves incidents affecting NDIS participants.
Report reportable incidents within required timeframes
Reportable incidents (death, serious injury, abuse or neglect, unlawful sexual or physical contact, unauthorised use of restrictive practices) must be notified to the Commission within 24 hours, with a detailed report within 5 business days.
Operate an accessible complaints management system
Providers must have complaints and feedback processes that are culturally appropriate, accessible, confidential, and clear about the right to complain to the Commission. Complaints outcomes must be documented and used for service improvement.
Only deploy workers who have current NDIS Worker Screening clearance
Workers in risk-assessed roles must hold an acceptable NDIS Worker Screening check before starting work. Providers must keep records of worker clearances and verify status regularly.
Regulate the use of restrictive practices
Restrictive practices may only be used as authorised by the relevant State/Territory behaviour support authorisation regime, with a behaviour support plan, and with ongoing reporting to the Senior Practitioner at the Commission.
Report monthly on the use of restrictive practices
Providers that use restrictive practices must lodge monthly reports with the Commission on the type, duration, and circumstances of use — even where authorised.
Cooperate with Commission audits and investigations
Registered providers undergo certification or verification audits depending on the classes held. Providers must cooperate with investigations, compliance monitoring, and random audits — including providing access to records, staff, and participants.
What happens if you do not comply
Non-compliance can result in compliance notices, banning orders for individuals, suspension or revocation of registration, and civil penalties up to thousands of penalty units. Serious misconduct can attract criminal referral. Unregistered providers can still be banned under Code of Conduct jurisdiction.
Reporting requirements
Reportable incidents within 24 hours (initial) and 5 business days (detailed). Monthly restrictive practice reports. Periodic audits (certification or verification) every 3 years. Change of circumstances (key personnel, ownership) reported promptly. Complaints outcome reporting as directed by the Commission.
What firms should do today
- Map every registration class to the Practice Standards modules and maintain evidence per module
- Build a 24-hour reportable-incident workflow with a named accountable officer
- Maintain worker screening status monitoring with automatic re-verification
- Align behaviour support plans with State/Territory authorisation and monthly restrictive practice reporting
- Integrate complaints outcomes into continuous improvement cycles
- Pre-prepare for certification audits by running internal reviews against the Practice Standards
Compliance with Quillio
Quillio drafts reportable incident notifications, behaviour support plans, Practice Standards evidence packs, worker screening procedures, and audit responses aligned to current NDIS Commission guidance. Australian-hosted infrastructure keeps participant information in jurisdiction. See /practice-areas/commercial-lawyers or start a free trial.
This guide is general information about NDIS Quality and Safeguards obligations — not legal or clinical advice. Registration classes, authorisation regimes, and Practice Standards are fact-specific. Obtain specialist disability sector advice before relying on any exemption or responding to Commission action.
Build compliance into your stack.
Quillio is built around AU compliance from the ground up — SOC 2 Type II + ISO 27001 + Australian data sovereignty. The free trial requires no sales call.
Start your free trial