Book a Demo

teal verification badge with bold checkmark symbol
Thank you! Your demo request has
been submitted.
Oops! Something went wrong. Please try again.

FHIR Standards for Patient Data Interoperability

Overview of U.S. FHIR R4.0.1 requirements, CMS deadlines, US Core/CARIN profiles, SMART on FHIR security, and implementation essentials.
11
July 4, 2026
George Kramb
Nurse using patient engagement software to support an older patient and caregiver with compassionate, HIPAA-compliant care.
Ready to Transform Your Patient Engagement?
Experience how our real-time mentorship platform can deliver measurable ROI for your brand.
Book a Demo

Key Takeaways

Overview of U.S. FHIR R4.0.1 requirements, CMS deadlines, US Core/CARIN profiles, SMART on FHIR security, and implementation essentials.

If you work with patient data in the U.S., FHIR R4.0.1 is the rulebook you need to know. I’d sum it up like this: payers must share patient data through FHIR-based APIs, that data must follow U.S. profiles like US Core and CARIN, and access must be secured with SMART on FHIR.

Here’s the short version:

  • FHIR is the data format and API model behind patient access
  • CMS-9115-F made Patient Access APIs a requirement starting July 1, 2021
  • CMS-0057-F adds Prior Authorization, Provider Access, and Payer-to-Payer exchange by January 1, 2027
  • FHIR R4.0.1 is the required version
  • Common data includes claims, encounters, coverage, medications, conditions, and lab results
  • Security depends on OAuth 2.0, OpenID Connect, PKCE, TLS 1.2+, and scoped access
  • Payers must keep data current, with some data available within 1 business day
  • Teams also need testing, audit logs, app revocation, and CMS metrics reporting

A few facts stand out. CMS requires data back to January 1, 2016 for current enrollees in the Patient Access API. CMS reporting for API use started in 2026 for 2025 data. And payer-to-payer exchange under CMS-0057-F includes up to 5 years of data.

What this means for you is simple: this is not just an API project. It’s a data mapping, security, compliance, and governance project all at once.

Below, I break down the rules, the main FHIR resources, the security model, and what teams need to do to put these APIs into production without missing key deadlines.

What is FHIR?

FHIR as the Basis of Patient Data Interoperability

FHIR is the HL7 standard for structuring patient data so systems can exchange it through REST APIs and machine-readable formats like JSON and XML. What makes FHIR useful is that it brings transport, data structure, and shared meaning into one model. That combination is what lets data move between systems without turning into a mess.

FHIR Resources for Patient Data

FHIR organizes health information into small, modular units called Resources. Each Resource represents a single piece of a patient record.

A Patient Resource stores demographics. An Observation Resource records lab results or vital signs. A MedicationRequest covers prescriptions. A Condition records diagnoses. On the payer side, Coverage, Claim, and ExplanationOfBenefit (EOB) Resources handle insurance and claims data.

That modular setup matters. Instead of sending whole documents back and forth, systems can exchange only the Resources they need, using the same structure each time.

These Resources are the building blocks that patient access APIs expose.

Data Category Key FHIR Resources Implementation Guide
Clinical Data Patient, Condition, Observation, AllergyIntolerance US Core
Claims & Encounters ExplanationOfBenefit, Claim CARIN IG for Blue Button
Insurance Coverage Coverage, Organization CARIN IG

REST APIs, JSON, XML, and Standardized Semantics

FHIR uses standard HTTP methods across resource endpoints and returns data in JSON or XML, both of which machines can parse easily. It also standardizes meaning through controlled vocabularies such as LOINC and SNOMED CT. So if one EHR sends a hemoglobin A1c result, another system can read it with the same meaning instead of guessing what the value stands for.

USCDI and US Core in the U.S. Context

USCDI

In the U.S., these building blocks are narrowed further by USCDI and US Core. USCDI defines the baseline data classes that must be exchangeable, while US Core defines how those classes appear as FHIR profiles with required fields and vocabularies.

US Core is the baseline for U.S. FHIR implementation. In plain terms, it tells teams not just what data must move, but also how that data should be structured to meet U.S. rules.

U.S. Regulations Driving FHIR-Based Patient Access APIs

U.S. FHIR Patient Access API Rules: Key Regulations, Standards & Deadlines

U.S. FHIR Patient Access API Rules: Key Regulations, Standards & Deadlines

ONC and CMS take FHIR and make it a compliance issue, not just a data standard. ONC sets the technical floor. CMS spells out which payers have to open access and when.

Once FHIR lays out the data model, these two agencies answer the practical questions: who has to share data, what data is in scope, and what deadline applies.

ONC Cures Act API Requirements

ONC

The ONC 21st Century Cures Act Final Rule requires certified health IT developers to support standardized API access with HL7 FHIR Release 4.0.1, so patients can get their electronic health information (EHI) at no cost. That rule creates the technical starting point for certified health IT. It does not create payer API duties.

