HL7 FHIR (Fast Healthcare Interoperability Resources)

FHIR in plain terms

Think of FHIR as the 'REST API for healthcare.' Every clinically meaningful concept — a patient, an appointment, a lab result, a medication, an allergy — is modelled as a discrete resource with a predictable structure and a stable URL. You fetch a patient with a GET request to /Patient/123, search for their conditions with /Condition?patient=123, and write back observations with a POST. Because the format is JSON over HTTP, the same skills your team already uses to integrate Stripe or Twilio transfer directly to healthcare. That accessibility is exactly why FHIR has become the default integration layer for new digital health products and why regulators in the US and UK now mandate FHIR-based patient data access.

FHIR R4, resources, and profiles

FHIR R4 (Release 4) is the first 'normative' version, meaning its core resources are stable enough to build production systems against without fear of breaking changes. The specification defines roughly 145 resource types, but real implementations rarely need more than a couple of dozen: Patient, Practitioner, Encounter, Observation, Condition, MedicationRequest, AllergyIntolerance, DiagnosticReport, and a handful of others. Profiles and implementation guides — such as US Core in the United States or UK Core for the NHS — constrain those base resources into nationally agreed shapes, specifying which fields are mandatory and which code systems (SNOMED CT, LOINC, ICD-10) are allowed. Building against the right profile is what separates a demo from a system an EHR vendor will actually certify.

SMART on FHIR and authorisation

FHIR defines the data model; SMART on FHIR defines how apps securely launch and obtain access. SMART layers OAuth 2.0 and OpenID Connect on top of FHIR so a clinical app can launch inside an EHR like Epic or Cerner, inherit the logged-in clinician's context, and request scoped permissions (for example, read-only access to a single patient's medications). This is the mechanism that lets a third-party AI copilot appear inside the EHR without the vendor handing over a database dump. Getting SMART scopes, token refresh, and launch context right is typically where integration projects spend their effort — the FHIR queries themselves are the easy part.

Why FHIR matters for AI products

Large language models are only as useful as the clinical context you can feed them. FHIR is how that context arrives: a structured, permissioned, real-time view of the patient that an agent can summarise, reason over, or act on. An ambient documentation tool reads the Encounter and writes back a clinical note; a triage agent reads Conditions and Observations to risk-stratify; an RCM bot reads Coverage and Claim resources to flag denials. Because FHIR is standardised, the same integration architecture you build for one customer's EHR largely carries over to the next — the economic foundation of selling healthcare software at scale rather than rebuilding a custom interface per hospital.

Common pitfalls and considerations

FHIR's flexibility is also its trap. Two systems can both be 'FHIR R4 compliant' yet disagree on which optional fields they populate, how they code a diagnosis, or whether they support the search parameters you need. Bulk export ($export) behaves very differently from per-patient reads and is often rate-limited. Sandbox environments rarely match production data quality. And FHIR carries Protected Health Information, so every request must be designed under HIPAA, UK GDPR, and your data processing agreements from day one. Treat conformance testing against the customer's real (or synthetic) data as a first-class engineering task, not an afterthought.

Related terms

• Healthcare InteroperabilityStandards & Interoperability
• Electronic Health Record (EHR)Standards & Interoperability
• SNOMED CTStandards & Interoperability
• Protected Health Information (PHI)Compliance & Security