Who is Muhammad Moid Shams?

Muhammad Moid Shams (also known as Moid Shams) is a Lead Software Engineer with 9+ years of experience. He currently works at Octdaily where he has built a national FHIR R4 data warehouse connecting 20,000+ US Skilled Nursing Facilities, automated CMS 5-Star Quality Rating computation, built a QAPI compliance platform, and shipped an AI Clinical Ops Agent AI using Claude and GPT-4o. He is available for senior engineering roles and freelance projects in UAE, Saudi Arabia, and the United States.

Is Muhammad Moid Shams available for work in Dubai or UAE?

Yes. Muhammad Moid Shams is actively seeking full-time senior/lead engineering roles and freelance projects in Dubai, Abu Dhabi, and across the UAE. He specialises in FHIR R4 healthcare platforms, .NET 8 microservices, Azure cloud, Angular 17, and agentic AI engineering. Contact: me_moid@hotmail.com or LinkedIn: https://linkedin.com/in/moidshams

Is Muhammad Moid Shams available for work in Riyadh or Saudi Arabia?

Yes. Muhammad Moid Shams is open to roles in Riyadh, Jeddah, and remote positions for Saudi-based companies. He has expertise in healthcare technology, FHIR integration, Azure cloud, .NET 8, and agentic AI. Contact: me_moid@hotmail.com

What is Muhammad Moid Shams' expertise in FHIR and healthcare technology?

Muhammad Moid Shams built one of the largest FHIR R4 data platforms in US post-acute care at Octdaily, connecting 20,000+ SNFs. He has deep expertise in HL7 v2/v3 to FHIR R4 transformation, SMART on FHIR, CDS Hooks, QAPI compliance automation, CMS 5-Star Quality Rating computation, MDS 3.0 assessments, and EHR integration with Epic, Athena Health, eClinicalWorks, and PointClickCare.

What AI and agentic AI experience does Muhammad Moid Shams have?

Muhammad Moid Shams built an AI Clinical Ops Agent AI using Claude Opus and GPT-4o that monitors 20,000+ SNFs around the clock. He trained 100+ engineers in agentic AI development workflows using Cursor IDE and Claude, achieving 40% faster feature delivery. He has hands-on experience with Claude API, multi-agent orchestration, RAG (retrieval-augmented generation), Model Context Protocol (MCP), LangChain, Semantic Kernel, and Cursor IDE agent mode.

How can I hire Muhammad Moid Shams as a freelancer?

Contact Muhammad Moid Shams at me_moid@hotmail.com or +92 340 0064394. You can also reach him on LinkedIn at https://linkedin.com/in/moidshams. He is immediately available for freelance and contract projects in healthcare technology, FHIR integration, Azure cloud, .NET 8, Angular, and agentic AI engineering.

What programming languages and technologies does Muhammad Moid Shams use?

Muhammad Moid Shams works primarily with C# (.NET 8), TypeScript, Python, and SQL. His key frameworks and platforms include ASP.NET Core, Angular 17, React/Next.js, Azure cloud services, Azure Databricks, Azure Health Data Services (FHIR), and the Claude/OpenAI APIs. He also uses Cursor IDE, GitHub Copilot, and LangChain for AI-assisted development.

What is Muhammad Moid Shams' experience with Azure cloud?

Muhammad Moid Shams has extensive Azure cloud experience including Azure Kubernetes Service (AKS), Azure Health Data Services (FHIR R4 server), Azure Event Hubs, Azure Functions, Azure Databricks, Azure Synapse Analytics, Azure Data Factory, Azure API Management, Azure Service Bus, Cosmos DB, Azure OpenAI Service, Azure AI Search, and Azure Key Vault.

What is Muhammad Moid Shams' contact information?

