Does this satisfy CMS-0057-F?
Yes. The Da Vinci PAS, CRD, and DTR FHIR endpoints CMS will require by January 1, 2027 are already in production. They are public, documented, and exercised by automated tests against the example bundles HL7 publishes alongside the rule.
Does this satisfy the 2024 MA Final Rule?
Yes. When traditional Medicare publishes a coverage rule for a service, our system follows it first — before any commercial or internal criterion. That ordering is part of the platform’s code path, not a runtime configuration the operator could accidentally bypass.
What about HIPAA’s audit-trail requirement?
Every action the system takes — every case status change, every reviewer override, every determination dispatch — is recorded in a tamper-evident log. If a record were altered after the fact, we can prove it. The log is append-only by policy and by database constraint; nobody (including an internal administrator) can edit or delete a row without that change itself becoming visible.
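The per-row cryptographic linkage described above can be illustrated with a hash chain: each audit row carries the hash of the row before it, so editing or deleting any row breaks the chain at a verifiable position. The following is an added example written for this page, not AuthMatch's own code; the event names, actor ids and payloads are constructed, and the database constraint that forbids UPDATE/DELETE on the real table is not modelled here, only the linkage that makes an after-the-fact alteration visible.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # sentinel "previous hash" for the very first row


def row_digest(prev_hash, seq, actor, action, payload):
    """SHA-256 over a canonical JSON encoding of the row's content plus the
    previous row's hash. Sorted keys and fixed separators guarantee that the
    same row always produces the same digest."""
    body = json.dumps(
        {"prev": prev_hash, "seq": seq, "actor": actor,
         "action": action, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AuditLog:
    """In-memory stand-in for an append-only audit table (assumed shape)."""

    def __init__(self):
        self.rows = []

    def append(self, actor, action, payload):
        prev_hash = self.rows[-1]["hash"] if self.rows else GENESIS_HASH
        seq = len(self.rows)
        row = {
            "seq": seq,
            "prev": prev_hash,
            "actor": actor,
            "action": action,
            "payload": copy.deepcopy(payload),  # freeze the caller's dict
        }
        row["hash"] = row_digest(prev_hash, seq, actor, action, row["payload"])
        self.rows.append(row)
        return row

    def verify(self):
        """Walk the chain from the genesis sentinel. Returns (True, None) when
        every row's sequence number, back-link and hash check out, otherwise
        (False, seq) naming the first row at which the chain breaks."""
        expected_prev = GENESIS_HASH
        for position, row in enumerate(self.rows):
            recomputed = row_digest(row["prev"], row["seq"], row["actor"],
                                    row["action"], row["payload"])
            if (row["seq"] != position
                    or row["prev"] != expected_prev
                    or row["hash"] != recomputed):
                return False, row["seq"]
            expected_prev = row["hash"]
        return True, None


def build_sample_log():
    """Constructed sample: three events of the kinds the page lists
    (status change, reviewer override, determination dispatch)."""
    log = AuditLog()
    log.append("intake-svc", "case.status_changed",
               {"case_id": "CASE-0001", "from": "new", "to": "in_review"})
    log.append("reviewer:jdoe", "determination.overridden",
               {"case_id": "CASE-0001", "ai": "deny", "reviewer": "approve",
                "reason": "Recent imaging in the chart satisfies criterion B.2"})
    log.append("dispatch-svc", "determination.dispatched",
               {"case_id": "CASE-0001", "channel": "fhir-pas"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.rows[1]["payload"]["reviewer"] = "deny"   # simulate an edit in place
    print("after edit:", log.verify())
```

A verifier that runs this walk on a schedule (or on demand during an audit) turns "nobody can silently edit a row" from a policy statement into a check whose failure names the row in question; pairing it with a periodic external anchor of the latest hash also makes wholesale truncation of the tail detectable.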
What happens when a reviewer disagrees with the AI?
The reviewer overrides the AI. Every override carries the reviewer’s identity, the time, and a written reason of at least 20 characters — the audit row preserves all three. The platform never finalises a determination on its own; a licensed reviewer must sign every outcome. A denial additionally requires at least one specific, guideline-cited reason mapped to an unmet criterion before the determination can be finalised.
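The finalisation rules above (reviewer signature, 20-character override reason, denial anchored to a cited unmet criterion) are the kind of check that belongs in one validation function that every finalise path must pass through. The block below is an added example written for this page, not AuthMatch's own code; the data classes, field names and the constructed criteria ids are assumptions, and the 20-character floor is the one the page states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

MIN_OVERRIDE_REASON_CHARS = 20  # floor stated on the page


@dataclass
class CriterionResult:
    """One guideline criterion as evaluated against the patient's chart."""
    criterion_id: str
    met: bool
    citation: Optional[str] = None  # guideline text it anchors to; None = AI could not anchor it


@dataclass
class Determination:
    case_id: str
    ai_recommendation: str                  # "approve", "deny" or "indeterminate"
    criteria: List[CriterionResult]
    outcome: Optional[str] = None           # what the reviewer signs
    reviewer_id: Optional[str] = None
    signed_at: Optional[datetime] = None
    override_reason: str = ""
    denial_reasons: List[str] = field(default_factory=list)  # criterion ids cited as unmet


def finalize_violations(d: Determination) -> List[str]:
    """Every rule that must hold before a determination may be finalised.
    An empty list means the case may close."""
    problems = []
    if not d.reviewer_id or d.signed_at is None:
        problems.append("no licensed-reviewer signature")
    if d.outcome not in ("approve", "deny"):
        problems.append("outcome must be 'approve' or 'deny'")
    is_override = d.outcome != d.ai_recommendation
    if is_override and len(d.override_reason.strip()) < MIN_OVERRIDE_REASON_CHARS:
        problems.append(f"override reason shorter than {MIN_OVERRIDE_REASON_CHARS} characters")
    if d.outcome == "deny":
        # Only criteria that are both unmet AND anchored to guideline text count.
        cited_unmet = {c.criterion_id for c in d.criteria if not c.met and c.citation}
        if not any(r in cited_unmet for r in d.denial_reasons):
            problems.append("denial cites no guideline-anchored unmet criterion")
    return problems


def finalize(d: Determination) -> dict:
    """Return the audit row for a valid finalisation; raise otherwise."""
    problems = finalize_violations(d)
    if problems:
        raise ValueError("; ".join(problems))
    is_override = d.outcome != d.ai_recommendation
    return {
        "case_id": d.case_id,
        "outcome": d.outcome,
        "reviewer_id": d.reviewer_id,
        "signed_at": d.signed_at.isoformat(),
        "override": is_override,
        "override_reason": d.override_reason if is_override else None,
        "denial_reasons": list(d.denial_reasons),
    }


def sample_criteria() -> List[CriterionResult]:
    """Constructed sample: two anchored criteria and one the AI could not anchor."""
    return [
        CriterionResult("A.1", met=True, citation="EXAMPLE-GUIDELINE §A.1"),
        CriterionResult("B.2", met=False, citation="EXAMPLE-GUIDELINE §B.2"),
        CriterionResult("C.3", met=False, citation=None),  # indeterminate
    ]


if __name__ == "__main__":
    d = Determination("CASE-0001", "deny", sample_criteria(), outcome="deny",
                      reviewer_id="reviewer:jdoe",
                      signed_at=datetime(2025, 1, 15, tzinfo=timezone.utc),
                      denial_reasons=["B.2"])
    print(finalize(d))
```

Keeping the rules in `finalize_violations` rather than scattered across UI handlers is what makes "there is no code path that finalises without a signature" a property you can assert in a test rather than a promise.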
What records do you keep, for how long?
Case artefacts (intake records, supporting documents, criteria results, determination letters, audit log entries) are retained for ten years from the date of service — satisfying the Medicare Advantage record-retention floor at 42 CFR 422.504(d)(2). No tenant-initiated hard delete is permitted before that horizon; any deletion within it is a soft-delete governed by the retention policy.
What about PHI handling and AI?
Clinical text is sent only to large-language-model endpoints that operate under a countersigned Business Associate Agreement (AWS Bedrock or Azure OpenAI in their BAA-eligible configurations). Public LLM APIs — OpenAI’s public API, Anthropic’s public API, third-party proxies — are blocked at the platform’s configuration boundary, not by reviewer discipline.
Can we revoke access?
Yes — per user, per organization, immediate. Revocation is recorded in the audit log like every other identity event. The platform does not allow long-lived static tokens; access is mediated through short-lived sessions tied to a verified identity.
What about content licensing risk?
AuthMatch does not redistribute licensed third-party clinical-criteria content. The corpus we ingest is public-domain CMS content (NCDs, LCDs, and MAC Articles). Organizations that license third-party content separately can upload their own copies into a tenant-scoped library — under their own license, never ours. No third-party content-licensing audit finding can trace back to our corpus.
| Control | Citation | How AuthMatch satisfies it |
|---|---|---|
| Tamper-evident audit log | 45 CFR 164.312(b) | Append-only, per-record cryptographic linkage; alteration becomes visible. |
| Role-based access controls | 45 CFR 164.312(a)(1) | Every action gated on a verified identity; reviewer / senior-reviewer / medical-director / compliance-admin / tenant-admin separation. |
| Per-organization data segregation | 45 CFR 164.502(b)(1) | Every database query is scoped to the organization that owns the record; cross-organization reads are not permitted by either policy or platform rule. |
| Encrypted at rest and in transit | 45 CFR 164.312(a)(2)(iv), 164.312(e)(2)(ii) | AES-256 storage encryption; TLS 1.2+ on every external transport; KMS-managed keys. |
| Business Associate Agreement coverage | 45 CFR 164.504(e) | BAA on file with each tenant before any PHI is processed. PHI uploads from tenants without a countersigned BAA are rejected at the platform layer. |
| Reviewer-override rationale + identity | 42 CFR 422.566 (MA appeals reasonableness) | Every override records reviewer identity, timestamp, and a written reason ≥20 characters in the audit log. |
| Coverage-rule precedence (MA cases) | 88 FR 22120 · 42 CFR 422.101(b)(6) | Traditional Medicare coverage criteria take precedence over commercial or internal criteria when both apply. |
| Da Vinci PAS / CRD / DTR endpoints | 89 FR 7987 · 42 CFR 422.122(b) | FHIR R4 endpoints in production today; conformance test suite exercised against HL7-published example bundles. |
| Ten-year record retention | 42 CFR 422.504(d)(2) | Soft-delete only; case artefacts retained ten years from date of service. |
| Pinned guideline at intake | Internal · case version-pinning | The guideline that controls a case is recorded with the case at intake. Subsequent CMS revisions never retroactively change a case’s controlling rule. |
- No automatic determinations. The AI prepares draft criteria and a recommended outcome. A licensed reviewer signs every decision. There is no platform code path that finalises a case without a reviewer signature.
- No third-party content redistribution. Licensed third-party clinical-criteria libraries are not included or repackaged. Organizations that license those libraries themselves upload their own copies under their own license.
- No PHI to non-BAA endpoints. Clinical text never reaches an AI service that is not operating under a HIPAA BAA. Public AI APIs are blocked at the configuration layer.
- No cross-tenant training. Tenant clinical documents never enter a fine-tuning corpus or a shared embedding cache that crosses organizational boundaries.
- No silent guideline drift. The controlling rule for a case is pinned at intake. CMS may revise an NCD next month; cases adjudicated this month remain bound to the rule they were opened under.
- No fabricated citations. Criteria the AI cannot anchor to specific text in the patient’s documents are flagged as indeterminate. The reviewer is required to make the determination — the AI does not invent a citation to fill the gap.
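Guideline pinning, as described in the table row above and in the "no silent guideline drift" commitment, amounts to a versioned, append-only policy library plus a case record that stores the version it was opened under and resolves its controlling rule from that pin rather than from "whatever is current". The block below is an added example written for this page, not AuthMatch's own code; the guideline id, dates and text are constructed, and the `PolicyLibrary` and `Case` shapes are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class GuidelineVersion:
    guideline_id: str   # constructed id, e.g. "EXAMPLE-NCD-1"
    version: int
    effective: date
    text: str


class PolicyLibrary:
    """Versioned store: revisions are appended, existing versions never change."""

    def __init__(self):
        self._versions: Dict[str, List[GuidelineVersion]] = {}

    def publish(self, gv: GuidelineVersion) -> GuidelineVersion:
        versions = self._versions.setdefault(gv.guideline_id, [])
        if versions and gv.version <= versions[-1].version:
            raise ValueError("version numbers must strictly increase")
        if versions and gv.effective < versions[-1].effective:
            raise ValueError("a new revision cannot take effect before the previous one")
        versions.append(gv)
        return gv

    def current(self, guideline_id: str, on: date) -> GuidelineVersion:
        """Latest revision that was in effect on the given date."""
        candidates = [v for v in self._versions.get(guideline_id, []) if v.effective <= on]
        if not candidates:
            raise LookupError(f"no version of {guideline_id} in effect on {on}")
        return candidates[-1]

    def get(self, guideline_id: str, version: int) -> GuidelineVersion:
        for v in self._versions.get(guideline_id, []):
            if v.version == version:
                return v
        raise LookupError(f"{guideline_id} v{version} not found")


@dataclass(frozen=True)
class Case:
    case_id: str
    opened: date
    pinned_guideline: str
    pinned_version: int


def open_case(lib: PolicyLibrary, case_id: str, guideline_id: str, opened: date) -> Case:
    """Pin the revision in effect on the intake date; the pin is immutable."""
    gv = lib.current(guideline_id, opened)
    return Case(case_id, opened, guideline_id, gv.version)


def controlling_rule(lib: PolicyLibrary, case: Case) -> GuidelineVersion:
    """Resolve by the pinned version, never by 'current'."""
    return lib.get(case.pinned_guideline, case.pinned_version)


def build_sample_library() -> PolicyLibrary:
    """Constructed sample: one guideline with an initial version."""
    lib = PolicyLibrary()
    lib.publish(GuidelineVersion("EXAMPLE-NCD-1", 1, date(2025, 1, 1),
                                 "Covered when criteria A.1 and B.2 are met."))
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    case = open_case(lib, "CASE-0001", "EXAMPLE-NCD-1", date(2025, 3, 1))
    lib.publish(GuidelineVersion("EXAMPLE-NCD-1", 2, date(2025, 4, 1),
                                 "Covered when criteria A.1, B.2 and D.4 are met."))
    print(controlling_rule(lib, case).version)   # still 1
```

The two checks in `publish` (monotonic version numbers, non-decreasing effective dates) are what keep a later revision from ever being mistaken for the one a case was opened under; the frozen data classes make the pin itself unmodifiable by ordinary code.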
The corpus the matcher consults is published live at /policy-library. Every public-domain source is listed with its row count and the timestamp of its most-recent refresh. There is no hand-curated marketing copy on that page; the data is rendered directly from the platform database.
For a synthetic walkthrough — sample case intake, controlling-guideline pinning, reviewer override flow, audit-chain verification — schedule a 30-minute compliance review.
Corpus 3,242 rows · most-recent refresh 19 hours ago · verify on /policy-library