Security review

Someone sent you this because they want to use ImOnFHIR

ImOnFHIR is an independent FHIR interoperability lab — a validator, payload tools, and a knowledge library for prior-authorization workflows. It runs on synthetic data only: no PHI, no accounts, no tracking. Everything your security team needs is on this page; the rest is an email away.

What it does

Validates Da Vinci PAS bundles against FHIR standards, washes and compares payloads, and explains how prior-auth interoperability actually works.

What it never has

PHI, user accounts, passwords, tracking cookies, or ad trackers. Just anonymous usage counters (Vercel Analytics) — the data worth stealing does not exist here.

Who runs it

Nick Dugan BSN, RN-BC, CPHIMS — an independent healthcare interoperability engineer. Not a vendor pitch; a working lab.

About the lab →

Whitelist it in three steps

  1. 01Review the postureThe /security page covers data handling per tool, subprocessors, and vulnerability disclosure.
  2. 02Allow the domainsFour domains, listed below. Two are ours; two are Vercel's cookie-free analytics. No ad trackers, no font CDNs, no surprise origins.
  3. 03Email usQuestionnaires, sign-off requests, or questions — one email, prefilled for you. We respond fast.

Domains to allow

A browser using ImOnFHIR contacts exactly these origins:

imonfhir.com
www.imonfhir.com
va.vercel-scripts.com
vitals.vercel-insights.com
imonfhir.com
The site, the Lab, and its same-origin APIs
www.imonfhir.com
Canonical redirect host
va.vercel-scripts.com
Vercel Analytics script (anonymous, cookie-free)
vitals.vercel-insights.com
Vercel Web Vitals beacon

Note: validator.imonfhir.com never sees browser traffic — validation requests go same-origin to imonfhir.com, and our servers talk to the sidecar behind Cloudflare Access.

Data handling at a glance

SurfaceSummary
ValidatorPasted payloads are processed transiently on our servers (1 MB cap, not persisted or logged). Synthetic or de-identified FHIR only.
Washer & CompareRun entirely in the browser. Pasted payloads never reach ImOnFHIR servers. (Temporarily off on stable production during beta rollout.)
AnalyticsAnonymous usage counters via Vercel Analytics. No cookies, no identifiers, never payload contents.
AccountsNone. There is no login, no user database, and no personal data to store.

The longer version — including the validator’s server-side path and the full subprocessor list — is on /security.

Submit a request

Whitelisting sign-off, a SIG Lite / CAIQ style questionnaire, or plain questions — send them over and we’ll respond within two business days, usually faster. The button prefills the email so your team only has to fill in the blanks.

Prefer plain email? Write to security@imonfhir.com. Machine-readable contact: /.well-known/security.txt.