FHIR Explained: Resources, APIs, Profiles, & Use Cases

FHIR Explained

FHIR (pronounced “fire”) stands for Fast Healthcare Interoperability Resources. 

It is a healthcare data exchange standard created by HL7 International that gives different systems — EHRs, lab systems, payer platforms, patient apps, and clinical tools — a common way to represent and share health information using modular building blocks called resources and modern API patterns.

Unlike older HL7 standards that rely on event-driven messaging or document-based exchange, FHIR uses RESTful APIs, JSON, and XML formats familiar to web developers. 

The result is a standard that can support hospital integrations, patient-facing apps, payer data exchange, quality measurement, clinical decision support, and population health workflows through a single architectural model.

A 2025 ONC data brief found that 70% of U.S. hospitals enabled patient access using standards-based APIs such as FHIR in 2024.

A 2025 global survey of 82 FHIR experts across 52 countries found that 71% reported active FHIR use, with R4 as the dominant production version in 31 countries.

Here is what this guide covers:

  • How SMART on FHIR handles security
  • How FHIR differs from HL7 v2 and CDA
  • Where FHIR fits in U.S. interoperability policy
  • Benefits, limitations, and implementation steps
  • Why profiles and implementation guides are needed
  • How FHIR works (resources, APIs, and data formats)

How does FHIR work?

FHIR breaks healthcare information into standardized building blocks called resources

Each resource represents a healthcare concept — a patient, a lab result, a medication order, an encounter, an allergy — and can be independently created, read, updated, searched, or deleted through API calls.

FHIR ARCHITECTURE

How FHIR data moves from definition to exchange

R

Resource

Standard data building block

P

Profile

Constraints for a use case

IG

Impl Guide

Rulebook for a workflow

API

FHIR API

Real-world data exchange

FHIR APIs use standard HTTP methods

  • Read — retrieve a specific resource (GET)
  • Search — query resources by parameters (GET with search params)
  • Create — add a new resource (POST)
  • Update — modify an existing resource (PUT)
  • Delete — remove a resource (DELETE)

Data is typically transmitted in JSON (most common for APIs and apps) or XML (used in some document and validation contexts).

What are FHIR resources?

Resources are the core data objects in FHIR. Each represents a distinct healthcare concept and can be independently addressed, exchanged, and linked to other resources.

FHIR resourceRepresentsExample use
PatientDemographics and identifiersFind or verify a patient record
ObservationMeasurements and findingsBlood pressure, lab value, vital sign
EncounterA healthcare visit or interactionOffice visit, hospital admission
MedicationRequestMedication order or prescriptionActive prescription for a patient
AllergyIntoleranceAllergy or sensitivityPenicillin allergy
DiagnosticReportDiagnostic findingsLab panel, imaging report
ConditionProblem, diagnosis, or concernDiabetes, hypertension
ProcedureClinical action performedSurgery, vaccination
CoverageInsurance or payer informationHealth plan details
ClaimBilling or payment requestSubmitted healthcare claim

How does FHIR differ from HL7 v2 and CDA?

FHIR is part of the HL7 standards family — not a replacement for everything that came before it. HL7 International is the organization; FHIR is one of several standards it maintains.

StandardModelCommon formatBest for
HL7 v2Event-driven messages (segments and fields)Pipe-delimited textHospital interfaces — ADT, orders, results, billing
CDADocument-based clinical exchangeXMLClinical documents — discharge summaries, care records
FHIRResource-based API exchangeJSON or XMLApps, APIs, patient access, modern data exchange

HL7 v2 remains one of HL7’s most widely adopted standards, prominent in inpatient settings worldwide.

FHIR and v2 often coexist — organizations may keep v2 interfaces for legacy hospital workflows while building FHIR APIs for app access, payer exchange, and new integrations.

The practical mistake is assuming FHIR automatically replaces v2. Migration is a project, not a toggle.

Why do FHIR implementations need profiles and implementation guides?

Base FHIR resources are intentionally flexible. 

