HL7 FHIR Security Framework
The HL7 FHIR Security Framework is the foundational security, privacy and access-control framework for FHIR (Fast Healthcare Interoperability Resources), the global standard for healthcare data exchange APIs. Developed and maintained by Health Level 7 International (HL7), the framework covers all aspects of API-based healthcare data exchange security.

KEY HISTORY: FHIR DSTU1 (2014), DSTU2 (2015), STU3 (2017), R4 normative (October 2019), R4B (2022), R5 (2023), R6 (planning). FHIR is now the de facto global standard for healthcare interoperability APIs and the foundation for the ONC Cures Act Final Rule, USCDI, TEFCA, e-prescribing, telehealth, research, EHR-to-EHR exchange, and patient, provider, payer, public health, AI and clinical decision support APIs.

SECURITY FRAMEWORK PILLARS:
(a) TRANSPORT SECURITY - TLS 1.2+, certificate pinning, secure communications;
(b) AUTHENTICATION - SMART App Launch, OAuth 2.0, OpenID Connect, Backend Services (asymmetric key), user and system authentication;
(c) AUTHORIZATION - OAuth 2.0 scopes (patient/Resource.*, user/*, system/*, scope granularity), SMART scope syntax, Security Labels, Consent Resource enforcement;
(d) AUDIT + PROVENANCE - AuditEvent Resource logging, Provenance tracking, retention, integrity;
(e) CONSENT - Consent Resource modeling and enforcement, patient authorization, breach disclosure;
(f) BULK DATA - Bulk Data Export authorization (Backend Services, SMART Bulk Data);
(g) DIGITAL SIGNATURES - resource-level digital signatures, Provenance signatures;
(h) CROSS-ORGANIZATIONAL - backend-services-to-backend-services exchange, JWT bearer tokens, asymmetric keys;
(i) PRIVACY - de-identification, research, Security Labels, consent integration;
(j) EMERGENCY ACCESS - Break the Glass and override procedures;
(k) RESILIENCE - rate limiting, anti-abuse, server CapabilityStatement security, CORS, token lifetime and refresh.

SMART ON FHIR (Substitutable Medical Applications, Reusable Technologies): SMART App Launch IG v2.2.0 (current) covers EHR launch, standalone launch, Backend Services launch, PKCE, asymmetric keys, OAuth 2.1, OpenID Connect, scopes and capabilities; related specifications are SMART Health Cards, SMART Health Links and the SMART Cards Framework.

KEY HL7 FHIR SECURITY SPECIFICATIONS: hl7.org/fhir/security.html (R4/R5 core), SMART App Launch Implementation Guide, FHIR Bulk Data IG, FHIR Consent Resource, AuditEvent Resource, Provenance Resource, Security Labels, FHIR Operations, FHIR Subscriptions.

COORDINATION:
(1) HIPAA Privacy and Security Rules (verified separately) - foundational US healthcare privacy and security law;
(2) ONC Information Blocking Final Rule (verified separately as HITECH-coordinated) - mandates FHIR-based APIs, open APIs and USCDI;
(3) 21st Century Cures Act - Section 4002 ONC requirements, FHIR, open APIs;
(4) USCDI (United States Core Data for Interoperability) v1-v4+ - FHIR-mapped data elements;
(5) TEFCA (Trusted Exchange Framework and Common Agreement, 2022+) - voluntary nationwide interoperability, QHINs, FHIR coordination;
(6) FDA UDI, DSCSA, clinical research, drug and device registries - FHIR coordination;
(7) ONC EHR Certification 2015 Edition Cures Update - FHIR R4, USCDI, open APIs;
(8) GLOBAL ADOPTION - UK NHS, Israel, Canada, Australia, India, Singapore, Brazil and many other countries adopting FHIR for interoperability.

2024-2025+ DIRECTIONS:
(a) AI + ML INTEGRATION - FHIR APIs, AI, clinical decision support, agentic AI, Subscriptions;
(b) BULK DATA + ANALYTICS + AI - large-scale data exchange and research;
(c) QUANTUM-RESISTANT CRYPTOGRAPHY - transition planning for OAuth, TLS and JWT;
(d) PATIENT-DIRECTED EXCHANGE - patient access, apps, third parties, Open Banking-style consent;
(e) RANSOMWARE + CYBERSECURITY - sectoral cybersecurity, the Change Healthcare crisis, the healthcare-specific threat landscape;
(f) FHIR R6 PLANNING - further security enhancements, new IGs, Federated Identity and Verifiable Credentials integration.

