Governance framework that binds four-family validation evidence (counts, sums, hashes, cross-source) to named human signatures per facility per fiscal period. Materiality thresholds per domain. Three-tier exception handling. Monthly cadence post-cutover. Stored in KMS-signed immutable audit archive. PHI-safe by construction.
Validation produces evidence. Reconciliation is the governance discipline that turns evidence into signed accountability — and into the audit-defensible record that survives HIPAA, Joint Commission and SOX cycles for years after cutover.
A healthcare migration that produces a successful Fusion go-live without a signed reconciliation pack is not done. Three audit families will eventually ask for proof: HIPAA accounting-of-disclosures (every read of PHI during migration and post-migration logged with patient pseudonym, user, timestamp, scope, purpose, recipient); Joint Commission record retrieval (7-year financial and operational substantiation against the source-of-truth at the time of service); SOX (7-year financial-controls retention with chain-of-custody back from a Fusion journal to the originating Allscripts charge). The allscripts / veradigm migration reconciliation framework produces the single canonical pack that satisfies all three.
The framework defines materiality thresholds per domain — typically charge totals reconcile to the cent and headcount reconciles exactly, while supply consumption can absorb $0.01 rounding per item-category-period. It names the three-tier exception handling: immaterial variances get a signed acceptance note; material variances with documented root cause get an exception ticket and re-reconciliation; material variances without documented root cause block sign-off and escalate to the migration steering committee. No facility cuts over until tier-three issues are resolved or formally downgraded.
The reconciliation pack itself is PHI-safe by construction — counts, sums, hashes, pseudonymized tokens and facility-level / fiscal-period-level aggregates only. Where investigation requires patient-level inspection, a separate KMS-controlled audit interface de-pseudonymizes under explicit privacy-officer authorization and logs the read. The signoff-grade reconciliation evidence and the investigation-grade evidence are separated by access control but stored in the same immutable archive. Both are KMS-signed and timestamped via RFC 3161, so the chain-of-custody is cryptographically defensible against any future audit challenge.
The framework is documentation plus governance plus immutable storage — six artifacts that every facility cutover produces.
Charge totals: cent-perfect. Contractual adjustments: cent-perfect per payer per period. Supply consumption: $0.01-per-item-category tolerance. Clinician headcount: exact. Asset value: exact. Documented and signed.
JSON + PDF: row counts, sums, hashes, cross-source consistency per domain. Mismatch register. Exception tickets. Acceptance notes. CFO + CHRO + biomed + privacy signatures.
Per-mismatch JSON: tier (immaterial / material-known / material-unknown), root cause if known, exception-ticket ID, re-reconciliation run reference, accepting stakeholder signature.
S3 Object Lock (or equivalent). RFC 3161 timestamping. KMS-managed key signatures. Retention policy aligned to HIPAA + state + Joint Commission + SOX.
Monthly for first 6 months post-cutover; quarterly for next 12 months; semi-annually for active reporting window. Annual chain-of-custody sample-reconciliation against the compliance archive.
Sunrise (Altera) acute stream reconciled separately from Veradigm ambulatory stream. IDN-level consolidated countersignature rolls both streams to the consolidated Fusion ledger.
The framework runs once per facility cutover with full intensity, then settles into a monthly-then-quarterly cadence aligned to Fusion financial close.
Per-domain materiality thresholds drafted with CFO and signed. Signatory roster confirmed per stream (acute CFO, ambulatory CFO, CHRO, biomed director, privacy officer, IDN CFO). Three-tier exception handling rules documented. Cadence schedule confirmed.
Full four-family validation runs against the cutover-cycle financial close. Mismatches triaged into the three-tier register. Tier-three issues escalated to steering committee for resolution before cutover sign-off.
Per-facility reconciliation pack assembled. CFO, CHRO, biomed director, privacy officer signatures collected. IDN-level CFO countersignature collected for consolidated. Pack KMS-signed and stored in immutable archive.
