FHIR · TEFCA · USCDI integration

The problem

An EHR partner needed to ingest and emit FHIR R4 resources against multiple healthcare networks, with TEFCA QHIN handshake on the wire and SMART-on-FHIR auth on the client side. The existing integration leaked patient identifiers in error logs, lacked consent scoping in the audit trail, and would not pass an info-blocking review. Partner onboarding took weeks because every quirk leaked into business logic instead of staying in an adapter.

The approach

We built a FHIR R4 ingestion and emission layer with strict resource validation against USCDI v3 profiles. SMART-on-FHIR OAuth2 scopes are enforced at every endpoint; the TEFCA QHIN handshake is wrapped in a typed adapter so partner-specific quirks do not leak into business logic. Access logs scope every read and write to the consent record that authorized it. Patient identifiers never appear in logs; only opaque request IDs do. New partners onboard via adapter configuration, not core changes.

Stack and engineering choices

• FHIR R4 conformant resources
• SMART-on-FHIR OAuth2 scopes
• TEFCA QHIN handshake adapter
• USCDI v3 profile validation
• Consent-scoped access logs
• Partner quirks isolated in adapters
• PII never logged in clear

Outcome

The integration passed external info-blocking review without rework. Partner onboarding shrank from a multi-week handshake to a config change. The audit trail satisfies both internal compliance and external auditors with the same dataset, and the partner-specific quirks stay isolated in adapters.