FHIR Testing Tools, Public Endpoints, and SMART on FHIR Reference

The open and vendor tools that the ONC, HL7, CMS, and Da Vinci ecosystems run on. Plus the public test endpoints your engineers should know, and a quick regulatory map of where SMART on FHIR and OAuth 2.0 are required. TAP runs these as sidecars in your environment and adds the CFR-citation layer the open tools don't provide.

Section 1

Testing Tools

Free and open tools your engineers should be running before procurement, before certification, before every release. Listed by category. TAP composes with each one.

Conformance and certification

ONC Inferno Framework

Apache 2.0 · Ruby + Docker · ONC-built

The official ONC test kit for HTI-1 (g)(10) certification. Tests SMART on FHIR, Bulk FHIR $export, US Core conformance, single-patient API, and Bulk Data. The ground truth for ONC-ACB certification reviews.

inferno-framework.github.io →

HL7 Touchstone

Free for HL7 work · web + API · Aegis-operated

HL7's certification harness. Used by Da Vinci, CARIN Blue Button, and US Core. Deeper IG-conformance testing than Inferno, with cross-server interoperability suites.

touchstone.aegis.net →

HL7 FHIR Validator

Free · web + Java CLI · HL7-maintained

The official structure-conformance validator. Validates FHIR resources against base, US Core, USCDI, and arbitrary IG profiles. Run it in CI/CD before any resource ships.

validator.fhir.org →

HAPI FHIR Validator

Apache 2.0 · Java embedded · Smile CDR substrate

Java-embedded validator. Same conformance ruleset as the HL7 validator, but designed to run inside your application instead of as a standalone service.

hapifhir.io →

Endpoint and capability monitoring

ONC Lantern

Free · public dashboard · ONC-operated

National FHIR endpoint capability monitor. Tracks live conformance, CapabilityStatement contents, and patient-access posture across thousands of US health systems. If your endpoint is listed, Lantern is publicly grading it.

lantern.healthit.gov →

CHPL (Certified Health IT Product List)

Free · public registry · ONC-operated

Public registry of every ONC-certified Health IT module. Check certification status, surveillance non-conformities, Real-World Testing Plans and Results, and (b)(11) DSI declarations.

chpl.healthit.gov →

Synthetic data and safe testing

Synthea

Apache 2.0 · Java · MITRE-built

Open-source synthetic patient generator. Produces statistically realistic FHIR R4 bundles for any number of patients. The standard way to populate a test environment without touching PHI.

synthetichealth.github.io/synthea →

SMART App Launcher

Free · web sandbox · SMART Health IT

Browser-based SMART on FHIR launch simulator. Test your app's launch flow, scope requests, and OAuth handshake against a controllable sandbox without standing up your own auth server.

launch.smarthealthit.org →

API exploration and ad-hoc testing

Postman FHIR collections

Free Postman tier · community-maintained

Pre-built Postman collections for FHIR R4 base, US Core, and major payer / provider sandboxes. The fastest way for an engineer to poke at a new endpoint without writing code.

postman.com →

Da Vinci PAS reference implementations

Open-source · HL7 + Da Vinci

Reference implementations for Prior Authorization Support workflow (CRD + DTR + PAS). The starting point for any payer building CMS-0057-F compliance.

github.com/HL7/davinci-pas →

Section 2

Public Test Endpoints

FHIR endpoints your engineers can probe today. Grouped by access requirement. Always check current status and terms of service before running automated probes against any of these — some impose rate limits, some require registration, some require an OAuth client.

Open Test Servers (no registration required)

Fire.ly Server · https://server.fire.ly/r4 · Reference R4 server; full base profile + US Core support. See our TAP Scorecard sample.

HAPI Public Server · https://hapi.fhir.org/baseR4 · Open HAPI FHIR test server, R4 base; useful for protocol experimentation.

SMART Health IT Sandbox · https://launch.smarthealthit.org · SMART on FHIR launch + auth sandbox.

SMART Bulk Data Sandbox · https://bulk-data.smarthealthit.org · Bulk FHIR $export async workflow testing.

Vendor Sandboxes (registration required)

Epic FHIR Sandbox · https://fhir.epic.com · Epic's developer FHIR portal; required for App Orchard testing.

Cerner / Oracle Health FHIR Sandbox · https://fhir.cerner.com · Code Console developer access; required for CernerNow integration.

athenahealth FHIR Sandbox · https://developer.athenahealth.com · Marketplace developer access.

