HL7 FHIR: What It Is and How It Works

[]
min read

If you've ever tried to pull patient data out of Epic or Cerner, you've probably run into the term HL7 FHIR and wondered how it's different from plain old HL7. You're not alone. Healthcare data has a reputation for being locked in proprietary formats, and the terminology around interoperability standards doesn't help.

HL7 FHIR (Fast Healthcare Interoperability Resources) is the modern standard for exchanging healthcare data over the web, built on REST APIs and JSON or XML instead of the rigid messaging formats older HL7 versions relied on. It breaks clinical information into small, reusable pieces called resources, patients, medications, observations, and lets systems request exactly the data they need through standard web calls, similar to how any modern application talks to an API.

In this article, we'll walk through what FHIR actually is, how it evolved from earlier HL7 standards like HL7 v2, and how the SMART on FHIR framework layers authorization on top of it. If you're building software that needs to connect to EHR systems, understanding this foundation will save you a lot of guesswork later, and we'll point out where platforms like SoFaaS fit into that picture.

Why HL7 FHIR matters for healthcare data exchange

Healthcare runs on data that rarely stays in one place. A patient's record might live in an Epic instance at one hospital, a Cerner system at a specialty clinic, and a home health agency's separate charting tool, and none of those systems were built to talk to each other easily. HL7 FHIR exists to close that gap by giving every system a common language and a common set of rules for requesting and sharing clinical information, so a lab result generated in one EHR can show up correctly formatted in a completely different application without a custom translation layer for every connection.

FHIR turns healthcare data exchange from a custom integration project into a standard API call.

Breaking down data silos between EHRs

Before FHIR, connecting two EHRs meant negotiating a point-to-point interface, often built around older HL7 v2 messages that varied slightly from vendor to vendor. Integration teams spent months mapping fields, testing edge cases, and maintaining brittle connections that broke every time either vendor pushed an update. FHIR replaces that patchwork with a consistent resource-based model, so a Condition resource looks and behaves the same whether it's coming from Epic, Cerner, or a smaller regional EHR, cutting the integration timeline from months to weeks in many cases.

Regulatory pressure driving adoption

Federal policy has pushed FHIR from a nice-to-have to a near-requirement. The CMS Interoperability and Patient Access rule requires many payers and providers to expose patient data through FHIR-based APIs, and the ONC's certification program mandates FHIR support for certified health IT. If you're building anything that touches Medicare, Medicaid, or a certified EHR, regulatory compliance now assumes FHIR is part of your architecture, not an optional add-on you bolt on later.

Faster time-to-value for healthcare innovators

Once a system speaks FHIR, adding new data sources or new consuming applications becomes far less painful, since you're reusing the same resource definitions and API patterns across every connection instead of rebuilding logic from scratch. Developers building patient-facing apps, clinical decision support tools, or care coordination platforms benefit directly from this consistency.

Here's what that shift typically means in practice:

  • Shorter integration cycles: standard resources and RESTful calls replace custom message parsing.
  • Lower maintenance burden: updates to one FHIR-compliant source rarely break connections to others.
  • Easier vendor switching: a FHIR-based integration isn't locked to one EHR's proprietary interface.
  • Better patient access: individuals can pull their own records into apps of their choosing, as required under current federal rules.

For healthcare suppliers, DME providers, and app builders trying to move fast without a dedicated integration team, this is the practical payoff: data exchange stops being a bottleneck and starts being infrastructure you can rely on, freeing up engineering time for the actual product instead of the plumbing underneath it.

How HL7 FHIR works: resources, APIs, and paradigms

Underneath all the talk about interoperability, FHIR is really just a way of structuring data and a way of asking for it. Every piece of clinical information gets modeled as a resource, a self-contained JSON or XML object with a defined structure, and every resource gets exposed through a standard RESTful API that any developer who's built a web app already understands.

Resources as the basic unit of data

A resource represents one discrete concept, like a Patient, an Observation, a MedicationRequest, or an Encounter. Each resource type has a fixed set of fields defined by the HL7 FHIR specification, so a Patient resource from Epic includes the same core elements as a Patient resource from Cerner, even if the underlying database schemas look nothing alike. This consistency is what makes resource-based modeling so much easier to work with than the free-text or delimiter-based segments in older HL7 messages.

RESTful API calls in practice

Getting data out of a FHIR server usually looks like a simple HTTP request. You query an endpoint, get back JSON, and parse it like you would any other API response:

GET https://fhir.example.com/Patient/12345
Accept: application/fhir+json

That single call returns a structured Patient resource, no custom message parser required. Searching works the same way, so pulling every Observation tied to a patient is just a filtered GET request rather than a bespoke query language.

A FHIR resource is a predictable, reusable data object, and that predictability is what makes real interoperability possible.

