Technical Audit Protocol · TAP Scorecard
Pen-test rigor · Continuous compliance watch
Fire.ly R4 sample · TAP audit engine
2026-05-04 23:44
Target

Fire.ly public FHIR R4 test server, https://server.fire.ly/r4. No API key. TAP probes /metadata and performs HTI-1 style checks when the CapabilityStatement resolves to clinical_ehr. Latency spikes on this host can intermittently trip information-blocking timing requirements; rerun if results look flaky.

86
PASS
FHIR endpoint audit (Fire.ly)
https://server.fire.ly/r4
PASS
Overall Score
86/100
Endpoint Type
clinical_ehr
Sub-Reports
1
Passing
17
Failing
2
Passing Requirements
Req IDSeverityDescriptionRegulatory Ref
HTI1-CAP-01 Critical Capability statement accessible 45 CFR 170.315(g)(10)
HTI1-IB-01 High Metadata reachable without auth within 10s 45 CFR 171.301 (Information Blocking)
HTI1-CAP-02 High FHIR version is R4 45 CFR 170.215(a)(1)
HTI1-RES-01 Critical Patient resource supported 45 CFR 170.315(g)(10)
HTI1-RES-02 High Observation resource supported 45 CFR 170.315(g)(10)
HTI1-RES-03 High Condition resource supported 45 CFR 170.315(g)(10)
HTI1-RES-04 High MedicationRequest resource supported 45 CFR 170.315(g)(10)
HTI1-RES-05 Medium AllergyIntolerance resource supported 45 CFR 170.315(g)(10)
HTI1-RES-06 Medium Immunization resource supported 45 CFR 170.315(g)(10)
HTI1-RES-07 Medium DiagnosticReport resource supported 45 CFR 170.315(g)(10)
HTI1-RES-08 Medium DocumentReference resource supported 45 CFR 170.315(g)(10)
HTI1-RES-09 Medium Encounter resource supported 45 CFR 170.315(g)(10)
HTI1-RES-10 Medium Procedure resource supported 45 CFR 170.315(g)(10)
HTI1-USCDI-01 High USCDI v3 / US Core 6.x profile claim 45 CFR 170.213 (USCDI v3)
HTI1-USCDI-02 Low USCDI v4 / US Core 7.x readiness (forward-looking) 45 CFR 170.213 (USCDI v4, forward-looking)
HTI1-IB-03 High 8 required clinical note types accessible via DocumentReference 45 CFR 171.301 (21st Century Cures Act)
HTI1-IB-02 Medium Bulk export ($export) capability 45 CFR 170.315(g)(10)
Failing Requirements & Remediation
Req IDSeverityDescriptionRegulatory Ref
HTI1-CAP-03 Critical SMART on FHIR configuration endpoint
Deploy a SMART on FHIR authorization server and expose /.well-known/smart-configuration with authorization_endpoint and token_endpoint populated. Options: Keycloak, Azure AD B2C, Auth0 with FHIR scopes.
 45 CFR 170.315(g)(10)(i)
HTI1-CAP-04 High SMART scopes advertised
Configure the authorization server scopes_supported to include: launch/patient, openid, fhirUser, and at least one patient/*.read scope.
 45 CFR 170.315(g)(10)(ii)
Engage TAP for your endpoints
Current SKUs · per endpoint pricing · 2026
Per endpoint

This Firely sample shows a single endpoint at 86/100. A real engagement covers your live endpoints, your HIPAA posture, and applicable state laws. Pick the SKU that matches where you are.

TAP-STARTER
TAP Starter
$7,500 / endpoint
  • Live FHIR R4 audit
  • TAP Scorecard, 0-100 score
  • AI-synthesized compliance brief
  • Penalty exposure quantified
  • Delivered in 24-48 hours
TAP-CORRECTIVE
TAP Corrective Action
$25,000 / endpoint
  • Everything in TAP Starter
  • Prioritized remediation plan
  • Working session with our delivery team
  • Re-scan verification after fixes
TAP-FULL
TAP Full Engagement
$75,000 / endpoint
  • All six TAP deliverables
  • 24-pt HIPAA policy interview
  • DSI inventory review
  • State-law applicability (MHMDA, CPRA, Part 2)
  • Executive debrief
TAP-MONITOR
TAP Monitoring
$3,500 / month
  • Weekly re-audit of in-scope endpoints
  • Email drift alerts on new failures
  • Monthly scorecard snapshot
  • Catches regressions after deploys
Next step: sign NDA, share your FHIR base URL, book a 15-minute scoping call.
terry@yourdata.health
Your Data Health LLC  •  yourdata.health  •  TAP is technical evidence, not legal advice
Generated 2026-05-04 23:44