Meditech Greenfield Workspace · https://home.meditech.com/en/d/restapiresources · Greenfield FHIR sandbox.

Allscripts / Veradigm Developer · https://developer.veradigm.com · Veradigm FHIR developer portal.

Government and Payer Sandboxes

CMS Blue Button 2.0 Sandbox · https://sandbox.bluebutton.cms.gov · Medicare CARIN Blue Button test environment with synthetic beneficiary data.

VA Lighthouse · https://developer.va.gov · Department of Veterans Affairs FHIR developer platform; community of Veterans data.

MITRE FHIR Test Servers · https://github.com/mitre/inferno-reference-server · MITRE-hosted reference implementations behind Inferno.

Implementation Guide Reference Servers

DaVinci reference implementations · https://github.com/HL7/davinci-pas · PAS, PDex, PDex Plan-Net, PDex Drug Formulary, HRex, CRD, DTR.

CARIN Blue Button reference · https://github.com/HL7/carin-bb · CARIN Consumer-Directed Payer Data Exchange reference.

US Core reference · https://github.com/HL7/US-Core · US Core FHIR profile reference and examples.

Section 3

SMART on FHIR + OAuth Regulatory Map

Which regulation requires which SMART scope, which OAuth flow, and which Bulk FHIR mode. Engineers building auth flows reach for this table all the time and it does not really exist anywhere else in clean form.

Regulation · Auth pattern · Required SMART scopes · Notes
CMS-9115 Patient Access · SMART App Launch + OAuth 2.0 (PKCE) · patient/*.read, launch/patient · Public app onboarding; no fee-gating; standalone-app launch supported.
CMS-9115 Provider Directory · None (open read) · n/a · Plan-Net IG; publicly accessible; no auth wall.
CMS-0057 Provider Access API · SMART Backend Services (asymmetric JWT) · system/Patient.read, system/Coverage.read, system/ExplanationOfBenefit.read · Payer-controlled OAuth client registration; in-network provider attribution check.
CMS-0057 Payer-to-Payer API · SMART Backend Services (asymmetric JWT) · system/*.read (Bulk) · Member opt-in at enrollment; Bulk FHIR $export between payers.
CMS-0057 PA API (DaVinci PAS) · SMART App Launch from provider EHR + OAuth 2.0 · user/Claim.write, user/Coverage.read · CRD + DTR launch from EHR; PAS transmission to payer.
ONC HTI-1 § 170.315(g)(10) · SMART 1.0 + 2.0 launch; OAuth 2.0; Backend Services · patient/*.read, user/*.read, system/*.read · Bulk FHIR $export async required; population services via Backend Services.
ONC HTI-1 § 170.315(b)(11) DSI · n/a (UI surface, not API) · n/a · Source-attribute disclosure to end users; not an auth requirement.
SMART on FHIR Bulk Data · Backend Services (JWT bearer, asymmetric) · system/*.read, system/<Resource>.read · JKU / x5c key publication; async $export with kickoff + status polling.
CARIN Blue Button · SMART App Launch (Consumer-Directed) · patient/*.read, patient/ExplanationOfBenefit.read · Consumer-facing apps; member-initiated only.
VA Lighthouse Patient APIs · SMART App Launch + VA-issued OAuth · Per-API; patient/*.read + custom Veteran scopes · VA developer-program-controlled client onboarding.

Common scope strings every team should recognize: patient/Patient.read, patient/Observation.read, patient/ExplanationOfBenefit.read, patient/MedicationRequest.read, user/Practitioner.read, system/Group.read, launch/patient, offline_access, fhirUser, openid.

How TAP Orchestrates It

The value-add: orchestration + CFR-citation layer

Each tool above tests a slice. Inferno covers certification. Touchstone covers HL7 IGs. Lantern monitors public endpoints. Synthea generates safe test data. FHIR Validator enforces structure. SMART App Launcher exercises auth flows.

TAP runs them as sidecars in your environment, pulls the results into one TAP Scorecard, and adds the CFR-section citation layer the open tools do not provide. Every finding maps to the specific § 170.315 criterion, § 422.119 / 422.120 / 422.122 paragraph, or 45 CFR Part 171 exception that triggered it.

You keep using all of these tools after the engagement. We just made the orchestration turn-key, and we added the regulatory citations that turn engineering output into procurement-defensible evidence.