Each Fusion financial close month-end triggers a four-family reconciliation against the legacy GL (now read-only) and against the Allscripts compliance archive for the same period. Reconciliation packs signed monthly per facility.
Cadence drops to quarterly for months 6-18, semi-annually thereafter. Joint Commission, SOX and HIPAA audit cycles trigger their own reconciliation passes on the records in audit scope. Annual chain-of-custody sample-reconciliation against the compliance archive. All packs signed and immutably stored.
The artifacts that show up in a Joint Commission or HIPAA OCR audit — and the evidence that survives every challenge.
Stored immutably in S3 Object Lock with RFC 3161 timestamps. CFO + CHRO + biomed + privacy signatures cryptographically verifiable years later.
Every mismatch above immaterial threshold has a documented root cause, exception ticket, and re-reconciliation evidence. No undocumented variances.
From source-side SHA-256 hash on Sunrise replica through extraction manifest through Fusion load to post-load Fusion hash. Bit-for-bit verifiable end-to-end.
Sunrise (Altera) acute stream evidence separated from Veradigm ambulatory evidence. IDN-level consolidated countersignature. Audit can trace each stream independently.
No PHI in the signoff-grade pack — only counts, sums, hashes, pseudonymized tokens. Circulatable to audit committee and external auditors without HIPAA exposure.
Monthly packs for 6 months, quarterly for 12 months, semi-annually thereafter — full multi-year evidence trail aligned to HIPAA 6-year, state retention and SOX 7-year requirements.
Allscripts / veradigm migration reconciliation is the governance framework that takes the four families of data validation (counts, sums, hashes, cross-source consistency) and binds them to a named human signature per facility per fiscal period — and to a documented exception-management process for any de-minimis variance the team is willing to accept. Validation produces evidence; reconciliation is what the CFO, CHRO, biomed director and privacy officer sign. The framework defines materiality thresholds per domain (typical: charge totals must reconcile to the cent; supply consumption can absorb $0.01 rounding per item-category-period; clinician headcount must reconcile exactly), names the escalation path for any variance above threshold, and produces a single canonical reconciliation pack stored in the immutable audit archive. The framework also names the periodic re-reconciliation cadence — typically monthly close for the first six months post-cutover, quarterly thereafter.
By treating them as separate reconciliation streams that converge at the IDN-level signoff. A health system running Sunrise (or Altera Sunrise) for acute care and TouchWorks / Practice Fusion / Professional EHR for ambulatory reconciles each stream independently. The Sunrise stream reconciles acute charges, supply consumption and clinician records against the Fusion business unit holding acute. The ambulatory stream reconciles ambulatory charges, scheduling-driven encounters and ambulatory provider tables against the Fusion business unit holding ambulatory. The IDN-level reconciliation rolls both streams to the consolidated Fusion ledger. The framework explicitly names which CFO or CFO delegate signs which stream — typically the acute CFO signs the Sunrise stream, the ambulatory operations CFO signs the ambulatory stream, the IDN CFO signs the consolidated. This mirrors the contract reality post-2022 split where the support relationships are also separate.
Three-tier handling. Tier one (immaterial) — variances below the per-domain materiality threshold (typical $0.01 per item-category-period for supply consumption, zero for charge totals and headcount) are documented in the reconciliation pack with an explicit acceptance note and signed acknowledgment by the relevant stakeholder. Tier two (material, root-cause-known) — variances above threshold with a documented root cause (e.g., a known Sunrise encounter-merge edge case) get an exception ticket, a corrective extract or load, and a re-reconciliation run before sign-off. Tier three (material, root-cause-unknown) — variances above threshold without a documented root cause block sign-off and trigger an escalation to the migration steering committee. The framework requires that no facility cutover until tier-three issues are resolved or downgraded to tier two with explicit acceptance. The exception register is itself part of the reconciliation deliverable.
