Duty of Care · Healthcare Ops
Healthcare decisions that stay authorised under change.
No Stamp → No Ship for duty-of-care decisions.
PA denials, UM overrides, discharge decisions, and access grants are judged later by appeals bodies, auditors, and regulators — after policy, criteria, and vendors have changed. If it can't be verified, refreshed, and withdrawn by link, it isn't shippable.
- Verifiable denial/settlement/override decisions by Status Link
- Refresh on policy/model/vendor/evidence change
- WITHDRAWN stop-rely propagation wherever checked
- Minimal disclosure + dispute-ready IDA Evidence Pack
Fail-closed•Append-only•Scope-bounded
Not a certification. Scope-limited verification. Acceptance depends on counterparty/programme requirements.
Why healthcare buyers are moving now
Appeals pressure, timeline enforcement, AI governance, and resilience risk are converging.
Appeals arrive after everything changes
Denial and override decisions are challenged months later — after policies, vendors, criteria, and staffing have changed. Reconstruction is expensive and error-prone.
Timeline SLAs are tightening
Prior authorization modernization is compressing response windows. Missing deadlines under external scrutiny creates regulatory and reputational exposure.
Policy/model/vendor drift silently invalidates prior approvals
A criteria update, vendor model retrain, or workflow change can make yesterday's approval indefensible today — and nobody knows until the appeal lands.
Screenshots and portal views fail in cross-party review
External reviewers, advocates, and auditors need verifiable, portable evidence — not screenshots, PDFs, or portal access that expires.
Cyber and vendor incidents require immediate stop-rely
A breach or outage at a delegated vendor means prior decisions may be compromised. Without withdrawal semantics, stale authorisations circulate silently.
AI governance expectations are rising fast
Automated and AI-assisted clinical admin decisions face growing demands for traceability, controllability, and human accountability.
Privacy constraints block raw record sharing
PHI minimization rules prevent dumping case files to external reviewers. Counterparties need proof of what happened — not the underlying data.
Manual reconstruction burns clinical and legal capacity
Every appeal, audit, or investigation triggers manual evidence assembly across multiple systems. Repeat reconstruction is the silent cost multiplier.
Good Proof provides scope-limited verification evidence and stop-rely semantics. It is not a certification.
What a Stamp proves (and what it doesn't)
Proves (within lane scope)
- Decision class + outcome (approve/deny/override/discharge/escalate/access grant)
- Decision-time timestamp
- Signer/authority reference
- Scope boundaries + expiry window
- Validity state (VALID / NEEDS_REFRESH / WITHDRAWN / NOT_VERIFIED)
- Policy/criteria/version identifiers at decision time
- Evidence window for appeals/audit/disputes
Does NOT prove
- Clinical correctness or medical necessity truth
- Treatment outcome correctness
- Model/algorithm correctness
- Certification or regulatory compliance
- Raw PHI payloads by default
In disputes: Status Link = reliance state now. IDA Evidence Pack = fileable snapshot for decision-time record.
Not a certification. Scope-limited verification. Acceptance depends on counterparty/programme requirements.
Why this lane exists
In healthcare ops, disputes are authority + timing disputes.
The question is not only "what decision happened," but: was it permitted, in scope, with which policy/version, and should reliance continue now?
Logs and portals don't travel across counterparties. Good Proof converts brittle process trust into a contract-referenceable control rail.
Integration in 3 touchpoints
1
Issue
At decision issuance (PA approve/deny, UM override, discharge/escalation, restricted access grant) → require a Stamp.
2
Communicate
Include Status Link in outbound notices (provider/patient/appeals/audit) → link travels with the decision.
3
Rely
At reliance points (service authorization, discharge execution, continued denial, transfer) → verify Status Link (fail-closed).
High-impact gating only. Everything else runs normally.
Patient safety + recourse model
Fail-closed for reliance. Care-first override for urgent harm scenarios.
Fail-closed execution by default for all gated decision classes.
Emergency/urgent care override can proceed under programme-defined criteria.
Override automatically creates mandatory post-action review and stamp workflow.
All overrides are append-only and visible in governance/audit trails.
Explicit recourse/appeal path for affected parties — programme-configured.
Safety override is care-first, not control-bypass. Every override is auditable.
Global Coverage
Regulatory reality
No hype, no compliance claims — Healthcare is being pushed toward decision transparency, auditability, and defensible governance.