Four paradigms FHIR supports

RESTful APIs are the most common pattern, but FHIR actually defines four ways systems can exchange resources, and picking the right one matters for how your integration behaves:

Four paradigms FHIR supports

  • REST: query and update individual resources over HTTP, the pattern most apps use.
  • Messaging: push event-driven notifications, like a new lab result, between systems.
  • Documents: bundle resources into a fixed, signed document, useful for records that need a permanent snapshot.
  • Services: wrap FHIR resources around a specific defined operation, like a clinical decision support check.

Most consumer-facing and provider-facing applications lean almost entirely on the REST paradigm, since it maps cleanly onto the kind of API work most engineering teams already do.

HL7 FHIR vs HL7 v2 and v3: what changed

HL7 v2 launched in 1989 and still runs a huge share of hospital messaging today, mostly for lab orders, admissions, and discharge notifications. It works, but it's built on pipe-delimited text segments that read like MSH|^~\&|SENDER|FACILITY|..., and every vendor tends to implement it slightly differently. That variability is why two hospitals running the same HL7 v2 version can still need weeks of custom mapping before their systems actually talk to each other.

Why HL7 v3 never took off

HL7 v3 tried to fix v2's inconsistency with a rigid, XML-based model grounded in something called the Reference Information Model. On paper it solved the ambiguity problem. In practice, it was so complex to implement that most vendors and health systems skipped it entirely. Only a handful of use cases, like the Clinical Document Architecture, saw real adoption, and even those took years longer than expected to roll out.

HL7 v3 solved consistency by adding complexity, and complexity is exactly what killed its adoption.

What FHIR fixed

FHIR learned from both failures. It kept the simplicity developers wanted from v2 and the structural consistency v3 was chasing, then delivered both through REST APIs and JSON, formats every modern engineering team already knows how to use. The table below lays out the practical differences:

Feature HL7 v2 HL7 v3 FHIR
Format Pipe-delimited text XML, RIM-based JSON or XML
Transport Point-to-point messaging Complex messaging REST APIs
Learning curve Moderate, but inconsistent Steep Low for web developers
Vendor consistency Varies widely Rigid but rarely implemented High, standardized resources
Real-world adoption Very high (legacy) Very low Rapidly growing

Living alongside legacy systems

Most health systems haven't ripped out HL7 v2 and replaced it wholesale. Instead, FHIR adoption usually happens alongside existing v2 messaging, with FHIR handling new patient-facing apps and API-driven connections while v2 keeps running internal lab and ADT feeds. If you're building an integration today, expect to encounter both standards, sometimes within the same health system, and plan your architecture to translate between them rather than assuming one will fully replace the other anytime soon.

Common FHIR resources and real-world examples

FHIR defines well over 150 resource types, but you'll spend most of your integration work with a small, predictable set. Understanding what each one actually holds, and how it shows up in a real application, makes the abstract idea of "resources" concrete fast. Below are the ones you'll encounter constantly when connecting to an EHR.

Patient and person-level resources

The Patient resource anchors almost every other resource in a FHIR dataset, holding demographics like name, birth date, and identifiers, plus links to related records such as coverage or care team. A home health app checking eligibility, for example, pulls the Patient resource first, then uses its identifier to query everything else tied to that person. The RelatedPerson resource works alongside it, capturing caregivers or family contacts who need visibility into a patient's care without being a covered individual themselves.

Clinical and observation resources

Clinical data lives mostly in Observation, Condition, and MedicationRequest resources. Observation covers anything measured, vitals, lab results, oxygen saturation readings from a home monitoring device, while Condition tracks diagnoses and problems on a patient's active list. MedicationRequest represents an order, not just a fact, which matters if your app needs to distinguish between what a doctor prescribed and what a patient is actually taking.

Resources aren't just data containers, they're the difference between an app that guesses at meaning and one that knows exactly what it's looking at.

Workflow and administrative resources

Beyond clinical facts, FHIR models the logistics of care through resources like Encounter, Appointment, and DeviceRequest, which matter a lot to DME suppliers and NEMT providers coordinating services around a patient visit.

Resource What it holds Typical use case
Patient Demographics, identifiers Eligibility checks, app onboarding
Observation Vitals, lab results Remote monitoring, chronic care apps
Condition Diagnoses, problem list Clinical decision support
MedicationRequest Prescribed medications Medication adherence tools
Encounter Visit details, setting Care coordination, billing triggers
DeviceRequest Ordered equipment DME fulfillment workflows

Once you've mapped a few real workflows to this table, requesting the right resource stops feeling like guesswork and starts feeling like ordinary API design.

How to implement HL7 FHIR in a healthcare application

Getting from zero to a working FHIR connection involves more than reading the spec. You need to pick a target EHR, handle authorization, and build logic that survives the quirks each vendor adds on top of the base standard. Here's the realistic path most teams follow.

Mapping out your integration requirements

Start by identifying which EHRs your users actually run, since Epic, Cerner, and Allscripts each implement FHIR slightly differently despite following the same base spec. Decide which resources you actually need, Patient and Observation cover a lot of ground, but a DME workflow might also need DeviceRequest and Coverage. Skipping this step is the fastest way to end up rebuilding your data model three months in.

