HealthNext
June 2026·6 min read

The audit is the product

When an agent touches a coverage decision, the record is the only thing that survives the lawsuit. We stopped treating it as a report you generate after the fact, and started treating it as the thing the system is for.

The nH-Predict case turned on a number that should stop every health-AI team cold. UnitedHealth used the algorithm to project when to cut post-acute care, and the 2023 federal class action alleges that roughly 90% of its denials were overturned on appeal. Set aside the question of whether the model was good. Ask the operational one: when the suit landed, what could the plan actually produce to show how any one of those decisions was made?

That is the question we kept coming back to. Around the same time, ProPublica reported that Cigna's PXDX system let physicians batch-reject claims without opening the file. The common failure in both stories is not the automation. It is that the trail went dark. The reasoning behind a denial existed somewhere, briefly, and then it was gone — reconstructable only through discovery, if at all.

So we built HealthNext around a different premise. The audit is not the compliance tax you pay after shipping the feature. The audit is the feature.

What “built in” actually has to mean

Most systems generate an audit log the way a building generates a fire report — after something goes wrong, someone assembles a narrative from whatever telemetry happened to be retained. That narrative is editable by construction. It lives in a database the operator controls. A regulator reviewing it is, in the end, trusting the operator's word that the log reflects what happened.

We did not want to ask anyone to trust our word. So every governed action in HealthNext — every chart read, every retrieval over policy, every draft recommendation, every human sign-off — is written to a record with three properties, and the three only matter together.

Append-only. A governed decision can be added to the record, never altered or deleted. The chain is write-once. There is no code path that edits a prior entry, because the data structure does not permit one.

Ed25519-signed. Each record is signed with the deployment's own key. Change a single byte and the signature no longer verifies. The tampering does not get hidden — it gets advertised.

Offline-verifiable. This is the one that took the most work and matters the most. An auditor verifies the chain against a public key, with a dependency-free verifier, on their own machine. No call back to HealthNext. No login to our dashboard. No moment where the proof routes through a server we control.
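
The three properties combined, as an added example in Go using only the standard library. This is not HealthNext's code: the Record layout, the function names and the sample payloads are assumptions, since the page does not publish the actual record format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Record struct { // hypothetical layout, not HealthNext's actual format
	Prev    [32]byte // SHA-256 of the previous record, all zero for the first
	Payload []byte   // the governed action
	Sig     []byte   // Ed25519 signature over Prev || Payload
}

func (r Record) signed() []byte { return append(r.Prev[:], r.Payload...) }
func (r Record) hash() [32]byte { return sha256.Sum256(append(r.signed(), r.Sig...)) }

func Append(chain []Record, priv ed25519.PrivateKey, payload []byte) []Record {
	r := Record{Payload: payload}
	if n := len(chain); n > 0 {
		r.Prev = chain[n-1].hash()
	}
	r.Sig = ed25519.Sign(priv, r.signed()) // signature covers the link to the previous record
	return append(chain, r)
}

// Verify needs only the records and the public key; it returns the first bad index, or -1.
func Verify(chain []Record, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, r := range chain {
		if r.Prev != prev || !ed25519.Verify(pub, r.signed(), r.Sig) {
			return i
		}
		prev = r.hash()
	}
	return -1
}

func sampleChain() ([]Record, ed25519.PublicKey) { // constructed records, throwaway key
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	chain := Append(nil, priv, []byte("chart_read"))
	chain = Append(chain, priv, []byte("draft_recommendation"))
	return Append(chain, priv, []byte("human_signoff")), pub
}

func main() {
	chain, pub := sampleChain()
	chain[1].Payload[0] ^= 1 // alter one byte of one record
	fmt.Println("first bad record:", Verify(chain, pub))
}
```

A chain with records dropped from the tail still verifies in this sketch, so an auditor also needs the latest record hash or record count from a channel the operator cannot rewrite.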

A board report that can only be confirmed by calling the vendor is not evidence. It is a press release with a checkmark on it.

The obvious objection

Here is the fair pushback: this is over-engineering. Most payers will never get sued over a specific automated denial, and the ones who do will settle on aggregate statistics, not a single record. Why pay the complexity cost of cryptographic signing for a guarantee almost nobody will exercise?

Because the guarantee changes behavior long before anyone exercises it. When the record is mutable, the temptation under pressure is to make the log say the convenient thing — and everyone in the room knows it could be done. When the record is append-only and signed, that conversation never starts. The integrity is not a feature you reach for during the lawsuit. It is a constraint that shapes every decision before there is one. A control that can be quietly switched off is not a control; it is a setting. We made it structural so it cannot become a setting.

And the cost is lower than it looks, because we are not bolting the audit onto a finished workflow. The workflow emits the record as it runs. The same motion that resolves a prior authorization produces the proof that it was resolved correctly. There is no second system to keep in sync, because there is no second system.

What this buys a diligence team

A payer's compliance team can take a HealthNext record and re-verify it themselves — the chain, the signatures, the human sign-off on every adverse step — without us in the loop. California's SB 1120, in effect since January 2025, requires a licensed human to make medical-necessity decisions. We do not just assert we comply; the record shows the named human who held each call, sealed before the decision ran.

That is the whole posture. We are not asking a regulator to believe a dashboard is green. We are handing them the math and letting them check it cold. The work speaks, and then the record proves the work spoke.

If you want to see a governed run produce one of these records and verify it yourself, that is what the live demo is for — and the reasoning behind the human gate is in who holds the call.

HealthNext runs the regulated healthcare admin work as governed agents inside your boundary — and proves every action.