US
CMS PA modernization pressure (operational provisions 2026; APIs generally 2027); rising appeals and timeline SLA scrutiny
EU
EHDS governance expectations for cross-border sharing; AI Act traceability requirements for high-risk health systems
UK
Duty of candour + record-keeping expectations for notifiable safety incidents; DRCF AI governance direction
Canada
ML-enabled device and clinical decision support governance expectations tightening
Australia
AI/medical device software oversight signals tighter governance expectations; TGA guidance evolving
Asia hubs
AI governance frameworks emphasize traceability and controllability; cross-border data sharing scrutiny rising
Middle East
Health-data governance tightening; stronger expectations for accountable automated decisioning and defensible records
Africa
Care-access governance rising; greater scrutiny on decision traceability and audit-ready records across regional bodies
Good Proof doesn't certify compliance. It makes outputs verifiable, refreshable, withdrawable by link.
Jurisdictional Configuration
Country overlays can be configured per programme
Examples include programme-specific mapping for UAE, Saudi Arabia, South Africa, Kenya, Nigeria, and other jurisdictions where disclosure, retention, appeal handling, language support, and verifier-access requirements differ.
Configure scope boundaries, evidence windows, redaction matrix, and verifier checklist per jurisdiction.
Not legal advice. Final legal mapping is owned by programme counsel.
Healthcare capability surface (before execution)
What the Stamp covers — defined per programme, verified before rely.
Policy/criteria pack + version
Clinical decision criteria and threshold configuration
Workflow/tool surface + version
Authority/delegation object
Evidence window definition
Escalation and appeal routing rules
Material surface change → NEEDS_REFRESH
Compromise/integrity failure → WITHDRAWN
What gets stamped in Healthcare
Examples of high-impact action classes (define per programme):
Prior Authorization & Coverage
- PA approvals/denials (and denial rationale category)
- Coverage eligibility determinations tied to care access
- Step therapy and formulary exception decisions
UM & Clinical Decisions
- Medical necessity / utilisation management overrides
- Care pathway deviations + escalation decisions
- Discharge, transfer, and level-of-care changes that carry liability
Access & Eligibility
- Access grants to restricted services or protected pathways
- Eligibility removals and reinstatement decisions
- High-risk workflow gates (where 'no human saw this' is unacceptable)
Appeals & Exceptions
- Appeal outcomes and reinstatement decisions (so reversals are provable)
- Exception/break-glass approvals with mandatory expiry
- Post-incident closure decisions where liability lands on people
If it affects care access, coverage, safety, or livelihood and can be challenged later — stamp it.
What you get (two artefacts, one standard)
Status Link (authoritative now)
A counterparty-verifiable link that returns current validity within scope.
- Returns: status, scope, expiry, verified_at, signer, verify_url
- Fail-closed: unreachable = NOT_VERIFIED
- Built for contracts, runbooks, tickets, and automated gates
IDA Evidence Pack (snapshot then)
View full details →A time-stamped snapshot you can forward, file, and cite.
- Built for appeals, audits, disputes, and procurement
- Append-only history; withdrawal ≠ erasure
- Excludes prompts, logs, PHI by default
PDFs are great for filing. Status Links keep them current.
If it gets challenged, does it survive?
PDFs are great for filing. Status Links keep them current. Dashboards don't travel. Counterparties need a link they can check today.
VALID
Proceed within scope.
Rely on it.
NEEDS REFRESH
Re-verify before rely.
Policy/criteria changed.
WITHDRAWN
Stop relying immediately.
Returned wherever checked.
NOT VERIFIED
No proof exists.
Block or escalate.
VALID = valid within scope (not a guarantee of outcome correctness).
Fail-closed: unreachable verification returns NOT_VERIFIED. Block or escalate, never assume validity.
When status changes — and what it means
Status triggers define when a Status Link moves to NEEDS_REFRESH or WITHDRAWN.
NEEDS_REFRESH
Re-verify before you rely.
Policy/criteria version change (payer rules, UM guidelines, pathway rules)
Vendor model retrain, rule-pack update, or configuration change
Threshold/escalation parameter update (risk tier, coverage interpretation)
Workflow/tool-surface version change
Authority/delegation change affecting lane scope
Evidence-window expiry
Material case-context update within defined evidence window
Data source change (eligibility feeds, clinical coding rules, vendor services)
NEEDS_REFRESH means "re-verify before you rely," not "schedule a meeting."
WITHDRAWN
Stop-rely signal. Action must not proceed.
