SMART on FHIR · Developer Documentation
InclusiCare FHIR Integration
Patient-facing SMART on FHIR® application for caregivers of neurodivergent individuals. Read-only health record integration with Epic via patient-authorized OAuth 2.0.
Last updated: May 2026
What InclusiCare does
InclusiCare is a care coordination platform that helps caregivers manage daily life for neurodivergent individuals — children with autism, ADHD, sensory processing differences, anxiety, and similar conditions. The app lets caregivers:
- Track daily mood, energy, sleep, and behavioral patterns
- Record meaningful events and the interventions that helped
- Build personalized coping strategy libraries
- Coordinate with care team members (family, teachers, therapists, providers)
- Hand off care context to substitute caregivers
- Talk to CARLA, an AI care assistant, for in-the-moment support and pattern insights
Connecting a health record gives caregivers a unified view of medical context alongside the behavioral and developmental tracking that InclusiCare’s core experience is built around.
What data InclusiCare reads from your health record
When you connect your MyChart account, InclusiCare requests read-only access to the following FHIR R4 resource categories. These map to the standard SMART on FHIR scopes you’ll see on Epic’s consent screen. All scopes use the patient/{Resource}.read prefix — none use .write.
| Category | Why it’s useful for caregiving |
|---|---|
| Patient demographics | Name, date of birth, basic identifiers — needed to identify whose record you’re viewing. |
| Conditions / Diagnoses | Active and historical diagnoses — context for behavior, medications, and goals. |
| Allergies & intolerances | Critical for daily safety, school/babysitter handoffs, and ER readiness. |
| Medications | Current and historical prescriptions; dose changes that may affect behavior. |
| Immunizations | Vaccination history for school enrollment, travel, and provider visits. |
| Observations | Vitals, labs, growth, social history, behavioral assessments. |
| Diagnostic reports | Lab and imaging summaries. |
| Procedures | Surgical and clinical procedures performed. |
| Encounters | Recent visits — context for everything else in the record. |
| Document references | Clinical notes, school evaluations, IEP/504 documents stored in the record. |
| Care plans | Provider-authored treatment and care plans. |
| Care team | The list of clinicians involved in the patient’s care. |
| Goals | Care goals set by the provider team. |
| Related persons | Family relationships, guardians, healthcare proxies. |
| Appointments | Upcoming and past appointments. |
The full SMART scope list is published in our JWKS-registered Epic application configuration: /.well-known/jwks-epic.json
What InclusiCare does not do
No writes back to your health record
The application is read-only. Notes, observations, and tracking data you create in InclusiCare are stored in InclusiCare’s own system — they are never sent back to your provider’s EHR.
No bulk extraction
Data is fetched per authenticated patient session, not in bulk.
No sharing with advertisers or data brokers
We do not sell user data, run advertising on user data, or share identifiable health information with third parties for marketing.
No clinical decision support presented as medical advice
CARLA, our AI assistant, is a coordination and documentation tool. It does not diagnose, prescribe, or replace professional medical judgment.
How the integration works
InclusiCare uses the standard SMART App Launch v2.2.0 Standalone Launch flow.
1. You initiate the connection: Inside InclusiCare you choose your healthcare provider organization from the directory of MyChart-connected systems.
2. Provider discovery: InclusiCare fetches your provider’s .well-known/smart-configuration via Epic’s published endpoint list (open.epic.com) to learn the authorization and token endpoints.
3. Authorization with MyChart: You’re redirected to your provider’s MyChart login. InclusiCare never sees your MyChart username or password. Your provider authenticates you and returns an authorization code.
4. Token exchange: InclusiCare’s backend exchanges the code for an access token, authenticating itself to your provider’s Epic with a signed JWT client assertion (RFC 7523) verified against our published JWKS.
5. Resource retrieval: InclusiCare uses the access token to fetch the FHIR resources listed above, scoped to your patient identifier only.
6. Display in InclusiCare: The data is shown to you in the app and is available to CARLA for coordination and contextual conversation. Access tokens are short-lived (~5 minutes); refresh tokens allow background re-auth without re-prompting for MyChart credentials.
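The provider discovery and authorization steps above, sketched as an added example (not InclusiCare's own code): it checks a discovery document before trusting it, enforces the read-only scope policy, and builds the PKCE authorization request. The sample configuration, the example.org URLs, the client ID and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample discovery document; not a real provider's configuration.
SAMPLE_CONFIG = {
    "authorization_endpoint": "https://fhir.example.org/oauth2/authorize",
    "token_endpoint": "https://fhir.example.org/oauth2/token",
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
    "capabilities": ["launch-standalone", "client-confidential-asymmetric"],
}

def check_smart_config(cfg):
    """Return a list of problems; an empty list means the flow may proceed."""
    problems = []
    for key in ("authorization_endpoint", "token_endpoint"):
        url = urlsplit(cfg.get(key, ""))
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{key} is not an absolute https URL")
    if "S256" not in cfg.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 is not advertised")
    if "private_key_jwt" not in cfg.get("token_endpoint_auth_methods_supported", []):
        problems.append("private_key_jwt client authentication is not advertised")
    if "launch-standalone" not in cfg.get("capabilities", []):
        problems.append("standalone launch is not advertised")
    return problems

def pkce_pair():
    """RFC 7636: random verifier plus its base64url(SHA-256) challenge."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(cfg, client_id, redirect_uri, fhir_base, scopes):
    """Return (url, state, verifier); state and verifier stay server-side."""
    problems = check_smart_config(cfg)
    # Read-only policy from this page: resource scopes must end in .read.
    problems += [f"non-read scope: {s}" for s in scopes if "/" in s and not s.endswith(".read")]
    if problems:
        raise ValueError("; ".join(problems))
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": state, "aud": fhir_base,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{cfg['authorization_endpoint']}?{query}", state, verifier
```

On the callback, the returned state must match the stored value before the code is exchanged, and the stored verifier is sent as code_verifier in the token request.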
Privacy & security
Where your data lives
- At your provider: Your original health record stays at your provider’s Epic instance. InclusiCare doesn’t change it.
- At InclusiCare: Data shown to you in the app is processed by InclusiCare’s backend, which runs on Microsoft Azure (App Service, US East region). Persisted user-generated content — your notes, tracking entries, care plan items, and conversations with CARLA — is stored in MongoDB Atlas. Data is encrypted in transit (TLS 1.2+) and at rest.
- Tokens: OAuth access and refresh tokens are stored using platform-native secure storage — Keychain on iOS, Keystore on Android, and encrypted session storage on web. Tokens are never transmitted to third parties.
Audit logging
Every access to health data through InclusiCare’s API is logged with a timestamped audit record. Audit logs are retained for the minimum period required by applicable law and are available to InclusiCare’s security and compliance team for review.
What disconnecting does
When you disconnect a health system in Settings → Health Records, InclusiCare stops importing new data from that provider. Information you have already shared with CARLA or that has been stored as notes, tracking entries, or care records remains in your account until you delete it. To remove that information, edit or delete the records individually, or delete your account.
Account deletion
Deleting your InclusiCare account permanently removes all of your stored data — including conversation history, care notes, tracking entries, and any imported health record content — within 30 days. Backups are purged on the same cycle. Audit logs that are required for compliance purposes may be retained in anonymized form for the minimum period required by law.
To delete your account, visit Settings → Account → Delete Account or contact [email protected].
Right to access, correct, or delete
Residents of jurisdictions that grant a right to access, correct, or delete personal information (including California, Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws) may exercise those rights by contacting [email protected]. InclusiCare responds within the timeframes required by applicable law.
Compliance posture
| Framework | InclusiCare status |
|---|---|
| HIPAA | InclusiCare is a patient-facing application. Patients access their own data through patient-authorized OAuth 2.0 flows. When InclusiCare partners with a covered entity (healthcare organization or insurer), a Business Associate Agreement (BAA) is executed. |
| FTC Health Breach Notification Rule | InclusiCare maintains breach detection and notification procedures consistent with FTC requirements for personal health record vendors. |
| State privacy laws (CCPA, CDPA, CPA, CTDPA, UCPA, etc.) | InclusiCare honors access, correction, and deletion requests under applicable state laws. |
| SMART App Launch v2.2.0 | Patient-facing Standalone Launch with PKCE; production uses RS256 client assertion JWTs (RFC 7523). |
| US Core 6.x | All scopes requested are within USCDIv3 / US Core 6.x. The application is enrolled in Epic’s USCDIv3 automatic distribution program. |
Data Use Questionnaire (Epic)
InclusiCare’s responses to Epic’s Data Use Questionnaire are available to patients during the OAuth consent flow. The summary:
- App provider type: For-profit organization (InclusiGear / Doolittle Corporation)
- Funding model: Subscriptions, donations, and grants
- Data storage location: Servers under the developer’s control (US-based Microsoft Azure / MongoDB Atlas)
- Who has access: The user, the user’s care circle (people they explicitly invite), and InclusiCare staff for support and security purposes
- User obtains complete record: Yes — through account deletion or per-record export on request
- Use beyond direct services: Data may be used in aggregate, de-identified form to improve InclusiCare’s services
- Audit log access for users: Not currently available in the app; users can request audit information by contacting support
- Retention after deletion: No identifiable data retained after the 30-day deletion window
Application registration details
For Epic on FHIR reviewers and healthcare partners performing security or compliance reviews.
- Epic registration name: InclusiCare
- Application audience: Patients
- Client authentication: Confidential Client with RS256 JWT assertion (RFC 7523)
- JWK Set — Production: https://inclusicare-api-gbdhgyhchcdtgjcc.eastus-01.azurewebsites.net/.well-known/jwks-epic.json
- JWK Set — Non-production: https://inclusicare-api-gbdhgyhchcdtgjcc.eastus-01.azurewebsites.net/.well-known/jwks-epic-sandbox.json
- Application Endpoint URI: https://inclusicare.net
- Redirect URIs registered: All InclusiCare web and mobile callback URIs (HTTPS for web, custom scheme com.inclusicare.app://callback for native mobile)
Reporting issues
Security issues
If you discover a security vulnerability in InclusiCare’s FHIR integration or any other aspect of the application, please report it responsibly to [email protected] with “Security” in the subject line. Verified reports receive a response within two business days, and we coordinate disclosure timelines with the reporter.
Connection problems
If you’re a patient and can’t connect your health records, your provider organization may not yet have InclusiCare available in their MyChart app catalog (Epic’s USCDIv3 auto-distribution can take up to 48 hours to reach individual customer instances). If the issue persists, contact [email protected] with your provider’s name and a description of what you see.
Contact
InclusiCare is built and supported by William Kreitzer, founder of InclusiGear / Doolittle Corporation. All inquiries — patient support, security reports, partnerships, BAA requests — go to the same address; please include a relevant subject line so they can be triaged efficiently.
| Reason | Contact | Subject line tip |
|---|---|---|
| Patient support | [email protected] | "Support: ..." |
| Security reports | [email protected] | "Security: ..." |
| Partnerships & BAA inquiries | [email protected] | "Partnership: ..." |
| Privacy policy | inclusicare.net/privacy-policy | |
| Terms of service | inclusicare.net/terms-of-service | |
InclusiCare and the InclusiCare logo are trademarks of InclusiGear / Doolittle Corporation. FHIR®, SMART®, and HL7® are registered trademarks of Health Level Seven International. Epic and Epic on FHIR are trademarks of Epic Systems Corporation.