NDIS Incident Management and Reporting: A Provider's Guide to Compliance

A critical breakdown of reportable incidents under the NDIS Commission—understanding the 24-hour vs 5-day notification rules, managing risks, and keeping audit-ready internal records.

Incident management is one of the most scrutinised areas in any NDIS audit. The NDIS Quality and Safeguards Commission has clear, non-negotiable timelines for reporting certain events — and providers who miss them, even unintentionally, face serious consequences including conditions on registration, enforceable undertakings, and civil penalties.

This guide explains exactly which incidents must be reported, when they must be reported, and what your internal records must look like to demonstrate compliance.


What Is a Reportable Incident Under the NDIS?

Under the NDIS (Incident Management and Reportable Incidents) Rules 2018, registered NDIS providers are legally required to notify the NDIS Commission of specific events that occur in connection with the delivery of supports or services to participants.

A reportable incident is any of the following that occurs in connection with the delivery of NDIS supports:

  • The death of an NDIS participant
  • Serious injury of an NDIS participant
  • Abuse or neglect of an NDIS participant
  • Unlawful sexual or physical contact with, or assault of, an NDIS participant
  • Sexual misconduct committed against, or in the presence of, an NDIS participant
  • The use of a restrictive practice in relation to an NDIS participant where the practice has not been authorised

Two separate reporting timelines apply depending on the nature of the incident.


The Two Reporting Timelines: 24 Hours vs 5 Business Days

Understanding which timeline applies to which incident is not optional — it is a core compliance obligation. Confusing them is one of the most common audit findings.

24-Hour Reportable Incidents

Certain incidents are so severe that the NDIS Commission requires initial notification within 24 hours of the provider becoming aware of the event.

These incidents include:

  • Death of an NDIS participant — regardless of whether it occurred during a support session or was discovered later by a worker
  • Serious injury — including injuries that require hospitalisation, surgery, or ongoing medical treatment (e.g., fractures, internal injuries, significant head trauma)
  • Abuse or neglect — whether physical, psychological, emotional, financial, or sexual in nature
  • Unlawful physical or sexual contact — including assault, sexual assault, or any contact of a criminal nature against a participant
  • Sexual misconduct — including inappropriate grooming behaviour, exposure, or exploitation

The 24-hour notification must be submitted to the NDIS Commission via the myNDISProvider portal. This initial notification does not need to be a completed investigation — it is a preliminary alert that the event has occurred. A full written report is required within five business days.

What "within 24 hours" means in practice: The clock starts when any worker, manager, or representative of the provider becomes aware of the incident — not when a formal report is written, not when a manager is notified, and not when the incident is verified internally. Awareness triggers the obligation.

5-Business-Day Reportable Incidents

Other incidents require notification within five business days of the provider becoming aware of the event.

These include:

  • Unauthorised use of a restrictive practice — for example, using physical restraint, chemical restraint, mechanical restraint, seclusion, or environmental restraint without proper state/territory authorisation or behaviour support plan approval
  • Any reportable incident that did not initially require 24-hour notification but that becomes apparent as meeting the criteria upon further review

The five-business-day window allows providers time to gather more information about the incident context before notifying the Commission. However, this does not mean investigation must be complete — notification should occur as soon as it is clear a reportable incident has taken place.


The Full Investigation Report: What Must Be Submitted

Whether a 24-hour or five-business-day notification applies, all reportable incidents require a full written report submitted to the NDIS Commission within five business days of the provider becoming aware of the incident.

The full report must include:

  • A description of the incident, including date, time, and location
  • The name of the participant(s) involved
  • The name(s) of any staff members or other persons involved
  • The immediate actions taken in response to the incident
  • Any actions taken to safeguard the participant
  • Whether police or other emergency services were contacted
  • Whether the participant's family or nominees were notified
  • What internal investigation process is underway or planned

Providers are strongly encouraged to document this information at the time of incident, not retrospectively. Reconstructed timelines are a significant audit risk.


Internal Incident Management: Your Obligations Beyond Reporting

Reporting to the Commission is only one part of your legal obligation. Registered providers must also maintain an internal incident management system that meets the requirements of the NDIS Practice Standards.

Incident Register

Your incident register must:

  • Record all incidents that occur in connection with service delivery — not just reportable ones
  • Be kept up to date and accessible to your organisation's management
  • Include near-misses and events that did not cause harm but indicated risk
  • Be reviewed regularly as part of your quality management processes

Root Cause Analysis

For serious incidents, particularly those reported to the Commission, providers are expected to conduct a root cause analysis that:

  • Identifies why the incident occurred
  • Examines contributing factors (staffing, environment, systems, communication failures)
  • Results in documented corrective actions
  • Is reviewed to confirm corrective actions were implemented

Participant Notification

Providers must notify the affected participant (and, where appropriate, their family or nominated representative) about serious incidents. This notification should be documented, including the date, method, and what was communicated.