Confirmed integrity incident affecting lane validity
Unauthorized workflow/policy modification discovered
Compromise of signer or delegation boundary
Severe misconfiguration in scope boundary
Post-review reversal requiring immediate stop-rely
Legal/regulatory hold requiring execution halt
Fail-closed: Wherever the Status Link is checked, if WITHDRAWN → block or escalate.
What's inside the IDA Evidence Pack
Decision-time snapshot for appeals, audit, and filing.
Decision summary + lane scope boundary
Decision-time timestamp + evidence window
Policy/criteria identifiers + version references
Workflow/tool surface identifiers + version references
Authority reference
Verification transcript + timestamps
Redaction matrix (what is intentionally excluded)
Minimal disclosure by default. Programme-scoped if required, with auditable access trails. No raw PHI by default.
What counterparties can verify without logging into your perimeter
Current validity state: VALID / NEEDS_REFRESH / WITHDRAWN / NOT_VERIFIED
Scope boundaries and expiry window
Authority/signer reference
verified_at timestamp
Forwardable IDA Evidence Pack (programme-scoped)
Optional signed verify response (programme-scoped)
Privacy-preserving by default (no raw PHI)
No login, portal, NDA, or system integration required
Who can verify: payers, providers, appeals bodies, patient advocates, auditors, regulators — as applicable and programme-defined.
AI-Agent Era
AI-agent era controls
Prompts can drift. Reliance controls must not.
Material change in policy/vendor/model/configNEEDS_REFRESH
Integrity or boundary breachWITHDRAWN
Timeout/unreachable verification routeNOT_VERIFIED (fail-closed)
Exception lane requiring human finalityGuardian path (optional)
Good Proof does not decide outcomes; it controls whether high-impact actions are safe to rely on.
Prompts can be hijacked. Status can't.
Hard gates + revocation reduce blast radius and make outcomes defensible in disputes, audits, and investigations.
No Stamp → block or escalate
Material change triggers → NEEDS_REFRESH
WITHDRAWN returned wherever the Status Link is checked
Guardians are programme-scoped human finality for exception lanes only
Who uses this in Healthcare
Commercial and public-sector buyers with high-impact decision accountability.
Commercial buyers
Clinical Ops / UM Teams
Pain: Appeals arrive after criteria, vendors, and staffing have changed. Reconstruction is manual and expensive.
Outcome: Every high-impact decision carries a verifiable Status Link + decision-time IDA snapshot.
Book a Healthcare Stamp SprintPrior Auth Operations
Pain: Timeline SLA breaches and denial challenges expose the organisation to regulatory and reputational risk.
Outcome: Gate PA decisions with Stamp issuance; Status Link travels with the notice for counterparty verification.
Book a Healthcare Stamp SprintAppeals & Grievances
Pain: Reconstructing 'what was true then' across changed systems is the single biggest time sink.
Outcome: Append-only history + live status accelerate defensible reviews without manual evidence assembly.
Book a Healthcare Stamp SprintCompliance / Audit / Legal
Pain: Screenshots and portal views fail under external challenge. Evidence doesn't travel.
Outcome: A contract-referenceable verification object with scope, expiry, signer authority, and status.
Book a Healthcare Stamp SprintPatient Safety / Risk
Pain: Investigations stall when 'what was true then' and 'what is true now' diverge.
Outcome: Care-first override with mandatory post-action review; append-only trail for governance.
Book a Healthcare Stamp SprintCIO / Security / Enterprise Architecture
Pain: Adding controls often means system replacement risk and integration overhead.
Outcome: Lane-scoped gate check at issuance, notification, and reliance points; no rip-and-replace.
Book a Healthcare Stamp SprintProcurement / Vendor Risk
Pain: Contract clauses lack machine-checkable verification semantics for delegated vendors.
Outcome: Procurement-ready clause template + Schedule A with status-linked operating rules.
Book a Healthcare Stamp SprintExternal Verifiers
Includes: payers, providers, patient advocates, appeals bodies, auditors, regulators (as applicable)
Pain: Verification often depends on portal access, NDAs, or manual attestations.
Outcome: Verify by link by default without internal system access. Privacy-preserving by default.
Public-sector and quasi-public buyers
State/national health programme authorities
Pain: Eligibility and coverage decisions are challenged across agencies and jurisdictions.
Outcome: Status-linked governance evidence with configurable redaction and retention.
Book a Healthcare Stamp SprintPublic hospital networks and health systems
Pain: Discharge, transfer, and access decisions face multi-agency scrutiny.
