We Value Your Privacy

    We use cookies to enhance your browsing experience, serve personalized content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies. You can customize your preferences or learn more in our Cookie Policy.

    Back to Blog
    Healthcare

    Demystifying Smart on FHIR: Building Smart on FHIR App

    Before understanding Smart on FHIR, let's understand what is FHIR?

    Abhishek Ray
    CEO & Director
    July 19, 2024
    35 min read

    Table of Contents

    Key Takeaways

    • FHIR provides standardized healthcare data models and APIs
    • SMART on FHIR adds authentication, authorization, and UI integration
    • OAuth 2.0 and OpenID Connect ensure secure access to healthcare data
    • EHR UI integration simplifies clinician workflows
    • Industry adoption is growing but still requires improvement

    FHIR (Fast Healthcare Interoperability Resources), developed by HL7, plays a pivotal role in addressing the critical issue of data interoperability in healthcare systems. The need for FHIR arises from the inherent challenges faced when organizations with different EHR systems or departments utilizing diverse software solutions attempt to communicate and share patient information.

    Healthcare Interoperability Challenge

    Within a healthcare institution like a hospital, different departments often employ separate computer systems to manage various aspects of patient data, such as appointments, medical records, and billing. When patients transition between these departments, the details are often manually re-entered into the new system, leading to potential data loss and inconsistencies.

    01.The Interoperability Crisis: Why Healthcare Needed FHIR

    Before FHIR, healthcare systems operated in isolated silos. A 2019 study by the Office of the National Coordinator for Health Information Technology (ONC) found that only 48% of hospitals could electronically send patient data to outside providers, and only 35% could receive and integrate external data into their EHR systems. This fragmentation had profound consequences:

    Clinical Impact

    • Duplicated tests: Patients undergo the same diagnostic tests multiple times when transitioning between providers, costing the US healthcare system an estimated $200 billion annually
    • Medication errors: Without complete medication history, physicians prescribe conflicting drugs, contributing to 1.3 million adverse drug events per year
    • Delayed care: Critical diagnostic information takes days or weeks to transfer, delaying treatment decisions
    • Patient safety risks: Incomplete allergy records lead to preventable adverse reactions

    Economic & Operational Impact

    • Administrative burden: Healthcare workers spend 25-30% of their time on administrative tasks related to data entry and retrieval
    • Integration costs: Custom HL7 v2 interfaces cost 30,00030,000-150,000 per connection to develop and maintain
    • Innovation barriers: New healthcare applications require months to integrate with each EHR vendor
    • Vendor lock-in: Healthcare organizations struggle to switch EHR systems due to proprietary data formats

    The Pre-FHIR Landscape: HL7 v2 and v3

    Healthcare informatics has long relied on HL7 standards, but each had critical limitations:

    • HL7 v2 (1987-present): Widely adopted but highly flexible, leading to implementation variability. Two "HL7 v2 compliant" systems might still be unable to communicate without custom interface development. Messages are pipe-delimited text that's difficult to parse and extend.
    • HL7 v3 (2005-present): Attempted to address v2's shortcomings with rigorous semantic models (RIM - Reference Information Model), but became overly complex. XML-based messages were verbose and difficult to implement, leading to poor adoption.
    • CDA (Clinical Document Architecture): XML document standard for clinical notes, but limited to document exchange rather than granular data access.

    02.How FHIR Ensures Interoperability: Architecture and Design Principles

    FHIR revolutionizes healthcare interoperability through three fundamental design principles that set it apart from previous standards:

    1. RESTful API

    FHIR leverages standard HTTP methods (GET, POST, PUT, DELETE) that web developers already understand. This reduces the learning curve dramatically compared to SOAP-based HL7 v3.

    GET /Patient/123
GET /Observation?patient=123&category=vital-signs
POST /MedicationRequest
PUT /Appointment/456

    Standard web architecture means developers can use familiar tools, libraries, and debugging techniques.

