Appendix #13 — Automated provider authorization
Front: Single Authorization System (Resolution 3100/2019 and related rules) — response to the challenge of how ARTERIA eliminates the documentary friction, the intermediary consultants and the regulatory opacity that the current model sustains.
1. The current problem of the Single Authorization System
Resolution 3100 of 2019 of the Ministry of Health establishes the minimum criteria for a health service provider (IPS, independent professional, medical transport) to be authorized. The standards cover seven areas:
- Human talent — diplomas, ReTHUS, vaccination certificates, continuing education
- Infrastructure — licenses, sanitary concepts, emergency plans
- Equipment — biomedical equipment (INVIMA registries, maintenance, life records)
- Medicines, medical devices and supplies — registries, expiration control, pharmacovigilance, technovigilance
- Priority processes — biosafety, sterilization, waste management, consents, referral/counter-referral, safe practices
- Clinical records and registries — informed consents, custody, formats
- Service interdependence — when applicable
Each provider must produce, keep updated and make available for inspection a documentary folder with typically 40-200 documents, depending on the complexity of the service. For an individual dental office this is ~40 documents; for a medium-complexity hospital IPS it can exceed 500.
1.1. The real documentary friction (documented case)
For an individual dental office (documented case of technical review with a consultant specialized in documentary management, December 2025), the typical current process is:
- The provider hires an external consultant specialized in authorization (cost between 3 and 15 million COP).
- The consultant collects information from the provider (interviews, forms to fill out).
- The consultant produces ~40 documents in Word, Excel and PDF formats: protocols, procedures, registry forms, manuals.
- The consultant delivers the documentary folder to the provider (CD, USB or email).
- The provider signs a delivery record assuming responsibility for keeping it updated.
- When there is an inspection, the provider must show the folder physically or as a digital archive.
1.2. The structural problems that this practice conceals
a) Documents frozen at the moment of delivery. Regulations change (resolutions, INVIMA circulars, MinSalud updates), but the provider's documents remain in the version from the time of the consultancy. After one or two years, most of them are out of date.
b) Information fragmented in non-queryable files. The inventories of medicines, biomedical equipment and maintenance records live in the provider's local Excel files. They do not feed any aggregated national health information system. INVIMA, MinSalud and the territorial Health Secretariats have no aggregated visibility.
c) Industry of consultants as intermediaries. Each provider pays for documentation that for the most part is identical to that of other providers of the same profile (same protocols, same generic procedures). It is an industry of copy and paste with logo customization, monetized by the friction that the current system does not resolve.
d) No traceability of real compliance. The consultant delivers well-made documents; the provider signs an acceptance record. But the system does not verify whether the provider is actually applying the procedures. Periodic inspection is the only way to verify, and inspection reviews folders, not real operation.
e) Sanctions for being out of date. When inspection detects outdated documents, the provider is sanctioned. The regulation changed, the provider was unaware, the original consultant is no longer responsive, and the sanctions arrive.
f) Data in silos invisible to the national health system. The dental office has its registry of staff vaccinations, its verified sanitary alerts, its pharmacovigilance reports. But all of that dies in local Excel files that never reach the INS, INVIMA or aggregated MinSalud.
1.3. Magnitude of the problem
Colombia has approximately 60,000 authorized providers among IPS, independent professionals, medical transport and complementary offerings (REPS figure, MinSalud). If the median cost of documentary authorization is 5 million COP per provider, and it is renewed every 4 years, the system absorbs on the order of 75 billion COP annually in documentary consultancy, without producing aggregated information usable for national health intelligence.
2. What ARTERIA does structurally differently
ARTERIA does not add another layer on top of the current documentary system. It replaces the documentary model with a model of cryptographically signed events over a live catalog of regulatory criteria.
2.1. Regulatory catalog as code
Resolution 3100/2019 and all related rules (modifying resolutions, MinSalud circulars, applicable INVIMA regulations) are maintained as a queryable data structure, not as loose PDFs. Each regulatory criterion is a node of the catalog with a stable identifier, verbatim regulatory text, applicability by service type and complexity, validity, and traceability of modifications.
When MinSalud issues an amendment, the catalog is updated centrally. All providers are notified immediately through the system, without requiring manual notification or dependence on the original consultant.
2.2. Cryptographic identity of the provider
Each authorized provider operates with a verifiable cryptographic identity. Signatures are not scans of handwritten signatures; they are verifiable cryptographic digital signatures. Each action by the provider (incorporating a piece of biomedical equipment, recording maintenance, training staff, adding a medicine to inventory) generates a signed event in the national registry.
2.3. Generic documents as resolving templates
The documents that the consultant currently produces manually are, for the most part, templates with minimal customization. ARTERIA provides them as code:
- Dental biosafety protocol → template parameterized by the provider's inventory (which disinfectants are used, which PPE is available). The provider does not write the protocol; the provider configures it in 15 minutes and the system generates the compliant document.
- Sterilization procedure → template parameterized by equipment (autoclave or not, chemical integrator in use).
- Waste management plan → template parameterized by estimated monthly volume + territorial zone.
The human consultant is freed for what really requires professional judgment: operational implementation, training, internal audit, clinical review. Not for copy and paste.
2.4. Live events instead of frozen documents
| Current document (frozen) | ARTERIA equivalent (live event) |
|---|---|
| Medicine inventory (Excel) | Stream of signed inventory events (entry, dispensing, expiration alert) |
| Active surveillance logbook | Alert verification events with timestamp and signature of the responsible party |
| Temperature and humidity registry | Automatic stream from IoT sensors, signed by registered device |
| Biomedical equipment life record | Chain of events: entry with INVIMA registry → periodic maintenance → incidents when applicable → decommissioning at end of useful life |
| Training record | Training-completed event signed by the trainer and the trainee, with course metadata |
| Informed consent | Consent event signed by patient and professional, linked to the clinical event it authorizes |
| Pharmacovigilance / technovigilance report | Event that automatically reaches INVIMA through a structured channel, without a manual screenshot of the e-reporting |
2.5. Automatic verification against the live catalog
The system continuously verifies that the provider complies with all the criteria applicable to its service profile. For example, for an individual dentist: current ReTHUS, up-to-date vaccination certificate, preventive maintenance of the dental unit in the last year, medicine inventory without expired items, all verified by automatic consultation of current registries — without manual documentary management.
The specific stable identifiers of the catalog, the exact names of event types, the cryptographic primitives underlying the signatures, and the integration protocols with INVIMA are documented in the technical repository under the control of the Foundation of the Standard (technical proposal §10).
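The following sketch, added here and not taken from the ARTERIA technical repository, illustrates sections 2.4 and 2.5: an equipment life record kept as a hash-linked chain of signed events, and a catalog criterion evaluated against that chain. The criterion identifier, event names, profile name and key are constructed, and HMAC-SHA256 stands in for the provider's digital signature, whose actual primitive this document defers to the repository; a deployment would use an asymmetric scheme so that verifiers cannot forge events.

```python
import hashlib, hmac, json
from datetime import date

# Constructed demo key. HMAC-SHA256 is a stdlib stand-in for the provider's signature.
PROVIDER_KEY = b"constructed-demo-key"
# Hypothetical catalog node: identifier, profile and rule parameters are constructed.
CATALOG = [{"id": "EXAMPLE-EQ-01", "profiles": {"dentistry-individual"},
            "event": "maintenance", "max_age_days": 365}]

def _seal(body):
    """Return (hash, signature) over the canonical JSON of an event body."""
    h = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return h, hmac.new(PROVIDER_KEY, h.encode(), hashlib.sha256).hexdigest()

def append_event(chain, etype, day, data):
    """Append an event that is linked to its predecessor's hash and then signed."""
    body = {"type": etype, "date": day, "data": data,
            "prev": chain[-1]["hash"] if chain else None}
    h, sig = _seal(body)
    chain.append({**body, "hash": h, "sig": sig})

def verify_chain(chain):
    """Return the index of the first event failing verification, or -1 if all pass."""
    prev = None
    for i, ev in enumerate(chain):
        h, sig = _seal({k: ev[k] for k in ("type", "date", "data", "prev")})
        if ev["prev"] != prev or ev["hash"] != h or not hmac.compare_digest(ev["sig"], sig):
            return i
        prev = ev["hash"]
    return -1

def evaluate(chain, profile, today):
    """Map each criterion applicable to the profile to compliant / gap / untrusted."""
    applicable = [c for c in CATALOG if profile in c["profiles"]]
    if verify_chain(chain) != -1:  # never derive compliance from an unverifiable chain
        return {c["id"]: "untrusted" for c in applicable}
    out = {}
    for c in applicable:
        dates = [date.fromisoformat(e["date"]) for e in chain if e["type"] == c["event"]]
        fresh = bool(dates) and (today - max(dates)).days <= c["max_age_days"]
        out[c["id"]] = "compliant" if fresh else "gap"
    return out

def sample_chain():
    """Constructed life record of a dental unit: entry, then one preventive maintenance."""
    chain = []
    append_event(chain, "entry", "2024-01-10", {"invima_registry": "PLACEHOLDER"})
    append_event(chain, "maintenance", "2025-03-02", {"kind": "preventive"})
    return chain
```

Editing the date of a signed maintenance event after the fact changes its hash, so the chain fails verification and the criterion is reported as untrusted rather than compliant.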
3. Migration from the current model to the ARTERIA model
The migration does not require discarding the existing documentation — it converts it into the provider's initial state in ARTERIA.
3.1. Initial loading of the provider
When a provider enters ARTERIA, its current documentation (authorization folder with its 40-500 documents) is processed:
- Structured extraction — Excel inventories are imported into the system; protocols are identified and linked to the corresponding regulatory catalog; personnel life records are linked to ReTHUS.
- Verification against the live catalog — outdated documents and gaps are identified.
- Gradual replacement — the provider, assisted by the system, gradually replaces frozen documents with live events. Generic templates are replaced automatically; customized data is confirmed.
- Final validation — when everything is in order, the provider signs its entry into the system with its national cryptographic identity.
3.2. Transition period
During a defined period (24-36 months suggested), both models coexist:
- New providers enter directly into the ARTERIA model.
- Existing providers maintain their traditional documentary authorization but can already feed events into the system. Upon renewing authorization, they opt for the ARTERIA model.
- Inspections under the traditional model continue to review documents; inspections under the ARTERIA model verify real state.
3.3. Closing of the documentary model
At the end of the transition period:
- Authorization is granted exclusively under the ARTERIA model.
- The documents of the traditional folder go to the historical archive.
- The documentary consultancy industry is reoriented toward operational auditing, clinical training, and implementation review (the functions that require real human judgment).
4. What this means for the actors
4.1. For the provider (IPS, independent professional, transport)
- Reduction in authorization cost: on the order of 60-90% depending on the service profile (the remaining costs are real operational audits, not documentary production).
- Reduction in administrative burden: the system automatically produces most of the records currently generated manually.
- Regulatory certainty: the provider knows in real time what applies and what its compliance status is.
- Lower risk of sanction for being out of date: the system flags gaps before inspection detects them.
4.2. For the territorial Health Secretariat
- Targeted inspection: it knows a priori which providers have gaps and of what type. Physical inspection is concentrated where it is needed.
- Aggregated information: it sees territorial patterns of compliance, identifies zones with specific problems.
- Coordination with other authorities: it automatically shares information with INVIMA, the INS and the Procuraduría when there are relevant non-compliances.
4.3. For MinSalud
- National health intelligence: aggregated authorization information becomes a signal of system quality.
- Evidence-based policy: regulatory decisions can be made with visibility of the impact each criterion has in practice.
- Reduction of duplication: the single regulatory catalog eliminates contradictions among resolutions, circulars and guides.
4.4. For the citizen
- Direct verification: any citizen can check whether the provider where they are receiving care is authorized and compliant.
- Increased public trust: transparency makes compliance verifiable, not declarative.
4.5. For the current consultancy industry
- Reorientation toward real value: firms that contribute professional judgment (operational auditing, clinical training, implementation review) grow; those that copy/paste generic documents disappear.
- Specialization: the market is segmented toward consultancies that effectively accompany the provider, not those that produce paperwork.
5. Articulation with the ARTERIA architecture
This functionality operates on the technical primitives of the technical document §2.4:
- Distributed infrastructure backbone — authorization events travel over the same federated network that operates the rest of the health system.
- Immutable testimony protocol — each authorization event is signed in the national DAG (directed acyclic graph), not in a manipulable central database.
- Citizen and professional client — the provider operates from the system's PWA (Progressive Web App), without requiring specialized corporate installation.
- National cryptographic identity — the provider's signature is the same one used to authorize ADRES payments, sign clinical records and certify training.
Authorization ceases to be a documentary silo and becomes a projection of the provider's operational state onto the live regulatory catalog. It is not parallel information; it is information derived from real operation, cryptographically signed.
6. Current status and next step
This functionality does not require legal reform. Resolution 3100/2019 establishes the authorization criteria; the method to accredit compliance can be updated via a MinSalud resolution without the need to modify the law. The transition is decreed at the regulatory level.
The operational pilot can begin with:
- A group of voluntary providers (10-50) in a Health Secretariat committed to the test.
- A bounded service profile (e.g., individual dentistry, which has relatively simple regulation).
- A period of 12 months with defined success metrics: reduction in authorization cost, time to update in the face of regulatory change, rate of early detection of gaps.
If the pilot performs well, nationwide scaling is decreed with a transition deadline of 36 months to bring the entire REPS to the ARTERIA model.
7. Connection with other appendices
- Appendix #02 (Data protection) — authorization information contains personal data of staff and sensitive data of operation. The ARTERIA architecture guarantees Habeas Data by design.
- Appendix #06 (Master Accounts of the subsidized regime) — Territorial Secretariats are the ones that authorize; this functionality integrates into their operational layer.
- Appendix #07 (Legacy data migration) — the initial loading of the provider into the ARTERIA model is a case of legacy migration.
- Appendix #11 (PyP + ARL) — the SGSST of companies shares technical primitives with provider authorization; both are verification of compliance against a live catalog.
Documented reference case: authorization folder of an individual dental office, ~40 documents produced by an external consultant in December 2025. Folder structure pursuant to Resolution 3100/2019: Equipment / Medicines, MD and Supplies / Priority Processes / Clinical Records and Registries. Technical analysis performed by the ARTERIA team in June 2026.