To All Articles

The Role of HITRUST Compliance in SMART on FHIR Applications

Alexei Chizhmakov

Published on June 29, 2023

In the rapidly evolving landscape of healthcare technology, securing sensitive patient information has become as critical as the life-saving treatments this data enables. As medical organizations around the globe increasingly shift to digitized solutions, the emphasis on the safety and regulatory compliance of these systems is more profound than ever. The urgency is necessitated by the growing threats that cyber vulnerabilities pose to the sanctity of patients’ personal health data and the potential of disruptive impacts on health service delivery. 

Amid the extensive compliance standards, the Health Information Trust Alliance, commonly known as HITRUST, has cemented its position as a comprehensive, reliable security framework. It serves as the industry’s bedrock, enabling organizations to ensure the highest level of protection for their digital assets, particularly those containing sensitive patient information.

At the same time, we are witnessing a surge in the adoption of Substitutable Medical Applications, Reusable Technologies (SMART) on Fast Healthcare Interoperability Resources (FHIR) applications. These technologies are revolutionizing the way healthcare data is shared and managed, enhancing care coordination and patient outcomes. SMART on FHIR applications are driving a transformative shift in healthcare, seamlessly integrating a wide variety of medical apps within various healthcare systems. This new paradigm offers vast potential for personalization and innovation, yet it also brings to the forefront a need for robust security measures to safeguard data integrity and patient privacy.

As a leader in the healthcare software development arena, Seattle-based Itirra finds itself at the intersection of these two pivotal areas. Leveraging its deep expertise in HITRUST compliance and its extensive experience with SMART on FHIR applications, Itirra is poised to provide invaluable insights into the synergy between these domains.

What is HITRUST compliance?

HITRUST, or the Health Information Trust Alliance, is a universally recognized, third-party standard for regulatory compliance and risk management in the healthcare sector. It was developed to ensure the security of sensitive patient data against cyber threats, while addressing the challenges of meeting various compliance requirements in an increasingly complex regulatory environment.

At its core, HITRUST is a certifiable framework that harmonizes numerous healthcare laws, standards, and best practices, including the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST) guidelines. HITRUST’s strength lies in its comprehensiveness and specificity, but it also goes beyond the broad mandates of individual regulations to provide a detailed, prescriptive set of controls that organizations must implement for robust data security.

Acquiring HITRUST Certification is a rigorous process. Organizations undergo a comprehensive assessment of their information protection controls, including a thorough review of their systems, processes, and policies. This involves measuring the organization’s security protocols against the HITRUST CSF – a scalable, certifiable framework that organizations use to validate their adherence to high-quality data protection standards. Successfully obtaining HITRUST certification demonstrates to clients, partners, and regulatory bodies that an organization has a robust, fully compliant security program, and is committed to the highest levels of data protection.

hitrust 2
What is the role of SMART on FHIR applications?

Substitutable Medical Applications and Reusable Technologies (SMART) on Fast Healthcare Interoperability Resources (FHIR) applications are transforming how healthcare data is accessed, shared, and utilized, all to significantly enhance patient care and health outcomes. These applications employ a set of open specifications that integrate diverse healthcare systems, allowing apps to be ‘plugged in’ seamlessly. The interoperability that SMART on FHIR promotes makes it a game-changer in the healthcare sector.

The principle behind SMART on FHIR is to promote interoperability and the secure exchange of health information. FHIR, an HL7 standard, creates a robust and extensible data model for health information with standardized semantics and data exchange services. This, in turn, ensures that the data transferred between healthcare apps and services is consistent and usable. When coupled with SMART, a technology that adds a layer of security with its ability to launch apps across platforms, it facilitates the creation of a wide array of innovative applications that can interact seamlessly with different health IT systems.

These applications serve various functions, from facilitating electronic health record (EHR) integration and enabling secure data sharing, to enhancing clinical decision support and streamlining administrative tasks. By providing physicians and healthcare providers with detailed, timely access to health information, SMART on FHIR applications are playing a critical role in enhancing patient care. They facilitate better clinical decisions, improve health outcomes, reduce errors, and streamline health processes.

