Navigating the New Aged Care Act
From 1 November 2025, many aged care providers may need to operate under both the Aged Care Act 2024 and the Corporations Act 2001. This guide explains the pathways, duties and controls that matter most.
1 November 2025: How to Get It Right
The new Aged Care Act commencing on 1 November 2025 changes the whistleblowing and reporting landscape in material ways. It introduces broader protections, wider reporting pathways, heavier record-keeping and communication obligations, and very real penalties for getting it wrong. From 1 November 2025, many providers may need to operate under two overlapping regimes: the Aged Care Act 2024 (Cth) (Aged Care Act) and the Corporations Act 2001 (Cth) (Corporations Act), for incorporated entities. Treating this as a simple policy refresh is a fast route to breaches, staff confusion, reputational damage and regulatory pain.
This deep-dive outlines the common pitfalls we're seeing as providers prepare for the new framework, and the practical steps to manage risk without overwhelming your people.
Key takeaways
- Many providers will need to manage two overlapping whistleblowing regimes from 1 November 2025.
- Aged care workers, responsible persons and the registered provider itself can all be internal recipients under the new framework.
- A single, clear "front door" such as a managed hotline can reduce confusion and protect confidentiality.
- Monthly whistleblower updates, record-keeping and two-way anonymous communication are operational requirements, not nice-to-haves.
- Training, governance and case management tooling need to match the new obligations.
Two Regimes, One Organisation: The Compliance Maze
The challenge
Providers that are incorporated under the Corporations Act must meet the obligations of both the Aged Care Act whistleblowing framework and the Corporations Act framework. These regimes do not map neatly.
- Aged Care Act: Applies to all registered aged care providers, regardless of corporate structure. It deliberately casts a wider net over who can make a disclosure, who can receive a disclosure and what can be reported.
- Corporations Act: Applies to incorporated entities, with more restricted definitions of who can report, how they can report and what can be reported.
Policy Design Fork in the Road
Do you create two separate policies, or one integrated policy that clearly delineates which rules apply in which scenarios? Either can work, but only if it's explicit, simple for frontline staff, and backed by training and tools. The worst outcome is a blended, vague policy that leaves all stakeholders guessing.
External reporting under the new framework: The new Aged Care Act contemplates four external reporting channels, each with different triggers and expectations:
- Aged Care Quality and Safety Commissioner - the primary regulatory channel.
- Department of Health and Aged Care system governor/designated officials - for systemic issues.
- Police - for suspected criminal conduct.
- Independent aged care advocates - an additional channel that raises real implementation questions for providers (for example, how to recognise, route and respond).
Pitfall to avoid: Failing to map when an issue stays internal versus moves to an external channel, and who decides, creates delay, double-handling and regulatory risk.
Internal Reporting Sprawl: Big Risk, Little Guidance
The Act's internal recipient categories are intentionally broad:
- The registered provider (as an entity)
- Aged care workers (employees, contractors, volunteers)
- Responsible persons (executives, board members and others)
That breadth sounds consumer-friendly, but operationally it's hazardous. It means many untrained people could become first-line recipients of protected disclosures they are not equipped to handle.
Sector Realities Amplify the Risk
- Demanding, shift-based roles (nights, weekends, public holidays) where time and support are limited.
- Minimal compliance experience amongst frontline staff.
- A small, overstretched compliance function that could be swamped if every concern lands in their queue.
Practical answer: Establish a clear "primary front door" for all concerns in the form of a managed hotline backed by a skilled triage team, so that frontline staff can direct (or, with consent, lodge on behalf of) the reporter. That prevents missteps, preserves confidentiality, and reduces the load on scarce experts.
Legal Protections and Organisational Duties: What's New (and Non-Negotiable)
Protections for Reporters
- Immunity from civil, criminal and administrative liability for legitimate disclosures, with two key limits: no protection for people involved in the misconduct itself, or for vexatious or frivolous reports.
- Confidentiality and anonymity rights.
- Reprisal protection that can extend to family members and associates of whistleblowers.
Provider Obligations with Operational Bite
- Monthly updates to whistleblowers on case progress and steps taken.
- Comprehensive record-keeping of every disclosure, action, decision and outcome.
- Training for aged care workers and responsible persons on roles, pathways and protections.
- Platform-based case management that can preserve an indelible audit trail and support two-way anonymous communication.
Penalties with Teeth
- Identity disclosure breaches: up to $10,000 (30 penalty units at $330 each).
- Detriment or threats of detriment: up to $165,000.
- Courts will scale penalties to the severity of the breach.
Pitfall to avoid: Trying to satisfy these obligations with emails, shared drives and ad-hoc spreadsheets. It will not scale, and it will not stand up in an audit or investigation.
Internal vs External Reporting: Getting the Pathways Right
A robust model draws a bright line between internal handling and external escalation, while making it simple for residents, families and workers to speak up safely.
Design Principles
- One clear entry point (hotline or online portal) that is visible, accessible and mobile-friendly.
- Rules-aligned triage that recognises criminality, systemic issues and care-quality concerns, and escalates to the right external channel where required.
- Informed consent workflows for staff who lodge on behalf of residents or families.