Email: me_moid@hotmail.com | Phone: +92 340 0064394 | LinkedIn: https://linkedin.com/in/moidshams | Portfolio: https://moidshams.dev

All articles

18 min read2026-03-12

Azure Health Data Services: The Complete Guide for FHIR R4 in Healthcare Production (2026)

Everything you need to deploy FHIR R4 in Azure production — Azure Health Data Services architecture, SMART on FHIR configuration, bulk export, DICOM, MedTech IoT, cost optimisation, and HIPAA compliance for US healthcare workloads.

Azure Health Data ServicesFHIR R4Azure FHIRHealthcare CloudHIPAA AzureSMART on FHIR

Azure Health Data Services is Microsoft's managed FHIR R4 platform — a fully managed, HIPAA-covered cloud service that eliminates the operational burden of running your own FHIR server while providing the scalability, security, and compliance controls that US healthcare applications require.

This guide covers everything from initial workspace setup through production configuration, cost optimisation, and the specific architectural patterns that make AHDS work reliably at healthcare scale.

What Azure Health Data Services Is

Azure Health Data Services (AHDS) is a workspace-based managed health data platform that includes:

FHIR Service — a fully managed, FHIR R4 compliant API server backed by Azure Cosmos DB
DICOM Service — medical imaging storage and retrieval using the DICOMweb standard
MedTech Service — IoT health device data ingestion pipeline that transforms device telemetry into FHIR Observation resources
Analytics Connector — export of FHIR data to Azure Data Lake / Azure Synapse Analytics for population health analytics

All services operate within a Health Data Services Workspace — a logical container that provides shared authentication (Azure AD), access control (RBAC), and logging configuration.

AHDS is covered under Microsoft's HIPAA Business Associate Agreement (BAA), meaning it is suitable for processing Protected Health Information (PHI) under HIPAA Technical Safeguards.

Workspace and Service Architecture

Creating a Workspace

# Using Azure CLI
az healthcareapis workspace create \
  --name "myhealthworkspace" \
  --resource-group "healthcare-rg" \
  --location "eastus"

Or via Bicep (Infrastructure as Code — strongly recommended for production):

resource healthWorkspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' = {
  name: workspaceName
  location: location
  properties: {}
}
 
resource fhirService 'Microsoft.HealthcareApis/workspaces/fhirservices@2022-06-01' = {
  name: '${workspaceName}/${fhirServiceName}'
  location: location
  kind: 'fhir-R4'
  identity: {
    type: 'SystemAssigned'  // Required for SMART on FHIR
  }
  properties: {
    authenticationConfiguration: {
      authority: 'https://login.microsoftonline.com/${tenantId}'
      audience: 'https://${workspaceName}-${fhirServiceName}.fhir.azurehealthcareapis.com'
      smartProxyEnabled: true  // Enable SMART on FHIR
    }
    corsConfiguration: {
      allowedOrigins: ['https://yourapp.com']
      allowedHeaders: ['*']
      allowedMethods: ['DELETE', 'GET', 'OPTIONS', 'PATCH', 'POST', 'PUT']
      maxAge: 1440
    }
    exportConfiguration: {
      storageAccountName: exportStorageAccount.name  // For bulk $export
    }
  }
}

FHIR Service Configuration

Key FHIR Service settings to configure for production:

Authentication: AHDS uses Azure AD OAuth 2.0. Applications authenticate as Azure AD service principals (for backend services) or users (for clinical applications via SMART on FHIR).

CORS: Configure allowed origins for web browser applications. In production, restrict to specific origins — never use * for a PHI-processing FHIR server.

Smart Proxy: Enable the SMART proxy to support SMART on FHIR standalone and EHR launch from Azure FHIR. This adds the .well-known/smart-configuration endpoint and PKCE-enabled OAuth flows.

Export Storage: Link an Azure Storage Account for bulk $export operations. The storage account must be in the same region and configured with appropriate access controls.

