When developing a healthcare application that needs to integrate with external systems, the first two questions that generally arise are: What data do I need, and how do I connect my application?
We will cover data requirements in a separate blog and focus on the connection in this article. To explain the connection process, we will assume that HL7 FHIR will be the interface standard. Check out this post for more on HL7 v2 interface connections.
The SMART Framework
The SMART framework was developed at Boston Children’s Hospital in 2010 to enable healthcare applications to work at any organization, regardless of system or EHR. The vision would allow providers to pick and choose what applications they want to use, like the app store on one’s iPhone.
SMART ultimately transformed into a layer of the HL7 FHIR standard which was released in 2014. The SMART component of the framework primarily focuses on how solutions can integrate with FHIR interfaces.
SMART defines the launch context of an application. The launch context is how a user accesses the app. Applications can generally be launched from an EHR or standalone. They also may not need to be launched by users if they are backend or headless applications and can interact with the EHR autonomously.
SMART also defines the data the user launching the application should access. Users of applications can be providers or patients who may be restricted to specific access and privileges (read/write). Determining the user and launch context is the critical first step to connecting your healthcare application.
Documentation & More
The SMART framework is also responsible for providing documentation for developers on an application’s FHIR interface capability. Many EHR providers and other healthcare companies have now deployed app stores or galleries for their users, publishing apps for download.
In the simplest terms:
- SMART defines access capability and security
- FHIR defines the data structure and communication
- EHR/EMR (or other healthcare apps) owns the data and FHIR server
Here Is a Helpful Glossary of SMART Terminology:
Authentication is verifying the identity of a client application or third party. Authentication is typically done before authorization.
Authorization is verifying and granting access to a client application or third party.
OAuth (Open Authorization) is a framework that enables a third party to obtain limited access to protected resources. OAuth implementations can vary quite a bit depending on the use case; the framework itself provides only general guidelines on authorization, so the specifics should be made clear in the developer documentation.
SMART (Substitutable Medical Apps, Reusable Technologies) is an authorization framework based on the OAuth 2.0 standards. Applications can use it to securely integrate with FHIR-based data systems, and it is system- and vendor-agnostic.
SMART App Launch
A flow that authorizes a user-facing client application and delegates a user’s permissions to that third-party application. SMART App Launch uses launch contexts and scopes to tell the external application what access the user has granted it.
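To make the launch flow concrete, here is an added example (not code from the original post) of the client side of a SMART App Launch authorization request in Python. It builds the redirect to the EHR’s authorize endpoint, including the `launch` token for an EHR launch, the `aud` of the FHIR server, a random `state`, and a PKCE code challenge, and then validates the callback by rejecting any response whose `state` does not match. The endpoint URLs, `client_id` and `redirect_uri` are constructed placeholders; the parameter names follow the public SMART App Launch and OAuth 2.0 specifications.

```python
"""Client side of a SMART App Launch authorization request (added example).

The EHR URLs, client_id and redirect_uri below are constructed placeholders
for a hypothetical deployment; parameter names are those of the public
SMART App Launch / OAuth 2.0 specifications.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for a hypothetical EHR and app.
FHIR_BASE = "https://ehr.example.org/fhir"
AUTHORIZE_ENDPOINT = "https://ehr.example.org/oauth2/authorize"
CLIENT_ID = "example-app-client-id"
REDIRECT_URI = "https://app.example.org/callback"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(scopes, launch=None, state=None, code_challenge=None):
    """Build the redirect to the EHR authorize endpoint; returns (url, state).

    `launch` is the opaque token the EHR hands the app on an EHR launch; it is
    omitted for a standalone launch. `aud` names the FHIR server the token is for.
    """
    if state is None:
        state = secrets.token_urlsafe(32)  # unguessable, bound to this session
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "aud": FHIR_BASE,
    }
    if launch is not None:
        params["launch"] = launch
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def parse_callback(redirect_url, expected_state):
    """Extract the authorization code from the EHR's redirect back to the app.

    Raises PermissionError on an OAuth error response and ValueError when the
    state is missing or does not match the one stored for this session.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return code


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url, state = build_authorize_url(
        ["launch", "openid", "fhirUser", "patient/Observation.rs"],
        launch="constructed-launch-token",
        code_challenge=challenge,
    )
    print(url)
    # The app would later exchange the code (plus `verifier`) at the token endpoint.
    print(parse_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state))
```

The `state` check is what ties the callback to the browser session that started the launch; the PKCE verifier is kept server-side and sent only in the token request, so an intercepted authorization code alone is not enough to obtain a token.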
SMART Backend Services
A flow that authorizes a system (headless or automated application) to connect to a FHIR server. No user needs to be involved in the authorization process, and systems like EHRs can freely interact and communicate.
Scopes define specific access permissions that can be given to a client application and are intended to limit access where appropriate. Scopes are based on API definitions of available resources and actions.
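Because scopes are the mechanism that limits what a launched app (or a backend service) can touch, a client should parse the scopes it was actually granted and enforce them before calling the FHIR server rather than assuming it received everything it asked for. The following added example (not the post’s code) parses SMART resource scopes in both the v1 form, `context/Resource.read|write|*`, and the v2 form, `context/Resource.[c][r][u][d][s]`, as defined in the public SMART App Launch specification, and answers two questions: is a given access allowed, and which requested permissions did the server decline? The scope strings used as input are constructed samples; v2 scopes with query parameters are deliberately not handled.

```python
"""Parse and enforce SMART on FHIR resource scopes (added example).

Handles v1 scopes (context/Resource.read, .write, .*) and v2 scopes
(context/Resource.cruds subsets). Non-resource scopes such as launch,
launch/patient, openid, fhirUser and offline_access are skipped. v2 scopes
carrying query parameters are a simplification left out here.
"""
import re
from dataclasses import dataclass

SCOPE_RE = re.compile(
    r"^(?P<context>patient|user|system)/"
    r"(?P<resource>[A-Z][A-Za-z]+|\*)\."
    r"(?P<perm>read|write|\*|(?=[cruds])c?r?u?d?s?)$"
)
# v1 permission words expressed as v2 letters: read = read+search,
# write = create+update+delete, * = everything.
V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}
PERM_ORDER = "cruds"


@dataclass(frozen=True)
class ResourceScope:
    context: str       # "patient", "user" or "system"
    resource: str      # FHIR resource type, or "*" for any
    perms: frozenset   # subset of {"c", "r", "u", "d", "s"}

    def __str__(self):
        return f"{self.context}/{self.resource}." + "".join(
            p for p in PERM_ORDER if p in self.perms)


def parse_scopes(scope_string):
    """Return the resource scopes in a space-separated scope string."""
    scopes = []
    for token in scope_string.split():
        match = SCOPE_RE.match(token)
        if not match:
            continue  # launch, openid, fhirUser, offline_access, unknown tokens
        perm = V1_TO_V2.get(match.group("perm"), match.group("perm"))
        scopes.append(ResourceScope(match.group("context"),
                                    match.group("resource"), frozenset(perm)))
    return scopes


def is_allowed(granted, context, resource, action):
    """True if some granted scope permits `action` (one of c/r/u/d/s) on
    `resource` within `context`; a "*" resource scope covers any type."""
    return any(
        s.context == context
        and s.resource in ("*", resource)
        and action in s.perms
        for s in granted
    )


def missing_grants(requested_string, granted_string):
    """List the requested permissions the server did not grant, one scope
    string per resource, so the app can degrade gracefully instead of failing
    on its first 403."""
    granted = parse_scopes(granted_string)
    missing = []
    for req in parse_scopes(requested_string):
        denied = frozenset(
            p for p in req.perms
            if not is_allowed(granted, req.context, req.resource, p))
        if denied:
            missing.append(str(ResourceScope(req.context, req.resource, denied)))
    return missing


if __name__ == "__main__":
    # Constructed token response: the app asked for more than it received.
    requested = "launch openid fhirUser patient/Observation.cruds patient/Patient.read"
    granted = "launch openid fhirUser patient/Observation.rs patient/Patient.rs"
    print("denied:", missing_grants(requested, granted))
    scopes = parse_scopes(granted)
    print("may read Observation:", is_allowed(scopes, "patient", "Observation", "r"))
    print("may update Observation:", is_allowed(scopes, "patient", "Observation", "u"))
```

Checking the granted scope string from the token response against what was requested is the practical form of the least-privilege principle the scope definition describes: the server, not the app, decides the final access, and the app must behave correctly under the narrower grant.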