u/Few-Opening6935

Small NDIS provider trying to understand what is actually “reasonable” for data/security compliance

I am working within a small NDIS-based organisation and am building an internal system for automating operational workflows within the organisation.

We're not building or selling a SaaS product; this is purely for internal organisational use.

We obviously handle a lot of sensitive participant information and are trying to understand what level of infrastructure/compliance is realistically expected under Australian privacy and NDIS obligations for organisations at our scale.

A lot of online discussions jump straight to enterprise HIPAA-style infrastructure, expensive compliance platforms, or fully custom AWS setups, which honestly seem operationally excessive for a smaller provider like us.

We already operate under the Privacy Act, APPs, NDIS Practice Standards, have internal access controls, retention policies, breach procedures etc, and our privacy policy explicitly discloses the use of operational systems and AI assisted tools under controlled conditions.

The question is more around:

  • what is considered “reasonable steps” in practice for infrastructure/security?
  • whether managed platforms like Render/Railway are realistically acceptable for internal systems
  • and where the actual legal/compliance boundary tends to sit for smaller NDIS organisations

Would appreciate hearing from anyone familiar with privacy, health tech, NDIS compliance, or Australian operational/legal expectations in practice.

u/Few-Opening6935 — 5 days ago

How are small healthcare/NDIS orgs handling compliance without paying for massive enterprise infrastructure?

I'm working within an NDIS-based organisation in Australia.

I have been using Render for quite a while now and it works great, and I tried to actually build, deploy and test a system to manage our operations on Render, and it works great.

But the thing is that my scale is not that much (100 users) and I would probably be satisfied with the Pro tier.

But to get the HIPAA-compliant workspace I would have to spend approximately $500, and that is way too much because I only need like $20 worth of compute.

And even if I try to process data based on the other compliance and security certifications (because HIPAA doesn't apply to us, the APPs do), Render still has that clause within its policies that we are not allowed to process any PHI without a signed BAA, and we would be breaching the policy if we do actually do that.

Before you guys come at me with a pitchfork, I am looking for guidance right now and would really appreciate some support from experienced peeps around how and where I can actually deploy my systems without breaking the bank (and hopefully not blow my brains out managing infrastructure).

u/Few-Opening6935 — 5 days ago