Access Control with Azure RBAC

AHDS uses Azure role-based access control (RBAC) to control which applications and users can read or write FHIR resources. The built-in FHIR roles:

| Role | Permissions | |------|-------------| | FHIR Data Reader | GET, search all resources | | FHIR Data Writer | POST, PUT, PATCH, DELETE | | FHIR Data Contributor | All data operations | | FHIR Data Exporter | $export bulk operations | | FHIR Data Importer | $import bulk operations | | FHIR SMART User | SMART on FHIR scoped access |

For backend service integrations, assign the appropriate role to a Service Principal or Managed Identity:

# Get the FHIR Service resource ID
FHIR_SERVICE_ID=$(az healthcareapis fhir-service show \
  --name fhir-service \
  --workspace-name myhealthworkspace \
  --resource-group healthcare-rg \
  --query id -o tsv)
 
# Assign FHIR Data Reader to a managed identity
az role assignment create \
  --role "FHIR Data Reader" \
  --assignee $SERVICE_PRINCIPAL_OBJECT_ID \
  --scope $FHIR_SERVICE_ID

For applications using SMART on FHIR, assign the FHIR SMART User role — this enables patient-level scope enforcement where a SMART app can only access resources for the authenticated patient.

Connecting Applications via Azure AD

Backend Service Authentication (.NET 8)

using Azure.Identity;
using Hl7.Fhir.Rest;
using Hl7.Fhir.Model;
 
public class AzureFhirClient
{
    private readonly FhirClient _client;
 
    public AzureFhirClient(string fhirBaseUrl, string tenantId, 
                            string clientId, string clientSecret)
    {
        // Use Azure.Identity for token acquisition
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        
        var settings = new FhirClientSettings
        {
            PreferredFormat = ResourceFormat.Json,
            VerifyFhirVersion = false
        };
        
        _client = new FhirClient(fhirBaseUrl, settings);
        
        // Inject Azure AD token as Bearer for each request
        _client.RequestHeaders.Authorization = new AuthenticationHeaderValue(
            "Bearer",
            credential.GetToken(new TokenRequestContext(
                new[] { $"{fhirBaseUrl}/.default" }
            )).Token
        );
    }
    
    public async Task<Patient?> GetPatientAsync(string patientId)
    {
        return await _client.ReadAsync<Patient>($"Patient/{patientId}");
    }
    
    public async Task<Bundle> SearchObservationsAsync(string patientId, string loincCode)
    {
        return await _client.SearchAsync<Observation>(new SearchParams()
            .Where($"patient=Patient/{patientId}")
            .Where($"code=http://loinc.org|{loincCode}")
            .OrderBy("date", SortOrder.Descending)
            .LimitTo(50));
    }
}

SMART on FHIR Configuration

To enable SMART on FHIR for patient-facing applications:

Enable the SMART proxy on the FHIR Service (shown in Bicep above)
Register your application in Azure AD with the FHIR Service as an API permission
Configure SMART scopes in your Azure AD app registration

The SMART proxy in AHDS implements:

.well-known/smart-configuration endpoint for SMART discovery
PKCE support for public clients
Patient-level scope enforcement (tokens with patient/Patient.read scope can only read the authenticated patient's resources)

Bulk $export for Population Health Analytics

The AHDS bulk export ($export) operation is essential for population health analytics workloads — patient registry queries, quality measure calculation, and FHIR data warehousing.

import httpx
import asyncio
import time
 
async def run_bulk_export(
    fhir_base_url: str, 
    access_token: str,
    resource_types: list[str],
    output_container_url: str
) -> list[dict]:
    """
    Run a system-level bulk export to Azure Blob Storage.
    Returns list of output file information.
    """
    
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/fhir+json",
        "Prefer": "respond-async"
    }
    
    params = {
        "_type": ",".join(resource_types),
        "_outputFormat": "application/fhir+ndjson",
        "_container": output_container_url  # Azure Blob container URL
    }
    
    # Initiate export
    response = await httpx.get(f"{fhir_base_url}/$export", 
                                headers=headers, params=params)
    
    assert response.status_code == 202, f"Export initiation failed: {response.text}"
    status_url = response.headers["Content-Location"]
    