Outcome: Scope-bounded verification with withdrawal propagation for safety-critical lanes.
Book a Healthcare Stamp SprintRegulatory and oversight bodies
Pain: Oversight depends on system-bound evidence and inconsistent logs.
Outcome: Verifier-checkable status with portable Evidence Pack for cross-agency review.
Book a Healthcare Stamp SprintWhere budget comes from
Usually funded from existing risk, compliance, and operations lines — not new category spend.
Appeals/disputes operations
Trigger: Rising appeal volume, timeline SLA breaches, or repeat reconstruction cost
Why it fits: Decision-time snapshots eliminate manual evidence assembly; Status Link accelerates review.
UM transformation budget
Trigger: PA modernization execution, API-led transparency requirements, or vendor transition
Why it fits: Stamp issuance gates at decision points; refresh triggers track policy/vendor drift automatically.
Compliance/audit defensibility
Trigger: External review findings, audit readiness gaps, or new reporting obligations
Why it fits: Contract-referenceable verification objects with scope, expiry, and signer authority.
Patient safety + incident governance
Trigger: Safety event, near-miss investigation, or duty-of-candour obligation
Why it fits: Care-first override with mandatory post-action review and append-only audit trail.
Third-party risk and procurement
Trigger: Vendor concentration risk, delegated vendor change, or procurement renewal
Why it fits: Machine-checkable contract clause with fail-closed enforcement and stop-rely semantics.
Cyber/resilience remediation
Trigger: Vendor outage, breach affecting clinical admin lane, or resilience test finding
Why it fits: WITHDRAWN propagation stops reliance wherever the Status Link is checked; no silent stale trust.
Start with one high-impact lane and prove appeal/audit friction reduction before expansion.
24-month horizon
Future pressure radar
What's coming — and why building verifiable controls now reduces exposure later.
Higher automation intensity in clinical admin
AI-assisted PA, UM, and triage decisions will face growing demands for decision-level traceability — not just model-level governance.
Increasing external reviewer expectations
Appeals bodies, advocates, and auditors will expect portable, machine-checkable evidence — not portal screenshots or narrative PDFs.
Stricter traceability and change-control scrutiny
Policy/vendor/model changes that silently invalidate prior decisions will face more rigorous governance expectations.
Higher third-party concentration risk
Delegated vendor chains in clinical admin create single points of failure; stop-rely semantics become a procurement baseline.
More cross-party verification demands
Counterparties will increasingly require verification without portal access, NDAs, or manual attestation workflows.
Agentic and multi-system workflow complexity
As clinical admin workflows span more tools and vendors, identity/role context will not equal execution permission — VALID-in-scope checks become critical.
Who buys, who approves, who relies
Make internal alignment easy.
Economic buyerCOO / Operations / Transformation
Risk ownerCompliance / Legal / Patient Safety / Risk
Technical ownerCIO / Enterprise Architecture / Security
Daily usersClinical Ops, UM, PA, Appeals, Case Management
Healthcare lane menu
Start with one lane. Prove it in 30 days. Expand when counterparties rely on the Status Link.
What ships every time: Status Link (authoritative now) + Evidence Pack (snapshot then).PDFs are great for filing. Status Links keep them current.
PA Denials & Coverage Decisions
Gate high-impact PA decisions with scope + expiry + refresh/withdraw triggers. Make denials defensible under appeal.
Book a Healthcare Stamp SprintUM Overrides & Clinical Escalations
Stamp medical necessity overrides and care pathway escalations so they survive retrospective review.
Book a Healthcare Stamp SprintDischarge & Transfer Decisions
Make discharge, transfer, and level-of-care changes verifiable with decision-time evidence and live status.
Book a Healthcare Stamp SprintAccess & Eligibility Gates
Stamp restricted pathway access grants and eligibility removals. WITHDRAWN propagates stop-rely wherever checked.
Book a Healthcare Stamp SprintAppeals & Exception Outcomes
Make appeal outcomes, reinstatements, and exception approvals provable and portable for cross-party review.
Book a Healthcare Stamp SprintHow it works (simple)
1
Stamp the surface
Policy + workflow + authority + evidence-window scope defined per programme.
2
Gate high-impact execution
Pre-execution Status Link check. VALID or block/escalate.
3
Revoke fast
WITHDRAWN propagates stop-rely wherever the Status Link is checked.
Make the gate machine-checkable, not meeting-checkable.
A Global Human Layer
Our Mind Chill Guardian Story
A global human layer that software can't fake.
