DEV Community: Svetlana Golubeva

How a community health plan from New York outscored nearly every major insurer in America

Svetlana Golubeva — Thu, 02 Apr 2026 13:44:23 +0000

When Flexpa published its November 2025 State of the Payer Patient Access API Report, the results were quietly stunning.

Out of 493 payers evaluated across the United States, the second-highest score went to VillageCareMAX, a community-focused health plan serving New York, with a Core Implementation score of 91 out of 100, trailing only CMS itself at 92.

This isn't a participation trophy. Flexpa's evaluation is one of the most rigorous real-world tests of payer API performance in the industry, measuring not just technical compliance but actual usability — how well a patient or developer can connect, authenticate, and retrieve data in practice.

Why This Result Matters
Most people outside of healthcare IT have never heard of the Patient Access API. But it's quietly becoming one of the most important infrastructure pieces in American healthcare.

Under CMS-9115-F, payers are required to give patients access to their own health data (claims, coverage, clinical records) through standardized FHIR APIs that work with third-party apps. The idea is simple: your health data should be as portable as your bank statement.

The reality has been messier. Flexpa's data tells the story: over 428,000 patient authorization attempts tracked, 100+ million FHIR resources synced, and a wide spectrum of implementation quality across the industry. Many large national plans are still struggling with the basics. VillageCareMAX isn't.

What Flexpa Actually Tests
Flexpa's scoring goes beyond checkbox compliance. Their Core Implementation score (100 points) covers FHIR R4 standards adherence, SMART on FHIR/OAuth 2.0 authentication, essential data resources, and API stability. Their Beyond Compliance score (40 additional points) tests data completeness, documentation clarity, error handling, response speed, and real end-user experience.

This distinction matters. A payer can technically "comply" with CMS requirements while still delivering an API that frustrates developers and fails patients at the moment of authentication. Flexpa measures what actually happens in production.

VillageCareMAX scores well on both dimensions — which is why their ranking has been consistent, not a one-time fluke. In Flexpa's 2024 report, they ranked #1 among payers.

The technology behind the score
VillageCareMAX built their implementation on Aidbox, Health Samurai's certified FHIR platform, first deployed to meet the CMS-9115-F deadline back in July 2021 — a milestone many plans missed entirely.

What started as a compliance project has since evolved into a central data layer powering multiple internal applications. That's the compounding advantage of getting the foundation right early: the infrastructure becomes an asset, not just a regulatory box checked.

The next deadline is already coming
Here's the strategic angle most health plans are missing.

CMS-0057-F (the Interoperability and Prior Authorization Final Rule) goes live January 1, 2027. It requires four new FHIR APIs:

expanded Patient Access
Provider Access
Payer-to-Payer data exchange
fully electronic Prior Authorization workflow.

The technical foundation is identical to what's already required under CMS-9115-F: FHIR R4, OAuth 2.0, SMART on FHIR. Payers who built their Patient Access API correctly the first time have a significant head start. Those who cut corners, or haven't started yet, are facing a much steeper climb.

VillageCareMAX's #2 ranking isn't just a benchmark result. It's a signal that thoughtful, well-executed interoperability infrastructure pays dividends — in compliance, in usability, and in readiness for what comes next.

The takeaway
The payers winning at interoperability aren't necessarily the biggest ones. They're the ones that treated FHIR infrastructure as a long-term investment rather than a last-minute compliance sprint.

With 2027 approaching and the scope of CMS-0057-F far exceeding anything required before, the gap between prepared and unprepared payers is about to become very visible.

Health Samurai's platform powers VillageCareMAX's top-ranking Patient Access API implementation and is available to payers preparing for CMS-9115-F and CMS-0057-F compliance.

CMS just set a 2027 deadline that will reshape how payers share data

Svetlana Golubeva — Thu, 02 Apr 2026 13:18:09 +0000

CMS-0057-F, finalized in January 2024, forces insurers (Medicare Advantage, Medicaid/CHIP, and certain ACA plans) to replace fax-based workflows with four mandatory FHIR APIs by January 2027.

The four APIs payers must build:

Patient Access — members see their claims, clinical data, and prior auth status via third-party apps
Provider Access — in-network doctors pull patient data directly from the payer
Payer-to-Payer — up to 5 years of health history follows the patient when they switch plans
Prior Authorization — fully electronic PA workflow with structured approvals, denials, and reasons

Key deadlines:

2026 — faster PA decision timelines (72 hours urgent / 7 days standard) and public reporting kick in
2027 — all four APIs must be live and operational

Who's affected: Payers own compliance, but the rule ripples out to providers, EHR vendors, clearinghouses, and patients who gain more control over their own data.

