TAP · Technical Audit Protocol

Know your exposure. Fix it fast. Show your proof.

Pen-test rigor. Continuous compliance watch.
The pen-test for healthcare compliance that keeps watch after the audit ships.

TAP is a live audit of your healthcare FHIR endpoint against every active federal and state regulatory framework. You get a TAP Scorecard, citation-level findings, quantified penalty exposure, and a prioritized remediation roadmap. Days, not months.

Built to compose with ONC's Inferno reference suite. TAP reads regulations, not just specs.

What TAP audits

Federal and state framework coverage, in one engagement

Each finding is cited to the source regulation, synthesized by AI into an executive narrative, and packaged for board, investor, and procurement review.

ONC HTI-1 / Cures Act

Certified FHIR API conformance, USCDI v3/v4 elements, information-blocking safeguards, SMART on FHIR authorization flows.

CMS Interoperability

CMS-9115-F Patient Access, Provider Directory, and Prior Authorization API readiness, deadline-aligned.

Da Vinci Implementation Guides

PDex Plan-Net STU 2 (provider directories) and PDex Drug Formulary STU 2 (formulary surfaces).

CARIN Blue Button

Consumer-directed payer data exchange conformance, EOB and Coverage resource exposure.

HIPAA

24-point assessment across Security, Privacy, and Breach Notification Rules (45 CFR Parts 160 and 164).

State Consumer Health Data

Washington MHMDA, California CPRA, 42 CFR Part 2, applicability detection and geofencing-rule exposure.

Engagement SKUs

Fixed-fee, per FHIR endpoint

No hourly billing. No surprise scope expansion. Multi-endpoint engagements (for example a payer auditing patient access plus provider directory plus formulary) multiply the per-endpoint price.

TAP-STARTER
TAP Starter
Fast health check / pre-due-diligence
$3,000 / endpoint
  • Live FHIR R4 endpoint audit
  • TAP Scorecard with 0-100 conformance score
  • AI-synthesized compliance brief
  • Penalty exposure quantified
  • Delivered in 24-48 hours

TAP-FULL
TAP Full Engagement
Procurement, Series A, ONC certification
$12,500 / endpoint
  • Everything in TAP Corrective Action
  • 24-point HIPAA policy assessment
  • DSI inventory review (45 CFR 170.315(b)(11))
  • State law applicability (MHMDA, CPRA, 42 CFR Part 2)
  • Executive debrief call

TAP-MONITOR
TAP Monitoring
Fractional compliance monitoring for healthcare data systems
$1,500 / month
  • We track the regulations so your engineers don't have to
  • Weekly re-audit of in-scope FHIR endpoints
  • Email drift alerts when new failures appear
  • Monthly scorecard snapshot
  • Catches regressions before the buyer does

Work that involves PHI uses a signed NDA and BAA as appropriate. All fees are documented in the SOW before billable work begins. See the FAQ for full engagement-flow detail.

Proof, not prose

See a real TAP Scorecard

Below is a real TAP audit run against a public FHIR R4 reference server, scored against ONC HTI-1 and information-blocking citations. Every finding maps to a specific CFR section.

Sample · Public reference server

Live HTTPS probe of https://server.fire.ly/r4. Capability statement, USCDI v3 claim, SMART on FHIR discovery, and 12 required US Core resources all probed.

17 requirements pass. 2 requirements fail, each with a CFR citation and a deployable remediation. The two failures are SMART on FHIR configuration and advertised scopes, a representative shape for an early-stage product.

TAP score: 86 / 100 · 17 passing · 2 failing · 1 critical, 1 high

Why this work exists

A personal accountability standard

In 2007, the founder of Your Data Health LLC lost his wife seven days after she delivered their third daughter, due to mistakes made by hospital staff. Three daughters. Rather than walk away from healthcare, he went deeper into it.

He spent the next 15 years building the clinical safety systems that prevent the failure that killed his family: MEWS (Modified Early Warning Score) and real-time SEPSIS alerting at Providence Health System, validated in Epic, now standard of care. A Defect Prevention Governance framework that secured $13 million in annual risk avoidance with zero critical defects introduced into production over fifteen years.

TAP is the engineering distillation of that work. Patient data ownership, privacy, and control are not abstract regulatory concerns. They are a moral commitment, rooted in lived experience, applied as testable artifacts.

Founded on the conviction that healthcare data ownership is a patient right, not a regulatory checkbox. Built so families don’t have to fight the system to control their own health data.

Terry Virdell · Founder, Your Data Health LLC

Ready to scope your audit?

TAP engagements start at $3,000 per endpoint. Free 15-minute intro available. Start with the intake form to describe systems, constraints, and the endpoints in scope.