When liability lands on a person, the sign-off should too.
Conflict-checked · Rotation-based · Audit-traceable · Programme-scoped
When Guardians are used (only when required)
Most decisions remain automated. Humans step in only where human finality is required: exception approvals, disputes, high-risk overrides, or post-incident outcomes with human liability.
Mind Chill Guardians provide programme-scoped human finality for exception lanes only, minimizing PHI handling, with anti-rubber-stamp controls: conflict checks, rotation, sampling audits, and multi-review thresholds for high-risk lanes.
From calming minds to defending outcomes
Mind Chill began in 2017 as immersive art built to reduce anxiety and create calm at scale. Then the same feeds that buried calm and rewarded outrage started training the systems that now make real decisions. We didn't want more rhetoric. We wanted receipts.
The moment it clicked
A message arrived: someone's child felt safer because of what they experienced. Around the same time, lived experience inside our own community made one thing obvious: the nuance that matters in high-impact decisions can't be reliably reduced to a prompt. So we designed a human layer for the edge cases—structured, scope-bound, and auditable.
Guardians are not a "panel." They're a network.
Mind Chill Guardians come from different countries, backgrounds, and lived realities. That diversity is not branding—it's risk reduction. It makes decisions harder to game, easier to challenge, and more credible under scrutiny.
Receipts over rhetoric
Operational Guardians plug into Good Proof lanes as a controlled finality mechanism: conflict checks, rotation, multi-review where required, and an audit trace tied to a Status Link. Minimal disclosure by default. If a decision is appealed months later, you can show what happened, within scope, without dumping sensitive payloads.
Why buyers choose Guardians
Lived experience at the edge cases (not a generic helpdesk)
Conflict-checked + rotation-based (anti-rubber-stamp by design)
Multi-review on high-risk lanes (when the programme requires it)
Audit-traceable outcomes (defensible in appeals, audits, procurement)
Minimal disclosure by default (proof, not payloads — especially PHI)
Procurement-ready clause
Template language for your legal team.
"For [High-Impact Decision Classes], Supplier shall issue a Good Proof Stamp prior to action. Buyer may verify status via the Status Link. Stamps returning NOT_VERIFIED, NEEDS_REFRESH, or WITHDRAWN shall block or escalate per programme SOP."
Schedule A (template — programme terms)
Definitions + operating rules procurement teams can copy/paste.
1. Definitions
- High-Impact Decision Class: a decision type with scope, evidence window, and refresh rules defined in the Order Form.
- Status Link: the verification endpoint returning validity state + scope boundaries.
- Evidence Window: programme-defined period during which evidence is considered current.
- Evidence Pack: the time-stamped snapshot artefact for filing and disputes.
- Scope Boundary: programme-defined limits (lane, action class, expiry, version references) for a Stamp.
2. Required states
- VALID→ may proceed within scope.
- NEEDS_REFRESH/ NOT_VERIFIED / WITHDRAWN → must block or escalate per lane rules.
- Fail-closed:timeout/unreachable ⇒ NOT_VERIFIED.
3. Withdrawal / stop-rely semantics
- WITHDRAWN is returned wherever the Status Link is checked.
- No execution may proceed on WITHDRAWN.
4. Privacy/redaction defaults
- Evidence Packs exclude PHI, prompts, and logs by default.
- Redaction matrix defined per programme and jurisdiction.
5. Emergency override governance
- Programme-defined override criteria with mandatory post-action review.
- Append-only override trail for governance and audit.
6. Technical safeguards
- HTTPS-only verifier endpoint
- Official verifier host allowlist
- Redirects forbidden
SLA placeholders (complete per programme)
Verifier availability target: [___]%. Response-time target: [___] ms. Support turnaround: [___] hours.
Not legal advice. Template language for your legal team. Bracketed variables to be completed by the parties.
What you get in 30 days
One decision class, production-ready controls.
One high-impact decision class scoped and documented
Capability surface documented (policy + workflow + authority + evidence window)
Pre-execution gate integrated at issuance/reliance points
Refresh and withdrawal triggers configured
Counterparty verification route tested end-to-end
One redacted IDA specimen generated
SOP inserts + verifier checklist delivered
Go/no-go rollout recommendation
Due Diligence FAQs
Make duty-of-care decisions shippable.
Start with one decision class. Gate it end-to-end. Expand when counterparties rely on the Status Link.
Not a certification. Scope-limited verification. Acceptance depends on counterparty/programme requirements.