Under the hood: Everything runs on FHIR R4, SMART on FHIR (OAuth 2.0) for auth, Bulk Data exports for large transfers, and Da Vinci implementation guides for prior auth workflows (CRD, DTR, PAS).

Three years to rebuild how half the U.S. healthcare system shares data. The clock is running.

CMS-0057 Prior Authorization webinar, April 28, 2026

Svetlana Golubeva — Thu, 02 Apr 2026 13:08:27 +0000

Join the CMS-0057 Prior Authorization — an online webinar on April 28, 2026, 12:00–1:00 PM ET.

If you're responsible for CMS-0057-F prior auth compliance — as a payer, delegate, or technology partner — join spec authors and teams building live implementations for a practical walkthrough of what matters before enforcement.

Spots are limited — Reserve your seat →

What you'll learn

The accountability gap when prior auth runs through delegates: what it means for your compliance posture
Why there are three IGs: how CRD, DTR, and PAS connect end-to-end, from a Da Vinci IG author
What payers expect from delegated entities, how they'll verify endpoints and evidence, and lessons from active implementation (IHCS)
Implementation architecture: connecting CRD/DTR/PAS to legacy UM without native FHIR: build vs. buy tradeoffs
A realistic path to January 2027: ownership models, timelines, and what to decide next

On the panel

Lloyd McKenzie, Chief Standards Officer, Dogwood Health Consulting
Phil Goldenberg, CIO, IHCS
Juan A. Mendez, Senior VP, Technology, IHCS
Rajeev Ranjan, VP – Healthcare Technology Solutions, Emids
Rostislav Antonov, Software Engineer, Health Samurai

Hosted by Mike Kulakov · Health Samurai

The session closes with moderated Q&A so you can put questions to the full panel.

Can't make it live? Register anyway — we'll send the recording and materials to registrants afterward.

AI assistant that builds your FHIR forms for you

Svetlana Golubeva — Tue, 28 Oct 2025 14:26:38 +0000

Introducing the new AI Assistant in Aidbox Form Builder designed to make creating FHIR forms faster and simpler.

Now you can:

Generate a new form from a plain-text description
Edit forms through straightforward chat interactions
Add calculation formulas like BMI or scores without coding
Set conditional fields to show only when needed
Use existing data to pre-fill fields automatically
Extract data smoothly to other FHIR resources

You stay fully in control of the form design, with much less manual work. No need to know FHIR or programming languages, the AI guides you step-by-step to build accurate, well-structured forms quickly.

[FREE] Try it out in the Aidbox Form Builder and save time on form creation.

Watch the video to see it in action.

Your audit logs are about to break your database

Svetlana Golubeva — Tue, 28 Oct 2025 14:15:27 +0000

Here's a problem nobody talks about at health IT conferences: your audit logs are growing faster than your clinical data.

The hidden time bomb

Every patient lookup. Every lab result viewed. Every medication ordered. HIPAA requires you to log it all and keep it for 6+ years.

Do the math: A mid-sized health system generates millions of audit events daily. That's billions per year. Trillions over the retention period.

And you're storing them in the same database handling patient care.

When compliance kills performance

We've seen it repeatedly: Organizations build beautiful FHIR APIs, implement perfect AuditEvent resources, then watch their systems grind to a halt under audit log volume.

The classic mistake? Treating audit logs like regular data. But audit events are write-heavy, query-rarely, and grow relentlessly. Your operational database wasn't designed for this.

The real cost

Performance degradation as tables grow into billions of rows
Expensive storage for data that's rarely accessed
Slow investigations when you actually need those logs
System risk when audit processing impacts patient care

One large EHR vendor we know had to disable audit logging during peak hours because it was crashing their production systems. Guess when most breaches happen?

There's a better way

The solution isn't more database tuning. It's architectural separation.
Purpose-built audit repositories like Auditbox handle FHIR AuditEvents separately from operational systems, ingesting millions of events per day, archiving automatically, and enabling sub-second searches across billions of records.

Think: Elasticsearch-backed, FHIR-native, designed specifically for write-once-read-rarely audit patterns.

