Use this checklist to track your organization's readiness across five key dimensions: API Implementation, Testing, Monitoring, Documentation, and Governance.

1. API Implementation

  • Patient Access API deployed — HL7 US Core / CARIN Blue Button conformance verified
  • Provider Directory API deployed — Da Vinci PDex Plan Net conformance verified
  • Drug Formulary API deployed — Da Vinci PDex Formulary conformance verified
  • Prior Authorization API deployed — Da Vinci Prior Authorization conformance verified
  • Payer-to-Payer API deployed — Da Vinci PDex conformance verified
  • CapabilityStatement accurate — Self-reported resource types, search parameters, and FHIR version match actual API behavior
  • OAuth 2.0 implemented — Patient-mediated authorization flows operational (Patient Access API)
  • Bulk Data export operational — HL7 Bulk Data Access IG conformance verified (Payer-to-Payer API)

2. Testing & Certification

  • Inferno testing passed — All five APIs tested with ONC Inferno test suite (or equivalent)
  • mustSupport elements verified — All required data elements present in sample responses
  • Cardinality constraints verified — Minimum occurrence requirements met (e.g., min: 1)
  • Search parameters tested — All required search capabilities functional
  • Error handling verified — Proper OperationOutcome responses for invalid requests
  • Production load tested — APIs can handle expected request volume

3. Continuous Monitoring

  • Post-deployment monitoring strategy defined — How will you detect specification drift after go-live?
  • Continuous conformance testing implemented — Automated checks run on each deployment or daily
  • Alerting configured — Notifications when drift is detected or APIs become non-conformant
  • Evidence chain established — Audit trail of conformance checks with timestamps and results
  • Rollback procedures documented — Process for reverting non-conformant deployments
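
One way to make the evidence chain item above tamper-evident, shown as an added example (not part of the original checklist and not Tessara's implementation): each conformance check record carries the SHA-256 of the previous record, so editing or deleting an earlier result breaks verification. The function names, record fields, and the sample CapabilityStatement are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def check_capability(declared, observed):
    """Compare a CapabilityStatement with the resource types the API actually served."""
    rest = declared.get("rest", [{}])[0]
    claimed = {r["type"] for r in rest.get("resource", [])}
    return {
        "fhirVersion": declared.get("fhirVersion"),
        "missing": sorted(claimed - observed),     # declared but not served
        "undeclared": sorted(observed - claimed),  # served but not declared
        "conformant": claimed == observed,
    }


def _digest(prev_hash, timestamp, result):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash stable.
    body = json.dumps({"prev": prev_hash, "ts": timestamp, "result": result},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_record(chain, timestamp, result):
    """Append one check result, linked to the hash of the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"prev": prev_hash, "ts": timestamp, "result": result,
              "hash": _digest(prev_hash, timestamp, result)}
    chain.append(record)
    return record


def verify_chain(chain):
    """Return the index of the first broken record, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        expected = _digest(rec["prev"], rec["ts"], rec["result"])
        if rec["prev"] != prev_hash or rec["hash"] != expected:
            return i
        prev_hash = rec["hash"]
    return -1


# Constructed sample data, not taken from any real payer API.
SAMPLE_CAPABILITY = {"fhirVersion": "4.0.1", "rest": [{"resource": [
    {"type": "Patient"}, {"type": "Coverage"}, {"type": "ExplanationOfBenefit"}]}]}
```

A chain like this cannot detect removal of its most recent records on its own, so the latest hash should also be stored or signed somewhere the API operator cannot rewrite.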

This is where Tessara helps. Continuous FHIR conformance monitoring with cryptographic evidence chains.

4. Documentation

  • API documentation published — Public-facing documentation with endpoints, authentication, and data models
  • Implementation Guides referenced — Clear citations to HL7 FHIR IGs used
  • Change log maintained — Record of API updates, version changes, and breaking changes
  • Developer portal available — Third-party developers can register apps and obtain test credentials
  • SLA defined — Uptime commitments and performance targets documented

5. Governance & Compliance

  • Compliance officer assigned — Named individual responsible for CMS-0057-F compliance
  • Legal review completed — Counsel has reviewed API terms of use, privacy policies, and BAAs
  • Risk assessment documented — Identified risks of non-compliance and mitigation strategies
  • Incident response plan defined — Process for handling API outages, security incidents, or conformance failures
  • Vendor contracts reviewed — Third-party FHIR platform vendors have clear SLAs and conformance guarantees
  • Board/executive awareness — Leadership understands CMS-0057-F requirements and organizational readiness status

Next Steps