Inferensys

Glossary

SMART on FHIR

An open, standards-based platform that adds a secure authorization layer and embeddable user interface to FHIR APIs, enabling substitutable third-party applications to run seamlessly within any compliant electronic health record system.
Overhead shot of a beautifully lit strategy meeting in a modern WeWork hot desk area, designers and executives gathered around a live AI system diagram projected on smart table surface.
AUTHORIZATION & UI STANDARD

What is SMART on FHIR?

SMART on FHIR is an open standard that adds a secure authorization layer and embeddable user interface capabilities to FHIR APIs, enabling third-party applications to launch seamlessly within an EHR context.

SMART on FHIR (Substitutable Medical Applications and Reusable Technologies) is an open standard that layers an OAuth 2.0-based authorization and user interface integration framework on top of FHIR APIs. It defines a protocol for securely launching third-party clinical applications from within an EHR context, ensuring the app receives a scoped access token tied to the specific patient record and clinician session currently active. This mechanism replaces proprietary, vendor-specific integration methods with a universal, plug-and-play app ecosystem.

The standard defines distinct launch scenarios, including EHR Launch (initiated from within the clinician's workflow) and Standalone Launch (where an app requests access independently). By mandating OpenID Connect for identity federation and defining a standardized CapabilitySet discovery document, SMART on FHIR ensures that any compliant application can securely connect to any compliant FHIR server without custom integration code. This architecture is the technical foundation for mandated patient and provider API access under the ONC Cures Act Final Rule.

APP LAUNCH SPECIFICATION

Core Components of SMART on FHIR

SMART on FHIR defines a standardized protocol for launching third-party applications securely within an EHR context, combining FHIR's data model with OAuth2-based authorization.

02

EHR Launch Context

The mechanism by which an app is launched directly from the EHR interface, receiving contextual parameters to orient itself immediately.

  • Launch Parameters: The EHR passes a launch code and iss (issuer) parameter to the app, which it exchanges for an access token.
  • Patient Context: The app receives a specific patient ID, allowing it to load that patient's data without manual search.
  • Encounter Context: For inpatient settings, the app can be scoped to a specific visit or encounter ID.
03

Standalone Launch Flow

Allows an app to be launched independently of the EHR, such as from a mobile device or a portal link, while still connecting to the FHIR server.

  • Discovery: The app discovers the FHIR endpoint and authorization server via a well-known URL (/.well-known/smart-configuration).
  • Authorization Code Flow with PKCE: Uses Proof Key for Code Exchange to secure the flow for public clients that cannot keep a client secret.
  • User Initiation: The user must still authenticate and authorize the app to access their data on the FHIR server.
06

Scopes & User Identity

The granular permission model that governs what data a SMART app can access and what identity claims it receives.

  • Clinical Scopes: Define access to patient-level data (e.g., patient/Patient.read, patient/Observation.rs).
  • User-Level Scopes: Provide identity claims about the authenticated user (e.g., openid, fhirUser, profile).
  • fhirUser Claim: A critical OpenID Connect claim that returns a URL pointing to the FHIR resource representing the current user (Practitioner, Patient, or RelatedPerson).
SMART ON FHIR

Frequently Asked Questions

Clarifying the open standard that layers secure authorization and embedded user interfaces on top of FHIR APIs to enable interoperable, context-aware healthcare applications.

SMART on FHIR is an open, standards-based technology platform that enables developers to build applications that run seamlessly and securely across the electronic health record ecosystem. It works by combining the FHIR (Fast Healthcare Interoperability Resources) standard for data models and RESTful APIs with the OAuth 2.0 and OpenID Connect protocols for authentication and authorization. This combination allows a third-party application to be launched from within an EHR, request specific clinical data scopes (like patient/Observation.rs), and receive an access token to query the FHIR server directly. The platform defines a launch context that passes critical parameters—such as the current patient ID and encounter—to the app, ensuring it opens in the correct clinical context without requiring a separate login.

INTEGRATION PARADIGM COMPARISON

SMART App Launch vs. Traditional EHR Integration

A technical comparison of the SMART on FHIR authorization and UI integration standard against legacy EHR integration methods.

FeatureSMART App LaunchC-CDA ExchangeHL7 v2 Interface

API Architecture

RESTful FHIR API

Document-based XML

TCP/IP socket or MLLP

Authorization Protocol

OAuth 2.0 + OpenID Connect

VPN or point-to-point TLS

VPN or point-to-point TLS

Single Sign-On Context

Embedded EHR UI Launch

Real-Time Data Access

Standardized Discovery

FHIR CapabilityStatement + .well-known/smart-configuration

Direct Trust Bundle exchange

Manual IP/port configuration

Patient-Scoped Access

OAuth patient/ scopes

Granular Resource Scoping

Per-resource OAuth scopes

Entire document exchange

Message-level filtering

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.