Valinor — SMART on FHIR Patient Application

Last updated on 15 Jan 2026

Overview

Valinor is a patient-facing application that allows individuals to connect their healthcare providers and assemble their complete medical history in one place. Valinor uses the SMART on FHIR standard (OAuth 2.0) to request patient-authorized, read-only access to clinical data from supported health systems.

Valinor is currently in development and uses Epic’s sandbox environment for testing and validation.

Authorization & Consent (SMART on FHIR)

Valinor uses the SMART on FHIR standalone launch pattern.

How it works:

  • The patient initiates a connection from within Valinor

  • The patient is redirected to the provider’s portal (e.g., Epic MyChart)

  • The patient authenticates directly with the provider

  • The patient explicitly consents to share selected data

  • Valinor receives OAuth 2.0 access tokens and retrieves data via FHIR APIs

  • Valinor never stores or accesses provider usernames or passwords

  • The patient can disconnect and revoke access at any time

Valinor implements:

  • OAuth 2.0 Authorization Code flow

  • PKCE (Proof Key for Code Exchange)

  • State parameter validation (CSRF protection)
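The standalone launch outlined above, worked through as an added example (Python, not Valinor's own code): it generates the PKCE verifier/challenge pair and a state value, builds the authorization request, validates the state on the redirect back, and prepares the code exchange. The authorize URL, client ID, redirect URI and scope list are placeholder assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions, not Valinor's real configuration).
AUTHORIZE_URL = "https://fhir.example.invalid/oauth2/authorize"
CLIENT_ID = "valinor-client-id-placeholder"
REDIRECT_URI = "https://app.example.invalid/callback"
SCOPES = "openid fhirUser launch/patient patient/Patient.read patient/DocumentReference.read"

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def code_challenge(verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce() -> tuple[str, str]:
    """Fresh high-entropy verifier (43 chars) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge(verifier)

def build_authorize_url(aud: str, state: str, challenge: str) -> str:
    """Standalone-launch authorization request; aud is the FHIR base URL."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": SCOPES, "state": state,
        "aud": aud, "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Reject a callback whose state does not match the one we issued (CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    got = qs.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard callback")
    if "error" in qs or "code" not in qs:
        raise ValueError("authorization failed: " + qs.get("error", ["no code"])[0])
    return qs["code"][0]

def token_request_body(code: str, verifier: str) -> dict:
    """Token exchange body; the server recomputes SHA-256(code_verifier)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": verifier}
```

The state must be generated per authorization attempt (e.g. `secrets.token_urlsafe(32)`) and stored in the user's session so that `parse_callback` can compare it.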

Data Access & Scope Transparency

Valinor requests read-only access to the minimum necessary FHIR resources to present a patient’s medical history clearly.

Clinical Notes Handling (Epic Sandbox)

Valinor plans to retrieve clinical notes using standard FHIR patterns supported by Epic:

  • DocumentReference for clinical document metadata

  • Binary for document content (e.g., PDF, HTML)

At present:

  • Valinor is validating this workflow using Epic’s sandbox environment

  • Clinical notes retrieved from the sandbox are used strictly for testing and demonstration

  • Notes are displayed to the patient and may be summarized to improve readability

Clinical documents are handled securely and are never altered.

Security Controls

Valinor is designed with healthcare security best practices in mind.

Application Security

  • SMART on FHIR OAuth 2.0 with PKCE

  • Redirect URI allowlisting

  • No credential storage

  • Token-based access only

Data Security

  • TLS encryption in transit

  • Encryption at rest using AWS KMS

  • OAuth tokens encrypted at rest

  • Secure handling of clinical documents

Access & Audit

  • Role-based access (patient vs provider views)

  • Internal least-privilege access controls

  • Audit logging of data access and synchronization events

Privacy & User Control

  • Valinor acts as a patient-directed third-party application

  • Patients control which providers are connected

  • Patients may disconnect providers and revoke access at any time

  • Patients may request deletion of their data

Privacy Policy:
https://valinorlabs.dev/privacy

Terms of Use:
https://valinorlabs.dev/terms

Sandbox & Testing Status

Valinor is currently using Epic’s sandbox environment with test patients to validate SMART on FHIR workflows. No live production patient data from real health systems is accessed in this environment.

© 2025 Valinor