Indeed, the healthcare landscape is full of real-world examples that underscore the transformative role of SMART on FHIR applications. For instance, the Boston Children’s Hospital developed and implemented a growth chart application using SMART on FHIR. This app integrates seamlessly with their existing EHR system and provides a user-friendly interface for tracking and visualizing a child’s growth metrics. It showcases how SMART on FHIR applications can enhance the healthcare delivery experience for both providers and patients.

Another notable example is the Sync for Science (S4S) pilot, a collaborative project between the National Institutes of Health (NIH) and the Office of the National Coordinator for Health IT (ONC). This project employs SMART on FHIR technology to enable individuals to access their health data and donate it for scientific research if they choose to. It’s an impressive demonstration of how these applications can empower patients and contribute to medical advancements.

HITRUST compliance in SMART on FHIR applications

SMART on FHIR applications represent a significant step forward in healthcare technology, enabling interoperability and promoting the secure exchange of health information. However, as these applications continue to increase in sophistication and scope, they also become attractive targets for cybersecurity threats. This is where HITRUST compliance comes into play.

In the healthcare industry, the potential damage caused by data breaches is twofold: the violation of patient privacy and the undermining of patient trust. In the event of a breach, not only is the organization exposed to potential legal repercussions and regulatory penalties, but the trust built between healthcare providers and their patients can be significantly eroded. This is a key factor in patient engagement and their willingness to share data, both of which have profound implications for the delivery of care and patient outcomes.

Safeguarding healthcare data

HITRUST compliance mitigates these risks by providing a rigorous, comprehensive security framework that encompasses a broad range of regulatory standards. Organizations that achieve HITRUST certification demonstrate their commitment to the highest standards of data security, enhancing trust and confidence among patients and partners.

HITRUST sets forth stringent standards for protecting healthcare data, and its compliance ensures the security, integrity, and confidentiality of sensitive health information managed by SMART on FHIR applications. By adhering to HITRUST’s prescriptive set of controls, developers of SMART on FHIR applications can build robust security measures into their products from the ground up, minimizing the risk of data breaches and other cybersecurity threats.

Moreover, the HITRUST CSF is regularly updated to address the ever-evolving threat landscape, ensuring that compliance means staying abreast of the latest best practices in cybersecurity. This level of vigilance is particularly relevant in an era of increasing cyber threats and a rapidly evolving healthcare technology ecosystem.

hitrust 4
Source: The HIPAA Journal

Building trust

HITRUST compliance sends a clear signal to clients, partners, and patients that the organization values and prioritizes the security of their data. For SMART on FHIR applications, this not only means improved security but also increased trust and reliability among users. Integrating HITRUST compliance into the development and operation of SMART on FHIR applications is more than a regulatory obligation — it’s a crucial component of maintaining high-quality healthcare services and strengthening patient trust. With HITRUST, developers and healthcare providers can ensure that as they leverage the benefits of SMART on FHIR applications, they are also guaranteeing the highest level of security for their patient’s information.

Unifying standards

HITRUST compliance also has a streamlining effect on the healthcare industry. By creating a unified framework that encompasses many regulatory standards, HITRUST reduces the complexity and redundancy of meeting multiple compliance requirements. This can lead to significant cost savings and efficiency gains for healthcare organizations. As such, it plays a pivotal role in the development and operation of SMART on FHIR applications, which are integral components of the digital healthcare landscape.


The nexus of HITRUST compliance and SMART on FHIR applications represents an evolutionary stride in healthcare’s mission to secure patient data while advancing interoperability and data accessibility. HITRUST compliance is an embodiment of an organization’s commitment to the highest standards of data security, assuring stakeholders that the safety of their sensitive health information is a top priority.

By promoting the seamless integration and exchange of health data across diverse systems, SMART on FHIR applications are setting the stage for a new era in healthcare marked by enhanced patient outcomes and efficient processes. However, the real potential of these applications unfolds when they are developed and operated within the framework of rigorous compliance standards such as HITRUST. This blend not only fortifies the security measures but also amplifies trust among users.

At Itirra, we are at the forefront of these advancements, expertly navigating the intersection of HITRUST compliance and SMART on FHIR applications. Our deep understanding of HITRUST standards, coupled with our expertise in developing SMART on FHIR applications, empowers us to deliver solutions that revolutionize healthcare delivery while prioritizing data security. In this ever-evolving landscape of healthcare technology, Itirra remains steadfast in its pursuit of excellence, driving progress while ensuring the security and confidentiality of patient data.