    2. Resource-Based Model

    FHIR data models, termed "resources," structure healthcare data as discrete, self-contained entities with defined attributes, relationships, and semantics.

    FHIR R5 includes 157 resources across categories:

    • • Clinical (Patient, Observation, Condition, Procedure)
    • • Medications (MedicationRequest, MedicationAdministration)
    • • Diagnostics (DiagnosticReport, ImagingStudy)
    • • Financial (Claim, Coverage, Invoice)
    • • Workflow (Appointment, Schedule, Task)

    3. Modern Data Formats

    FHIR supports JSON (primary), XML, and RDF/Turtle formats. JSON's lightweight, human-readable format makes FHIR accessible to modern web and mobile developers.

    {
  "resourceType": "Patient",
  "id": "example",
  "name": [{
    "family": "Smith",
    "given": ["John", "Q"]
  }],
  "birthDate": "1974-12-25"
}

    FHIR Resource Structure: Deep Dive

    Each FHIR resource follows a consistent structure that balances flexibility with standardization:

    Example: Patient Resource

    {
  "resourceType": "Patient",
  "id": "pat-12345",
  "meta": {
    "versionId": "2",
    "lastUpdated": "2024-01-15T09:30:00Z",
    "profile": ["http://hl7.org/fhir/us/core/StructureDefinition/us-core-patient"]
  },
  "identifier": [
    {
      "use": "official",
      "system": "http://hospital.org/mrn",
      "value": "MRN123456"
    },
    {
      "system": "http://hl7.org/fhir/sid/us-ssn",
      "value": "123-45-6789"
    }
  ],
  "active": true,
  "name": [
    {
      "use": "official",
      "family": "Smith",
      "given": ["John", "Robert"],
      "prefix": ["Mr."]
    }
  ],
  "telecom": [
    {
      "system": "phone",
      "value": "(555) 123-4567",
      "use": "home"
    },
    {
      "system": "email",
      "value": "john.smith@email.com"
    }
  ],
  "gender": "male",
  "birthDate": "1974-12-25",
  "address": [
    {
      "use": "home",
      "line": ["123 Main St", "Apt 4B"],
      "city": "Boston",
      "state": "MA",
      "postalCode": "02101",
      "country": "US"
    }
  ],
  "maritalStatus": {
    "coding": [{
      "system": "http://terminology.hl7.org/CodeSystem/v3-MaritalStatus",
      "code": "M",
      "display": "Married"
    }]
  },
  "contact": [
    {
      "relationship": [{
        "coding": [{
          "system": "http://terminology.hl7.org/CodeSystem/v2-0131",
          "code": "C",
          "display": "Emergency Contact"
        }]
      }],
      "name": {
        "family": "Smith",
        "given": ["Jane"]
      },
      "telecom": [{
        "system": "phone",
        "value": "(555) 987-6543"
      }]
    }
  ]
}
    Key Elements
    • resourceType: Always identifies the resource type
    • id: Unique identifier within the server
    • meta: Metadata about the resource itself
    • identifier: Business identifiers (MRN, SSN, etc.)
    • extensions: Custom data not in the base spec
    Extensibility

    FHIR's 80/20 rule: The base specification covers 80% of use cases. For the remaining 20%, FHIR provides formal extension mechanisms without breaking interoperability.

    FHIR Search and Query Capabilities

    FHIR's search capabilities go far beyond simple record retrieval, enabling sophisticated queries across related resources:

    Search Parameters

    // Find all observations for a patient
GET /Observation?patient=123

// Find vital signs from last 7 days
GET /Observation?patient=123&category=vital-signs&date=ge2024-01-08

// Find lab results with specific LOINC code
GET /Observation?patient=123&code=2339-0&_sort=-date&_count=10

// Chained search: Find observations for patients in a specific location
GET /Observation?patient.address-city=Boston&category=laboratory

// Reverse chained search: Find patients who have diabetes diagnosis
GET /Patient?_has:Condition:patient:code=http://snomed.info/sct|73211009

    Includes and Reverse Includes

    // Get patient and include all their conditions
GET /Patient/123?_include=Patient:general-practitioner

// Get condition and include the patient
GET /Condition?_include=Condition:patient

// Get patient and reverse-include all observations about them
GET /Patient/123?_revinclude=Observation:patient

    This reduces round trips by retrieving related resources in a single request.

