> _ P402 METER · MEDICAID MCO · PRIOR AUTHORIZATION GOVERNANCE
Governance
for the work
AI does next.
Metered AI governance for prior authorization review, built for a multi-state government-program health plan operating across Medicaid, D-SNP, and Marketplace.
Prior authorization is the proof point. It is document-heavy, regulator-bound, and high-stakes. Decision clocks are set by CMS. PHI handling is set by HIPAA. State program rules vary. The reviewer makes the coverage decision, not the model. P402 Meter shows what governed AI assistance looks like in that environment: per-operation receipts tied to client-level budget controls, a human review gate before any export, and an oversight packet ready for audit.
Synthetic dataNo PHIAdmin / non-clinical useHuman approval requiredURAC-aligned audit posture
P402 does not make medical decisions. Every prior-authorization outcome shown here is illustrative; a licensed clinician must adjudicate the real case.
01The Problem
AI is entering utilization review without a governance substrate.
Medicaid managed care plans, D-SNPs, and Marketplace issuers are being asked to do more prior authorization, faster, with more reason-specificity, under stricter clocks. At the same time AI vendors are pitching workflow tools with no per-action cost attribution and no link to reviewer governance. The gap is structural.
72h
Expedited decision clock (CMS-0057-F)
Specific denial or RFI reason required, regardless of channel (API, portal, fax, phone, mail, email). API requirements largely begin January 2027. Operational requirements begin January 2026.
HIPAA
PHI handling, BAA, audit trail
Production AI in PA must respect HIPAA Privacy, Security, and Breach Notification rules. Business associate contracting and access controls are not optional.
N states
Variable Medicaid program rules
Each state Medicaid program has its own utilization management policy, required documentation, reviewer roles, and appeal-packet format. One AI workflow cannot hardcode them.
$0
Per-operation AI cost attribution
AI vendor invoices arrive monthly with no breakdown by line of business, workflow, case, or agent. Compliance and finance cannot tie spend to a decision or a reviewer.
02The Solution
Every AI operation produces a receipt. Budgets live in policy.
P402 sits between the AI agents and the AI providers. Each metered operation (documentation extraction, completeness check, criteria mapping, reviewer-summary draft, RFI reason, escalation recommendation, evidence export) is evaluated against a 5-level budget hierarchy before it runs, and produces an operation receipt after it runs. Real USDC.e settlement on Tempo mainnet at session close binds the receipts to an on-chain proof. The reviewer makes the coverage decision.
The workflow in one sentence
Synthetic PA packet feeds 7 governed AI operations, each gated by client, line-of-business, workflow, case, and agent budgets. Per-operation receipts carry policy and mandate status. A human review gate (approve for sign-off, request more information, escalate) precedes oversight packet JSON export with a compliance trace, and USDC.e settles on Tempo.
5
Budget hierarchy levels
Client · LOB · Workflow · Case · Agent
7
Governed AI operations
One receipt per operation
0
Autonomous denials
Reviewer action required before export
03Compliance Anchors
What this demo models, and what it deliberately does not.
Each anchor below maps to something visible in the live demo, not claimed in theory. The boundaries are as load-bearing as the features.