The reconciliation pack itself contains no PHI — only counts, sums, hashes, pseudonymized tokens and facility-level / fiscal-period-level aggregates. This is deliberate so the pack can circulate to the audit committee, external auditors and the CFO's executive team without HIPAA exposure. Where deeper investigation requires patient-level inspection (e.g., a tier-three variance traces to a specific encounter), the investigation runs through a separate KMS-controlled audit interface that de-pseudonymizes the token under the privacy officer's explicit authorization and logs the read to HIPAA accounting-of-disclosures. The reconciliation framework explicitly separates the signoff-grade reconciliation evidence (PHI-safe) from the investigation-grade evidence (PHI-aware, logged, audit-trailed). Both are stored in the immutable archive but with different access controls.
Monthly for the first six months post-cutover. Each month-end financial close in Fusion gets a full four-family reconciliation against the corresponding Allscripts-side period (Allscripts continues firing into the legacy GL in parallel, frozen and read-only after cutover) and against the Allscripts compliance archive for the same period. After six months the cadence drops to quarterly for the next year, then semi-annually for the duration of the active reporting window. The compliance archive itself is reconciled annually against a sample of retrieved records to confirm chain-of-custody integrity. Joint Commission and SOX audit cycles trigger their own reconciliation passes on the records covered by the audit scope. The reconciliation framework names the cadence per audit family per facility so the operations team knows what runs when and who signs.
Yes. dbMotion (now Veradigm Connect) maintains a unified patient identity across Sunrise, TouchWorks, Professional EHR, Practice Fusion and any external EHRs federated into the dbMotion master patient index. The reconciliation framework runs cross-source consistency family-four checks against dbMotion: for any encounter that exists in multiple Allscripts/Veradigm products, the dbMotion unified identity should resolve to a single Fusion-side KMS-pseudonymized token. Identity drift surfaces as a reconciliation failure with the dbMotion identity audit trail attached. This catches a class of error that purely Fusion-side reconciliation cannot detect — the case where two different Allscripts-side encounters refer to the same patient under different MRNs and end up on the Fusion side as two distinct customer records. The dbMotion cross-source check has caught real identity-drift issues in production migrations that other validation classes would have missed.
Per facility per fiscal period, four named signatures. The CFO (or facility CFO delegate) signs the financial reconciliation — charges, contractual adjustments, payer AR, supply spend, asset value. The CHRO signs the HCM reconciliation — clinician headcount, provider tables, credentialing license-expiry dates, department assignments. The biomed director signs the asset reconciliation — medical-device asset count, asset value, maintenance history. The privacy officer signs the PHI-handling reconciliation — every read of PHI during the reconciliation period logged with accounting-of-disclosures evidence. For multi-facility IDNs, the IDN-level CFO countersigns the consolidated pack. For the 2022-split scenario where acute and ambulatory CFOs are separate humans, the framework names each per stream. Signatures are timestamped, KMS-signed, and immutable in the audit archive.
The framework treats the Sunrise data extraction path as a single reconciliation stream regardless of whether the Sunrise system is currently under Allscripts (pre-split contracts) or under Altera Digital Health (post-split contracts). The underlying Sybase or SQL Server schema and Sunrise Financial Manager overlay continue to operate as they did pre-split, so the technical reconciliation logic is unchanged. What changes is the support escalation path — for tier-three mismatches that trace to a vendor-side issue, the escalation goes to Altera Digital Health rather than to Veradigm. The framework names the escalation contact per stream so the operations team knows who to call. For health systems that previously kept Sunrise under Allscripts and have since moved support to Altera, the reconciliation framework re-points the escalation path without re-running any reconciliation logic. The data continues to reconcile correctly because the underlying schema didn't change.
Governance framework binding four-family validation to named human signatures per facility per period. Three-tier exception handling. KMS-signed immutable storage. Monthly post-cutover cadence. Audit-defensible against HIPAA, Joint Commission and SOX for years after cutover.