    03.What is SMART on FHIR? Bridging Data Access with Security

    FHIR solved the data interoperability problem—healthcare systems can now exchange structured clinical data in a standard format. But a critical piece was still missing: How do third-party applications securely access this data?

    Enter SMART on FHIR (Substitutable Medical Applications, Reusable Technologies), developed in 2010 by a team at Boston Children's Hospital and Harvard Medical School. SMART adds three crucial layers on top of FHIR:

    Authentication & Authorization

    OAuth 2.0 and OpenID Connect provide industry-standard security protocols, ensuring only authorized applications and users can access patient data with appropriate permissions.

    App Launch Framework

    Standardized launch sequences enable apps to be embedded directly in EHR user interfaces, launched with patient context automatically passed in.

    Substitutability

    Apps written once work across any SMART-compliant EHR without custom integration work, enabling true interchangeability of healthcare applications.

    The "Write Once, Run Anywhere" Promise for Healthcare

    Before SMART on FHIR, healthcare apps required custom integration for each EHR vendor—sometimes even for each hospital using the same vendor. A diabetes management app might need:

    • Custom Epic integration using Epic's proprietary Interconnect platform (50,00050,000-200,000 per integration)
    • Different Cerner integration using Cerner's APIs and authentication model
    • Yet another integration for Meditech, Allscripts, athenahealth, etc.
    • Ongoing maintenance as each vendor updates their proprietary systems

    SMART on FHIR changes this paradigm completely. A SMART app authenticated against one EHR will work with any SMART-compliant EHR, just like a web app works in any standards-compliant browser. This has profound implications:

    Real-World Impact: Growth of Healthcare App Ecosystem

    Before SMART (Pre-2015)
    • • ~200 healthcare apps across all EHR vendors
    • • Average integration cost: $150,000 per EHR
    • • Time to market: 12-18 months
    • • Limited to large vendors with resources
    • • Startups largely excluded from EHR integration market
    After SMART (2024)
    • • 734+ registered SMART apps (2023 data)
    • • Integration cost: 5,0005,000-20,000 (developer time)
    • • Time to market: 2-6 months
    • • Accessible to startups and individual developers
    • • Vibrant ecosystem of specialized clinical applications

    SMART App Launch Flows: How Apps Get Patient Context

    SMART defines two primary launch workflows that handle authentication, authorization, and context passing:

    1. EHR Launch (Provider-Facing Apps)

    The clinician launches the app from within the EHR interface. The EHR automatically passes the patient context.

    Launch Sequence:
    1. 1. Clinician clicks "Launch Growth Chart App" button in EHR while viewing Patient 12345
    2. 2. EHR redirects to app with launch token and iss (FHIR server URL)
    3. 3. App exchanges launch token for authorization code at EHR's OAuth server
    4. 4. App exchanges authorization code for access token
    5. 5. Access token includes patient context (patient=12345)
    6. 6. App queries FHIR API: GET /Observation?patient=12345&code=29463-7
    Use cases: Clinical decision support tools, risk calculators, specialized charting interfaces, diagnostic viewers

    2. Standalone Launch (Patient-Facing Apps)

    Patient opens the app independently (mobile app, web portal). The app guides them through login and patient selection.