The bottom line

Your audit logs are not regular data. Stop treating them that way.
Separate your audit infrastructure before it becomes your next production incident. Your database and your compliance team will thank you.

Want to solve this before it becomes a crisis? We're offering early free access to Auditbox for select healthcare organizations. Get early access here →

Stop writing authorization code for your FHIR-based app

Svetlana Golubeva — Tue, 28 Oct 2025 14:05:53 +0000

Stop writing authorization logic. Start using standards that do the work for you. Your future self (and your security team) will thank you.

The problem keeping healthcare devs up at night: You've got one API endpoint. Multiple user types. Different data access levels. And a tangled mess of authorization logic that breaks every time requirements change. Sound familiar?

The Traditional nightmare
You're building a healthcare app. Dr. Sarah needs to see ALL patient observations. Mike the lab tech should only see finalized lab results. Nothing else. So you write:

Custom middleware
Complex query filters
Separate API endpoints
100+ unit tests
Another 40 hours when requirements change

There's a better way. And it requires ZERO custom authorization code.
The Game-Changer: SMART Scopes + Keycloak Roles

Here's what blows mind: SMART on FHIR V2 lets you write scopes with query parameters: user/Observation.rs?category=laboratory&status=final
This means: "Read observations, but ONLY finalized lab results."

Combine this with Keycloak's composite roles and Aidbox, and something magical happens:The same API endpoint returns different data based on who's asking. Automatically.

How it actually works

Create basic roles (SMART scopes):

user/Observation.rs — All observations
user/Observation.rs?category=laboratory&status=final — Just lab results

Bundle into job functions:

Physician role → Full observation access
Lab Technician role → Restricted to finalized labs

Let Keycloak resolve roles into tokens.Let Aidbox FHIR server enforce the rules.

That's it. No custom code.

Dr. Sarah calls: GET /fhir/Observation

Hemoglobin (lab result)
Blood Pressure (vital sign)

Mike calls: GET /fhir/Observation

✅ Hemoglobin (lab result)
❌ Blood Pressure (filtered out)

Same endpoint. Same code. Different results. Zero custom filtering.

Why this changes everything

No authorization code to maintain
Change permissions in one place (Keycloak)
Standards-based (SMART on FHIR V2)
Fine-grained control without complexity
Add new roles in minutes without touching code

Try it now
The complete working example is on GitHub with Docker Compose. Clone it, run docker compose up, and test both user types in 5 minutes.

Read the full article by our Software Engineer Aleksandr Kislitsyn at health-samurai.io

HL7 FHIR R4 vs R5: Why jumping to the latest version isn't always the best move

Svetlana Golubeva — Tue, 28 Oct 2025 13:48:27 +0000

When it comes to picking your FHIR version, the latest release might seem like the best choice — enter FHIR R5, packed with 4,000+ changes including shiny new resources and revamped real-time subscriptions. Sounds great, right?

But hold up. Most of the healthcare world still runs on FHIR R4, the stable workhorse backed by major EHR vendors like Epic and Oracle, and reinforced by government mandates. R5 introduces breaking changes and compatibility headaches, from patient record tweaks to allergy data shake-ups, forcing costly rewrites and complex migrations.

Plus, many partners and integrations are stuck on R4, limiting your real interoperability if you jump to R5 too soon.

The future? FHIR R6 promises stability and backward compatibility with official normative status, making it the smarter long-term upgrade. For now, most implementers (including us at Health Samurai) recommend sticking with R4, enjoying wide support and waiting for R6’s smooth rollout.

In short: Don't rush to upgrade. Choose stability, not just novelty. Your integrations (and your budget) will thank you.

What's your take? R5 now, wait for R6, or still loving R4? Drop your thoughts below!

Read the full article by our Customer Success Manager Vlad Zholnerchuk at health-samurai.io

Immediate Release: Free Public Inferno (g)(10) Test Kit Available During U.S. Government Shutdown

Svetlana Golubeva — Thu, 09 Oct 2025 08:57:09 +0000

As the government shutdown limits access to many essential public health IT services, developers working on ONC §170.315(g)(10) certification and US Core compliance face critical challenges.

To ensure testing continuity, we've deployed a free public Inferno (g)(10) test kit instance available now for immediate use.