    # Poll for completion
    while True:
        status_response = await httpx.get(status_url, headers=headers)
        
        if status_response.status_code == 202:
            progress = status_response.headers.get("X-Progress", "processing")
            print(f"Export status: {progress}")
            await asyncio.sleep(30)
            
        elif status_response.status_code == 200:
            result = status_response.json()
            return result.get("output", [])
            
        else:
            raise Exception(f"Export failed: {status_response.text}")

Processing NDJSON Export Files

Bulk export produces NDJSON (newline-delimited JSON) files in Azure Blob Storage — one FHIR resource per line. Processing with Azure Data Factory or Python:

import json
from azure.storage.blob import BlobServiceClient
 
async def process_fhir_export(
    storage_connection_string: str,
    container_name: str,
    blob_path: str
) -> list[dict]:
    """Stream NDJSON file from blob storage, parse each FHIR resource."""
    
    blob_service = BlobServiceClient.from_connection_string(storage_connection_string)
    blob_client = blob_service.get_blob_client(container_name, blob_path)
    
    resources = []
    
    # Stream blob content to handle large files without loading into memory
    downloader = blob_client.download_blob()
    
    buffer = ""
    async for chunk in downloader.chunks():
        buffer += chunk.decode("utf-8")
        lines = buffer.split("\n")
        buffer = lines[-1]  # Keep incomplete last line in buffer
        
        for line in lines[:-1]:
            if line.strip():
                resource = json.loads(line)
                resources.append(resource)
    
    # Process remaining buffer
    if buffer.strip():
        resources.append(json.loads(buffer))
    
    return resources

MedTech Service: IoT Health Device Data

The MedTech Service transforms health device telemetry into FHIR Observation resources — handling the ingestion pipeline from IoT devices through Azure Event Hubs to FHIR storage.

Architecture: Device → Azure IoT Hub → Azure Event Hub → MedTech Service → FHIR Service

// Device Mapping Template (MedTech device-to-FHIR mapping)
{
  "templateType": "CollectionContent",
  "template": [
    {
      "templateType": "JsonPathContent",
      "template": {
        "typeName": "heartrate",
        "typeMatchExpression": "$..[?(@.heartRate)]",
        "deviceIdExpression": "$.deviceId",
        "timestampExpression": "$.timestamp",
        "values": [
          {
            "required": true,
            "valueExpression": "$.heartRate",
            "valueName": "hr"
          }
        ]
      }
    }
  ]
}

// FHIR Mapping Template (normalized measurement to FHIR Observation)
{
  "templateType": "CollectionFhir",
  "template": [
    {
      "templateType": "CodeValueFhir",
      "template": {
        "codes": [
          {
            "code": "8867-4",
            "system": "http://loinc.org",
            "display": "Heart rate"
          }
        ],
        "periodInterval": 0,
        "typeName": "heartrate",
        "value": {
          "defaultPeriod": 5000,
          "unit": "/min",
          "valueName": "hr",
          "valueType": "Quantity"
        }
      }
    }
  ]
}

Cost Optimisation

AHDS costs are primarily driven by:

Storage — FHIR resources stored in underlying Cosmos DB. Priced per GB-month.
Request Units — Cosmos DB RU consumption for reads, writes, and searches
Throughput — Autoscale RU/s configuration

Cost reduction strategies:

Right-size throughput. AHDS FHIR Service uses Cosmos DB with autoscale. Set the minimum and maximum RU/s based on actual workload patterns — avoid over-provisioning for peak loads that occur only briefly.

Use bulk import for initial data loads. The $import operation is significantly more cost-efficient for bulk data ingestion than individual POST requests — it batches Cosmos DB writes and reduces per-transaction overhead.