CMS picks up from there and applies that baseline to payers.

CMS Interoperability and Patient Access Rules

CMS

CMS added two payer-facing rules.

The first is CMS-9115-F. It requires Medicare Advantage organizations, Medicaid and CHIP fee-for-service and managed care programs, and QHP issuers on the Federally-facilitated Exchanges (FFEs) to deploy FHIR-based Patient Access APIs. Enforcement began on July 1, 2021. These APIs must expose adjudicated claims, encounter data, and clinical data aligned with USCDI. They also must include data going back to January 1, 2016, for current enrollees.

The second rule, CMS-0057-F, pushes the model further. It adds Prior Authorization, Provider Access, and Payer-to-Payer exchange, all built on FHIR R4.0.1. The main compliance deadline is January 1, 2027.

Key U.S. Rules, FHIR Standards, and Deadlines at a Glance

At a practical level, these rules boil down to four things: the standard, the data, the entities, and the deadline.

Regulation Required FHIR Standard / IG Data Types in Scope Key Deadlines
ONC 21st Century Cures Act Final Rule HL7 FHIR R4.0.1; USCDI Electronic Health Information (EHI) Ongoing (certified health IT requirements)
CMS-9115-F (Patient Access API) FHIR R4.0.1; US Core IG; SMART App Launch; CARIN IG for Blue Button Claims, encounters, clinical data (USCDI v1) July 1, 2021 (enforcement began)
CMS-0057-F (Prior Authorization API) FHIR R4.0.1; Da Vinci PAS, CRD, and DTR IGs Prior authorization status and documentation (excluding drugs) January 1, 2027
CMS-0057-F (Provider Access API) FHIR R4.0.1; US Core IG; Bulk Data Access IG Claims, encounters, USCDI data, prior authorization info January 1, 2027
CMS-0057-F (Payer-to-Payer Exchange) FHIR R4.0.1; US Core IG; Bulk Data Access IG 5 years of claims, encounters, USCDI, and prior auth data January 1, 2027
CMS-0057-F (API Metrics Reporting) N/A (reporting obligation) Unique patient data transfer counts March 31, 2026 (for 2025 data)

One detail can trip teams up: CMS-0057-F points to 45 CFR 170.213, so data content rules update when ONC adopts newer USCDI versions. That means the target doesn’t stay still. USCDI v1 is no longer current as of January 1, 2026, and teams still relying on v1-only mappings should recheck their builds as the market shifts to USCDI v3.

FHIR Building Blocks and Security for Patient Access APIs

After the regulatory requirements, the next piece is the FHIR resources and security controls that make patient access work. The rules set the boundaries. FHIR sets the structure. FHIR defines the data model, and SMART on FHIR handles secure access.

Core FHIR Resources Used in Patient Access APIs

Patient Access APIs expose payer data through mapped FHIR resources, so a lot of the work comes down to normalization and source-system mapping. In plain English: data from different payer systems has to be lined up with the right FHIR resource.

For example, a pharmacy fill record from a PBM maps to a MedicationRequest, while claims adjudication details map to an ExplanationOfBenefit.

CMS requires only the data the payer already keeps in its own systems. Those mappings are then shaped by specific implementation guides. In practice, payer APIs usually rely on CARIN Blue Button, US Core, PDex Plan-Net, and Da Vinci Drug Formulary profiles.

SMART on FHIR

Once the data model is set, access has to be secured. SMART on FHIR adds authorization to FHIR with OAuth 2.0 and OpenID Connect, so third-party apps can access patient data without handling login credentials. The app sends the patient to the payer, the patient approves access, and the server returns an access token limited to the approved data.

Public clients must use PKCE, TLS 1.2+, and the SMART discovery endpoint. Scopes should be as narrow as possible, such as patient/ExplanationOfBenefit.read or patient/Coverage.read. All token and data-access events should be tracked.

The token response must also include the patient context so the app pulls the right patient record.

FHIR Resources and Their Role in Patient Access

FHIR Resource Primary Use in Patient Access APIs Typical Data Elements Mapped Source Systems
ExplanationOfBenefit Claims and adjudication details Billed/allowed amounts, service dates, provider NPI Claims adjudication system
Observation Lab results and vital signs LOINC codes, values, units, reference ranges Lab information systems / EHR
MedicationRequest Prescription history Medication code, dosage, prescriber, status Pharmacy Benefit Manager (PBM)

These building blocks lead straight into the implementation work covered next.

How to Implement FHIR-Based Patient Access in Enterprise Programs

With the building blocks in place - resources, profiles, and security controls - the next step is making the whole thing work in production. That comes down to doing the work in the right order, keeping data up to date, and making sure the system can handle growth.

Data Mapping, Testing, and Readiness

Once the FHIR model and security layer are in place, implementation starts with source-to-profile mapping and conformance testing. Each source system needs to be mapped to its target FHIR profile before testing begins. That includes mapping claims, clinical, and formulary data to the right FHIR profiles and implementation guides.

