Full definition
SMART on FHIR (Substitutable Medical Apps, Reusable Technology) is the OAuth 2.0 + FHIR-based standard that enables third-party apps to integrate securely into EHRs. Apps register with the EHR; users (patients or clinicians) grant scoped access; apps make FHIR API calls authorised by OAuth tokens. It supports both patient-facing apps (which read the patient's own data) and clinician-facing apps (which read patient context within an EHR session).
SMART on FHIR is mandated by the US 21st Century Cures Act for certified EHRs: patients must be able to access their data via SMART-conformant apps, and clinicians must be able to launch SMART apps from within the EHR. Major EHRs (Epic, Cerner, Meditech, Allscripts) all support SMART on FHIR.
For clinic technology: SMART on FHIR is the standard for app integration in 2026. MOVO-X supports SMART on FHIR — apps can launch within MOVO-X with authorised access to patient data; MOVO-X itself can launch within other EHRs as a SMART app.
Where SMART on FHIR + OAuth is used
- Patient-facing health apps
- Clinician decision-support tools
- Cross-system clinical integration
- Telehealth integration into EHR
- Specialty-tool integration into general EHR
Types of SMART on FHIR + OAuth
EHR launch
App launches from within EHR with patient context.
Standalone launch
Patient-facing app launches independently with patient credentials.
Backend services
Server-to-server access without user UI.
OAuth scopes
Granular permission control (patient/Patient.read, user/Observation.write, etc.).
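The scope check a FHIR resource server applies before serving a request, as an added example (not code from MOVO-X or any EHR vendor). It assumes SMART v1-style scope strings of the form `context/ResourceType.permission`; the function names and the sample scope string are constructed for illustration.

```python
import re
from typing import NamedTuple

# Assumed SMART v1-style syntax: <patient|user|system>/<ResourceType|*>.<read|write|*>
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]+|\*)\.(read|write|\*)$")

class Scope(NamedTuple):
    context: str      # patient, user or system
    resource: str     # FHIR resource type, or * for all types
    permission: str   # read, write, or * for both

def parse_scopes(scope_string):
    """Split a space-delimited OAuth scope string into SMART resource scopes.
    Everything else (openid, launch/patient, malformed entries) is returned
    separately so it never grants data access by accident."""
    parsed, other = [], []
    for token in scope_string.split():
        match = SCOPE_RE.match(token)
        if match:
            parsed.append(Scope(*match.groups()))
        else:
            other.append(token)
    return parsed, other

def is_allowed(granted, context, resource, action):
    """Deny by default: allow only when a granted scope covers the request."""
    if action not in ("read", "write"):
        return False
    return any(
        s.context == context
        and s.resource in (resource, "*")
        and s.permission in (action, "*")
        for s in granted
    )

def wildcard_scopes(granted):
    """Scopes wider than one resource and one permission, for least-privilege review."""
    return [s for s in granted if "*" in (s.resource, s.permission)]

# Constructed sample: the scope string from a token issued to a hypothetical app.
SAMPLE = "openid launch/patient patient/Patient.read user/Observation.write system/*.read"

if __name__ == "__main__":
    granted, other = parse_scopes(SAMPLE)
    print("non-resource scopes:", other)
    print("Patient read allowed:", is_allowed(granted, "patient", "Patient", "read"))
    print("Observation read via write scope:", is_allowed(granted, "user", "Observation", "read"))
    print("review these wildcards:", wildcard_scopes(granted))
```

Matching the scope is only the first gate: for `patient/` scopes the server must also restrict results to the patient bound to the token.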
Quantified benefits
- Standardised app integration across EHRs
- Granular permission control
- OAuth-based security
- Enables ecosystem of healthcare apps
Frequently asked
Is SMART on FHIR required?
For US ONC-certified EHRs serving patients under the Cures Act, yes. It is increasingly expected globally in modern EHR procurement.
Does MOVO-X support SMART on FHIR?
Yes, in both directions. Third-party apps can integrate into MOVO-X. MOVO-X can launch as a SMART app within Epic, Cerner, Meditech, etc.
OAuth scopes for clinical data?
Standard SMART scopes (patient/*, user/*, system/*) plus FHIR-resource-specific scopes (Patient.read, Observation.write, etc.). Granular permission control per app per user.
What about backend services?
The SMART backend services profile supports server-to-server integration without user-mediated authorisation. It is used for population-health analytics, AI processing, etc.