HEART Working Group - Overview

The HEART working group intends to harmonize and develop a set of privacy and security specifications that enable an individual to control the authorization of access to RESTful health-related data sharing APIs, and to facilitate interoperable implementations of these specifications by others.

HEART Working Group

What is the HEART Working Group?

HEART (Health Relationship Trust) is a set of profiles that enables patients to control how, when, and with whom their clinical data is shared. The HEART model builds on existing state-of-the-art security and adds components to ensure that patient clinical data is securely exchanged. In addition to giving patients control over how their own data is shared, HEART defines the interoperable process for systems to exchange patient-authorized healthcare data consistent with open standards, specifically FHIR (Fast Healthcare Interoperability Resources), OAuth, OpenID Connect, and UMA (User-Managed Access).

Today, attempts to enable patients to electronically manage authorizations for sharing their data have only worked within narrow ecosystems, such as a single healthcare system. This is problematic for patients because it is difficult to share healthcare data with an external physician or with a healthcare system in a different region. It is problematic for organizations and providers because there are no processes, rules, or standards for ensuring that the clinical data being shared has been authorized by patients. This lack is likely to limit adoption and use of data-sharing APIs because it will be far more difficult to ensure that apps seeking to use APIs actually have the approval to obtain access to individual patients’ data.

The goal in developing the HEART profiles was to address these issues by creating best practices that accomplish the following practical tasks:

  • Enable organizations and other entities to electronically determine whether requests for data are valid (i.e., have been authorized by the patient) and what data the requesting entity is authorized to obtain.
  • Create a protocol for managing the sharing of both permissions and data that adheres to the highest levels of security and privacy. In the process, both patients and providers increase trust that the data is authorized and accurate.
  • Support, and integrate with, systems that allow patients to set up permissions and authorizations for sharing their clinical data, to ensure that their data is shared only with the individuals, institutions, and apps that they choose.

HEART provides a standard to enable patient-mediated interoperability implementation through the FHIR APIs. To obtain the full benefit of open APIs, we need to enable the HEART standard and attain widespread adoption.

Papers and Presentations

Whitepaper Draft June 21, 2022: “The Global Open Health Movement: Empowering People and Saving Lives by Unlocking Data”

The US Office of the National Coordinator for Health Information Technology (ONC for Health IT) lists HEART as a Health IT Standard to Watch, and sponsored a two-hour webinar/workshop on 23 April 2019. Slides and a recording are available.

The HEART Work Group co-chairs presented on Emerging Identity Standards in Healthcare at the Identiverse conference in June 2018 (slides, video).

The group has written the following use cases to crystallize key needs in patient-directed health data exchange and how HEART can contribute to the solution:

Working Group Chairs

  • Debbie Bucci (Equideum Health)


To monitor progress and connect with working group members, join the mailing list.

Participating in or contributing to a specification within the working group requires the submission of an Intellectual Property Rights (IPR) contribution agreement. You can complete this electronically or on paper at openid.net/intellectual-property.
Be sure to specify, in the working groups box, the exact name:

Meeting Schedule