FAQ: TAP, HTI-1 & Clinical Data Compliance

How TAP Intake (written scope) and TAP Assessment (pay + schedule) fit together, what a Starter Audit includes, and how we validate FHIR, USCDI, and privacy engineering—plus deep-dive technical questions.

Questions buyers and engineering leads ask before and during a TAP engagement

Getting started with TAP

TAP is our structured technical audit for health IT teams: we test interoperability and privacy-critical behavior, document evidence, and give you a prioritized remediation backlog plus re-scan verification after fixes (see our one-pager for the full deliverable list—HTI readiness scorecard, evidence packet, board-ready summary, etc.).

TAP produces technical diagnostics and evidence, not legal opinions. ONC certification decisions remain with ONC-ACBs.

TAP Intake is the structured form you complete so we can scope endpoints, constraints, and evidence expectations (submitted via your email client—nothing stored on the website).

TAP Assessment is the hub for payment (Stripe—Google Pay or card) and scheduling (Google Calendar) once you are ready to move forward.

Why two steps? Intake captures technical scope without tying it to a card or calendar. Assessment bundles checkout and booking so money and time live in one audited flow. Between them you may have a short intro or email thread—that is normal; you do not need “intake complete” before a conversation, but we need intake before we can quote a Starter Audit or lock scope in a SOW.

Typical flow: optional short intro (email or call) to confirm fit → complete TAP Intake so we can size the work in writing → use TAP Assessment when you are ready to pay and hold time on the calendar → we align on a SOW for a Starter Audit or advisory engagement.

Do I need intake before we talk? No. Reach out, or book through assessment, if you already know you want to proceed. Intake is the structured artifact we need before we can issue a fixed-fee quote or fix audit scope; it is separate from any optional discussion.

If you are still exploring requirements, skim Regulations for engineering context and Privacy Laws for jurisdictional overview—then come back to intake.

Starter Audit fixed-fee TAP engagements start at $3,000, consistent with our strategic one-pager. Exact scope, assumptions, and deliverables are confirmed in a signed SOW before billable work.

Need a shorter executive snapshot first? The one-pager is the best single artifact to share internally.

Certification & interoperability (HTI, USCDI, FHIR): start with Regulations (engineering context), then deep dives in Regulatory Hubs and the HTI-1 through HTI-4 & USCDI v3/v4 implementation guide.

Privacy statutes & frameworks: see Privacy Laws, US State Laws, and International Laws. See the MHMDA engineering protocols when Washington consumer health data is in scope.

Technical audit vs security audit & regulatory context

SOC 2 and many security audits focus on controls—policies, access, encryption, vendor risk. TAP focuses on whether your clinical interoperability and safety-critical logic behave correctly under HTI/USCDI expectations: FHIR resources, CDS/DSI traceability, clinical workflows, and evidence you can show an ACB or payer.

Think: security auditors stress-test your locks; we stress-test whether your sepsis alert logic and data exchange hold up—not only whether the firewall is on.

No, we do not provide legal advice. We provide technical implementation advice: we translate requirements from legal, privacy, and compliance stakeholders into testable checks, pipelines, and AWS/Azure/GCP configurations. We are the how, not the law.

The HTI rules (HTI-1 through HTI-4) set certification and interoperability deadlines for certified Health IT. Applications that connect to certified systems (e.g. Epic, Cerner) must keep pace with US Core and USCDI v3/v4 expectations—or risk failed integrations, blocked deploys, or certification problems. View current ONC certification deadlines.

Privacy engineering & de-identification

Yes, de-identification is a core specialty. We architect NLP-driven pipelines using SQL tooling, Redgate, and Google Cloud Healthcare APIs, and we evaluate Azure Health Data Services and AWS Comprehend Medical where they fit. Compare Azure, AWS, and Google Cloud Healthcare APIs.

Different data types: Redgate and SQL masking excel at structured columns (demographics, billing codes, SSNs). Cloud APIs excel at unstructured clinical text.

Together: Redgate for dev/test copies and referential masking; cloud APIs for note-level de-ID before the lake. We routinely combine SQL, Redgate, and Google Healthcare APIs. Full comparison.