Access the test kit here: health-samurai.io/inferno/onc_certification_g10

Benefit from a fully functional testing environment that respects your privacy and helps you maintain compliance even during shutdowns.

Secure your FHIR APIs: Token introspection explained

Svetlana Golubeva — Mon, 01 Sep 2025 13:28:53 +0000

Token introspection is a key process in securing modern FHIR APIs by validating access tokens from external identity providers.

The article covers the fundamentals of authentication, authorization, and token introspection in FHIR. It details different token validation methods supported by Aidbox, including secret-based, JWKS URI, and direct cryptographic key configurations. Readers will learn how token introspection works in practice and see best practices for managing token security in healthcare applications.

Why it’s beneficial to readers
Understanding token introspection equips developers and DevOps teams with the knowledge to secure their FHIR servers effectively while embracing existing identity infrastructure. This reduces system complexity, improves security, and prevents costly re-architecting of authentication workflows.

What readers will learn
The role of token introspection as a bridge between authentication and authorization in FHIR

How Aidbox validates JWT and opaque tokens using industry standards
Multiple ways to validate tokens depending on infrastructure needs
Key rotation, multi-key support, and common pitfalls to avoid
How to define AccessPolicies that enforce fine-grained authorization based on tokens

Read the full article
For detailed explanations, examples, and configuration samples, read the full article here.

Agentic FHIR: Using AI to simplify and speed up Implementation Guide development

Svetlana Golubeva — Mon, 01 Sep 2025 13:23:21 +0000

FHIR Implementation Guides (IGs) are essential for healthcare interoperability but are complex and technical to create.

The article explains the traditional challenges of developing FHIR Implementation Guides using technical JSON and specific tools, and presents an AI-driven alternative that automates guide creation from natural language requirements. It highlights how the Aidbox FHIR server integrates for real-time validation, enabling quick iterations and collaboration between healthcare experts and developers.

Readers will see how AI can reduce the steep learning curve of FHIR IG development, save time, and open opportunities for healthcare professionals who are not developers to contribute meaningfully to interoperability standards. It offers a glimpse of future collaborative workflows powered by AI, improving healthcare software development efficiency.

What readers will learn

The complexity and pain points of current FHIR IG development.
How AI agents generate accurate FHIR resources from simple language.
The role of Aidbox in instant validation and feedback.
Steps to scale from simple code systems to full implementation guides.
Practical examples and tools to try AI-assisted FHIR IG development today.

Read the full article
Explore full details, example projects, and source code on the Health Samurai blog.

HL7 FHIR Camp 2025, Portugal

Svetlana Golubeva — Wed, 20 Aug 2025 09:35:21 +0000

Reserve your place at FHIR Camp 2025

This October, join the FHIR community right by the Atlantic for FHIR Camp 2025 in Cascais, Portugal.

HL7 FHIR® Camp isn’t a traditional conference. Here, the agenda is shaped by you and your peers. Instead of lectures or passive sessions, you’ll dive right into lively discussions and hands-on problem-solving with experts like Grahame Grieve, Lloyd McKenzie, Diego Kaminker, and many others who are driving the FHIR movement forward.

𝗪𝗵𝘆 𝗰𝗼𝗺𝗲?

No formal agenda – you bring the topics you care about
No panels – just real conversations, tech debates, and shared problem-solving
Everyone's a contributor; no division between “experts” and “audience”
Expect genuine peer connections, new solutions, and time to refresh by the ocean

Participation is limited, so reserve your spot soon. Early bird tickets end September 1.

Event details:
HL7 FHIR® Camp 2025, a participant-driven FHIR event by the ocean
October 22-24, 2025 | Cascais, Portugal
Preliminary Agenda
Event page

FHIRPath: A Deep Dive into Static Type Analysis for Robust Tooling

Svetlana Golubeva — Tue, 08 Jul 2025 12:38:44 +0000

How can FHIRPath become safer and smarter to use? With static type analysis.

In this new article, Olim Saidov, Software Engineer for Aidbox Forms, dives deep into how a type system for FHIRPath can transform the developer experience: enabling intelligent autocompletion, real-time validation, and robust editor tooling.

From Single to PrimitiveFHIRType, and through the quirks of FHIR's own schema structure, we explore the architecture behind a more reliable FHIRPath.

💡 If you're working on FHIR tooling or building low-code experiences on top of FHIR – this read is for you.

📖 Read the full article

🧑‍💻 Code and editor are open source