Welcome to Day 4 of our Fall 2025 Launch Week! Read about Day 3's Consent 2.0 launch.
Today we're excited to announce our fully-featured SMART Health Links API—making secure health data sharing at the point of care as easy as a POST request.
Flexpa is launching this API as part of our commitment as a CMS-aligned network early adopter to Kill the Clipboard. The test mode version is available free of charge to any CMS-aligned network participant.
SMART Health Links (or SHLs for short) are secure URLs that link to encrypted health information. They enable secure data sharing without confusing online portals or expensive network connection fees. Despite their potential, SHLs remain one of the most underutilized tools in health information technology.
With one simple API, any data holder—from labs to doctor's offices—can generate a production-ready SMART Health Link on-demand for any arbitrary FHIR payload. Our API fully implements the SMART Health Cards and Links STU1 specification, including security features such as passcodes and TTL expiries. The API is stand-alone and does not require use of other parts of the Flexpa platform like our Consent SDK.
The Clipboard Problem
Healthcare has a patient data portability problem. Every time a patient visits a new provider, they're handed a clipboard with forms asking them to manually write out their medical history: current medications, allergies, previous surgeries, chronic conditions, family history. This information already exists in multiple electronic health record systems across various providers, labs, and pharmacies. Yet patients are forced to recall and transcribe it from memory, often incompletely or inaccurately.
The consequences are significant. Incomplete medical histories lead to duplicated tests, adverse drug interactions, missed diagnoses, and delayed treatment. Patients waste time filling out forms. Providers waste time manually entering the data. And despite all this effort, the resulting record is often incomplete because patients simply can't remember every detail of their medical history.
CMS recognized this problem and launched the aligned network initiative with a clear vision: any patient, using applications of their choice, should be able to access their entire medical record anywhere it lives on the network and share it seamlessly with providers. No additional logins, no portal registrations, no clipboard.
Why We Built This API
As part of our pledge to the CMS-aligned network, we committed to enabling patients to retrieve their health records and share them with providers via QR codes using SMART Health Links. This API is how we're delivering on that promise.
But our motivation goes beyond regulatory compliance. We believe SMART Health Links represent a fundamental shift in how healthcare data moves through the system. Instead of data being locked in portals where only credentialed users can access it, SMART Health Links enable patient-controlled data portability. Patients become the transmission mechanism for their own data.
This unlocks powerful workflows at the point of care:
Lab results you can actually share: After getting blood work done, patients could receive a QR code they can scan to view results in their personal health app or share with their primary care physician, without logging into a separate portal.
Real-time visit summaries: When patients leave a doctor's appointment, they could receive a SMART Health Link containing their visit summary, diagnoses, new prescriptions, and follow-up instructions. They can immediately share this with family members or import it into their personal health record app.
Digital insurance cards that work: Insurance cards can embed SMART Health Links containing current coverage details and eligibility information. Providers can scan the QR code to instantly verify coverage without phone calls or portal lookups.
How SMART Health Links Work
The technology behind SMART Health Links balances security with usability through a clever design. When you create a link through our API, we encrypt the health data with AES-256-GCM, using a unique 32-byte key generated specifically for that link. The encrypted data is stored securely in cloud storage, and we return a shlink: URL that contains both the location of the encrypted data and the decryption key.
Here's the important part: Flexpa never stores the decryption key. It's embedded in the URL itself, which means only someone with access to the full URL can decrypt the data. This creates a bearer token model where possession of the URL grants access, similar to how a key to your house works.

For additional security, links can be protected with passcodes that must be shared through a separate channel. Links can also have expiration times, be revoked at any time, and include brute-force protection that automatically locks access after three failed passcode attempts.
The links can be shared as QR codes, copy-pasted URLs, or embedded in applications. Recipients can view the data in a web browser or import it directly into SMART Health Link-aware applications. For long-term use cases, links can be configured to allow content updates over time while maintaining the same URL.
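What a recipient should verify before trusting a link that carries its own key, shown as an added example (not Flexpa's code or part of the original post). The payload field names (`url`, `key`, `flag`, `exp`, `label`) and the `L`/`P`/`U` flags follow the SMART Health Links specification; the function names, the https-only check and the sample link are assumptions constructed for this example.

```python
import base64
import json
import time

def _b64url_decode(text):
    # SHL payloads use unpadded base64url; restore "=" padding before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_shlink(payload, viewer=""):
    # Helper used only to build constructed sample links
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return viewer + "shlink:/" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_shlink(link, now=None):
    """Validate a shlink: URI and return its fields; raise ValueError if unusable."""
    _, marker, encoded = link.partition("shlink:/")  # tolerate a "viewer#" prefix
    if not marker or not encoded:
        raise ValueError("not a SMART Health Link")
    payload = json.loads(_b64url_decode(encoded))  # malformed input raises ValueError
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    url, key, flags = payload.get("url"), payload.get("key"), payload.get("flag", "")
    # Assumption of this example: only https manifest URLs are accepted
    if not isinstance(url, str) or not url.startswith("https://"):
        raise ValueError("manifest url missing or not https")
    # The key is 32 random bytes, i.e. exactly 43 unpadded base64url characters
    if not isinstance(key, str) or len(key) != 43 or len(_b64url_decode(key)) != 32:
        raise ValueError("key must decode to 32 bytes")
    if not isinstance(flags, str) or set(flags) - set("LPU") or {"P", "U"} <= set(flags):
        raise ValueError("invalid flag combination")
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if exp is not None and (not isinstance(exp, (int, float)) or current >= exp):
        raise ValueError("link has expired or exp is malformed")
    return {"manifest_url": url, "key": _b64url_decode(key), "label": payload.get("label"),
            "needs_passcode": "P" in flags, "long_term": "L" in flags, "direct_file": "U" in flags}

# Constructed sample (all-zero key, example.org hosts): not a real link
DEMO_LINK = encode_shlink({
    "url": "https://shl.example.org/manifest/constructed-id",
    "key": base64.urlsafe_b64encode(bytes(32)).rstrip(b"=").decode(),
    "flag": "P", "exp": 4102444800, "label": "Constructed demo"},
    viewer="https://viewer.example.org/#")

if __name__ == "__main__":
    print(parse_shlink(DEMO_LINK, now=1_700_000_000))
```

Because the returned `key` is the bearer secret, a receiving application should keep the full link and the parsed key out of logs and analytics.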
Built on Proven Infrastructure
Our SMART Health Links API runs on the same infrastructure that powers Flexpa's network of payer connections. This means you get the reliability and performance we've refined through years of processing production healthcare data.
We support the complete specification including all required flags, full status lifecycle management, and both manifest and direct transfer access patterns. Links are stored in cloud storage with automatic expiry handling. You get authenticated endpoints for creating and managing links, plus public endpoints for recipients to access shared data.
Request example:

curl -X POST https://api.flexpa.com/smart/health-links/manifests/7d4c9a5e3b2f1a8c6d9e4f7a8b5c2e1d \
  -H "Content-Type: application/json" \
  -d '{
    "recipient": "healthcare-provider-id",
    "passcode": "12345"
  }'

Response example:

{
  "status": "finalized",
  "files": [
    {
      "contentType": "application/smart-health-card",
      "embedded": "eyJhbGciOiJFUzI1NiI...",
      "lastUpdated": "2024-01-01T10:30:00.000Z"
    }
  ]
}
Looking Ahead
SMART Health Links are a key piece of the interoperability puzzle, but they're not the complete solution. They work best when combined with other standards and technologies. That's why we're building complementary capabilities like our mobile app that can both generate and consume SMART Health Links, creating a complete ecosystem for patient-controlled health data.
We're committed to the CMS vision of killing the clipboard. Every patient should be able to walk into any healthcare setting with their complete, accurate medical history immediately available. SMART Health Links help make that vision a reality.
The API is available now in both sandbox and production environments. Visit our SMART Health Links documentation to get started, or contact us to discuss how SMART Health Links can fit into your healthcare application.