EHR, automation & multi-cloud operations

We audit Decision Support Intervention (DSI) logic so source attributes, training data provenance, and behavior are traceable against federal transparency expectations (including (b)(11)-class requirements).

"At Providence, Terry led validation of Early Warning Systems for Sepsis and MEWS in Epic—mapping clinical triggers to protocols, supporting standard-of-care implementation and over $13M in annual operational savings through improved stability."

Static dummy data misses edge cases. We design automated pipelines that feed lower environments and CRM instances with high-fidelity, de-identified clinical datasets.

"Automated ETL de-identification for Providence and Opala hydrated CRM and non-prod environments daily with Safe Harbor–style datasets—realistic scenarios, zero PHI breach risk."

Yes: we reduce manual regression testing through structured break-fix analysis and automated end-to-end (E2E) coverage for major EHR releases.

"During the Epic ICD-10 migration, ISTQB-style automation validated hundreds of apps—~20,000 hours of manual testing automated, $2.5M saved, zero downtime through a major US regulatory transition."

Yes: platform choice should not dictate whether you can govern your data. We build in-place de-identification and governance patterns that run across AWS, Azure, and GCP.

"At Opala, AWS-to-Azure migration work cut infrastructure costs by 55% while maintaining payer–provider interoperability standards."

TAP engagements, pricing & policies

You're not hiring a vendor; you're hiring a coach, mentor, trainer, validator, and best-practices expert who can work with you at the C-suite level or down to engineers and QA. We publish transparent pricing aligned with how lean HealthTech teams actually buy TAP (Technical Audit Protocol) work.

Getting started:

Free 15-minute intro: A no-obligation fit check.

TAP Intake: Structured scoping via the intake form so we can size endpoints, constraints, and evidence expectations.

TAP Assessment: Pay (Stripe—Google Pay or card) and schedule on Google Calendar when you are ready to move forward.

Fixed-fee TAP (Technical Audit Protocol):

Starter Audit — from $3,000: Entry fixed-fee TAP engagement with evidence-ready diagnostics (aligned with our one-pager). Technical diagnostics and evidence, not legal advice; certification decisions remain with ONC-ACBs.

Advisory & time-and-materials (when scoped):

Fractional advisory: typically $199–$299/hour depending on commitment and scope. Rates are confirmed in writing before work starts.

10-hour blocks: $249/hour when purchased as a 10-hour block.

Retainers: Custom retainers for milestones, remediation support, or ongoing checkpoints.

Work that involves PHI or broader scoped validation uses a signed NDA and BAA as appropriate. All fees are documented in the SOW before billable work begins.

vs. large consultancies: You avoid enterprise overhead, long sales cycles, and junior staff doing the work. You get a senior practitioner who has validated 20M+ healthcare records and led compliance at scale, without the big-firm markup.

vs. boutique firms: You get the same deep expertise, but with a fractional model built for startups: milestone-based engagements, no long-term lock-in, and pricing that fits early-stage budgets.

You get direct principal-level access: FHIR pipelines, HTI/USCDI validation, $13M documented cost-avoidance leadership, and zero critical or high defects in production under our QA discipline over 15 years—not a bench of junior analysts.

We typically respond within 48 hours. For active engagements, response expectations are documented in the SOW.

We keep a limited client load so each TAP or advisory engagement gets focused attention. If you need faster turnaround, say so during TAP Intake or when coordinating through TAP Assessment.

Specific terms, including response-time SLAs, are documented in the signed SOW or engagement agreement.

Yes. If you do not find value in the engagement, or if the audit surfaces no critical findings within scope, we work with you to make it right, including refunds of fees where our agreement allows.

We aim to earn trust through results and evidence, not lock-in. Specific guarantee language lives in your signed agreement.

Specific terms and conditions are documented in the signed SOW or engagement agreement.

Start with TAP Intake—or go straight to assessment

Starter Audit TAP engagements start at $3,000 fixed fee (see one-pager). Intake captures scope in writing; assessment is checkout + calendar—not a duplicate “contact us.”