Common Compliance Failures

The following are the most frequently cited incident management failings identified during NDIS Commission investigations and audits:

1. Delayed awareness-to-notification pipeline: Incidents are reported by a support worker to a team leader but are not escalated to the person responsible for Commission notifications within the required timeframe. This systemic delay — even if each individual link in the chain acted reasonably — can constitute a breach.

2. Misclassifying incident severity: Providers sometimes report a serious injury as a minor incident because the participant did not go to hospital immediately, or because the injury appeared less serious than it turned out to be. When additional medical information emerges later, providers are obligated to re-assess and re-report if necessary.

3. Unauthorised restrictive practices reported late or not at all: Some providers are unaware that a behaviour support plan must specifically authorise every type of restrictive practice used, and that using any unauthorised practice — even briefly, even with good intent — is a reportable incident that falls within the five-business-day window.

4. Incomplete internal records: The Commission's investigators frequently find that incident reports submitted to the portal are inconsistent with internal records, or that internal records are incomplete, unsigned, or written days after the event occurred.

5. No follow-through on corrective actions: Identifying a corrective action in a root cause analysis and then failing to implement or document it is treated as a compliance failure in itself.


Restrictive Practices: A Closer Look

Restrictive practices are one of the most complex areas of incident management. Providers must understand the distinction between authorised and unauthorised use.

Authorised Restrictive Practices

A restrictive practice is authorised when:

  • It is included in a behaviour support plan developed by a registered behaviour support practitioner
  • It has received the relevant state or territory authorisation (for example, from the Senior Practitioner in Victoria or the Queensland Civil and Administrative Tribunal in Queensland)
  • It is used in accordance with the plan and only to the extent required

Even authorised restrictive practices must be reported and documented in accordance with your state or territory requirements.

Unauthorised Restrictive Practices

Any use of a restrictive practice that falls outside the above — including "emergency" use not covered by a plan — must be reported to the NDIS Commission within five business days. There is no exception for situations where a worker believed they had no choice.


What NDIS Commission Auditors Look For

When auditors examine your incident management compliance, they are looking for three things:

1. Completeness — Were all incidents captured, including near-misses and lower-severity events that did not reach the Commission threshold?

2. Timeliness — Is there documentary evidence that notification occurred within the required window, and that investigation and corrective actions followed promptly?

3. Integrity — Are internal records consistent with Commission submissions? Are they contemporaneous (written at the time) rather than reconstructed? Are they signed, timestamped, and traceable to a specific worker or manager?

The third point is where many providers struggle. A well-meaning record written three days after an incident with no timestamp looks very different in an audit to one submitted within hours with a clear author trail.


Building an Audit-Ready Incident Management System

There is no single prescribed format for an NDIS-compliant incident management system. What the Commission looks for is consistency, completeness, and evidence that your system is actively used — not just documented in a policy that sits in a folder.

Practical steps for building a robust system:

  • Train all staff on what constitutes a reportable incident and how to escalate immediately
  • Create a clear internal escalation pathway with named roles and response timeframes
  • Use standardised incident report templates that capture all required fields at the time of the event
  • Review your incident register at least monthly at a management level
  • Ensure your behaviour support practitioner reviews any restrictive practice data quarterly
  • Store all incident documentation in a secure, access-controlled system with timestamped entries

Keeping Your Records Secure and Audit-Ready

One of the most effective ways to protect your organisation during an NDIS Commission audit is to maintain a secure, timestamped documentation trail — one that proves not just what was recorded, but exactly when it was recorded and by whom.

Platforms like Provider Shield are designed with this in mind, giving NDIS providers a structured environment to capture compliance documentation, generate timestamped records, and maintain a clear audit trail that holds up under Commission scrutiny. When an auditor asks whether your records are contemporaneous and traceable, the answer should be demonstrable — not just stated.


Summary

Incident Type | Notification Timeline | Full Report Due
Death of a participant | 24 hours | 5 business days
Serious injury | 24 hours | 5 business days
Abuse or neglect | 24 hours | 5 business days
Unlawful physical/sexual contact | 24 hours | 5 business days
Sexual misconduct | 24 hours | 5 business days
Unauthorised restrictive practice | 5 business days | 5 business days

NDIS incident management is not a box-ticking exercise. The rules exist because the people receiving your supports deserve safety and accountability. Providers who build systems that genuinely capture, investigate, and learn from incidents are not just compliant — they deliver better services.

If you are unsure whether your current incident management system would withstand an audit, now is the right time to find out — before the Commission does it for you.
