Conformance evaluations

Interoperability Agent

SMART App Launch Authorization Test Kit

SCRIMED conformance evaluations execute deterministic checks against synthetic fixtures and declared connector contracts. A synthetic pass is not certification, partner acceptance, production authorization, or permission to exchange live healthcare data.

Synthetic statussynthetic-pass
Live readinesslive-blocked
Checks passed3
Pre-live blockers4

Deterministic checks

SMART App Launch 2.2.0 with FHIR R4 launch context

pass

SMART registry target

synthetic · contract

hl7-fhir, smart-app-launch, clinical-terminology
  • The FHIR intake contract explicitly binds SMART App Launch.
pass

Least-privilege control declared

synthetic · authorization

deployment-approved FHIR R4/R4B profile; CapabilityStatement; US Core and USCDI alignment where applicable; SMART scopes for approved applications
  • The contract requires approved SMART scopes before applications receive FHIR access.
pass

Synthetic data boundary

synthetic · privacy

syntheticOnly=true
  • Authorization evaluation remains separated from live patient context.
block

Approved scope matrix

live-readiness · authorization

Tenant decision required
  • Define user, patient, system, launch, and offline-access scopes per application and role.
block

Token audience validation

live-readiness · security

Partner endpoint test required
  • Validate aud, issuer, discovery metadata, signing keys, and token lifetime against the partner.
block

Launch-context and revocation tests

live-readiness · security

Partner acceptance required
  • Test EHR launch, standalone launch, patient context, revocation, and session termination.
block

Authorization audit linkage

live-readiness · governance

Durable audit decision required
  • Link token, tenant, role, patient context, purpose-of-use, and reviewer events without capturing secrets.
available

SMART-bound integration contract

FHIR intake contract declares SMART scope approval as a conformance target.

Inspect evidence
required-before-live

Application scope matrix

Approved least-privilege scopes by application, tenant, role, and launch context.

required-before-live

Authorization server test report

Discovery, audience, issuer, signing, token, launch, revocation, and session tests.

Required before live exchange

Production use remains denied until every deployment-specific blocker is resolved.

01Production identity provider and tenant-isolation decision
02Approved least-privilege scope matrix
03Patient-context authorization, consent, and purpose-of-use controls
04Partner authorization-server and launch-context testing
05Durable authorization audit and security acceptance

Linked controls

Contract, fixture, and standards evidence remain inspectable.

Primary sources

Official references retained for implementation and partner review.