NDIS 24-Hour Rule: From Panic to Playbook
If you deliver NDIS supports, the clock starts the moment a reportable incident is suspected. Here’s how one small provider turned confusion into a clear, documented playbook—so remote teams can act fast, records stay audit-ready for 7 years, and compliance becomes muscle memory.
1) Introduction: The Night the Clock Started Ticking
“It’s 9:14 pm—who’s on call?” Jess, owner of a small NDIS provider, stared at her phone. A support worker had reported a serious allegation. Under the NDIS (Incident Management and Reportable Incidents) Rules 2018, providers must notify the NDIS Commission within 24 hours of reportable incidents and keep related records for at least 7 years. The fear? Misclassification and missed deadlines. The opportunity? Build a system that works even after hours. As Jess later told her team: “Document your business or get out.”
2) The Misclassification Trap (and How to Escape It)
Know what is reportable—and what is managed locally
- Reportable: death, serious injury, abuse or neglect, unlawful sexual or physical contact, sexual misconduct, or unauthorised restrictive practice.
- Usually managed locally: near-misses with no harm, or matters unrelated to NDIS supports.
- Golden rule: any allegation or reasonable suspicion of the above must be reported and escalated to police where required.
“If you might tell a regulator later, tell them now—and tell the police if the law requires.”
Remember: Providers must operate under relevant Australian laws and NDIS Commission rules. When in doubt, escalate and document.
3) Map the 24-Hour Notification Flow
From first report to Commission notification
- Immediate safety first: protect the participant, call emergency services or police as required, and preserve evidence.
- Triage: determine if it’s reportable using a simple decision tree (accessible to all staff, including remote workers).
- On-call escalation: a named senior decision-maker within 15 minutes. No voicemail dead ends.
- Notify the NDIS Commission within 24 hours: lodge via the portal, record reference numbers, and schedule follow-up reporting.
- Communicate and support: inform participants/representatives appropriately and document all steps.
Pro tip:
Create a one-page “Single Source of Truth” SOP: who’s on call, how to classify, how to report, and where records live.
4) Document or Drown: Build the System People Actually Use
Compliance isn’t a binder; it’s a playbook people can follow under pressure. Jess rebuilt her incident management system so remote workers could execute without guesswork.
Make it usable
- Clear roles (RACI): who identifies, who decides, who reports, who reviews.
- Templates: incident form, 24-hour notification checklist, police escalation script.
- Checklists and timers: automated alerts for the 24-hour deadline and follow-up reports.
- Version-controlled wiki: one SOP, one source of truth—no competing PDFs.
- Micro-learning: 5-minute refresher videos and scenario quizzes.
As the NDIS Commission expects, registered providers must implement and maintain a system to record and manage incidents—so design it for real life.
5) After-Hours Drill: Turn Stress into Speed
Jess scheduled a 30-minute tabletop exercise at 9:14 pm (when problems often surface). The team practiced the call tree, classification, and a mock notification.
What they tested
- Who answers after hours (and who backs them up)
- How quickly they identified “reportable” vs “manage locally”
- How they contacted police, when required
- How they captured evidence and created a timestamped record
- How they prepared the 24-hour notification draft in under 60 minutes
The result: fewer bottlenecks, less panic, and a repeatable rhythm.
6) The 7-Year Rule: Audit Your Incident Register Like an Assessor
Make your records audit-strong
Under the Provider Payment Assurance Program, you must keep full and accurate records of supports delivered; gaps can cost you. Jess led a monthly audit of the incident register for completeness and evidence of follow-up.
What to verify
- Incident details, dates/times, and decision rationale
- Evidence preserved and communications logged
- Police/authority escalation where required
- NDIS Commission notification reference numbers and timelines
- Actions taken, outcomes, and participant support provided
- Retention controls to keep records for at least 7 years (aligned to applicable records authorities)
They sampled files, spot-checked fields, and closed gaps. By the end of this month, the team could demonstrate completeness and follow-up—no scrambling.
7) Closing the Loop: Prevention, Training, and Assurance
Compliance isn’t just reporting—it’s prevention. The team embedded root-cause analysis and trend reviews, aligned policies with the NDIS Commission’s information management expectations, and prepared for questions from internal audits or the Commission, which handles complaints about quality and safety.
Make it stick
- Monthly trends dashboard and risk register updates
- Scenario-based refresher training for remote staff
- Policy reviews against NDIS and relevant Australian laws
- Independent spot checks: “trust, but verify”
By now, the challenge was effectively solved: faster decisions, correct classification, complete records, and timely notifications.
8) Your 30-Day Compliance Sprint (Start Today)
Turn intent into action. In the next 30 days:
- Test your 24-hour notification process—including after-hours escalation.
- Audit your incident register for completeness and evidence of follow-up.
- Update your SOPs so they form a single source of truth accessible to all staff.
- Brief your team on reportable vs local management—when in doubt, escalate and document.
- Schedule a mini internal audit to simulate external scrutiny.
Compliance within the NDIS means following the rules set by the NDIA and the NDIS Commission—and proving it with clear, durable records. Build the playbook once; use it every day.