Fire.ly public FHIR R4 test server, https://server.fire.ly/r4. No API key. TAP probes /metadata and performs HTI-1 style checks when the CapabilityStatement resolves to clinical_ehr. Latency spikes on this host can intermittently trip information-blocking timing requirements; rerun if results look flaky.

FHIR endpoint audit (Fire.ly)
https://server.fire.ly/r4
PASS
Overall Score: 86/100
Endpoint Type: clinical_ehr
Sub-Reports: 1
Passing: 17
Failing: 2
| Req ID | Severity | Description | Regulatory Ref |
|---|---|---|---|
| HTI1-CAP-01 | CRITICAL | Capability statement accessible | 45 CFR 170.315(g)(10) |
| HTI1-IB-01 | HIGH | Metadata reachable without auth within 10s | 45 CFR 171.301 (Information Blocking) |
| HTI1-CAP-02 | HIGH | FHIR version is R4 | 45 CFR 170.215(a)(1) |
| HTI1-RES-01 | CRITICAL | Patient resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-02 | HIGH | Observation resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-03 | HIGH | Condition resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-04 | HIGH | MedicationRequest resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-05 | MEDIUM | AllergyIntolerance resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-06 | MEDIUM | Immunization resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-07 | MEDIUM | DiagnosticReport resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-08 | MEDIUM | DocumentReference resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-09 | MEDIUM | Encounter resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-10 | MEDIUM | Procedure resource supported | 45 CFR 170.315(g)(10) |
| HTI1-USCDI-01 | HIGH | USCDI v3 / US Core 6.x profile claim | 45 CFR 170.213 (USCDI v3) |
| HTI1-USCDI-02 | LOW | USCDI v4 / US Core 7.x readiness (forward-looking) | 45 CFR 170.213 (USCDI v4, forward-looking) |
| HTI1-IB-03 | HIGH | 8 required clinical note types accessible via DocumentReference | 45 CFR 171.301 (21st Century Cures Act) |
| HTI1-IB-02 | MEDIUM | Bulk export ($export) capability | 45 CFR 170.315(g)(10) |

| Req ID | Severity | Description | Regulatory Ref |
|---|---|---|---|
| HTI1-CAP-03 | CRITICAL | SMART on FHIR configuration endpoint. Deploy a SMART on FHIR authorization server and expose /.well-known/smart-configuration with authorization_endpoint and token_endpoint populated. Options: Keycloak, Azure AD B2C, Auth0 with FHIR scopes. | 45 CFR 170.315(g)(10)(i) |
| HTI1-CAP-04 | HIGH | SMART scopes advertised. Configure the authorization server scopes_supported to include: launch/patient, openid, fhirUser, and at least one patient/*.read scope. | 45 CFR 170.315(g)(10)(ii) |

Engage TAP for your endpoints
Current SKUs · per endpoint pricing · 2026

This Firely sample shows a single endpoint at 86/100. A real engagement covers your live endpoints, your HIPAA posture, and applicable state laws. Pick the SKU that matches where you are.

| SKU | Name | Price | Includes |
|---|---|---|---|
| TAP-STARTER | TAP Starter | $3,000 / endpoint | Live FHIR audit, TAP Scorecard, AI compliance brief. Delivered in 24-48 hours. Best for a fast health check or pre-due-diligence read. |
| TAP-FULL | TAP Full Engagement | $12,500 / endpoint | All six TAP deliverables, HIPAA policy interview, DSI inventory review, state-law applicability, executive debrief. Board, investor, and procurement ready. |
| TAP-MONITOR | TAP Monitoring | $1,500 / month | Weekly re-audit with drift alerts and a monthly scorecard snapshot. Catches regressions after deploys. |

Next step: sign NDA, share your FHIR base URL, book a 15-minute scoping call.
terry@yourdata.health
Why we exist
Founded on the conviction that healthcare data ownership is a patient right, not a regulatory checkbox. Built so families don’t have to fight the system to control their own health data.