Export infrequently-accessed resources. For historical FHIR data that is accessed rarely (older encounter data, historical observations), consider exporting to Azure Data Lake for cold storage and deleting from the FHIR Service to reduce Cosmos DB storage costs.

Cache frequently-read reference data. Practitioner, Organization, Location, and ValueSet resources are read frequently but change rarely. Cache them in Azure Cache for Redis with appropriate TTLs rather than fetching from FHIR on every clinical request.

Monitor with Cost Analysis. Enable Azure Cost Management tagging for your AHDS workspace and set budget alerts to catch unexpected cost spikes from misconfigured ingestion pipelines.

Production Reliability Patterns

Retry and Circuit Breaker

using Polly;
using Polly.Extensions.Http;
 
// Configure retry with exponential backoff for transient FHIR API failures
var retryPolicy = HttpPolicyExtensions
    .HandleTransientHttpError()
    .WaitAndRetryAsync(
        retryCount: 3,
        sleepDurationProvider: attempt => TimeSpan.FromSeconds(Math.Pow(2, attempt)),
        onRetry: (outcome, timespan, attempt, context) =>
        {
            logger.LogWarning("FHIR request retry {Attempt} after {Delay}ms: {StatusCode}",
                attempt, timespan.TotalMilliseconds, outcome.Result?.StatusCode);
        });
 
// Circuit breaker to stop hammering FHIR when it is degraded
var circuitBreakerPolicy = HttpPolicyExtensions
    .HandleTransientHttpError()
    .CircuitBreakerAsync(
        handledEventsAllowedBeforeBreaking: 5,
        durationOfBreak: TimeSpan.FromSeconds(30));
 
// Combine policies
var combinedPolicy = Policy.WrapAsync(retryPolicy, circuitBreakerPolicy);

Observability

// Structured logging for FHIR operations
public async Task<T?> ExecuteFhirOperationAsync<T>(
    string operationName, Func<Task<T>> operation) where T : class
{
    using var activity = _activitySource.StartActivity(operationName);
    var stopwatch = Stopwatch.StartNew();
    
    try
    {
        var result = await operation();
        
        _logger.LogInformation("{Operation} completed in {ElapsedMs}ms",
            operationName, stopwatch.ElapsedMilliseconds);
        
        _metrics.RecordFhirOperationDuration(operationName, stopwatch.Elapsed);
        
        return result;
    }
    catch (FhirOperationException ex)
    {
        _logger.LogError(ex, "{Operation} failed with FHIR status {Status}: {Detail}",
            operationName, ex.Status, ex.Outcome?.ToString());
        throw;
    }
}

HIPAA Compliance Checklist for AHDS

The AHDS service is covered under the Microsoft HIPAA BAA, but compliance is shared responsibility. Your configuration must implement:

Access Control — Azure RBAC with minimum necessary access; no wildcard assignments
Audit Logging — Enable Azure Monitor diagnostic settings for all FHIR operations; retain logs for 6+ years
Encryption — AHDS encrypts data at rest using Microsoft-managed keys (default) or Customer-Managed Keys (recommended for HIPAA)
Network Security — Configure Private Endpoints to prevent FHIR Service from being accessible over the public internet
Data Residency — Deploy in a US Azure region (eastus, westus2, etc.) and confirm your Microsoft HIPAA BAA covers the selected region
Breach Response — Configure Azure Monitor alerts for anomalous access patterns and integrate with your incident response procedures

Conclusion

Azure Health Data Services provides a production-ready foundation for FHIR R4 healthcare applications that eliminates the operational complexity of self-hosting while meeting US HIPAA compliance requirements. The key to production success is correct RBAC configuration, SMART on FHIR setup for clinical applications, bulk export pipeline design for analytics, and the retry/observability patterns that make any distributed system reliable.

Muhammad Moid Shams is a Lead Software Engineer specialising in FHIR R4 integration and Azure health data platforms. He has deployed AHDS and custom FHIR servers for healthcare applications serving 20,000+ clinical facilities.