Data freshness isn't just an IT concern. It's a compliance rule. CMS requires adjudicated claims and prior authorization decisions to be available through the Patient Access API within one business day. So you need to track lag across every ETL job and database sync in the pipeline. If the total delay goes past that one-business-day window, the API falls out of compliance.

For validation, use HL7 FHIR Validator, ONC Inferno for SMART launch and CARIN conformance, and the Touchstone platform for Da Vinci IG testing. And don't stop with synthetic test data. Test against real member records too. That's where problems usually show up: duplicate identities, messy code mappings, and partial prior authorization histories.

Once validation passes, move into a limited production pilot before rolling out at scale.

Scalability, Governance, and Bulk Data

Patient access APIs are built for individual records. Bulk export is for population-level exchange. If you're supporting analytics, care management, or reporting across large groups, use Bulk Data Access instead of making per-patient calls. The asynchronous $export operation returns data in NDJSON format, with one resource type per file.

Governance is the day-to-day control layer that keeps the API dependable over time. That includes app registration, token lifecycle management under SMART App Launch 2.0, and usage metrics reporting. Every access event should be logged: app, patient, timestamp, IP address, and the data requested. Audit logs must be kept for at least six years to align with HIPAA rules.

There's also a reporting piece. Starting in 2026, payers must send annual metrics to CMS, including the total number of unique patients who accessed data and how many accessed it more than once. Another item that's easy to miss: patients must be able to see their active app authorizations and revoke them in real time.

How Interoperable Data Supports Patient Mentorship and Adherence

FHIR-based access turns compliance work into a live patient support channel. When standardized data such as MedicationRequest, Condition, and ExplanationOfBenefit is available in real time, patient-facing programs can move past generic outreach and offer support that matches the patient's current situation.

PatientPartner connects patients with mentors, and real-time FHIR data helps those programs react faster when care changes. That can mean more timely follow-up, support that lines up with active treatment, and better adherence support when patients need it most.

For pharma and med-tech teams, the upside is simple: faster, more relevant patient support tied to real-time data.

Conclusion: Key Takeaways on FHIR and Patient Access APIs

FHIR R4.0.1 is the U.S. baseline for Patient Access APIs under ONC and CMS rules. It applies across Medicare Advantage, Medicaid, CHIP, and QHP issuers on the Federally-facilitated Exchanges.

But the standard by itself isn't enough. It needs clear profiles and secure access to work as intended. In plain terms, compliance is more than API integration for healthcare. It still depends on USCDI-aligned data, US Core profiles, and SMART on FHIR security. CMS-0057-F also extends FHIR requirements to Prior Authorization APIs and Payer-to-Payer exchange, with most of those updates taking effect on January 1, 2027.

After the API framework is set, day-to-day execution becomes the hard part. What matters most is accurate data mapping and testing with actual member records, not just sample data. That's where many teams either get it right or run into trouble.

Governance also plays a big part. Audit logs, access tracking, and CMS reporting help keep the API compliant over time.

When access works the way it should, the focus starts to move beyond compliance and toward patient support. For PatientPartner, interoperable data can help drive timely patient mentorship and stronger adherence.

FAQs

Who must comply with these FHIR API rules?

These FHIR API rules apply to impacted payers, including:

  • Medicare Advantage organizations
  • State Medicaid and Children’s Health Insurance Program fee-for-service programs
  • Medicaid managed care plans
  • CHIP managed care entities
  • Qualified Health Plan issuers on the Federally Facilitated Exchanges

How do US Core and CARIN differ in practice?

US Core and CARIN play different parts in the Patient Access API framework.

US Core is the required standard for representing clinical data. That includes things like conditions, observations, and procedures, all aligned with USCDI requirements.

CARIN for Blue Button, on the other hand, is used for adjudicated claims and encounter data. While US Core centers on clinical records, CARIN mainly relies on the ExplanationOfBenefit resource to handle financial and coverage details.

What is the biggest challenge in getting compliant?

The biggest challenge is treating compliance like API endpoint testing only while missing the messier part underneath: the data pipeline and workflow behind it.

That’s where teams get tripped up.

Compliance isn’t a one-and-done fix. It needs constant monitoring, especially as CMS rules change over time. If the API looks fine on the surface but the data behind it is late, incomplete, or broken, you can still run into trouble.

Some of the most common problems show up in a few places:

  • Missing data freshness requirements
  • Lag between claims systems and FHIR data stores
  • Production-level data issues
  • Friction with SMART on FHIR launch flows

Put simply, passing endpoint checks doesn’t mean the whole setup is in good shape. The workflow, timing, and data quality all matter just as much.

Related Blog Posts

Author

George Kramb
George Kramb

Co-Founder and CEO of PatientPartner, a health technology platform that is creating a new type of patient experience for those going through surgery

Back to Blog