A Patient resource can represent patient data in many different ways. That flexibility is a strength for the standard, but a problem for interoperability — because two systems using the same resource can still structure the data differently.

Profiles constrain base resources for specific use cases. A profile might require specific fields, restrict code systems, or add extensions for data that the base resource doesn’t cover.

Implementation guides (IGs) package profiles, terminology rules, examples, and interaction patterns into a complete specification for a use case or jurisdiction.

US Core is the U.S. Realm FHIR implementation guide that defines baseline profiles and interactions for patient data exchange. It maps to USCDI (the federal baseline dataset) and is central to U.S. certification and patient-access API requirements.

A 2024 scoping review of FHIR in chronic disease management found that only about 20% of reviewed applications referenced implementation guides — a sign that profile and IG discipline remains a weak point in real-world FHIR adoption.

How does SMART on FHIR handle security?

FHIR defines data structures and API patterns. Security is handled through complementary frameworks — primarily SMART on FHIR and OAuth 2.0.

SMART on FHIR provides a standard way for apps to

  • Launch securely within an EHR workflow
  • Authenticate users through OpenID Connect
  • Operate within patient or practitioner context
  • Request specific data access through OAuth scopes

The principle is minimum necessary access — apps should request only the FHIR scopes they need for their function.

A 2024 VA study of telesupervision found that supervisors were more confident than trainees that essential security elements were maintained during remote work — a reminder that security architecture and user experience of security are not always aligned.

FHIR enables secure exchange, but it does not automatically guarantee compliance.

HIPAA, state privacy rules, consent management, and organizational policy still govern how data is accessed, shared, and protected.

Where does FHIR fit in U.S. interoperability policy?

FHIR has moved from a voluntary standard to a regulatory building block.

ONC’s Cures Act Final Rule requires standardized APIs so patients can securely access structured health information through apps. 

CMS’s 2024 Interoperability and Prior Authorization Final Rule requires impacted payers to implement and maintain certain HL7 FHIR APIs, with most API requirements taking effect by January 1, 2027.

Policy areaFHIR role
Patient accessAPI access to health information under ONC/CMS rules
Provider accessPayer-to-provider data sharing
Payer-to-payer exchangeData continuity when coverage changes
Prior authorizationAPI-supported request and response workflows
USCDI / US CoreDefines data classes and FHIR profiles for U.S. implementation

HHS announced in June 2026 that TEFCA exchange grew to more than 1 billion health records in less than one year. While TEFCA is not FHIR, it is part of the national exchange infrastructure that FHIR-based APIs increasingly support.

What are the benefits and limitations of FHIR?

Here are the benefits and limitations of FHIR, weighed in:

FHIR ADOPTION

Where FHIR stands in production healthcare

70%

Of U.S. hospitals using FHIR-based APIs for patient access (2024)

71%

Of 52 surveyed countries reporting active FHIR use (2025)

73%

Of digital health companies using standards-based APIs with EHRs

57%

Of digital health companies also using proprietary APIs alongside FHIR

Sources — ONC Data Briefs (2025–2026), HL7/Firely Survey (2025), Barker et al. JAMIA (2024)

FHIR creates real value when it is implemented consistently. Benefits include

  • A common model for representing health data across systems
  • Reduced custom integration work when profiles and IGs are followed
  • Alignment with U.S. regulatory requirements for data access and exchange
  • API patterns that support patient access, app development, and payer exchange

But FHIR does not solve everything by itself

  • Security and consent governance require separate design
  • R4 and R5 version differences create compatibility decisions
  • Data quality varies — APIs expose what the source system contains
  • Profile and IG conformance is uneven across vendors and organizations
  • Semantic interoperability still depends on consistent terminology and coding

A 2024 JAMIA survey found that even among FHIR-adopting digital health companies, 47% cited high API fees, 41% cited lack of realistic test data, and 40% cited insufficient data elements as substantial barriers.

How should organizations start implementing FHIR?