CMS-0057-F · Prior Authorization Decision Timing
✓Expedited 72-hour clock and standard seven-calendar-day clock surfaced in the State Program Policy Profile per line of business
✓Specific denial or RFI reason generated as structured text, never as a final adverse determination, always as a draft for human review
✓Per-operation timestamps build a status trace that can support API, portal, fax, phone, mail, or email channels
✓FHIR Prior Authorization API readiness shown as a mock surface; production deployment is a separate integration scope
✓Annual PA metrics export shown as a future-ready handoff for public reporting requirements
HIPAA Privacy, Security, and Breach Notification
✓Synthetic records only; every case ID, member ID, and provider name begins with SYN-
✓No upload control accepts user files; no free-text field requests real patient data; no PHI persists in browser state
✓Production deployment requires BAA, access controls, encryption, retention policy, and incident response controls; stated in the demo, not assumed
✓HIPAA Safety Boundary panel is always visible above the export; the boundary is part of the product
Medicaid Managed Care · State Program Policy Profiles
✓State program rules are modeled as a configurable State Program Policy Profile, not hardcoded universal claims
✓Each profile exposes program name, line of business, request category, decision clocks, required documents, reviewer role, escalation role, and appeal-packet relevance
✓Default display labels the source as "Demo placeholder" with sourceVerified = false; production deployment requires verified policy source documents and state-specific legal review
✓Transparency posture: panels speak in the language of Medicaid enrollees, providers, and audit reviewers, not vendor-jargon
Medicare Advantage · D-SNP UM Equity Support
✓Health Equity panel surfaces dual-eligible, disability, language-access, and geographic-access flags as synthetic markers
✓Panel supports prior authorization policy impact review and an annual UM equity analysis export placeholder
✓Panel is primary in D-SNP mode and collapsed-by-default in Medicaid MCO mode; it supports review, not decision automation
✓Plan committee review is the boundary; the panel never produces a clinical decision
P402 Governance Trust Stack
✓AP2 mandates carry client-level spending authority; per-operation receipts evaluate policy and mandate status before they fire
✓5-level budget hierarchy enforced at the tenant, line of business, workflow, case, and agent level. Receipts are evidence, budgets are policy
✓ERC-8004 trustless agent identity on Base (cross-chain) registers the AI agent and supports reputation-aware routing
✓Replay protection on EIP-3009 nonces; oversight packet binds receipts, hierarchy state, criteria mapping, draft reason, human decision, and compliance trace
04Technology
Three layers. One settlement substrate. One governance overlay.
TempoSettlement substrate that makes per-operation receipts economically real
·USDC.e (TIP-20) as native stablecoin. Settlement at under $0.000001 per tx via FeeAMM, versus roughly $2.85 on ETH mainnet and the $0.30 Stripe minimum
·Session-close reconciliation: one real Tempo tx per session aggregates the per-operation receipts into a single onchain proof; no per-operation gas burn
·TIP-20 transfer uses the standard ERC-20 interface. No msg.value, no native gas token separate from stablecoins; gas paid via FeeAMM in USDC.e
·Every settlement is independently verifiable in the Tempo block explorer (explore.tempo.xyz). The receipt and on-chain tx hash are part of the oversight packet
MPPMachine-payment layer that makes the receipts programmable
·Machine Payment Protocol (mppx) orchestrates the per-operation payment authorization and the session-close TIP-20 transfer on Tempo
·Authorization: Payment header pattern (dual-402 challenge/response) supports machine-to-machine payment authorization
·Pre-funded TEMPO_TREASURY_PRIVATE_KEY wallet submits the session-close transfer on behalf of the metered session; AP2 mandates carry the client-level authority
·Proof Replay mode activates automatically when the treasury key is unset. Full demo runs without any real funds, with pre-recorded proof references
GeminiIntelligence layer scoped to assistance, never to coverage decisions
·Gemini 3.1 Flash drives documentation extraction, completeness check, criteria mapping (synthetic categories), and the reviewer-summary draft. Each operation produces a typed receipt
·Gemini 3.1 Pro runs the post-session compliance trace narrative, explaining what was extracted, what is missing, and which categories require reviewer validation
·Output is always labeled as extracted fields, draft summary, completeness check, criteria mapping, suggested next action, or reviewer rationale draft; never as a final decision
·There is no autonomous denial path. There is no primary "Deny" action. Any adverse-determination reason is treated as a draft for human review
·Multimodal intake supports synthetic image/PDF packets; production deployment must use the payer's licensed medical policy in place of the synthetic criteria categories
05Why Medicaid PA
Medicaid prior authorization is where governed AI assistance has to land first.