Handling authorization with SMART on FHIR

FHIR itself doesn't define how a user logs in or grants access, that's where SMART on FHIR comes in, layering OAuth 2.0 on top of the FHIR spec to manage patient consent and token exchange. A typical authorization flow looks like this:

Handling authorization with SMART on FHIR

  1. Your app redirects the user to the EHR's authorization server.
  2. The patient or provider grants consent to specific data scopes.
  3. The EHR returns an authorization code.
  4. Your app exchanges that code for an access token.
  5. You use the token on every subsequent FHIR API call.

Getting SMART on FHIR authorization wrong is the single most common reason integrations stall before they ever touch real patient data.

Building, testing, and scaling the connection

Before touching production data, test against a sandbox environment, most major EHR vendors publish one specifically for this. Once your calls return the expected resources, you still need to handle token refresh, rate limits, and the vendor-specific extensions layered onto standard resources, since real-world FHIR servers rarely match the spec's example payloads exactly.

Step What it involves
Requirements mapping Choose target EHRs and required resources
Sandbox testing Validate calls against vendor test environments
Authorization setup Implement SMART on FHIR OAuth flow
Production rollout Handle token refresh, rate limits, vendor quirks

Doing all of this in-house is exactly why many teams turn to a managed layer like SoFaaS instead of building the entire authorization and connection stack from scratch.

Challenges to expect when adopting HL7 FHIR

Even with a solid grasp of resources and REST calls, teams hit friction once they connect to real EHR systems. The spec describes the standard, but vendors implement it with enough variation that you can't treat FHIR as plug-and-play. Knowing the common failure points ahead of time saves you from debugging them in production.

Vendor-specific implementations

Epic, Cerner, and Allscripts all claim FHIR compliance, but each one adds custom extensions, restricts certain search parameters, or interprets optional fields differently. A Condition resource that validates cleanly against one vendor's sandbox might return an unexpected shape from another, so vendor variation forces you to write conditional logic instead of one universal parser. Budget real time for testing against each target system rather than assuming your first successful connection generalizes to the rest.

Authorization and consent complexity

SMART on FHIR solves the authorization problem in theory, but implementing OAuth 2.0 correctly, handling token refresh, scope negotiation, and patient consent screens that vary by vendor, trips up teams that have never worked with healthcare-specific auth flows before. Get the token lifecycle wrong and your app either loses access mid-session or over-requests scopes that trigger patient consent friction.

Most FHIR integrations don't fail on the data model, they fail on the authorization handshake around it.

Scaling beyond a single connection

One EHR connection is manageable with a small team. Ten connections, each with its own quirks, rate limits, and token refresh schedule, turns into a maintenance job on its own. Scaling challenges show up as the second or third integration gets added, since the custom logic you wrote for EHR one rarely transfers cleanly to EHR two.

Compliance and security overhead

Every FHIR connection touching patient data falls under HIPAA, and depending on your customers, you may also need SOC 2 Type II controls, audit logging, and encryption at rest and in transit. Building and maintaining that infrastructure yourself means ongoing security reviews, not a one-time setup.

Here's a quick rundown of where teams most often get stuck:

  • Inconsistent vendor behavior across otherwise spec-compliant EHRs
  • Token management bugs that break access mid-workflow
  • Rate limiting on production FHIR servers during high-volume periods
  • Audit logging gaps that surface during a compliance review
  • Staffing gaps, since FHIR and SMART on FHIR expertise is still scarce

Each of these is solvable, but solving all of them in-house is a real engineering investment, not a weekend project.

what is hl7 fhir infographic

Putting HL7 FHIR into practice

HL7 FHIR gives healthcare software a common language, resources, REST APIs, and predictable data shapes that replace decades of custom point-to-point mapping. You now know how it evolved from HL7 v2 and v3, how SMART on FHIR handles authorization on top of it, and where the real friction shows up once you connect to Epic, Cerner, or Allscripts in production. That friction, vendor quirks, token management, audit logging, isn't a sign you misunderstood the spec. It's just the gap between reading documentation and running live integrations at scale.

You don't have to close that gap alone. Teams building DME workflows, remote monitoring apps, or care coordination tools are choosing managed infrastructure over months of custom OAuth and connector work, because shipping faster matters more than reinventing plumbing every EHR vendor already forces you to rebuild. If you're ready to connect to real EHR data without staffing a full integration team, launch your SMART on FHIR app in a couple of steps.

Read More

6 Best Home Health Agency Software Options in 2026

By

Health Information Exchange: What It Is And How It Works

By

How to Build HIPAA Compliant Software: A Step-by-Step Guide

By

Clinical Decision Support: What It Is And How CDS Works

By

The Future of Patient Logistics

Exploring the future of all things related to patient logistics, technology and how AI is going to re-shape the way we deliver care.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.