Provider App FHIR API Best Practices
Recommendations for implementing FHIR APIs that enable provider-facing applications to access and interact with EHR data.
Items marked with the required icon on this page are mandated by ONC certification criteria and must be implemented to maintain compliance.
Support SMART on FHIR authorization
Implement the SMART App Launch framework (OAuth 2.0 authorization code grant; use PKCE) so that provider applications obtain access tokens limited to the scopes they request, typically the user/ scope family (for example user/Patient.read, user/Observation.read) together with openid, fhirUser and launch for EHR launch. Enforce the granted scopes on every request server-side rather than trusting the application to stay within them.
Support clinician context
Make the authenticated clinician's identity available to the application: return a fhirUser claim in the OpenID Connect id_token (requested with the openid and fhirUser scopes) that resolves to the Practitioner or PractitionerRole resource, and supply launch context (patient, encounter) in the token response. Applications use this for role-based access control and personalized experiences, but the server must still authorize every request itself rather than relying on the application's reading of the role.
Implement token refresh
Support OAuth 2.0 refresh tokens (requested with the offline_access or online_access scope) so provider applications can keep working across an extended clinical session without repeated re-authentication. Bind refresh tokens to the issuing client, rotate them on use, make them revocable, and never allow a refresh to widen the scope that was originally granted.
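The three items above (SMART authorization, clinician context, token refresh) are the client side of one flow. The following is an added example, not code from the page or from any EHR vendor: it builds the SMART authorize request with PKCE and a session-bound state value, validates the redirect, assembles the authorization-code and refresh-token requests, and extracts the clinician identity from the token response. The endpoints, client id, redirect URI and issuer are assumptions; a real app discovers the OAuth endpoints from the server's .well-known/smart-configuration document.

```python
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints and identifiers for the example; a real app discovers the
# OAuth endpoints from <FHIR_BASE>/.well-known/smart-configuration.
FHIR_BASE = "https://ehr.example.org/fhir"
ISSUER = "https://ehr.example.org"
AUTHORIZE_URL = ISSUER + "/oauth/authorize"
CLIENT_ID = "provider-app-demo"
REDIRECT_URI = "https://app.example.org/smart/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    """S256 challenge from RFC 7636: BASE64URL(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(scopes, launch=None):
    """Build the authorize redirect; the returned 'pending' dict stays server-side in the session."""
    verifier = b64url(secrets.token_bytes(32))   # 43-character PKCE verifier
    state = b64url(secrets.token_bytes(16))      # binds the callback to this browser session
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "aud": FHIR_BASE,                          # SMART: aud is the FHIR server the token is for
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if launch:                                     # EHR launch: echo the opaque launch token
        params["launch"] = launch
    return AUTHORIZE_URL + "?" + urlencode(params), {"state": state, "code_verifier": verifier}


def token_request_from_callback(callback_url, pending):
    """Check state, then build the authorization-code grant body (POSTed to the token endpoint)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: callback rejected (CSRF or replay)")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["code_verifier"],
    }


def refresh_request(refresh_token, scopes=None):
    """Refresh grant body; 'scope', if sent, may only narrow what was originally granted."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": CLIENT_ID}
    if scopes:
        body["scope"] = " ".join(scopes)
    return body


def clinician_context(token_response, now=None):
    """Pull the clinician identity and launch context out of a SMART token response.

    The id_token payload is decoded here without signature verification. Before
    trusting any claim in production, verify the JWS against the server's JWKS
    (for example PyJWT: jwt.decode(tok, key, algorithms=["RS256"], audience=CLIENT_ID)).
    """
    now = time.time() if now is None else now
    _header, payload, _signature = token_response["id_token"].split(".")
    claims = json.loads(b64url_decode(payload))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud or claims.get("exp", 0) <= now:
        raise ValueError("id_token issuer, audience or expiry check failed")
    fhir_user = claims["fhirUser"]                  # e.g. Practitioner/123 or PractitionerRole/45
    return {
        "fhir_user": fhir_user,
        "user_type": fhir_user.rsplit("/", 2)[-2],   # works for relative and absolute references
        "patient": token_response.get("patient"),   # launch context, if the EHR supplied it
        "encounter": token_response.get("encounter"),
        "granted_scopes": token_response.get("scope", "").split(),
    }
```

The state value and PKCE verifier are generated per request and kept only in the server-side session, so a forged or replayed callback fails before any token request is made; the app then compares the granted scope list against what it asked for rather than assuming the EHR granted everything.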
Support US Core profiles
Implement the US Core profiles (the implementation guide behind USCDI) for every required FHIR resource so that provider applications receive consistently shaped data and can validate responses against the published StructureDefinitions.
Support efficient search operations
Implement comprehensive search, including chained parameters (for example Observation?patient.identifier=...), _include and _revinclude, so clinical workflows can retrieve related resources in a single round trip. Apply the same scope checks to included and chained resource types as to the primary search target, and cap _count, because an unbounded _include can return far more data than the application was ever granted.
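The following is an added example (not code from the page or from any FHIR server) of the server-side check that item implies: before executing a search, work out every resource type the request will return, including _include and _revinclude targets and the types traversed by chained parameters, and confirm the token's SMART scopes (v1 user/X.read or v2 user/X.rs) cover all of them, then clamp _count. It also shows the client side: indexing the resulting searchset Bundle so that included resources resolve by reference. The INCLUDE_TARGETS map, the _count cap and the sample Bundle are constructed for the example.

```python
from urllib.parse import parse_qs, urlencode

# Constructed subset of search-parameter target types, used when _include or a
# chained parameter omits the explicit ":TargetType". A real server derives this
# from its SearchParameter definitions.
INCLUDE_TARGETS = {
    ("Observation", "subject"): "Patient",
    ("Observation", "patient"): "Patient",
    ("Observation", "performer"): "Practitioner",
    ("MedicationRequest", "requester"): "Practitioner",
}
MAX_COUNT = 200  # assumption: server-wide cap on _count


def scope_allows_read(scopes, resource_type):
    """True if a SMART v1 (user/X.read) or v2 (user/X.rs) scope grants read on resource_type."""
    for scope in scopes:
        if "/" not in scope or "." not in scope:
            continue                                   # openid, launch, offline_access, ...
        context, rest = scope.split("/", 1)
        rtype, perm = rest.split(".", 1)
        if context not in ("user", "patient", "system") or rtype not in (resource_type, "*"):
            continue
        if perm in ("read", "*") or (perm != "write" and "r" in perm):
            return True
    return False


def build_search(resource_type, params):
    """Encode a search such as Observation?patient.identifier=...&_include=Observation:subject."""
    return resource_type + "?" + urlencode(params, doseq=True)


def authorize_search(resource_type, query_string, scopes):
    """Server-side gate: the searched type and every type the search can return must be in scope.

    Returns the parsed parameters with _count clamped, or raises PermissionError / ValueError.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    needed = {resource_type}
    for inc in params.get("_include", []):
        if ":" not in inc:
            raise ValueError("wildcard or malformed _include not permitted: " + inc)
        src, param, *target = inc.split(":")
        rtype = target[0] if target else INCLUDE_TARGETS.get((src, param))
        if rtype is None:
            raise ValueError("unknown _include target: " + inc)
        needed.add(rtype)
    for rev in params.get("_revinclude", []):
        needed.add(rev.split(":")[0])                 # the referencing type is what comes back
    for name in params:
        if "." in name and not name.startswith("_"):   # chained parameter, e.g. subject:Patient.name
            ref, _, _chain = name.partition(".")
            src_param, _, rtype = ref.partition(":")
            rtype = rtype or INCLUDE_TARGETS.get((resource_type, src_param))
            if rtype is None:
                raise ValueError("cannot resolve the type traversed by chained parameter " + name)
            needed.add(rtype)
    denied = sorted(t for t in needed if not scope_allows_read(scopes, t))
    if denied:
        raise PermissionError("token scopes do not cover: " + ", ".join(denied))
    count = int(params.get("_count", [MAX_COUNT])[0])
    params["_count"] = [str(min(count, MAX_COUNT))]
    return params


def index_bundle(bundle):
    """Split a searchset Bundle into match resources and an index of included resources by reference."""
    matches, included = [], {}
    for entry in bundle.get("entry", []):
        res = entry["resource"]
        if entry.get("search", {}).get("mode") == "include":
            included[res["resourceType"] + "/" + res["id"]] = res
        else:
            matches.append(res)
    return matches, included


def resolve(reference, included):
    """Resolve a relative reference such as {'reference': 'Patient/p1'} against the included index."""
    return included.get(reference.get("reference"))


# Constructed searchset for Observation?patient.identifier=...&_include=Observation:subject&_revinclude=Provenance:target
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "searchset", "total": 2,
    "entry": [
        {"resource": {"resourceType": "Observation", "id": "o1", "code": {"text": "Hemoglobin"},
                      "subject": {"reference": "Patient/p1"}}, "search": {"mode": "match"}},
        {"resource": {"resourceType": "Observation", "id": "o2", "code": {"text": "Hematocrit"},
                      "subject": {"reference": "Patient/p1"}}, "search": {"mode": "match"}},
        {"resource": {"resourceType": "Patient", "id": "p1", "name": [{"family": "Smith"}]},
         "search": {"mode": "include"}},
        {"resource": {"resourceType": "Provenance", "id": "pv1", "target": [{"reference": "Observation/o1"}]},
         "search": {"mode": "include"}},
    ],
}
```

The point of the scope walk is that _include and _revinclude change the set of resource types a request returns; a token holding only user/Observation.read must not be able to pull Patient or Provenance records by attaching an _include to an Observation search.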
Enable write operations
Support FHIR create, update and delete operations so provider applications can write data back to the EHR. Validate incoming resources against the applicable profiles, require If-Match with the current ETag on updates so concurrent edits cannot silently overwrite each other, check write scopes (user/X.write or the v2 c/u/d permissions) separately from read scopes, and record an AuditEvent for every write that captures the acting user, the target resource and the outcome.
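As an added example of the validation, concurrency and audit controls that item calls for (not code from the page or from any EHR), the following handles a PUT of an Observation: it checks a simplified subset of the mandatory elements shared by US Core Observation profiles, enforces If-Match against the stored version's ETag (428 when the header is missing, 412 when it is stale), and writes a FHIR R4 AuditEvent for both successful and rejected writes. The in-memory STORE, AUDIT_LOG and the observer Device reference are constructed for the example.

```python
# In-memory stand-ins for the EHR's resource store and audit sink, constructed
# for the example. A real server persists history and enforces tenancy.
STORE = {}       # "Observation/o1" -> stored resource (with meta.versionId)
AUDIT_LOG = []   # AuditEvent resources, newest last

OBSERVATION_STATUS = ("registered", "preliminary", "final", "amended",
                      "corrected", "cancelled", "entered-in-error", "unknown")


def etag(version_id):
    """FHIR weak ETag for a version, e.g. W/"3"."""
    return 'W/"%s"' % version_id


def validate_observation(res):
    """Simplified subset of the US Core Observation rules: status, category, code and subject
    are mandatory, and either value[x] or dataAbsentReason must be present."""
    if res.get("resourceType") != "Observation":
        return ["resourceType must be Observation"]
    problems = ["missing required element: " + e for e in ("status", "category", "code", "subject") if not res.get(e)]
    if res.get("status") and res["status"] not in OBSERVATION_STATUS:
        problems.append("status not in the required value set")
    if not any(k.startswith("value") for k in res) and not res.get("dataAbsentReason"):
        problems.append("value[x] or dataAbsentReason is required")
    return problems


def operation_outcome(messages, code="invalid"):
    return {"resourceType": "OperationOutcome",
            "issue": [{"severity": "error", "code": code, "diagnostics": m} for m in messages]}


def audit_event(action, outcome, actor, target, when):
    """FHIR R4 AuditEvent for a REST write: action C/U/D, outcome "0" success or "4" minor failure."""
    event = {
        "resourceType": "AuditEvent",
        "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type", "code": "rest"},
        "subtype": [{"system": "http://hl7.org/fhir/restful-interaction",
                     "code": {"C": "create", "U": "update", "D": "delete"}[action]}],
        "action": action,
        "recorded": when,
        "outcome": outcome,
        "agent": [{"who": {"reference": actor}, "requestor": True}],   # fhirUser from the token
        "source": {"observer": {"reference": "Device/fhir-api"}},      # assumption: the API's own Device
        "entity": [{"what": {"reference": target}}],
    }
    AUDIT_LOG.append(event)
    return event


def update_observation(res_id, body, if_match, actor, now):
    """PUT Observation/{id}. Returns (http_status, payload, etag_of_stored_version_or_None)."""
    target = "Observation/" + res_id
    current = STORE.get(target)
    action = "U" if current else "C"            # update-as-create at a client-chosen id
    problems = validate_observation(body)
    if problems:
        audit_event(action, "4", actor, target, now)
        return 400, operation_outcome(problems), None
    version = 1
    if current:
        current_tag = etag(current["meta"]["versionId"])
        if if_match is None:
            audit_event("U", "4", actor, target, now)
            return 428, operation_outcome(["If-Match header is required for update"], "required"), current_tag
        if if_match != current_tag:
            audit_event("U", "4", actor, target, now)
            return 412, operation_outcome(["resource changed since it was read"], "conflict"), current_tag
        version = int(current["meta"]["versionId"]) + 1
    stored = dict(body, id=res_id, meta={"versionId": str(version), "lastUpdated": now})
    STORE[target] = stored
    audit_event(action, "0", actor, target, now)
    return (201 if action == "C" else 200), stored, etag(version)
```

Requiring If-Match turns a lost-update race into an explicit 412 the application can resolve by re-reading; recording the failed attempts as AuditEvents with outcome "4" keeps rejected writes visible to security operations alongside the successful ones.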
Support clinical task management
Implement FHIR Task resources to enable provider applications to create, track, and manage clinical tasks within the EHR workflow.
Enable order entry
Support FHIR resources for medication, diagnostic, and procedure orders to allow provider applications to initiate clinical orders with appropriate clinical decision support.
Support clinical documentation
Implement FHIR DocumentReference and Composition resources to enable provider applications to contribute to and access clinical documentation within the EHR.
Optimize response times
Ensure API response times are optimized for clinical workflows, with 95% of requests completing in under 1 second to maintain provider productivity.
Implement appropriate rate limits
Define and document rate limits that protect the system without blocking legitimate clinical use, with higher limits for authenticated provider applications than for patient-access applications. Key the limits by client and by user so one busy user cannot exhaust a whole application's quota, return HTTP 429 with a Retry-After header when a limit is exceeded, and publish the limits so developers can design around them.
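An added example of that tiering (not code from the page or from any EHR): a token-bucket limiter keyed by (client_id, user), with the tier looked up from client registration data, that returns 429 and a Retry-After value when a bucket is empty. The tier numbers and the client registry are constructed for the example; the RateLimit-* response headers follow the IETF draft of that name and are optional.

```python
import math

# Constructed tiers: sustained requests per minute plus burst (token-bucket capacity).
TIERS = {
    "provider": {"per_minute": 600, "burst": 100},
    "patient": {"per_minute": 60, "burst": 10},
}
# Constructed client registry; in production the tier comes from client registration metadata,
# never from anything the request itself asserts.
CLIENT_TIERS = {"provider-app-demo": "provider", "patient-portal-demo": "patient"}


class RateLimiter:
    """Token bucket per (client_id, user): one busy clinician cannot starve the rest of the app."""

    def __init__(self):
        self.buckets = {}   # (client_id, user) -> (tokens, last_refill_timestamp)

    def check(self, client_id, user, now):
        """Return (http_status, headers) for one request at time 'now' (seconds)."""
        tier = TIERS[CLIENT_TIERS.get(client_id, "patient")]   # unknown clients get the lowest tier
        rate = tier["per_minute"] / 60.0                        # tokens refilled per second
        key = (client_id, user)
        tokens, last = self.buckets.get(key, (float(tier["burst"]), now))
        tokens = min(float(tier["burst"]), tokens + (now - last) * rate)
        headers = {"RateLimit-Limit": str(tier["per_minute"])}
        if tokens >= 1.0:
            tokens -= 1.0
            self.buckets[key] = (tokens, now)
            headers["RateLimit-Remaining"] = str(int(tokens))
            return 200, headers
        self.buckets[key] = (tokens, now)
        headers["RateLimit-Remaining"] = "0"
        headers["Retry-After"] = str(math.ceil((1.0 - tokens) / rate))   # seconds until one token
        return 429, headers
```

Because the bucket refills continuously, a provider application that stays under its sustained rate never sees a 429, while a runaway loop is cut off after the burst allowance and told exactly when to retry.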
Provide status monitoring
Implement a public API status page and notification system to communicate planned maintenance and unplanned outages to provider application developers.