- Anonymous two-way chat so investigators can clarify facts without exposing the whistleblower.
Investigations and Case Management: What Good Looks Like
From first contact to closure, every step should be time-stamped, documented and reviewable:
- Intake and risk triage (safety, criminality, vulnerability, regulatory triggers).
- Containment and immediate actions (protect the resident, secure evidence).
- Investigation plan (scope, roles, timelines, escalation criteria).
- Regular monthly communications to the whistleblower.
- Findings and outcomes (substantiated/unsubstantiated, remediation, referrals).
- Root-cause analysis and learning loop into quality systems.
Tool Matters: Core+ | The Engine Behind Every Program
All of our programs are powered by Core+, a secure, cloud-based ethics reporting and case management platform designed for 24/7 access across any device. Fully customisable, Core+ adapts to your organisation's structure, industry and legal obligations.
Built for trust and security, it enables two-way anonymous communication, keeping reporters safe while allowing genuine dialogue and follow-up. The integrated case management system captures every interaction with indelible audit logs, ensuring compliance and transparency.
With search, reporting and dashboard capabilities, Core+ gives your team real-time insights to strengthen risk management, track trends and demonstrate due diligence - everything you need to manage disclosures confidently and compliantly.
Roles and Accountability: Set Your Governance Now
- Responsible persons (executives, board) need briefings tailored to both regimes: duties, decision rights, escalation thresholds, reporting lines.
- Clinical and operational leaders require playbooks that simplify complexity into "if this, then that" flows.
- Frontline workers need bite-size training they can actually use at 3am on a public holiday.
Pitfall to avoid: Generic e-learning that teaches definitions but not what to do next.
The Most Common Go-It-Alone Pitfalls
- Vague, blended policy that confuses regimes and recipients.
- No single front door: reports scatter to managers, reception, HR and supervisors.
- Well-meaning mishandling by untrained staff (breaching confidentiality, asking improper questions, delaying escalation).
- Email-based case handling with no audit trail or anonymous channel.
- Missed monthly updates and poor record-keeping.
- Overloading the compliance team because frontline triage doesn't filter or route properly.
- Unprepared leaders who make ad-hoc calls under pressure.
How Core Integrity Helps and De-Risks Your Program
- Make the Hotline Your Primary Front Door: Our managed Speak Up Integrity Hotline catches reports before they are mishandled, supports anonymous two-way communication, and guides triage against both regimes.
- Dual-Regime Program Reviews: Rapid, structured reviews to test your readiness under the Aged Care Act and Corporations Act across policy, processes, training, tooling and governance.
- Executive and Board Briefings: Short, high-impact sessions for responsible persons focused on decisions, thresholds and personal accountability.
- Clinical, Operational Leader and Frontline Worker Training: Practical, hands-on sessions with clear "if this, then that" process flows.
- Policy and Template Suite: A practical, regime-delineated policy framework plus intake scripts, triage flows, monthly-update templates and investigation checklists.
- Core+ Platform: Secure, cloud-based ethics reporting and case management platform designed for 24/7 access across any device. Enables two-way anonymous communication, an integrated case management system with indelible audit logs, and search, reporting and dashboard capabilities.
- Investigation Support: Specialist investigators who understand clinical settings, resident vulnerability and evidentiary standards.
Outcome: Less risk, less noise for your compliance team, and a defensible, humane response for residents and families.
Quick Readiness Checklist
- Clear, regime-delineated policy (or two policies) that staff can actually use.
- Single front door hotline or portal visible to workers, residents and families.
- Scripts and flows for frontline staff, including after-hours.
- Platform with anonymous chat, audit trail and monthly-update automation.
- Training tailored to responsible persons, leaders and frontline workers.
- External escalation map (Commissioner / Department / Police / Advocates).
- Board reporting with trend analysis and systemic-risk insights.
Final Thought
The intent of the reform is right: make it safer and easier to speak up, and ensure providers act. But the breadth of the Aged Care Act's whistleblowing framework, combined with ongoing Corporations Act duties where applicable, creates real operational traps. You do not need a bigger compliance team; you need a smarter operating model: one front door, clear pathways, fit-for-purpose tooling and people trained to use them. We can help.
FAQ
What changes for aged care providers on 1 November 2025?
From 1 November 2025, the new Act broadens who can disclose, who can receive disclosures and what can be reported. It also increases record-keeping, monthly update and training obligations, with penalties if providers get it wrong.
Do incorporated providers need to follow both Acts?
Yes. If an aged care provider is incorporated, it may need to comply with both the Aged Care Act whistleblowing framework and the Corporations Act framework. The two regimes do not map neatly, so providers need a clear policy that shows which rule applies in each scenario.
Why is a managed hotline important?
A single front door reduces confusion and keeps disclosures out of ad-hoc channels such as manager inboxes or shared drives. It also helps preserve confidentiality, supports triage, and gives frontline staff a safe way to direct or lodge concerns on behalf of others.
What penalties are there for getting it wrong?
Breaches can attract penalties including up to $10,000 for identity disclosure breaches and up to $165,000 for threats of detriment. Courts can scale penalties to the severity of the breach.