Provenant
Per-row provenance · Recursive verification
Evidence layer · Oncology

Negotiated-rate evidence, built to be challenged.

Provenant ingests hospital-disclosed oncology rates, normalizes them across institutions, and surfaces dispersion with per-row, cryptographically signed provenance. Every figure recomputes from its source in a single command — no vendor-held secret, no network access required.

7 institutions 278 normalized rows Ed25519-signed packs Recomputable from a clean checkout

The price-transparency market serves operators — hospitals and payers benchmarking their own contracts.

Provenant serves the expert who must defend a number under cross-examination. Same public data; a different evidentiary standard.

§ 01The Evidence

One payer. Four cancer centers.
One procedural code.

For a single high-volume oncology procedure, one national commercial payer's negotiated rate ranges across an order of magnitude — and every figure traces back to a signed source file.

19.07×
Max-over-min spread · single payer · single code
Institution UnitedHealthcare rate Pack tier
Stanford Health Care $22,041.00 litigation-grade
Cedars-Sinai Medical Center $14,341.63 litigation-grade
Memorial Sloan Kettering $10,824.00 litigation-grade
MD Anderson Cancer Center $1,155.70 analytics
CPT 19101 — open surgical breast biopsy. Each rate is the median of the institution's preserved rates for this (payer, code) tuple; the source pack retains every disclosed rate as a separate provenance-bearing row. Three packs are litigation-grade; MD Anderson's is analytics-tier, and the roll-up surfaces that label rather than hiding it. Corpus snapshot 2026-05-30; MD Anderson has since been promoted to litigation-grade.
§ 02Proof

Don't take the numbers
on faith. Run the verifier.

Every Provenant pack is signed with Ed25519, and the public key ships inside the pack. A cross-hospital roll-up re-verifies each contributing source pack first, then itself — recursively, down to the original file hashes. Alter any byte and the chain fails to verify.

1 · SOURCE 2 · SIGN 3 · AGGREGATE 4 · VERIFY MRF → pack sha256 9f3a1c…d7b1 MRF → pack sha256 4c8e02…af55 MRF → pack sha256 b7e0a9…3c12 cross-hospital roll-up source_packs [] ├─ 9f3a1c…d7b1 ├─ 4c8e02…af55 └─ b7e0a9…3c12 ✓ verify: PASS (10/10)
Each rate is hashed to the exact public file it came from, sealed into a signed pack, then aggregated into a roll-up that records every pack's fingerprint. To verify, the chain is walked back — each source re-checked, then the roll-up's own signature — so a single PASS attests to every layer beneath it.

It isn't a diagram. It runs:

verify — cross-hospital roll-up
$ oncorate-verify-pack --pubkey signing_public_key.pem \
    reports/2026-05-30-allviews-rollup/rollup_pack_…_cross_hospital_rollup_uhc
  source: affidavit_pack_…_050441_all_oncology  PASS (9/9)   source: affidavit_pack_…_050625_all_oncology  PASS (9/9)   source: affidavit_pack_…_330154_all_oncology  PASS (9/9)   source: affidavit_pack_…_450076_all_oncology  PASS (9/9)   TIER: analytics   manifest            PASS   rates.csv / rates.json  PASS   pack_content        PASS   manifest_signature    PASS   pack_metadata       PASS   tier_metadata       PASS   source_packs        PASS (recursive)
  all checks PASS (10/10)
§ 03What it does

The architecture, precisely.

  • Per-row provenance Every rate traces by SHA-256 to a signed, CMS-mandated public machine-readable file — source URL and fetch timestamp recorded on the row itself.
  • Cross-hospital aggregation Rates compared only under deterministic, boundary-aware canonical-payer matching — never substring, never fuzzy. A passthrough payer is never silently compared against a canonical one.
  • Modeled 340B analytics Markup proxies gated on recomputable statutory eligibility — IPPS Disproportionate-Share receipt, or PPS-exempt cancer-hospital status — and labeled modeled, never as an observed price. Gated on eligibility, never on enrollment.
  • Composable caveats Each figure carries exactly the limitations its source data warrants — unit-basis, brand-default, modeled-markup — stacked, not collapsed into a single trust score that would hide which limitation applies.
  • Recursive verification A passing aggregate asserts every contributing pack passes, down to the original file hashes — from a clean checkout, with no Provenant-held secret and no network access.
§ 04Discipline

What Provenant does not do.

The limits are part of the product. Stating them plainly is what lets the claims that remain be trusted.

  • Does not ingest claims data — disclosed rates suffice to surface dispersion, and claims tempt causal inference Provenant does not make.
  • Does not publish, quote, or reconstruct 340B ceiling prices, which are confidential under 42 CFR Part 10.
  • Does not infer a drug's NDC class — a labeled brand-default assumption applies, auditable on every row, pending refinement.
  • Does not claim any hospital is enrolled in 340B, is purchasing at 340B prices, or is acting improperly. Eligibility is structural; conduct is not asserted.
  • Does not adjudicate causation, fraud, or impropriety. It surfaces dispersion; the expert adjudicates.
§ 05Read & verify

Three ways to evaluate the work.

Case study · PDF
Cross-Hospital Rate Dispersion in Surgical Oncology
A short, source-verified read: the CPT 19101 finding, a 340B-drug illustration with its caveat surfaced, and external context from RAND, the Community Oncology Alliance, and ASCO.
Open
Methodology · PDF
Provenance, caveats, the 340B model & recursive verification
The full method: data sources, the two-tier pack architecture, the conservative-by-design 340B markup proxy, canonical-payer aggregation, and how to verify any claim from a clean checkout.
Open
Verify a pack · ZIP
Download a signed source pack and reach 10/10 yourself
One litigation-grade pack, the public key, and a one-line command. Tamper-evident, offline, no Provenant-held secret. About five minutes including the download.
Download