Patient Access FHIR API Best Practices
Recommendations for implementing FHIR APIs that enable patients to access their health information.
Items marked with this icon are required by ONC certification criteria and must be implemented to maintain compliance.
Support OAuth 2.0 for patient authentication
Implement OAuth 2.0 authorization framework to enable secure patient access to their health information.
Support multiple authentication methods
Provide multiple authentication options for patients, such as username/password, biometric authentication, and multi-factor authentication.
Implement token refresh
Support OAuth 2.0 refresh tokens to allow patient applications to maintain access without requiring frequent re-authentication.
Support all USCDI data elements
Ensure that all United States Core Data for Interoperability (USCDI) data elements are accessible through the patient access API.
Support patient-specific data filtering
Implement robust filtering capabilities to allow patients to retrieve specific subsets of their health information.
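As an added example (not part of this page or any particular vendor's implementation), the Python below shows how the OAuth 2.0 authorization above and the patient-specific filtering here meet on the server side: the patient compartment filter is derived from the access token, never from a client-supplied parameter. It assumes the SMART App Launch scope syntax (patient/Observation.read, patient/*.rs) and a patient launch-context value bound to the token.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: scopes follow SMART App Launch v1 (read/write/*) or v2 (cruds letters).
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|[cruds]+)$")

@dataclass
class TokenContext:
    scopes: set                 # scopes granted at authorization time
    patient: Optional[str]      # "patient" launch context bound to this token

def scope_allows(scopes, resource_type, action):
    """True if a granted patient/ scope covers resource_type for action 'r' or 'w'."""
    for s in scopes:
        m = SCOPE_RE.match(s)
        if not m or m.group(1) != "patient":
            continue                       # user/ and system/ scopes are not patient access
        rtype, perms = m.group(2), m.group(3)
        if rtype not in ("*", resource_type):
            continue
        if perms == "*":
            return True
        if perms == "read":
            can_read, can_write = True, False
        elif perms == "write":
            can_read, can_write = False, True
        else:                              # v2: any of c r u d s
            can_read = "r" in perms or "s" in perms
            can_write = any(c in perms for c in "cud")
        if (action == "r" and can_read) or (action == "w" and can_write):
            return True
    return False

def authorize_search(token, resource_type, params):
    """Return the search parameters the server may execute, or None to deny.
    The compartment filter is pinned to the token's patient so that a patient-scoped
    token cannot be widened to another patient's records via the query string."""
    if token.patient is None or not scope_allows(token.scopes, resource_type, "r"):
        return None
    # The Patient resource itself is selected by _id; everything else by patient.
    key = "_id" if resource_type == "Patient" else "patient"
    requested = params.get(key)
    if requested is not None and requested != token.patient:
        return None                        # client asked for a different patient: deny
    effective = dict(params)
    effective[key] = token.patient         # server-side pin, regardless of client input
    return effective
```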
Support patient data export
Enable patients to export their complete health record in standard formats, such as FHIR bundles or C-CDA documents.
Provide clear documentation for patients
Offer user-friendly documentation that explains how patients can access their health information through the API.
Support third-party app connections
Make it easy for patients to connect third-party applications to their health data through a simple authorization process.
Implement user-friendly error messages
Provide clear, actionable error messages that help patients understand and resolve issues when accessing their data.