    Launch Sequence:
    1. 1. Patient opens "MyHealth Dashboard" app
    2. 2. App discovers FHIR server endpoints (via .well-known/smart-configuration)
    3. 3. App redirects to EHR's authorization server
    4. 4. Patient authenticates (username/password, SSO, or MFA)
    5. 5. Patient grants app permissions (read observations, read medications)
    6. 6. Authorization server redirects back with authorization code
    7. 7. App exchanges code for access token with patient context
    8. 8. App queries FHIR API for patient's data
    Use cases: Patient portals, personal health records, chronic disease management apps, remote monitoring dashboards

    04.OAuth 2.0 and OpenID Connect: The Security Foundation

    SMART on FHIR leverages OAuth 2.0 for authorization and OpenID Connect (OIDC) for authentication, providing enterprise-grade security that healthcare regulators require.

    OAuth 2.0 in Healthcare Context

    OAuth 2.0 solves a critical problem: How can a third-party app access patient data without the app ever seeing the user's EHR credentials?

    OAuth Token Types and Lifetimes

    Token Type Purpose Typical Lifetime Storage
    Authorization Code One-time exchange for access token 1-10 minutes Query parameter only
    Access Token Proves authorization to access FHIR APIs 1-60 minutes Memory only (never localStorage)
    Refresh Token Obtains new access token without re-login Days to months Secure storage with encryption
    ID Token (OIDC) Contains user identity information (JWT) 5-60 minutes Can be stored, contains no secrets

    OAuth 2.0 Features

    • Issues access tokens to third-party applications
    • Defines permissions known as "scopes"
    • Specifies what data or actions applications can access
    • Ensures secure and controlled access to healthcare data
    • Safeguards user privacy through controlled access

    OpenID Connect Benefits

    • Enhances OAuth 2.0 with identity management capabilities
    • Provides secure access and identity verification
    • Requests additional user information for enhanced UX
    • Enables Single Sign-On (SSO) reducing multiple logins
    • Critical role in SMART on FHIR identity management

    05.How SMART Builds on Top of FHIR: Architectural Layers

    SMART on FHIR creates a complete application ecosystem by adding authentication, authorization, and application launch capabilities to FHIR's data access layer. Understanding how these layers interact is crucial for implementing SMART applications.

    SMART Scopes: Fine-Grained Permissions

    SMART defines a granular scoping system that controls exactly what data an application can access and what actions it can perform:

    SMART Scope Syntax

    // Scope format: [user|patient|system]/[Resource].[read|write|*]
//
// User scopes - access data the user can see
user/Observation.read          // Read observations in patient chart user is viewing
user/Patient.read             // Read patient demographics
user/MedicationRequest.*      // Full access to medications

// Patient scopes - access data for authenticated patient only
patient/Observation.read      // Patient reads their own observations
patient/AllergyIntolerance.*  // Patient manages their allergy list
patient/*.read                // Patient reads all their clinical data

// System scopes - backend services (no user present)
system/Patient.read           // Backend system reads any patient
system/Observation.write      // Backend system can write observations
    Common Scope Combinations
    Clinical Decision Support:
    launch/patient user/Patient.read user/Observation.read user/Condition.read
    Patient Portal:
    openid profile patient/Patient.read patient/Observation.read patient/MedicationRequest.read
    Population Health Tool:
    system/Patient.read system/Observation.read system/Encounter.read
    Special Scopes
    • launch - Participate in EHR launch
    • launch/patient - Request patient context
    • launch/encounter - Request encounter context
    • offline_access - Request refresh token
    • online_access - Access only while online
    • openid profile email - User identity info

    The table below summarizes how SMART builds on top of FHIR:

    Component SMART on FHIR FHIR
    Authorization OAuth2 None
    Authentication OpenID Connect None
    Data Models From FHIR FHIR Resources
    Profiles SMART profiles None
    Data Access From FHIR FHIR REST API
    Data Format From FHIR FHIR JSON or XML
    EHR UI Integration SMART Launch Specification None

    06.Key Enhancements SMART Provides: Beyond Basic FHIR

    EHR UI Integration

    Perhaps one of the most crucial features of SMART is enabling integration with the user interface of EHRs, thus simplifying the process of navigating between applications by bringing them together in one interface.