A practical implementation checklist:

FHIR Implementation Checklist

9 Steps for a Successful FHIR Implementation

Work through each checkpoint before moving to production.

Define the Use Case
Clarify whether the project supports patient access, payer exchange, app integration, quality reporting, or clinical decision support.
Choose the Right Guide
Identify the required implementation guide and the appropriate FHIR version before development begins.
Map Clinical Data
Map source system fields to the correct FHIR resources and profiles.
Standardize Terminology
Select SNOMED CT, LOINC, RxNorm, and other required value sets for consistent interoperability.
Secure Access
Design authentication, authorization, and patient consent workflows.
Build the API
Develop or configure the required FHIR API endpoints and capabilities.
Validate Conformance
Test with sample data and verify compliance using FHIR validation and conformance tools.
Pilot the Solution
Deploy with real users and real workflows before full-scale implementation.
Monitor & Optimize Continuously
Track API usage, response times, errors, missing data, and performance metrics to improve interoperability over time.

When interoperability meets revenue

FHIR-based APIs increasingly drive how patient data, payer authorization, and claims information move between systems. 

When those connections break down, practices face delayed authorizations, incomplete data, and avoidable denials.

MedHeave helps healthcare providers build the operational bridge between clinical data exchange and revenue cycle performance.

  • Claims and authorization workflows connected to payer data exchange
  • EHR integration support for billing and documentation systems
  • Denial management tied to data completeness and interoperability gaps
  • Compliance documentation for payer and certification requirements

Contact MedHeave to connect your interoperability investments to your revenue cycle.

Frequently asked questions

Here are some commonly asked questions about FHIR:

What is FHIR in simple terms?

FHIR is a healthcare data exchange standard that lets different systems share health information using a common structure. It breaks medical data into modular building blocks called resources — such as Patient, Observation, MedicationRequest, and Encounter — and makes them accessible through modern web APIs. FHIR is created by HL7 International, is pronounced “fire,” and is now used by the majority of U.S. hospitals for patient-access APIs. It supports app development, payer data exchange, quality reporting, and clinical decision support.

What is the difference between HL7 and FHIR?

HL7 International is the standards organization that publishes FHIR and other healthcare interoperability standards. FHIR is one specific HL7 standard — the modern, API-focused one using resources and JSON/XML. HL7 v2 is an older, widely used messaging standard that remains common for hospital interfaces like ADT, lab orders, and results. CDA is another HL7 standard designed for clinical document exchange. FHIR, v2, and CDA often coexist in the same organization because they serve different workflows and integration patterns.

Is FHIR still used?

Yes. FHIR is actively used and growing. HL7 lists FHIR R5 as the current published version, while R4 remains the dominant production version because major U.S. implementation guides (including US Core) and regulatory requirements still reference R4. ONC found that 70% of U.S. hospitals used FHIR-based APIs for patient access in 2024. CMS requires impacted payers to implement FHIR APIs by January 2027. FHIR is not declining — but version choice depends on the implementation guide and use case.

What is a FHIR profile?

A FHIR profile constrains a base resource for a specific use case. Base FHIR resources are intentionally flexible, so profiles narrow them by requiring certain fields, restricting code systems, or adding extensions. For example, a US Core Blood Pressure profile constrains the Observation resource to require specific LOINC codes, systolic and diastolic components, and UCUM units. Profiles are packaged inside implementation guides, which define the complete rules for exchanging data in a particular context or jurisdiction.

Is FHIR required by law?

In certain U.S. programs, specific FHIR-based APIs are required. ONC’s Cures Act Final Rule requires standardized APIs for patient access to structured health information. CMS’s 2024 interoperability rule requires impacted payers to implement FHIR-based Patient Access, Provider Access, Payer-to-Payer, and Prior Authorization APIs. Requirements vary by actor type, program, and compliance deadline. Outside the U.S., FHIR adoption is growing but regulatory mandates vary by country. Organizations should verify which FHIR version and implementation guide their specific requirements reference.

Improve Billing Accuracy
and Efficiency

Scroll to Top

Get a Quote