Arkansas in 2018 required monthly individual reporting through a web portal. Georgia in 2025 emphasizes quarterly automated data matching with employer payroll systems. Both enforce 80-hour monthly work requirements. The coverage outcomes diverge dramatically: Arkansas lost 25% of expansion enrollment while Georgia maintained stability. The difference is verification architecture, the regulatory infrastructure determining who submits proof of compliance, what documentation counts, and what happens when systems fail. States designing these systems for December 2026 implementation face a binary choice about where to place the burden of proof, and that choice determines coverage outcomes more than any employment policy.
Constitutional and Legal Framework#
Federal law requires states to verify work requirement compliance but does not prescribe verification methods, leaving architecture decisions to state regulators within CMS waiver parameters. Constitutional due process requires that coverage termination follow adequate notice and opportunity to respond, constraining how quickly states can act on verification failures. Section 1115 waiver terms typically require states to demonstrate that verification systems provide meaningful compliance opportunities rather than creating documentation barriers that function as coverage restrictions. The legal distinction between verification as compliance support and verification as coverage gatekeeping frames CMS review of state waiver applications. States must also navigate federal privacy requirements including HIPAA for health data, FERPA for educational records (34 CFR 99.31), and 42 CFR Part 2 for substance use disorder treatment information when building data-sharing infrastructure across multiple verification sources.
Core Regulatory Choices#
The foundational decision is whether verification flows through distributed submission authority or centralized individual reporting. Distributed systems delegate verification to employers, educational institutions, managed care organizations, and community partners who submit compliance data directly to state systems. This removes reporting burdens from the 18.5 million expansion adults subject to requirements but demands that states build multi-channel data infrastructure, credential thousands of submitting organizations, and manage submission quality across diverse entities.
Centralized individual reporting makes each person responsible for gathering and submitting their own documentation monthly. This simplifies state systems by creating single submission pathways, but Arkansas demonstrated conclusively that it creates verification failure cascades. People who worked sufficient hours lost coverage because they could not navigate online reporting, particularly older adults without digital literacy and rural residents with unreliable internet access.
Large employer integration through payroll system APIs (ADP, Gusto, Paychex, Workday) could verify work for 40-50% of expansion adults through perhaps 5,000 to 10,000 employers, creating automation for half the affected population. Small employers require alternative pathways: web portals for motivated small businesses, industry association intermediaries for sectors with strong trade groups, MCO intermediaries for members whose employers resist direct reporting, and simplified attestation as last resort.
Self-employment verification creates particular tension between autonomy and documentation requirements. Someone running a small business or freelancing may generate income without producing conventional employment records. The recommended approach combines quarterly tax evidence with monthly self-reported hours backed by moderate audit rates of around 15%, accepting some verification uncertainty rather than excluding the self-employed through documentation impossibility.
Gig economy workers present growing verification challenges since platform companies resist employer classification. Platform data-sharing agreements, where companies like Uber and DoorDash transmit logged hours in exchange for safe harbor liability protections, offer the cleanest resolution. Bank statement verification and self-attestation with elevated audit rates provide fallback pathways when platform partnerships fail.
Trust and Burden Framework#
Verification architecture is ultimately a statement about whether states trust people or suspect them. Distributed systems assume most expansion adults are working or qualifying for exemptions and need infrastructure support rather than surveillance. Centralized systems assume individuals bear responsibility for proving compliance and that state systems should verify rather than facilitate. The burden distribution follows directly: distributed approaches shift costs to organizations with capacity to absorb them (employers through payroll integration, MCOs through capitation-funded navigation, educational institutions through existing enrollment systems), while centralized approaches concentrate burden on individuals least equipped to handle complex bureaucratic compliance.
Seasonal work patterns expose the trust framework most clearly. Agricultural workers, tourism employees, and construction workers in harsh climates face months with zero hours and months exceeding 200. Hour banking, where excess hours above 80 carry forward to cover off-season months, acknowledges economic reality through accounting flexibility. States refusing banking force seasonal workers into off-season exemption applications despite predictable return to employment, revealing whether the system is designed to accommodate work patterns or to catch non-compliance.
Interdependencies and Critical Paths#
Verification architecture depends on delegation frameworks (7D) establishing safe harbor protections that incentivize employer and provider participation. Without liability clarity, the distributed submission model cannot function because potential submitters refuse to participate. Coordination rules (7C) determine verification frequency, grace periods for missed submissions, and what happens during system failures. Exemption architecture (7A) intersects at every point where someone transitions between exempt and subject-to-requirements status, requiring verification systems to track changing compliance obligations. Data sharing agreements with employers, payroll processors, educational institutions, and gig platforms must be finalized months before system development begins, creating sequential dependencies that compress the already tight implementation timeline.
Series 11 Population Accommodations#
Geographic and digital isolation (11I) makes online-only verification portals inaccessible to rural populations, replicating Arkansas’s failure pattern. Limited English proficiency (11J) requires multilingual verification interfaces and navigation support. Serious mental illness (11B) and substance use disorders (11C) create cognitive and executive function barriers to monthly self-reporting even when work capacity exists. The communication architecture surrounding verification, including notification timing, channel diversity, language access, and literacy accommodation, determines whether populations with these characteristics receive realistic compliance opportunities or face systematic exclusion through procedural barriers.
Implementation Timeline Realities#
Building distributed verification infrastructure requires employer credentialing systems, API development for payroll integration, multi-channel submission portals, gig platform partnership negotiations, and data security frameworks. Each component involves procurement, development, testing, and deployment cycles that typically require six to nine months. States must simultaneously develop communication systems in multiple languages, train eligibility workers on new processes, and establish audit frameworks. The December 2026 deadline means states need finalized policy decisions by spring 2026 to allow sufficient development time, a timeline that many states have not yet begun to meet.
Bottom Line#
The verification question is deceptively simple: who proves that work requirements are being met? But the answer determines whether requirements function as employment promotion or as documentation traps. Arkansas proved that placing verification burden on individuals creates coverage loss from reporting failure, not work failure. States choosing distributed verification with individual self-reporting as backup create realistic compliance pathways. States choosing centralized individual reporting replicate the architecture that produced Arkansas’s 25% coverage loss. The evidence is unambiguous about which approach protects coverage while maintaining accountability.