Fire.ly public FHIR R4 test server — https://server.fire.ly/r4. No API key. TAP probes /metadata and performs HTI-1 style checks when the CapabilityStatement resolves to clinical_ehr. Latency spikes on this host can intermittently trip information-blocking timing requirements; rerun if results look flaky.

FHIR endpoint audit (Fire.ly)
https://server.fire.ly/r4
Result: PASS
Overall Score: 86/100
Endpoint Type: clinical_ehr
Sub-Reports: 1
Passing: 17
Failing: 2

| Req ID | Severity | Description | Regulatory Ref |
|---|---|---|---|
| HTI1-CAP-01 | CRITICAL | Capability statement accessible | 45 CFR 170.315(g)(10) |
| HTI1-IB-01 | HIGH | Metadata reachable without auth within 10s | 45 CFR 171.301 (Information Blocking) |
| HTI1-CAP-02 | HIGH | FHIR version is R4 | 45 CFR 170.215(a)(1) |
| HTI1-RES-01 | CRITICAL | Patient resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-02 | HIGH | Observation resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-03 | HIGH | Condition resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-04 | HIGH | MedicationRequest resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-05 | MEDIUM | AllergyIntolerance resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-06 | MEDIUM | Immunization resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-07 | MEDIUM | DiagnosticReport resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-08 | MEDIUM | DocumentReference resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-09 | MEDIUM | Encounter resource supported | 45 CFR 170.315(g)(10) |
| HTI1-RES-10 | MEDIUM | Procedure resource supported | 45 CFR 170.315(g)(10) |
| HTI1-USCDI-01 | HIGH | USCDI v3 / US Core 6.x profile claim | 45 CFR 170.213 (USCDI v3) |
| HTI1-USCDI-02 | LOW | USCDI v4 / US Core 7.x readiness (forward-looking) | 45 CFR 170.213 (USCDI v4 — forward-looking) |
| HTI1-IB-03 | HIGH | 8 required clinical note types accessible via DocumentReference | 45 CFR 171.301 (21st Century Cures Act) |
| HTI1-IB-02 | MEDIUM | Bulk export ($export) capability | 45 CFR 170.315(g)(10) |

| Req ID | Severity | Description | Regulatory Ref |
|---|---|---|---|
| HTI1-CAP-03 | CRITICAL | SMART on FHIR configuration endpoint. Deploy a SMART on FHIR authorization server and expose /.well-known/smart-configuration with authorization_endpoint and token_endpoint populated. Options: Keycloak, Azure AD B2C, Auth0 with FHIR scopes. | 45 CFR 170.315(g)(10)(i) |
| HTI1-CAP-04 | HIGH | SMART scopes advertised. Configure the authorization server scopes_supported to include: launch/patient, openid, fhirUser, and at least one patient/*.read scope. | 45 CFR 170.315(g)(10)(ii) |

Engage TAP for your endpoints
Current SKUs · per endpoint pricing · 2026
Per endpoint

This Firely sample shows a single endpoint at 86/100. A real engagement covers your live endpoints, your HIPAA posture, and applicable state laws. Pick the SKU that matches where you are.

TAP-STARTER: TAP Starter, $3,000 / endpoint
Live FHIR audit, TAP Scorecard, AI compliance brief. Delivered in 24-48 hours. Best for a fast health check or pre-due-diligence read.

TAP-FULL: TAP Full Engagement, $12,500 / endpoint
All six TAP deliverables, HIPAA policy interview, DSI inventory review, state-law applicability, executive debrief. Board, investor, and procurement ready.

TAP-MONITOR: TAP Monitoring, $1,500 / month
Weekly re-audit with drift alerts and a monthly scorecard snapshot. Catches regressions after deploys.

Next step: sign NDA, share your FHIR base URL, book a 15-minute scoping call.
terry@yourdata.health
Why this exists
The founder story behind TAP

In 2007, the founder of Your Data Health lost his wife seven days after she delivered their third daughter, due to mistakes made by hospital staff. Rather than walk away from healthcare, he joined it to help make a difference and prevent this from happening to others.

In 2010 he joined Providence, then Opala, and across the two has spent the last 16 years building the clinical safety systems that prevent the failure that killed his family: MEWS (Modified Early Warning Score) and real-time SEPSIS alerting at Providence Health System, validated in Epic, now standard of care; and a Defect Prevention Governance framework that secured $13 million in annual risk avoidance with zero critical defects introduced into production over fifteen years.

TAP is the engineering distillation of that work. Patient data ownership, privacy, and control are not abstract regulatory concerns. They are a moral commitment, rooted in lived experience, applied as testable artifacts.