NDIS Provider Compliance: What Registered and Unregistered Providers Must Know
The National Disability Insurance Scheme (NDIS) has created a significant compliance environment for businesses providing disability support services. With the NDIS Quality and Safeguards Commission (NDIS Commission) actively auditing providers, the consequences of non-compliance — deregistration, banning orders, and criminal penalties — are severe.
Whether you are a registered NDIS provider or an unregistered one, this guide covers what you need to have in place.
Registered vs Unregistered Providers
Registered Providers
Registered NDIS providers have been approved by the NDIS Commission to deliver specific support types. Registration is required to deliver:
- Specialist disability accommodation
- Support coordination
- Specialist behaviour support
- Plan management
- Supports for participants with complex needs
Registered providers must comply with the NDIS Practice Standards, undergo periodic certification audits (by an approved quality auditor), and meet ongoing reporting obligations.
Unregistered Providers
Unregistered providers can deliver many NDIS supports — but only to participants who are self-managed or plan-managed (not agency-managed). They must still comply with the NDIS Code of Conduct, which applies to all providers.
Many small businesses start as unregistered providers for simplicity, but growth into agency-managed participants requires registration.
The NDIS Code of Conduct
The NDIS Code of Conduct applies to all NDIS providers and workers, whether registered or not. It requires providers and workers to:
- Act with respect for individual rights to freedom of expression, self-determination, and decision-making
- Respect the privacy of people with disability
- Provide supports and services in a safe and competent manner with care and skill
- Act with integrity, honesty, and transparency
- Promptly take steps to raise and act on concerns about matters that might affect the quality and safety of supports provided
- Take all reasonable steps to prevent and respond to all forms of violence against, and exploitation, neglect, and abuse of, people with disability
- Take all reasonable steps to prevent and respond to sexual misconduct
Breaches of the Code of Conduct can result in banning orders — preventing an individual from working in the NDIS — and are taken very seriously by the NDIS Commission.
NDIS Worker Screening
All NDIS providers — registered and unregistered — must ensure that workers who deliver supports are screened before commencing work with NDIS participants. This is one of the most common compliance gaps for small providers.
NDIS worker screening checks are conducted by each state and territory's screening unit. The check assesses whether a person poses an unacceptable risk to people with disability.
Who must have a current screening check:
- All workers (including volunteers) in risk-assessed roles — these are roles that involve direct contact with NDIS participants, or access to their personal information
- Providers must not deploy a worker in a risk-assessed role without a current clearance
What counts as a risk-assessed role:
- Direct delivery of NDIS supports (including support workers, cleaners, gardeners, and others providing in-home supports)
- Roles with access to participant records or financial information
- Management roles that involve oversight of support delivery
Employing a worker without a valid screening check in a risk-assessed role is a serious compliance breach.
NDIS Practice Standards (Registered Providers)
Registered providers must meet the NDIS Practice Standards, which are divided into:
- Core standards — applying to all registered providers
- Supplementary standards — applying to specific support types (e.g., specialist disability accommodation, specialist behaviour support)
Core standards cover:
- Rights and responsibility for participants
- Governance and operational management
- Provision of supports
- Support provision environment
Providers are audited against these standards by an NDIS-approved quality auditor. New providers undergo an initial certification audit before or shortly after registration. Ongoing providers undergo audits at defined intervals (verification audits for lower-risk providers, certification audits for higher-risk ones).
Incident Management and Reporting
Registered providers must have an incident management system and report reportable incidents to the NDIS Commission. Reportable incidents include:
- Death of a participant
- Serious injury of a participant
- Abuse or neglect of a participant
- Unlawful sexual or physical contact
- Unauthorised use of restrictive practices
Incidents must be reported to the NDIS Commission within 24 hours for the most serious events, or within 5 business days for other reportable incidents.
Failure to report incidents is a serious compliance breach. The NDIS Commission has enforcement powers including compliance notices, enforceable undertakings, suspension, and deregistration.
Restrictive Practices
Any use of restrictive practices (physical restraint, chemical restraint, mechanical restraint, seclusion, or environmental restraint) must:
- Be authorised through the applicable state or territory process
- Be part of a behaviour support plan prepared by a registered specialist behaviour support provider
- Be reported to the NDIS Commission
- Be implemented by trained workers only
Unregistered use of restrictive practices — or use without a behaviour support plan — is unlawful and can result in criminal prosecution.
Financial Management
NDIS providers — particularly those acting as financial intermediaries for participants — must manage participant funds in strict accordance with NDIS rules:
- Claims must only be made for services actually delivered
- Services must be delivered in accordance with the participant's plan
- Pricing must comply with the NDIS Price Guide and Catalogue
- Fraudulent claiming is a criminal offence under federal law
The NDIS Commission and the National Disability Insurance Agency (NDIA) actively monitor claiming patterns and investigate irregularities.
Employment Law Obligations for NDIS Providers
NDIS providers also have significant employment law obligations, particularly given the workforce model in the sector. The applicable modern awards include:
- Social, Community, Home Care and Disability Services Industry Award 2010 (SCHADS Award) — the primary award for most disability support workers
The SCHADS Award has complex provisions including:
- Sleepover and active overnight rates
- Broken shift allowances
- Travel time between clients
- Minimum engagement periods for casuals and part-time workers
- Specific overtime and penalty rate structures
The Fair Work Ombudsman has identified the SCHADS Award as one of the most complex and frequently misapplied awards in Australia. Providers regularly underpay workers on travel time, sleepover rates, and minimum engagement provisions.
Worker Safety
NDIS providers have WHS obligations to support workers — including obligations around:
- Violence and aggression from participants or their families
- Manual handling risks (transfers, personal care)
- Lone worker risks (working in private homes without supervision)
- Psychosocial hazards (burnout, emotional labour, vicarious trauma)
A WHS management plan that accounts for these specific risks is essential for NDIS providers.
How Reguladar Helps
NDIS providers face compliance obligations across multiple overlapping regulatory frameworks: the NDIS Commission's Quality and Safeguards Framework, employment law (including the complex SCHADS Award), privacy law, and WHS. Managing all of these independently is extremely challenging for small providers.
Reguladar maps your obligations across all these domains in a single compliance dashboard — including NDIS-specific obligations like worker screening expiry dates, incident reporting timeframes, and audit obligations — so you always know where you stand.
Manage your NDIS compliance obligations in one place. Start your free compliance check at Reguladar and see exactly what applies to your provider business today.