”TL;DR: Build a FHIR-compliant API server using Python and FastAPI in ~20 minutes. The
fhir.resourceslibrary provides automatic Pydantic validation, making FHIR implementation straightforward. This tutorial covers Patient resource creation and retrieval—the foundation of any healthcare API.
Key Takeaways
- Approach: FHIR uses REST + JSON, making it familiar to any web developer
- Setup Time: ~20 minutes with Python 3.8+ and FastAPI
- Validation:
fhir.resourceslibrary provides automatic Pydantic validation - Production: Requires OAuth 2.0 (SMART on FHIR) and HTTPS/TLS for compliance
- FHIR Version: R4 is the most widely implemented as of 2025
What is FHIR?
In the fragmented world of healthcare IT, getting different systems to talk to each other is a monumental challenge. For decades, developers have grappled with complex, rigid standards that hinder innovation. Enter FHIR (Fast Healthcare Interoperability Resources), a modern standard from HL7 designed to finally solve the healthcare data-sharing problem using familiar web technologies.
FHIR is rapidly becoming the go-to specification for exchanging clinical information. For developers, this means a growing demand for skills in building applications that can read, write, and understand this new language of healthcare.
What We're Building
In this tutorial, we'll demystify FHIR by building a simple, compliant API server from scratch. We will use Python and FastAPI to create endpoints that can store and retrieve FHIR Patient resources, the cornerstone of most healthcare applications.
Prerequisites:
- Basic understanding of Python 3.8+ and virtual environments.
- Familiarity with REST APIs and JSON.
- Docker and Docker Compose installed for running a simple database.
Why FHIR Matters
FHIR isn't just another healthcare standard; it's an API-first approach built on REST, JSON, and OAuth2. This makes it accessible and powerful, allowing you to build better, more connected healthcare applications faster.
Understanding the Problem
Healthcare data is often locked away in proprietary EHR (Electronic Health Record) systems. Exchanging this data—for patient care, research, or public health—requires a common format and protocol. Previous standards were often cumbersome and lacked the flexibility needed for modern application development.
FHIR addresses these challenges by:
- Defining Resources: It breaks down healthcare concepts (like Patients, Observations, Medications) into modular, Lego-like building blocks called "Resources".
- Using Web Standards: It leverages a RESTful API for interactions, making it familiar to any web developer. Standard HTTP verbs like
GET,POST,PUT, andDELETEare used for CRUD operations. - Prioritizing Implementation: FHIR is designed to be easy to implement, with a focus on real-world use cases.
Our goal is to build a "FHIR Facade"—a layer that exposes key FHIR resources through a REST API, while managing the data behind the scenes. This approach allows new, FHIR-compliant apps to interact with legacy data systems without requiring a complete overhaul.
Prerequisites
Before we start coding, let's set up our development environment.
First, create and activate a Python virtual environment:
mkdir fhir-fastapi-server
cd fhir-fastapi-server
python3 -m venv venv
source venv/bin/activate
Next, install the necessary libraries: FastAPI for our web server, Uvicorn as the ASGI server, and fhir.resources for FHIR data modeling and validation.
pip install "fastapi[all]" uvicorn fhir.resources
The fhir.resources package provides Pydantic models for all FHIR resources, which makes validation and serialization a breeze.
We'll use an in-memory dictionary to store our data for this tutorial to keep things simple.
Step 1: Creating Your FastAPI Application
What we're doing
We'll start by creating the basic structure of our FastAPI application. This will be the foundation for our FHIR server.
Implementation
Create a file named main.py and add the following code:
# main.py
from fastapi import FastAPI, HTTPException, Response, status
from fhir.resources.patient import Patient
from fhir.resources.operationoutcome import OperationOutcome
import uuid
# In-memory "database" to store our FHIR Patient resources
PATIENT_DB = {}
app = FastAPI()
@app.get("/")
def read_root():
return {"message": "Welcome to the FHIR FastAPI Server"}
How it works
- We import
FastAPIand other necessary components. - We import the
Patientmodel fromfhir.resources. This Pydantic model will handle data validation automatically. - We initialize our FastAPI application.
PATIENT_DBis a simple Python dictionary that will act as our in-memory database, mapping patient IDs to their FHIR resource data.- The
@app.get("/")decorator defines a simple root endpoint to confirm our server is running.
