What the NDIS Practice Standards actually require from your software
The NDIS Practice Standards set out the quality outcomes that registered NDIS providers must achieve. They are not a checklist — they are a framework of outcome indicators that auditors assess through interviews, record reviews, and participant feedback. Understanding which modules apply to your registration and what evidence each module requires is the first step in evaluating whether your software is actually supporting compliance or merely sitting alongside it. The Standards are divided into core modules applicable to all registered providers and specialist modules that apply depending on the supports delivered.
The Rights and Responsibilities module, core to all registrations, requires that participants are informed of their rights, that they have access to independent advocacy, and that their privacy is protected. In software terms, this means maintaining records of how consent was obtained, documenting that privacy notices were provided, and ensuring that access controls prevent staff from viewing records outside their authorised scope. Role-based access control isn't a nice-to-have feature; it is the mechanism by which you demonstrate that participant privacy is actively managed, not just promised in a policy document.
The Support Provision Environment module requires documented evidence that participant needs are assessed, that supports are planned and agreed to, and that plan implementation is monitored against agreed goals. Goal documentation must exist, be linked to service agreements, and show evidence of review. In practice, auditors look for whether the software allows goals to be recorded with target dates and review schedules, whether progress notes are linked to goals, and whether there is a mechanism for flagging when a goal review is overdue. Systems that store goals as free-text fields with no structured tracking cannot generate the evidence trail the Standards require.
The Incident Management module applies to all providers and is among the most closely audited. It requires a formal incident management system, mandatory reporting of reportable incidents to the NDIS Commission, documented investigation processes, and evidence that learnings are fed back into practice. The module is operationally demanding: a reportable incident notification must reach the Commission within 24 hours of the provider becoming aware, a five-day follow-up report must document preliminary investigation findings, and a final report must close out the investigation within a legislated timeframe. Software must support each of these workflow stages with status tracking, automated reminders, and audit-ready documentation.
Specialist modules introduce additional requirements. The High Intensity Daily Personal Activities module requires documented evidence of specific competencies for staff delivering high-intensity supports. The Behaviour Support module requires that behaviour support plans are developed by a qualified practitioner, that all staff supporting the participant have read and understood the plan, and that implementation is monitored. The Specialist Disability Accommodation module requires tenancy agreements, property inspection records, and vacancy management documentation. Each of these creates structured data requirements — not just storage of documents, but workflows that ensure the right people have the right information at the right time, with an evidence trail that survives an audit.