Executive Summary: Tessara Continuous Conformance Monitoring

For Chief Compliance Officers, CISOs, and Procurement Leads

The Regulatory Forcing Function

The CMS-0057-F Interoperability and Prior Authorization Final Rule, together with its predecessor CMS-9115-F (Interoperability and Patient Access Final Rule), requires 5,000+ US healthcare payers to implement and maintain five standardized FHIR APIs — four under CMS-0057-F (Patient Access expanded, Provider Access, Payer-to-Payer, Prior Authorization) plus CMS-9115-F’s Provider Directory. Passing initial certification is only the first step; maintaining continuous specification conformance in production is a critical regulatory requirement.

The Problem: Silent Non-Conformance

Standard API monitoring (Datadog, Splunk) tracks uptime and latency but is blind to structural drift. A routine code deployment or backend schema change can silently break FHIR Implementation Guide (IG) requirements — such as a mandatory field becoming null or a data type changing — without triggering traditional alerts. This results in:

  • Regulatory Liability: Failure to meet CMS-0057-F mandates.
  • Data Integrity Risk: Downstream systems and apps receiving non-conformant data.
  • Audit Failure: Inability to provide evidence of continuous compliance.

The Tessara Solution

Tessara is purpose-built for continuous structural conformance monitoring of regulatory APIs. It bridges the gap between point-in-time testing (Inferno) and transport-layer monitoring.

Key Capabilities:

  • Specification-Aware Monitoring: Automatically parses FHIR Implementation Guides (CARIN Blue Button, Da Vinci PDex, etc.) to establish a precise structural baseline using Merkle hash trees.
  • Metadata-Only Architecture: Tessara reads only your API’s public /metadata endpoint (CapabilityStatement). No patient data, no PHI, no payload content is ever accessed, stored, or transmitted. Only structural hashes and signed verdicts are persisted, and only locally.
  • Cryptographic Integrity: All conformance verdicts are backed by an immutable chain of Ed25519-signed evidence and SHA-256 hash-linked records, providing a tamper-evident audit trail.
  • 6-Category Drift Taxonomy: Instantly classifies structural changes into regulatory severity levels, from informational (structural extensions) to critical (mandatory element removal).
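As an added illustration of the mechanisms named in the list above (example code, not Tessara's own), the Go program below fingerprints the resource list of a CapabilityStatement with a flat canonical SHA-256 hash in place of a Merkle tree, classifies drift with a simplified three-level stand-in for the six-category taxonomy, and keeps a hash-linked chain of Ed25519-signed verdicts whose verification pinpoints a record that was edited after it was written. The `Structure`, `Record` and `RunScenario` names, the chain layout and the sample resource lists are constructed for this example and are not Tessara's formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Structure is a constructed, metadata-only view of a CapabilityStatement: resource type -> interaction codes.
type Structure map[string][]string

// StructuralHash canonicalizes the structure (sorted types and codes) and returns its SHA-256 as hex.
func StructuralHash(s Structure) string {
	lines := make([]string, 0, len(s))
	for t, codes := range s {
		c := append([]string(nil), codes...)
		sort.Strings(c)
		lines = append(lines, t+":"+strings.Join(c, ","))
	}
	sort.Strings(lines) // listing order on the server must not change the fingerprint
	sum := sha256.Sum256([]byte(strings.Join(lines, "\n")))
	return hex.EncodeToString(sum[:])
}

// ClassifyDrift is a simplified stand-in for a severity taxonomy (not the product's six categories).
func ClassifyDrift(baseline, current Structure) string {
	for t := range baseline {
		if _, ok := current[t]; !ok {
			return "critical" // a resource type vanished from /metadata
		}
	}
	switch {
	case len(current) > len(baseline):
		return "informational" // nothing removed, so only additions
	case StructuralHash(baseline) != StructuralHash(current):
		return "changed" // same types, different interaction codes
	}
	return "unchanged"
}

// Record is one chain link (constructed layout): Hash is SHA-256 over the fields before it, Signature is Ed25519 over Hash.
type Record struct {
	Seq                                 int
	PrevHash, StructHash, Verdict, Hash string
	Signature                           []byte
}

// recordHash binds a record to its predecessor; the first record links to "".
func recordHash(r Record) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s", r.Seq, r.PrevHash, r.StructHash, r.Verdict)))
	return hex.EncodeToString(sum[:])
}

// Append signs a new verdict and links it to the previous record.
func Append(priv ed25519.PrivateKey, chain []Record, structHash, verdict string) []Record {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	r := Record{Seq: len(chain), PrevHash: prev, StructHash: structHash, Verdict: verdict}
	r.Hash = recordHash(r)
	r.Signature = ed25519.Sign(priv, []byte(r.Hash))
	return append(chain, r)
}

// Verify returns the index of the first record whose sequence, link, hash or signature fails, or -1.
func Verify(pub ed25519.PublicKey, chain []Record) int {
	prev := ""
	for i, r := range chain {
		if r.Seq != i || r.PrevHash != prev || recordHash(r) != r.Hash || !ed25519.Verify(pub, []byte(r.Hash), r.Signature) {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// RunScenario records a baseline and a drifted probe (constructed data), then edits a stored verdict;
// it returns Verify's result before and after the edit, plus the drift classification.
func RunScenario() (intact, tampered int, drift string) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	baseline := Structure{"Patient": {"read", "search-type"}, "Coverage": {"read"}, "ExplanationOfBenefit": {"read", "search-type"}}
	current := Structure{"Patient": baseline["Patient"], "Coverage": baseline["Coverage"]} // EOB dropped by a deployment
	chain := Append(priv, nil, StructuralHash(baseline), "conformant")
	drift = ClassifyDrift(baseline, current)
	chain = Append(priv, chain, StructuralHash(current), "drift:"+drift)
	intact = Verify(pub, chain)
	edited := append([]Record(nil), chain...)
	edited[1].Verdict = "conformant" // rewriting history without the signing key
	tampered = Verify(pub, edited)
	return intact, tampered, drift
}

func main() {
	intact, tampered, drift := RunScenario()
	fmt.Printf("drift=%s intact=%d tampered-at=%d\n", drift, intact, tampered)
}
```

The point to take away is the pair of results from `Verify`: -1 for the chain as recorded, then the index of the edited record, because changing a stored verdict breaks the SHA-256 link that the Ed25519 signature covers, so an after-the-fact edit is evident to anyone holding the public key even though the evidence store itself is a plain local file.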

Deployment Model

Tessara is a single Go binary with no external runtime dependencies. It runs on your infrastructure (Linux, macOS, or Windows), stores evidence in a local SQLite database, and requires no cloud services, containers, or database servers.

Procurement Advantages

  • Fast-Track Security Review: Zero PHI access and minimal external dependencies (2 Go libraries, both permissive-licensed) dramatically reduce the security review surface.
  • Local-First Deployment: Runs entirely within your environment with no data egress beyond standard HTTP probes to your FHIR API’s metadata endpoint.
  • Compliance ROI: Replaces manual, error-prone compliance audits with continuous, automated verification, significantly reducing the total cost of compliance.

Contact hello@tessara.us to schedule a technical deep dive.


DRAFT — counsel review pending. This document is provided for procurement discussion. Final legal terms subject to attorney review and counterparty redlines.