To run the server, use uvicorn:
uvicorn main:app --reload
Open your browser to http://127.0.0.1:8000. You should see the message: {"message":"Welcome to the FHIR FastAPI Server"}. FastAPI also automatically generates interactive API documentation, which you can access at http://127.0.0.1:8000/docs.
Step 2: Creating a Patient (The create Interaction)
What we're doing
Now, let's implement the FHIR create interaction, which corresponds to a POST request. This endpoint will receive a FHIR Patient resource in JSON format, validate it, assign a unique ID, and store it.
Implementation
Add the following code to main.py:
# main.py (continued)
@app.post("/Patient", status_code=status.HTTP_201_CREATED)
def create_patient(patient: Patient, response: Response):
"""
Create a new Patient resource.
- Assigns a new unique ID.
- Stores the patient in the in-memory database.
- Sets the Location header to the new resource's URL.
"""
# Generate a new ID for the patient
patient_id = str(uuid.uuid4())
patient.id = patient_id
# Store the patient resource
PATIENT_DB[patient_id] = patient
# Set the Location header for the newly created resource
response.headers["Location"] = f"/Patient/{patient_id}"
# Return the created patient resource
return patient.dict()
How it works
@app.post("/Patient"): This decorator registers thecreate_patientfunction to handlePOSTrequests to the/Patientendpoint.patient: Patient: This is the magic of FastAPI and Pydantic. FastAPI automatically reads the request body, parses the JSON, and validates it against thePatientmodel fromfhir.resources. If the incoming JSON doesn't conform to the FHIR Patient specification, FastAPI will automatically return a 422 Unprocessable Entity error with a descriptive message.- ID Generation: We generate a new
uuidfor the patient and assign it to theidfield of the resource. - Storage: We add the new patient resource to our
PATIENT_DBdictionary. status_code=status.HTTP_201_CREATED: We tell FastAPI to return a201 Createdstatus code on success, which is the standard for REST APIs.- Location Header: A crucial part of a
createoperation is to return the location of the newly created resource in theLocationheader. We construct this URL dynamically. return patient.dict(): We return the complete patient resource, including the server-assigned ID, as the response body.
You can test this endpoint using the /docs UI or a tool like Postman. Here is a minimal example of a FHIR Patient resource to POST:
{
"resourceType": "Patient",
"name": [
{
"family": "Simpson",
"given": [
"Homer",
"J"
]
}
],
"gender": "male",
"birthDate": "1956-05-12"
}
Step 3: Retrieving a Patient (The read Interaction)
What we're doing
Next, we'll implement the FHIR read interaction, which is a GET request to retrieve a specific patient by their ID.
Implementation
Add the following code to main.py:
# main.py (continued)
@app.get("/Patient/{patient_id}")
def read_patient(patient_id: str):
"""
Retrieve a single Patient resource by its ID.
"""
patient = PATIENT_DB.get(patient_id)
if not patient:
# If patient not found, return a FHIR-compliant error
outcome = OperationOutcome(issue=[{
"severity": "error",
"code": "not-found",
"details": {
"text": f"Patient with id '{patient_id}' not found."
}
}])
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=outcome.dict()
)
return patient.dict()
How it works
@app.get("/Patient/{patient_id}"): This decorator defines an endpoint that accepts apatient_idas a path parameter.- Database Lookup: We attempt to retrieve the patient from
PATIENT_DBusing the provided ID. - Error Handling: If the patient is not found, we must return a
404 Not Founderror. Crucially, for FHIR compliance, the error response body should be anOperationOutcomeresource. This provides a standardized way for clients to understand what went wrong. - Success Response: If the patient is found, we return their resource data with a
200 OKstatus code.
Putting It All Together
Your complete main.py file should now look like this:
# main.py
from fastapi import FastAPI, HTTPException, Response, status
from fhir.resources.patient import Patient
from fhir.resources.operationoutcome import OperationOutcome
import uuid
# In-memory "database" to store our FHIR Patient resources
PATIENT_DB = {}
app = FastAPI(
title="FHIR FastAPI Server",
description="A simple server to demonstrate FHIR interactions using FastAPI.",
version="0.1.0",
)
@app.get("/")
def read_root():
return {"message": "Welcome to the FHIR FastAPI Server"}
@app.post("/Patient", status_code=status.HTTP_201_CREATED, response_model=Patient)
def create_patient(patient: Patient, response: Response):
"""
Create a new Patient resource.
- Assigns a new unique ID.
- Stores the patient in the in-memory database.
