APIs for Sharing Healthcare Data

March 25, 2021
Impact Makers

This is the second post in a series about sharing healthcare data according to new CMS guidelines. The first post covers New Solutions for Sharing Healthcare Data


In our previous blog post, we covered the overall need to share healthcare data, and the industry focus on value-based care, business process efficiencies, and increased cloud capabilities.

In this post, we will review API usage and the value for the Healthcare Industry.


Implementing the FHIR standard means exposing an API: FHIR itself defines a RESTful HTTP interface. First, the basics of an API. An API acts as an intermediary between requests and data. Requesters can use an API without knowing the underlying structure of the data store. You can think of an API as a translator of data that sits in the middle of every transaction in which an external entity requests data.

An API has many advantages.

  • Data can be made more accessible with APIs.
  • APIs can bridge the gap between legacy systems and new technologies.
  • APIs can securely control access to their systems and data.
  • APIs in the cloud can scale up or down to meet demand.

Data is more accessible with APIs. Payers, providers, and consumers can reach the data they need with ease. Administrative bottlenecks can be eliminated, data can be exchanged rapidly, and that enables rapid decisions. Value-based care can be accelerated.

APIs can bridge the gap between legacy systems and new technologies. Older on-prem systems can be transformed to meet CMS requirements, business needs, and consumer needs.

APIs can securely control access to their systems and data. Because the API sits between requests and data, additional security controls can be enforced there, which protects both sides of a request. Think of the API as a translator with security built in.

In the FHIR standard, the APIs provide agreed data formats and elements (FHIR resources) for exchanging electronic health records. FHIR is published by HL7; resources are exchanged as JSON or XML over HTTP. By following the FHIR standard, any FHIR API should be able to exchange information with any other FHIR API. The interoperability of the FHIR standard can overcome many of the existing hurdles to exchanging data between healthcare entities.


APIs in the cloud can scale up or down to meet demand. This is one of the many benefits of cloud resources. A healthcare organization can avoid the capital expense of building modern services that must scale to meet the needs of other providers, payers, and consumers.

APIs in the cloud can be delivered as a serverless model: a managed cloud service dedicated to data exchange, without requiring the user to build the underlying infrastructure. This provides many benefits, including the following:

  • Pay only for what you use, when you use it, with no long-term purchase commitments
  • No upfront capital investment in servers, storage, networking, and licensing
  • Easily scaled up when you need more capacity and scaled down when you need less
  • Straightforward provisioning of access to back-end data, sharing only what needs to be shared
  • No obsolete hardware left over when you upgrade or change performance models
  • All administration of the underlying storage, compute, and networking is done by the cloud service provider
  • Cloud-based APIs typically integrate with an identity provider and use OAuth 2.0 for authentication and authorization

A cloud-based API can leverage the comprehensive security services that already exist in the cloud. This avoids the large capital expense of building all the necessary protections in an on-premises data center. Using a cloud provider to secure an on-demand API is an established method. Identity, security, encryption, and compliance services are offered by all the major cloud providers; these capabilities are mature, configurable, and embedded in their API services. The major providers designate HIPAA-eligible services and will sign a Business Associate Agreement, but compliance is a shared responsibility: the provider secures the platform, and your team must still configure access control, encryption, and logging for the API correctly. If needed, these services can be integrated with on-premises systems.

One advantage of an API interface is the ability to screen or sanitize the data being shared. The API is a control point outside the core system that makes sure you only share what is needed, which is also how the HIPAA minimum-necessary principle gets enforced in practice. Without an API, sharing data directly from a core system can be cumbersome to operate. Decoupling systems with an API also brings gains in reliability, scaling, and performance that go hand in hand with enhanced security.

The advantages of sharing data securely are enormous for the healthcare space, and APIs are the mechanism for delivering it safely.


Any use of an API should be protected by verifying the identity of the caller on every request. Ideally, an API uses a mature cloud service for authentication and authorization. OpenID Connect and OAuth 2.0 are the common protocols for this. At a high level, the goal is to have a third-party identity provider issue a token after successful authentication. That token can then be presented to many APIs and services, including healthcare APIs, each of which validates it (signature, expiry, intended audience, and granted scopes) before returning any data. Basic username/password authentication directly to an API is generally not a recommended practice. The FHIR security guidance recommends OAuth 2.0 and OpenID Connect, and the SMART App Launch framework used for patient-access apps is built on them.

Using an identity provider offloads the typical maintenance of passwords, password resets, and related user maintenance tasks. In the past, firms often set up their own systems to keep track of customer usernames, passwords, expirations, password requirements, email addresses, logging, and so on. This is cumbersome administration that distracts from delivering a core service for value-based healthcare. An identity provider takes care of the basics of user administration. In our consulting practice, we often encounter clients who need assistance to move away from internally developed authentication and authorization systems created for external users. It is a best practice to leverage an identity provider that issues tokens to successfully authenticated users for access to your API.

At the end of the day, you want to be confident that parties accessing an API are authenticated and authorized to gain access to healthcare data.
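To make the checks above concrete, here is an added example (not code from the original post or from Impact Makers) of a FHIR Patient read endpoint that accepts a bearer token from an identity provider, verifies it, enforces scope, and releases only the allowed elements. It assumes a hypothetical identity provider that issues HS256-signed JWTs with a shared secret; real providers normally sign with RS256/ES256 and publish keys via JWKS, so in production you would verify with a maintained library such as PyJWT against the provider's keys rather than this hand-rolled verifier. The scope names follow the SMART on FHIR convention (patient/<Type>.read), the audience URL, the "patient" context claim, and the sample record are all assumptions made for the example.

```python
"""Token-gated read of a FHIR Patient resource (added example; see lead-in for assumptions)."""
import base64
import hashlib
import hmac
import json
import time

FHIR_BASE = "https://fhir.example.org/r4"          # assumed audience value for this API
SHARED_SECRET = b"demo-secret-not-for-production"  # constructed; a real IdP uses asymmetric keys


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_token(claims):
    """Stand-in for the identity provider: sign the claims after the user has authenticated."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, now=None):
    """Return the claims only if signature, expiry and audience all check out; raise otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise PermissionError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # check the signature before trusting any claim
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("aud") != FHIR_BASE:  # a valid token for some other API is still not ours
        raise PermissionError("token not issued for this API")
    return claims


def authorize_read(claims, resource_type):
    """Enforce a SMART-style scope: patient/<Type>.read or the patient/*.read wildcard."""
    granted = set(claims.get("scope", "").split())
    if not ({f"patient/{resource_type}.read", "patient/*.read"} & granted):
        raise PermissionError(f"scope does not permit reading {resource_type}")


# Constructed back-end record. internalNotes stands for the kind of field the core
# system holds but the API must never release.
PATIENT_STORE = {
    "pat-1": {
        "resourceType": "Patient",
        "id": "pat-1",
        "name": [{"family": "Doe", "given": ["Jane"]}],
        "telecom": [{"system": "phone", "value": "555-0100"}],
        "internalNotes": "billing hold",
    }
}
RELEASABLE = {"resourceType", "id", "name", "telecom"}  # allow-list of elements, not a deny-list


def read_patient(token, patient_id, now=None):
    """GET Patient/{id} behind the API: authenticate, authorize, then release only what is needed."""
    claims = verify_token(token, now)
    authorize_read(claims, "Patient")
    if claims.get("patient") != patient_id:  # assumed claim binding the token to one patient context
        raise PermissionError("token not authorized for this patient")
    record = PATIENT_STORE[patient_id]
    return {k: v for k, v in record.items() if k in RELEASABLE}
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the token, and the audience check rejects tokens that are genuine but were issued for a different API. The allow-list of releasable elements is the "share only what is needed" control point the post describes.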

Challenges Using APIs

One of the bigger challenges of an API-based solution is the state of the data. An API serves data in response to requests, but by itself it does not transform, combine, or validate that data. If the data in an EHR or across a combination of back-end systems is not synchronized or consistent, the API will deliver incomplete or fragmented data. It is critical to understand the consistency of your data to operate successfully in the healthcare space. In the FHIR standard, each resource is built from defined data elements, and a data store behind the API that can populate those elements consistently is a key component of a successful FHIR API transaction.

Consider a simple element like the telephone number for a provider, patient, or payer. Is this telephone number the same in all systems, and how is that consistency maintained? If one system is updated with a new number, are all the other systems updated automatically? How will the updated value reach the API?

Questions to ask before exposing data through an API:

  • Do I trust the data in my back-end systems enough to share it via an API?
  • Do I know where the data is accurate and where it is inaccurate?
  • Are there differences in data quality between silos or back-end systems?
  • Does my data map cleanly to the CMS API requirements?
Data consistency and manageability are often the biggest portion of setting up the mandatory FHIR API functionality. At Impact Makers, we have successfully helped clients overcome many data problems.


This series continues with additional posts on Data Quality for healthcare interoperability. In the Data Quality post, we will walk through an example showing the impact of Data Quality on patient experience, payer benefits, and visibility into care.  We will also review some of the common data quality issues encountered with an API approach. The links will be updated here so you can continue to gain insight into this new method of exchanging healthcare data.


Impact Makers is an AWS Advanced Consulting Partner with a specialty in data. We leverage comprehensive and mature data practices to enable customers to take advantage of their data.

Every project has unique elements that must be incorporated into a comprehensive strategy, in addition to the identification and execution of technical work. As an AWS Advanced Consulting Partner, we recognize the importance of secure, reliable, and flexible data sharing. Our comprehensive framework includes the AWS Well-Architected Framework and industry best practices, in addition to elements like compliance, asset and metadata management, business strategy alignment, service portfolio management, support model definition, service design and deployment, CloudOps, and much more. We work with our customers to deliver and enable strategic business advantage with cloud services.

To learn more, contact us.