Medicaid managed care plans run high-volume PA workflows under variable state rules, tight decision clocks, and significant audit exposure. The reviewer-time cost is real, the documentation-completeness problem is real, and the compliance reporting burden is real. The governance gap is also real; that is what P402 closes.
✓Governance is the product, not the wrapper
Budget controls, reviewer gates, audit packets, and compliance traces are not features added to a chat workflow. They are the workflow. The model surfaces work; the governance routes who gets to act on it.
✓Decision clocks make traceability load-bearing
The CMS-0057-F clocks (72h expedited, seven calendar days standard) are the operational unit. Every operation receipt carries a timestamp, every status change is visible, and the oversight packet captures the trace.
✓State rules are configuration, not assumption
State A's Medicaid program is not State B's Medicaid program. The State Program Policy Profile is configurable per row; production deployment requires verified policy source documents and state-specific legal review.
✓Reviewer authority is not negotiable
No autonomous denial. No autonomous medical-necessity determination. No coverage decision without a qualified reviewer. The export packet is gated on a human action and the action is recorded in the compliance trace.
06Architecture
Eight API routes. One settlement model. One governance overlay.
Each route handles one step of the workflow. Settlement-producing routes write directly to Tempo. The governance overlay (receipts, hierarchy, oversight packet) is derived from the same ledger events the settlement layer emits, one source of truth.
/api/meter/packetIngest synthetic PA packet, SHA-256 hash, persist asset
/api/meter/work-orderGemini extraction produces a typed WorkOrder plus line-of-business context
/api/meter/sessionsOpen metered session with case + agent budget caps
/api/meter/walletCheck Tempo settler wallet balance and signer address
/api/meter/chatSSE stream · per-operation receipts · session-close Tempo settle
/api/meter/escrowERC-8183 escrow for specialist handoff (Phase 3; returns 503 on Tempo Phase 1)
/api/meter/trustERC-8004 agent identity + reputation read
/api/meter/auditCompliance trace narrative + cost-per-operation breakdown
07Buyer Context
The buyer is a multi-state government-program health plan.
Not a developer. Not a generic enterprise. A health plan that runs PA workflows across Medicaid managed care, Medicare D-SNP, Marketplace, and CHIP-adjacent operations, under specific state program rules and federal oversight, with a real audit and appeal burden. Primary stakeholders: VP Utilization Management, Director Prior Authorization, CMO staff, Compliance and Audit leadership, Medicaid plan operations, and the enterprise AI governance team.
Legacy
Operating cost per case in the legacy workflow
UM nurse or physician advisor time for a standard PA decision is materially higher per case than the AI-metered path; complex behavioral-health, post-acute, or specialty cases run significantly higher.
Sub-penny
Governed AI assistance per case
Seven metered operations against per-agent caps. Every cent attributable to a line of business, workflow, case, and agent. Settlement on Tempo.
Full oversight packet
Audit-ready export per case
Receipts, hierarchy state, documentation completeness, criteria mapping, draft reason, human decision, and compliance trace as JSON, copyable, gated on reviewer action.
What changes for the plan
·AI spend attributable to client, line of business, workflow, case, and agent, not a monthly black-box invoice
·CMS-0057-F decision clocks tracked per case with timestamped operations and structured reason text
·State Program Policy Profiles as configuration: no hardcoded universal claims, no surprise compliance debt
·HIPAA boundary visible in the workflow: synthetic in demo, BAA-bounded and access-controlled in production
·Reviewer authority preserved end-to-end. The export packet does not finalize without a human action
·D-SNP UM equity review support: dual-eligible, disability, language and geographic access flags surfaced for committee review
08Reviewer Walkthrough
Five steps. Under three minutes.
Everything on this page is verifiable in the live demo. Here is the sequence.