STATUS: HL7 FHIR is freely available as an open standard published under the HL7 specifications license, with broad sectoral adoption (Fortune 500 healthcare, payers, EHRs, Mainland China, global), ongoing R6 planning, and emerging cybersecurity, AI and tokenization features.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
FHIR Security Framework: Scope, FHIR R4/R5/R6 Versions, HL7 Specification + Security/Privacy Module
| Code | Title |
|---|---|
| HL7-FHIR-Scope-Versions-HL7-Specification | HL7 FHIR Security Framework Scope, FHIR Versions (R4/R4B/R5/R6), HL7 Specification + Security/Privacy Module |
FHIR Security: Audit + Provenance + Digital Signatures + AuditEvent + Resource Integrity
| Code | Title |
|---|---|
| HL7-FHIR-Audit-Provenance-DigitalSignatures-Integrity | HL7 FHIR Audit + Provenance + Digital Signatures + AuditEvent Resource + Audit Log Integrity + Retention |
FHIR Security: Authentication + SMART App Launch + OpenID Connect + Backend Services + Token Lifetime
| Code | Title |
|---|---|
| HL7-FHIR-Auth-SMART-OAuth-OIDC-Backend | HL7 FHIR Authentication - SMART App Launch + OAuth 2.0 + OpenID Connect + Backend Services + Token Lifetime |
FHIR Security: Authorization + OAuth 2.0 Scopes + Security Labels + Consent + Patient Compartment + Bulk Data + Break the Glass
| Code | Title |
|---|---|
| HL7-FHIR-Authorization-Scopes-Consent-Bulk-Break-Glass | HL7 FHIR Authorization - OAuth 2.0 Scopes + Security Labels + Consent + Patient Compartment + Bulk Data + Break the Glass |
FHIR Security: Coordination with HIPAA + ONC + Cures + USCDI + TEFCA, 2024-2025 Pipeline
| Code | Title |
|---|---|
| HL7-FHIR-Coord-HIPAA-ONC-Cures-USCDI-TEFCA | HL7 FHIR Coordination with HIPAA, ONC Information Blocking, 21st Century Cures Act, USCDI, TEFCA + 2024-2025 Pipeline |
FHIR Security: Resilience + Rate Limiting + CORS + Anti-Abuse + SMART Health Cards + De-identification
| Code | Title |
|---|---|
| HL7-FHIR-Resilience-RateLimit-CORS-AntiAbuse-SmartHealth | HL7 FHIR Resilience - Rate Limiting + Anti-Abuse + CORS + SMART Health Cards + De-identification + Privacy |
FHIR Security: Transport TLS + Communication + Time Keeping + Server CapabilityStatement
| Code | Title |
|---|---|
| HL7-FHIR-Transport-TLS-Communication | HL7 FHIR Transport Security - TLS 1.2+, Communication Security, Time Keeping, Server CapabilityStatement |
Your Compliance Coverage
If you comply with HL7 FHIR Security Framework, you already cover:
| Framework | Coverage | Controls mapped |
|---|---|---|
| NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI) | 43% | 3 |
| MITRE D3FEND | 43% | 3 |
| IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems | 43% | 3 |

Plus 77 more, including BSI IT-Grundschutz (43%) and OWASP ASVS (43%); the framework maps to 80 other frameworks in total.
Frequently Asked Questions
What is HL7 FHIR Security Framework?
HL7 FHIR Security Framework is a compliance framework (International, Healthcare sector) with 7 domains and 7 controls. It is the foundational security, privacy and access-control framework for FHIR (Fast Healthcare Interoperability Resources), the global standard for healthcare data exchange APIs, developed and maintained by Health Level 7 International (HL7); its pillars, key specifications, coordination with other frameworks and 2024-2025+ directions are described in the summary at the top of this page. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does HL7 FHIR Security Framework have?
HL7 FHIR Security Framework has 7 controls organised across 7 domains. The largest domains are FHIR Security Framework: Scope, FHIR R4/R5/R6 Versions, HL7 Specification + Security/Privacy Module (1 control), FHIR Security: Audit + Provenance + Digital Signatures + AuditEvent + Resource Integrity (1 control), and FHIR Security: Authentication + SMART App Launch + OpenID Connect + Backend Services + Token Lifetime (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does HL7 FHIR Security Framework map to?
HL7 FHIR Security Framework maps to 80 other compliance frameworks. The top mapping partners are NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI) (43% coverage), MITRE D3FEND (43% coverage), IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems (43% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with HL7 FHIR Security Framework compliance?
Start your HL7 FHIR Security Framework compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about HL7 FHIR Security Framework requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 7 controls and track your progress.