Request Flow

Every API request moves through a defined sequence to ensure accurate, consistent, and traceable data exchange.

• Data intake and query orchestration: The platform receives your API call and routes it through the query builder to connected networks.
• Patient discovery and record location: Entity-resolution logic, the Master Patient Index (MPI), and the Record Locator Service (RLS) confirm identity and locate available records.
• Processing and vocabulary mapping: Source documents such as Consolidated Clinical Document Architecture (C-CDA) or HL7 v2 messages are parsed and converted to FHIR R4 resources using standard vocabularies such as LOINC, SNOMED CT, and RxNorm.
• Quality control: Records are deduplicated, versions reconciled, and provenance tags applied to maintain a full audit trail.
• Secure storage and retrieval: Normalized resources are stored in the FHIR server and made available for secure delivery.

Routing and Record Discovery

When an API call is submitted, Health Gorilla manages routing, discovery, and retrieval across all connected networks.

The process includes the following steps:

• Matching patient demographics using entity-resolution and referential data
• Identifying record locations through the Record Locator Service (RLS)
• Dispatching queries using FHIR, HL7, or other supported protocols
• Normalizing and returning results as FHIR resources in a consistent structure

Patient Identity Resolution

Cross-network queries require precise identity matching. Health Gorilla uses a layered approach that combines deterministic, probabilistic, and referential techniques.

• Internal matching algorithms evaluate and correlate patient attributes
• Connected RLS services from TEFCA-qualified networks confirm identity across exchanges
• Referential data from participating partners enhances match confidence

These methods enable accurate record retrieval even when demographic information varies or is incomplete.

Data Contribution and Reciprocity

Organizations can contribute structured clinical data back to connected networks using FHIR write operations (such as POST, PUT, or $merge). Contributed data moves through the same validation, normalization, provenance tagging, and routing pipeline used for retrieved records, ensuring consistency and traceability across exchanges.

Shareback supports:

• Continuity of care for shared patients
• Reciprocity expectations in nationwide exchange frameworks
• Compliance with TEFCA and other regulatory data-sharing requirements

Contributed records are distributed through the same discovery and trust framework used for record retrieval. Organizations do not need to manage endpoint credentials or packaging formats—Health Gorilla handles routing and exchange through its network integrations.

Delivery Methods

Health Gorilla supports multiple delivery methods to fit different implementation models.

Most integrations rely on FHIR Subscriptions or asynchronous export to support scalable, event-driven data exchange, while synchronous retrieval remains available for specific use cases.

• FHIR Subscription: Delivers new or updated resources to your secure HTTPS endpoint as soon as they’re available, enabling near-real-time event notifications.
• Asynchronous export: Supports long-running or bulk jobs such as $export, allowing your application to poll for job status and download results when processing completes.
• Synchronous retrieval: Returns complete results in the API response and is best suited for targeted queries or small patient populations.

Data can be delivered to downstream systems such as electronic health record (EHR) platforms, client applications, SMART on FHIR or iFrame viewers, or custom portals built on the same APIs.

Monitoring and Security

Health Gorilla continuously monitors all API activity to ensure transparency, auditability, and compliance.

• Every API request is logged and made available through the audit reporting API, allowing clients to review access history and data transactions.
• Access controls are enforced through OAuth 2.0 authentication scopes, and all data is encrypted both in transit and at rest.
• Each tenant environment is fully isolated to protect patient privacy and maintain compliance with HIPAA, HITRUST, and other regulatory requirements.