Implement a FHIR R4 server endpoint secured with SMART App Launch supporting patient-facing third-party application authorization
Expose at minimum the resource types required by the CMS patient access API rule, including ExplanationOfBenefit (CARIN BB profile), Coverage, and Patient (US Core profile)
Publish a FHIR CapabilityStatement advertising the supported profiles, search parameters, and SMART capabilities at the well-known endpoint
Enforce patient-level scoping so a patient token can only access records for the authenticated beneficiary
Log third-party application access in AuditEvent and provide patients with a mechanism to view and revoke application authorizations
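The patient-level scoping step above, sketched as an added example (not code from the original page or from any FHIR server framework). It assumes the resource server has already validated the access token and holds its scope string and SMART "patient" launch context in a dict; the function names and sample records are hypothetical and constructed.

```python
# Added example, not from the original page. The token dict mirrors what an
# introspection call might return (assumption): a scope string plus the SMART
# "patient" launch context.

# FHIR R4 element holding each type's patient reference (None: match on id).
PATIENT_LINK = {"Patient": None, "Coverage": "beneficiary",
                "ExplanationOfBenefit": "patient"}

def scope_allows_read(scope_string, resource_type):
    """True if a patient/ scope grants read (SMART v1 .read/.* or v2 cruds)."""
    for scope in scope_string.split():
        context, _, rest = scope.partition("/")
        rtype, _, perms = rest.partition(".")
        if context != "patient" or rtype not in (resource_type, "*"):
            continue
        if "?" in perms:
            continue  # filtered v2 scope: not evaluated here, so never grants
        if perms in ("read", "*"):
            return True
        if perms and set(perms) <= set("cruds") and "r" in perms:
            return True
    return False

def belongs_to(resource, patient_id):
    """True only if the resource sits in the given patient's compartment."""
    rtype = resource.get("resourceType")
    if rtype not in PATIENT_LINK:
        return False  # unlisted type: deny by default
    if rtype == "Patient":
        return resource.get("id") == patient_id
    ref = (resource.get(PATIENT_LINK[rtype]) or {}).get("reference", "")
    return ref == f"Patient/{patient_id}"  # assumes relative references

def authorize_read(token, resource):
    """Both checks must pass: granted scope AND beneficiary binding."""
    patient_id = token.get("patient")
    if not patient_id:
        return False
    rtype = resource.get("resourceType", "")
    return scope_allows_read(token.get("scope", ""), rtype) and belongs_to(resource, patient_id)

# Constructed sample data
TOKEN = {"scope": "launch/patient patient/ExplanationOfBenefit.read patient/Patient.rs",
         "patient": "bene-123"}
OWN_EOB = {"resourceType": "ExplanationOfBenefit", "id": "eob-1",
           "patient": {"reference": "Patient/bene-123"}}
OTHER_EOB = {"resourceType": "ExplanationOfBenefit", "id": "eob-2",
             "patient": {"reference": "Patient/bene-999"}}
OWN_COVERAGE = {"resourceType": "Coverage", "id": "cov-1",
                "beneficiary": {"reference": "Patient/bene-123"}}
```

The same binding has to be applied to search requests as well as reads by id, so that a search cannot return another beneficiary's records.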
Known gotchas
The CMS rule specifies minimum data content and date range requirements for EOB history; implementing only recent claims without the required historical depth fails compliance
The CapabilityStatement must declare support for SMART using the well-known SMART configuration endpoint; some FHIR server frameworks require explicit configuration to publish this endpoint
Patient-facing access requires the authorization server to perform identity proofing; delegating authorization without verified identity binding does not satisfy CMS requirements