Rōvn · Investor Room


Diligence notice: Working state of Rōvn as of 2026-06-24 · Pre-launch by design · See 09 for receipts

Worker Passport: Product Memo

TL;DR: The Passport is Rōvn's spine: one worker-owned, source-receipted, depth-labeled credential record that travels across every facility, role, renewal, and payer enrollment for the worker's career. Rōvn does the work of building and maintaining it. Source systems prove the facts. Humans (the worker, facility credentialers, and committees) own every decision. Live at passport.rovn.to; worker-owned by design; Rōvn turns credentialing from a repeated cost into a reusable network asset.


1. What the Passport Is

The Passport is a verified credential record owned by the healthcare worker (RN, MD, PA, NP, allied). It is the worker side of the Rōvn network: the rail that the facility workflow layer and the Verified API read from.

Concretely:

  • One worker. One Passport. Persistent across every facility the worker ever works at.
  • Free to the worker, forever. Network growth depends on it.
  • Source-receipted: every fact carries an evidence-labeled receipt (source name, source URL, source timestamp, hash, depth tier).
  • Portable: the worker chooses who reads what and for how long. Time-boxed consent. Worker can revoke.
  • Public-slug URLs at /p/{slug}: the worker can share an opt-in profile to a recruiter, facility, payer, or app with a single link.

This is the structural inversion vs every facility-silo credentialing product on the market: the record belongs to the worker, not the facility. When the worker moves Facility A → Facility B six months later, the record moves with them.


2. The Depth-Label Ladder

Every credential field carries a depth tier. Auditors and facility GCs can see exactly how strong each fact is. No assertion-level claims of "verified", only tier-labeled receipts.

| Tier | Label | What it means | Typical use |
|---|---|---|---|
| 1 | Worker-attested | Worker typed it in | Initial intake |
| 2 | Document-uploaded | Worker uploaded image/PDF | Pre-extraction state |
| 3 | AI-extracted | OCR/LLM parsed structured fields from doc | Speeds intake |
| 4 | Human-reviewed | Rōvn reviewer or facility credentialer confirmed | Optional intermediate |
| 5 | Source-verified | Primary source (NPDB, DEA, ABMS, state board) returned matching record | Required for hire |
| 6 | Continuously-monitored | Source subscription active, deltas alert | Required for ongoing privilege |
| 7 | Facility-approved | Specific facility's credentialing committee signed off | Required for clinical work at that facility |

Every receipt is replay-able. A hospital GC can pull the chain at any point and see source name, source URL, source timestamp, and the hash that anchors it in the audit log.

This is the procurement-safe spine of the product. Compliance officers, MSO directors, and CMOs accept it because it cleanly separates AI assistance from the regulated source of truth.


3. Source Receipts: The Evidence Layer

A source receipt is the atomic unit of trust on Rōvn. Each receipt includes:

  • Source identity: NPDB, DEA, ABMS, Nursys, OIG LEIE, state board, payer, etc.
  • Source URL: the queried endpoint
  • Source timestamp: when the record was returned
  • Result hash: content-addressable, anchored to the hash-chained audit log
  • Depth tier: 1-7 from the ladder above
  • Validity window: how long the receipt remains canonical before re-query

Source receipts are stored in PostgreSQL (source_receipts schema, migrations 032, 062, 068) and the underlying source artifacts in S3 with Object Lock and 7-year retention.

Current adapter count: 36 live (50-state plus DC verification coverage map + DEA + NPDB + Nursys + OIG + SAM + Verifiable + 5 payer adapters). ABMS + AMA on roadmap Q3 2026.

This is what makes cached-replay possible. The next time any customer asks for the same worker + same source inside the validity window, Rōvn serves the cached receipt at $0.50 instead of paying $7.50 to NPDB again. Margin compounds with network size.
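
The receipt fields, hash-chained audit log and validity window described in this section can be sketched as follows. This is an added example, not Rōvn's code or schema: the field names, SHA-256 over canonical JSON, the all-zero genesis value and the tier-5 minimum for cached replay are assumptions.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone
GENESIS = "0" * 64  # assumed chain anchor

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(receipt) -> str:
    return json.dumps(receipt, sort_keys=True, separators=(",", ":"))

def make_receipt(source, url, returned_at, body, tier, validity_days):
    # Illustrative field names mirroring the six receipt items listed above.
    if not 1 <= tier <= 7:
        raise ValueError("depth tier must be 1-7")
    return {"source": source, "source_url": url,
            "source_timestamp": returned_at.isoformat(),
            "result_hash": sha256_hex(body),  # content address of the artifact
            "depth_tier": tier, "validity_days": validity_days}

def append_entry(log, receipt):
    # Each entry commits to the previous entry hash, so later edits break the chain.
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"prev_hash": prev, "receipt": receipt,
             "entry_hash": sha256_hex((prev + canonical(receipt)).encode())}
    log.append(entry)

def verify_chain(log):
    # Index of the first entry that fails replay, or -1 if the chain is intact.
    prev = GENESIS
    for i, e in enumerate(log):
        expected = sha256_hex((prev + canonical(e["receipt"])).encode())
        if e["prev_hash"] != prev or e["entry_hash"] != expected:
            return i
        prev = e["entry_hash"]
    return -1

def servable_from_cache(receipt, artifact, now, min_tier=5):
    # Replay only if fresh, tier >= min_tier (assumed policy), and artifact matches.
    issued = datetime.fromisoformat(receipt["source_timestamp"])
    fresh = now < issued + timedelta(days=receipt["validity_days"])
    return (fresh and receipt["depth_tier"] >= min_tier
            and sha256_hex(artifact) == receipt["result_hash"])

# Constructed sample data (not real source responses or URLs).
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
BODY = b'{"license":"RN-000000","status":"active"}'
R1 = make_receipt("state board", "https://board.example/lookup", T0, BODY, 5, 30)
LOG = []
append_entry(LOG, R1)
```

A receipt past its validity window, below the minimum tier, or whose stored artifact no longer hashes to `result_hash` is refused for replay, and any edit to a logged receipt makes `verify_chain` return that entry's index.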


Workers control which facilities can read which fields, for how long. Mechanics:

  • Default privacy posture is private. Nothing is public unless the worker opts in.
  • Public-slug profile at /p/{slug}, opt-in toggle, worker-defined field visibility.
  • Per-facility consent grants: the worker grants Facility A access to the credential set Facility A needs to evaluate hire eligibility; the grant is time-boxed and revocable.
  • Per-API consent: when a third-party app reads from Verified API on the worker's behalf, the worker sees the request, sees what fields are returned, and can revoke.

The audit log captures every read. Consent events are first-class schema artifacts (in scaffolding; UX in progress, see Truth Tiers ledger in PRODUCT_OVERVIEW.md).

The principle is non-negotiable: the worker owns the data; Rōvn is the rail.


5. Portability: The Record Travels

This is the structural moat. A symplr or Modio record dies when the worker leaves the facility's roster. A Rōvn Passport persists.

What travels with the worker:

  • All verified credentials and license attestations
  • All source receipts with depth tiers
  • Continuous-monitoring subscriptions the worker has opted into
  • Renewal cadence and expiration timelines
  • Network history: which facilities the worker has worked at (worker-controlled visibility)
  • Privacy preferences and consent grants

When Facility B onboards a worker who already has a Passport built at Facility A:

  • Facility B does not re-pay NPDB / DEA / state board queries inside the validity window
  • Facility B reads cached, tier-labeled receipts at cached-replay pricing
  • Facility B's credentialing committee still reviews and approves; the human decision step is unchanged
  • The 78-day direct-hire RN credentialing window compresses dramatically

This is how credentialing stops being a repeated cost and starts being a reusable network asset.


6. The AI Surface on the Worker Side

Nine AI surfaces, all compressing the work. None making credentialing, privileging, hiring, or clinical decisions.

  1. Onboarding Assistant: guides Passport build, flags missing credentials before they cost a job
  2. Document Intake: OCR/LLM extracts structured fields from worker-uploaded credentials
  3. Renewal Reminder: surfaces upcoming license / certification / immunization expirations
  4. Opportunity Match: surfaces facility roles the worker's Passport already meets requirements for (readiness match)
  5. Privacy Controls: worker chooses which facilities can read which fields, time-boxed
  6. Verification Coverage Map: shows the worker which sources are verified, which are stale, which are missing
  7. Portable Receipts: worker can share a tier-labeled receipt to any facility, payer, or app
  8. Continuous Monitoring Opt-in: worker enables source subscriptions for proactive renewal flags
  9. Earnings / Hours Dashboard: for marketplace workers, surfaces facility-direct opportunities

AI chain: AWS Bedrock → Anthropic Claude (Haiku 4.5) under BAA → Rōvn backend on ECS. (07.3 AI Architecture: AWS Bedrock under BAA → Anthropic Claude Haiku 4.5 under BAA → Rōvn ECS under BAA; Haiku 4.5 chosen for cost + latency + BAA chain.) AI advisor: Opus 4.7 via beta tool, ZDR-eligible. Every advisor call logs to ai_runs with token cost capture.

The Golden Rule applies everywhere: AI operates the workflow. Source systems prove the facts. Humans make every regulated decision.


7. What's Live Today

Grep-verifiable against app/main.py and the migrations directory:

  • Worker signup + intake (/start), LIVE
  • Worker wallet UI (/wallet, /network), LIVE
  • Worker auth v2 (Cognito-backed), LIVE
  • AuthKit integration, LIVE
  • Worker profile v2 schema (migrations 070, 071), LIVE
  • Public profile /p/{slug}, LIVE
  • Identity verification (Persona IAL2), LIVE
  • License catalog, LIVE
  • Document upload + immunization records, LIVE
  • Network apply (worker → facility), LIVE
  • Worker referral / network growth, LIVE
  • Source authority rails plus the 43-role, 51-jurisdiction coverage map, LIVE
  • Hash-chained audit log with S3 Object Lock 7-year retention, LIVE
  • MCP server at passport.rovn.to/mcp with zero-PHI lookup tool, LIVE

In progress (PARTIAL):

  • Verification coverage map UI
  • Continuous monitoring (Nursys e-Notify) full subscription flow
  • Renewal reminder UX (schema live, UX pending)

Roadmap (TARGET):

  • ABMS + AMA adapters (Q3 2026)
  • CMS PECOS direct integration
  • Worker premium SKU ($9.99/$24.99), post-launch upside, not in base case

8. The Truth Boundary

This memo's procurement-safe boundary, restated:

| What AI does | What sources do | What humans do |
|---|---|---|
| Extracts structured fields from uploaded documents | Return the regulated record of truth (NPDB, DEA, ABMS, state board, OIG, SAM) | Approve credentialing |
| Crosswalks worker-attested data against source returns | Provide source name, URL, timestamp | Approve privileging |
| Flags anomalies and inconsistencies for human review | Anchor depth tiers 5-7 | Approve hire |
| Compresses the privileging packet for committee review | Persist receipts under hash-chained audit | Make clinical decisions |
| Surfaces renewal cadence and readiness matches | Cache results within validity windows | Grant or revoke consent |

That boundary is the procurement-gold version of how the Passport works. It is the version every facility GC, CMO, and compliance officer signs off on.


9. Why the Passport Wins

Three reasons.

  1. Worker ownership is the structural inversion incumbents cannot copy. Facility-silo products (symplr, Modio, Medallion) cannot become a worker-owned network without burning their existing customer base. The inversion is one-directional.

  2. Cached source receipts compound. Each Passport that gets built adds inventory to the cache. The next facility that hires that worker pays cached-replay pricing. Margin scales nonlinearly with network size.

  3. The depth-label ladder is procurement-safe. Auditors get a replay-able evidence chain. CMOs get a compression layer that does not violate the regulatory regime. MSO directors get their 78-day window compressed without losing committee authority.

The Passport is the worker side of the rail. The facility workflow layer is the facility side. The Verified API is the developer side. Same network. Same evidence model. Same Golden Rule.

"Rōvn turns credentialing from a repeated cost into a reusable network asset."


AI queries route through AWS Bedrock · Anthropic Claude (Haiku 4.5) under BAA · zero-data-retention posture · no PHI in prompts.