    With SMART, clinicians can access all integrated applications directly within their EHR, enter information, view data and make informed decisions without needing to leave the EHR environment.

    Enhanced Security

    In SMART on FHIR, OAuth Authorization is employed to provide secure access to healthcare data, allowing only authorized apps to retrieve patient information, while OpenID Connect is used to securely confirm the identity of users accessing healthcare data.

    The focus of FHIR is on organizing and exchanging healthcare data and it does not directly incorporate OAuth Authorization or OpenID Connect for security purposes.

    07.Industry Adoption and Compliance

    According to the Journal of the American Medical Informatics Association (JAMIA), while the number of unique healthcare applications rose from 600 to 734 in 2023, only 22% of the applications conformed to the FHIR standard. To improve compliance to FHIR, the Lantern tool, developed by the ONC (The Office of the National Coordinator) was set up to help ONC monitor and share insights on the presence and uniformity of FHIR compliant applications. Click here to view the Lantern dashboard

    Source: Journal of the American Medical Informatics Association (JAMIA) - FHIR application usage across different healthcare categories

    As federal regulations come into play and FHIR gains more traction, the number of applications conforming to SMART on FHIR is expected to increase significantly across all healthcare categories.

    [value + '%', 'FHIR Compliance Rate']} />

    Future Outlook

    As federal regulations come into play and FHIR gains more traction, the number of applications conforming to SMART on FHIR is expected to increase significantly across all healthcare categories.

    08.How Finarb Analytics Implemented SMART in a Web-Based Application

    Finarb Analytics collaborated with a leading public hospital in Texas in developing a web-based application for early sepsis detection and prevention. This case study demonstrates practical SMART on FHIR implementation.

    Application Features

    • Seamless integration with multiple data sources
    • User-friendly dashboard with real-time patient data
    • Historical data analysis for trend identification
    • Real-time alert system for abnormal values
    • Risk score calculation and monitoring

    Technical Implementation

    • EHR platform selection supporting SMART on FHIR
    • API compatibility verification
    • FHIR standards adherence
    • SMART App Launch framework utilization
    • Authentication and authorization handling

    09.Development Process and Considerations

    EHR Interoperability

    SMART on FHIR is designed to be interoperable with various Electronic Health Record (EHR) systems. An EHR platform needs to be selected that supports the SMART on the FHIR standard. The process involves researching different EHR vendors, their compatibility with SMART on FHIR, and their reputation in the healthcare industry.

    Application Development

    The development involves using the FHIR resources and SMART App Launch framework to create a web-based application. There is a demand for developers who are familiar with FHIR standards and web application development. The SMART on FHIR framework provides libraries and tools that simplify this process and ensures proper authentication, authorization, and data exchange.

    Key Success Factors

    • • Choosing technology firms that understand business needs and HL7/SMART guidelines
    • • Ensuring compliance with HIPAA regulations
    • • Implementing robust authentication and authorization mechanisms
    • • Designing user-friendly interfaces that integrate seamlessly with existing workflows
    • • Thorough testing and validation of FHIR compliance

    SMART on FHIR represents a significant advancement in healthcare interoperability, enabling the development of applications that can work across different healthcare systems while maintaining security and data integrity. As the healthcare industry continues to embrace digital transformation, SMART on FHIR will play an increasingly important role in enabling innovation and improving patient care.

    FHIR Resources Architecture

    FHIR Resources Structure

    Administrative
    Clinical
    Financial
    Workflow
    FHIR Resources
    Patient
    Practitioner
    Organization
    Observation
    Condition
    Medication
    Procedure
    Claim
    Coverage
    Appointment
    Encounter
    Mini Map
    React Flow
    FHIR
    Healthcare
    Integration
    AI
    Interoperability
    Smart on FHIR

    Share this article

    1 like