- Sets the Location header to the new resource's URL.
"""
patient_id = str(uuid.uuid4())
patient.id = patient_id
PATIENT_DB[patient_id] = patient
response.headers["Location"] = f"/Patient/{patient_id}"
return patient
@app.get("/Patient/{patient_id}", response_model=Patient)
def read_patient(patient_id: str):
"""
Retrieve a single Patient resource by its ID.
"""
patient = PATIENT_DB.get(patient_id)
if not patient:
outcome = OperationOutcome(issue=[{
"severity": "error",
"code": "not-found",
"details": {
"text": f"Patient with id '{patient_id}' not found."
}
}])
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=outcome.dict()
)
return patient
Notice the response_model=Patient addition. This tells FastAPI to also validate our outgoing data against the Patient model, ensuring we always send compliant responses.
Security Best Practices
In a real-world scenario, a FHIR server must be secure.
- Authentication & Authorization: Protect your endpoints. The SMART on FHIR profile often uses OAuth 2.0 for this.
- Transport Security: Always use HTTPS (TLS) to encrypt data in transit.
- Input Validation: FastAPI and
fhir.resourceshandle structural validation, but you still need to handle business logic validation (e.g., ensuring referenced resources exist).
Production Deployment Tips
- Database: For production, replace the in-memory dictionary with a robust database like PostgreSQL or SQL Server.
- Containerization: Deploy your application using Docker for consistency and scalability.
- CapabilityStatement: A production FHIR server must provide a
CapabilityStatementat the/metadataendpoint. This resource describes the server's functionality—which resources and interactions it supports. Libraries likefhirstartercan help automate this.
Conclusion
Congratulations! You've successfully built a basic but FHIR-compliant API server using Python and FastAPI. We've seen how the FHIR standard uses RESTful principles and how modern tools can make implementation surprisingly straightforward.
From here, you can extend the server to support more interactions (update, delete, search) and more resource types like Observation or Encounter. The combination of FastAPI's performance and the fhir.resources library's validation capabilities provides a powerful stack for building the next generation of healthcare applications.
Resources
- Official FHIR Specification: https://www.hl7.org/fhir/
- FastAPI Documentation: https://fastapi.tiangolo.com/
- fhir.resources on PyPI: https://pypi.org/project/fhir.resources/
- Sample FHIR Patient JSON: https://www.hl7.org/fhir/patient-examples.html
Frequently Asked Questions
What FHIR version should I implement?
FHIR R4 is the most widely implemented version as of 2025. STU3 is still in use but being phased out. R5 was released in 2023 but adoption is still early. Start with R4 for production systems.
Is FHIR compliant with HIPAA?
FHIR itself is a data exchange standard and doesn't guarantee HIPAA compliance. You must implement transport security (HTTPS/TLS), authentication (OAuth 2.0/SMART on FHIR), and proper audit logging to meet HIPAA requirements.
Can I use FHIR without a dedicated EHR system?
Yes! FHIR is ideal for building "FHIR Facades" that expose data from existing systems. Our tutorial uses an in-memory dictionary, but in production, you'd connect to your existing database through the FHIR API layer.
What's the difference between FHIR and HL7 v2?
HL7 v2 uses pipe-delimited text messages and is complex to parse. FHIR uses modern REST/JSON, making it accessible to web developers. FHIR also includes a rich data model with resources, while v2 is primarily messaging-focused.
Do I need a special database for FHIR?
No! FHIR resources are just JSON. You can store them in any database—PostgreSQL, MongoDB, or even a simple key-value store. The fhir.resources library handles validation before storage.
How do I handle FHIR search parameters?
FHIR defines specific search parameters for each resource type. Implementing full search support requires parsing query strings and filtering results. Libraries like fhir-search-py can help, or you can implement basic search manually.
What is SMART on FHIR?
SMART on FHIR is a security profile that adds OAuth 2.0 authentication to FHIR APIs. It's the standard for patient-facing apps (like patient portals) and is required for most healthcare integrations.
Can I extend FHIR resources with custom fields?
Yes, FHIR supports extensions. Use the extension field to add custom data while maintaining core FHIR compliance. However, extensions can reduce interoperability, so use them sparingly.
Disclaimer
The algorithms and techniques presented in this article are for technical educational purposes only. FHIR implementations handling real patient data must comply with HIPAA, GDPR, and other applicable regulations. Always consult legal and compliance professionals when building healthcare applications.