01
Pick a line of business
The Line of Business selector switches between Medicaid MCO (default: behavioral health inpatient extension), Medicare D-SNP (post-acute SNF extension), and Marketplace (outpatient imaging PA). The State Program Policy Profile, the synthetic packet, the compliance panels, and the receipt case IDs all update.
02
Review the synthetic packet and the state program profile
The Synthetic Prior Authorization Packet shows case ID, member ID (SYN-…), urgency, requested service, provider, and packet summary. The State Program Policy Profile shows decision clocks, required documents, reviewer role, and escalation role. The HIPAA Safety Boundary panel is visible throughout.
03
Run the demo and watch the AI Operation Stream
Seven metered operations stream in order: documentation extraction, completeness check, criteria mapping, reviewer summary, RFI reason, escalation recommendation, evidence export. Each one writes a receipt with policy + mandate status and an evidence hash. The Client Budget Controls panel updates per-agent and per-case spend in real time.
04
Inspect the receipts and the Tempo settlement proof
The Operation Receipt Ledger lists each receipt with agent, cost, policy status, and evidence hash. Click any row to expand the JSON. The Tempo Settlement Proof panel shows the session-close USDC.e transfer tx hash; every receipt carries it as settlementTxHash for traceability.
05
Select a reviewer action and export the oversight packet
The Human Review Gate offers three actions: approve for reviewer sign-off, request more information, escalate to physician advisor. There is no primary Deny. The Oversight Packet export remains disabled until a reviewer action is recorded. Copy the JSON: it carries the full receipt set, budget hierarchy state, documentation completeness, criteria mapping, draft reason, human decision, and a compliance trace with realPhiProcessed: false.
09How the Demo Runs
Three modes. Same governance overlay.
P402 Meter adapts automatically to the environment. The governance overlay (receipts, hierarchy, human review gate, oversight packet, HIPAA boundary, CMS readiness panel) runs identically in every mode. Only the source of the model output and the on-chain settlement change.
Live Mode
GOOGLE_API_KEY + TEMPO_TREASURY_PRIVATE_KEY setReal Gemini 3.1 Flash and Pro calls. Pre-funded Tempo wallet submits one real USDC.e TIP-20 transfer at session close. Tempo Explorer link goes live immediately. Every receipt carries the session-close settlementTxHash.
Proof Replay
Default (no keys required)Pre-recorded stream replays a prior live PA session. Receipts, hierarchy, criteria mapping, compliance trace, and oversight packet behave identically. Reviewer must still select an action to enable export.
Quota Fallback
Auto (free-tier Gemini limit hit)If Gemini returns a 429 or quota error mid-session, the system silently switches to Proof Replay. A thin amber notice appears. Governance and compliance panels remain unchanged.
Receipt and Tempo settlement flow (per session)
1. AI operation runs; cost calculated against the 5-level budget hierarchy·2. Receipt written: agent, model, caseId, costUsd, policyStatus, mandateStatus, evidenceHash·3. Repeat for the 7 governed operations; session-close triggered·4. Tempo settler submits a single USDC.e ERC-20 transfer() on Tempo mainnet (Chain ID 4217)·5. waitForTransactionReceipt confirms after 1 block; FeeAMM gas paid in USDC.e·6. Reconciliation event written: settlementTxHash + settlementBlock; every receipt is stamped with it·7. Reviewer selects an action; oversight packet JSON exported with the on-chain settlement reference and a compliance trace
See it live
The demo is the proof.
Seven governed AI operations. Per-operation receipts. A 5-level budget hierarchy. A reviewer gate before export. CMS-0057-F clocks, HIPAA boundary, and a State Program Policy Profile in the workflow. Real USDC.e settlement on Tempo. Synthetic records only; no PHI processed.
P402 Meter · Medicaid MCO PA Governance · Tempo Mainnet · Synthetic DemoTempo × MPP × Gemini 3.1
P402 Router · p402.io · Production deployment requires payer security review, BAA, and state-specific legal review.