If your practice sees NDIS participants, or if you are thinking about becoming a registered NDIS provider, the compliance landscape can feel complicated at first. The NDIS Quality and Safeguards Commission has fairly detailed requirements, and the registration and re-registration process involves an independent audit. But once you understand the structure, it is actually quite logical.
This guide covers the essentials: what NDIS registration involves, the difference between verification and certification audits, the Practice Standards your practice needs to meet, and how to keep your compliance in good shape between registration renewals.
Why NDIS Registration Matters for Healthcare Providers
Not all providers who support NDIS participants need to be registered. For some lower-risk support types, a provider can operate as an unregistered provider if participants are self-managing or plan-managing their funding. But registration opens up the full participant market, allows you to deliver certain higher-risk support categories, and signals to referrers and participants that you have been independently assessed against the NDIS Practice Standards.
For GP practices, allied health clinics, physiotherapy practices, occupational therapy services, speech pathology, psychology, and other healthcare providers, NDIS registration is often worth pursuing for the credibility alone, let alone the funding access it enables.
The NDIS Practice Standards: What You Are Actually Measured Against
The NDIS Practice Standards are the framework that sets out what the NDIS Quality and Safeguards Commission expects from registered providers. They are organised into a core module and a series of supplementary modules based on the support types you deliver.
The Core Module applies to all registered providers and covers:
- Rights and Responsibilities -- participants must be treated with dignity and respect, and providers must have clear processes for supporting their rights, including complaints and feedback mechanisms.
- Governance and Operational Management -- your practice needs documented governance structures, risk management processes, financial management policies, and workforce management systems.
- Provision of Supports -- this covers how you assess, plan and deliver supports in partnership with participants, including support planning, transitions, and continuity of supports.
- Support Provision Environment -- your premises and equipment must be safe and appropriate for the supports you deliver.
Beyond the core, there are supplementary modules for more complex or higher-risk support types. For most healthcare providers delivering therapeutic supports, the Core Module plus the relevant supplementary module will apply. The NDIS Commission publishes the full list of registration groups and which modules each one requires, and this is worth checking carefully when you first apply.
Verification vs Certification Audit: Understanding the Difference
The type of audit your practice needs depends on which registration groups you are applying for. This distinction matters because it significantly affects cost, preparation time and the depth of assessment involved.
Verification audits are document-based reviews conducted by an approved quality auditor. The auditor checks that your practice has the policies, procedures and evidence required under the Practice Standards. There is no site visit and no staff interviews. Verification applies to lower-risk registration groups where the supports delivered are less complex and the potential for harm to participants is more limited.
Certification audits are significantly more thorough. They involve a site visit, interviews with practice leaders and staff, observation of service delivery, and review of participant records. The auditor assesses not just whether your documentation exists, but whether your practice is genuinely operating in line with the Standards in day-to-day practice. Certification applies to higher-risk registration groups and is a more substantial undertaking that requires more time and preparation.
Both audit types are conducted by auditors approved by the NDIS Commission, not by the Commission itself. You choose your auditor from the Commission's approved list and pay for the audit directly. Costs vary between auditors, so getting quotes from a few before you commit is sensible.
One important detail for certification pathway providers: you will also face a midterm audit at approximately the 18-month mark. The midterm audit focuses specifically on governance and operational management, and it catches a lot of providers off guard if they have let their compliance maintenance slide since initial registration. If you are on the certification pathway, the 18-month mark deserves as much preparation attention as the initial registration audit.
The Registration Process Step by Step
The initial NDIS provider registration process runs through the NDIS Commission's online portal (myplace for providers). At a high level, the steps are:
- You create an account and submit your registration application, including the registration groups you want to be approved for.
- The Commission reviews your application and confirms which audit type is required.
- You engage an approved quality auditor and complete the required audit.
- The auditor submits their report to the Commission.
- The Commission reviews the audit report and makes a registration decision.
- If approved, you receive a Certificate of Registration valid for three years.
The audit is the part where most practices spend the majority of their preparation time, and for good reason. If your policies and procedures are not in place, or if staff cannot demonstrate that they understand their obligations, the audit will surface those gaps.
Getting your documentation in order before you engage an auditor is the most valuable thing you can do to control the timeline and cost of the process. Tools like ClinicComply are built specifically for this -- mapping your evidence directly to the Practice Standards so nothing gets missed before audit day.
Re-Registration: The Ongoing Compliance Cycle
NDIS registration is not a one-time achievement. Your Certificate of Registration lasts for three years, after which you need to renew. Re-registration involves another audit, and the bar does not drop because you are renewing rather than registering for the first time.
The common mistake is treating re-registration the same way many practices treat RACGP accreditation: as a project that kicks off in the months before the deadline. That approach almost always produces a stressful, compressed preparation exercise. Policies that have not been reviewed since the last registration. Incident records that have not been maintained consistently. Worker screening details that have lapsed or are no longer up to date.
The practices that move through re-registration smoothly are the ones that have been maintaining their compliance continuously. Policy reviews happen on a schedule. Incident reporting is done correctly at the time, not reconstructed. Worker screening status is tracked so renewals don't slip. When the auditor arrives, there is evidence to show rather than a paper trail to rebuild.
Worker Screening: A Compliance Requirement That Often Gets Overlooked
Every worker in your practice who delivers NDIS supports, or who has more than incidental contact with NDIS participants, needs a valid NDIS worker screening check. This is separate from a Working With Children Check or a standard police check. The NDIS worker screening check is administered by the worker screening unit in each state and territory, and it needs to be renewed periodically.
Tracking worker screening status across your team is a compliance obligation that sits with the practice, not with individual workers. If someone's screening lapses and they continue delivering supports, that is a compliance breach. Keeping a centralised record of all screening expiry dates, and having a process for renewing them in advance, is the kind of system that prevents this from becoming a problem.
Incident Reporting Under the NDIS
Registered NDIS providers are required to report certain incidents to the NDIS Commission within specified timeframes. Reportable incidents include death of a participant, serious injury, abuse, neglect, unlawful sexual or physical contact, and use of unauthorised restrictive practices. The timeframes are strict: serious incidents must be notified to the NDIS Commission within 24 hours of the provider becoming aware of them. Unauthorised restrictive practices must be reported within five business days. Missing these deadlines is a compliance breach in its own right, separate from the incident itself.
Most healthcare providers will never deal with the most serious categories of reportable incidents. But all providers need a documented incident management system that covers how incidents are identified, recorded, managed and reported, and how your practice learns from them. Having this system in place and demonstrably used in practice is an audit requirement, not optional documentation.
Keeping NDIS Compliance Manageable
The NDIS Practice Standards are not designed to be overwhelming. They are designed to ensure that participants receive safe, quality supports from providers who have genuine systems behind their services. A well-run healthcare practice would already be doing most of what they require in some form.
The challenge is documentation and consistency. Auditors cannot assess what they cannot see. If your practice has solid clinical governance, good risk management, and a genuine commitment to participant rights, the task is making sure all of that is documented, current and accessible.
ClinicComply maps your NDIS Practice Standards compliance across a live checklist, so you always know which requirements are met, which are in progress and where your gaps are. Deadlines for policy reviews and worker screening renewals are tracked automatically, so nothing slips between registration cycles. Start your free 30-day trial at cliniccomply.com.au.