One hour. Six surfaces. One record.

Patricia volunteers at a community organization in New Orleans. She also works part time at a coffee shop near the Tulane campus. Most weeks, the volunteer hours plus the part-time hours combine cleanly to satisfy her community engagement requirement.

One Wednesday she misses her volunteer check-in window. The bus is late; the food bank's geofence times out before she reaches it. The system flags the missed check-in. The next morning, a statutory notice arrives in her CivicPath app. The cure-period countdown begins. The timeline below shows what happens next.

The coordinator runs the volunteer program where Patricia logs hours. They confirm her attendance, validate the work performed, and attest her hours through the partner attestation portal. Each attestation carries a cryptographic integrity hash and signature attribution; an attestation cannot be silently altered after it lands in the ledger.

The coordinator also manages the organization's capacity and waitlist. When the state runs out of placement capacity statewide and Patricia or another beneficiary lands on the waitlist, the cure-period countdown legally suspends. This design choice is informed by federal court precedent on Medicaid work-requirement waivers, including Gresham v. Azar, 950 F.3d 93 (D.C. Cir. 2020) and Stewart v. Azar, 366 F. Supp. 3d 125 (D.D.C. 2019). The protection renders on screen for the beneficiary and is visible to the coordinator in the partner portal. Site accessibility metadata (ADA, transit, parking) lets beneficiaries filter for sites they can physically reach.

Some states may elect a self-certification regime within the data-first hierarchy that H.R. 1 §71119 permits, where the partner-attestation pathway becomes optional rather than required. The platform's data model already accommodates self-reported submissions; credit-gating logic is configurable per state. FWA mitigations in the self-certification variant include perjury attestation under state welfare-fraud statutes, statistically-valid random-sample QA review modeled on the Arkansas Works framework at 95% confidence with ±3% variance (aligned with PERM and MEQC patterns), risk-based audit on anomaly signals, and cross-reference with state quarterly wage records via the federally-required Income and Eligibility Verification System. Implementation detail under NDA.

A caseworker reviews Patricia's cure submission. The case-worker review phase is role-gated; only authorized staff (caseworker, supervisor, state administrator, or super administrator) can advance the procedure. There is no path through the procedure that lets an unauthorized actor advance the case.

The caseworker also runs the alternative-eligibility check before disenrollment is even reachable. They have the audited authority to approve retroactive restoration if a disenrollment turns out to have been wrongful. The original disenrollment record is preserved on the append-only ledger; the restoration is added as a new event with reason and timestamp. See /safeguards for the full set of beneficiary protections this chapter exercises.

Patricia's part-time employer at the coffee shop submits her hour attestations through the employer portal. Each attestation captures the signer's name, title, IP address, and signature timestamp. Cryptographic integrity hashes prevent post-submission alteration. Employer-attested hours are cross-referenced against state quarterly wage records via the federally-required Income and Eligibility Verification System where the state's data-sharing path is open.

About half of Medicaid expansion adults are working. This chapter establishes the work-pathway angle alongside Patricia's volunteer pathway. When employer-reported hours and beneficiary-reported hours diverge, the discrepancy surfaces for case-worker review with a formal dispute path. The employer cannot directly affect compliance status; attestations feed verified-only credit gates rather than auto-credited credits.

A Managed Care Organization compliance officer sees Patricia's compliance trajectory in real time across the member population. The dashboard shows status changes, cure-period countdowns, and alt-eligibility outcomes the moment they happen. Webhook signals push directly into the plan's care-management system for compliance, exclusion, disenrollment, and appeal events.

The plan pulls the same compliance calculation the beneficiary sees in CivicPath. There is no divergence between beneficiary-facing and plan-facing views of the same record. Cross-tenant access is enforced before any data is returned; PHI reads are audited on every endpoint. The plan can intervene with care management before the cure period expires, turning what could be a coverage loss into a care touchpoint.

Three years after Patricia's cure period, an auditor pulls her record. Maybe federal CMS asked for a sample. Maybe the case is one of many produced under subpoena. The append-only ledger and deterministic replayability mean the same inputs produce the same outcome. The full procedural history is reconstructable.

Every notice has a timestamped delivery receipt. Every transition is role-attributed. Every disenrollment decision is audit-reviewable for the legal life of the record. Hash-chained appeal events make tampering visible. Cross-link to /platform for the architectural depth that makes this audit posture defensible at fair hearing.