It's easy to understand HEART once you adopt the JASON perspective of separating data storage from data access authorization. Once you do that, the way to interop for all sorts of data sources (EHR, PHR, wearable, implant) becomes much easier to understand in both clinical and research use-cases.
The only thing HEART has in common with Blue Button and C-CDA is that a HEART FHIR resource also applies to _only one patient_. HEART is not about a data model or format in the sense that BB is structured text and C-CDA is XML. HEART is purely about FHIR and other restful APIs when these APIs pertain to a single patient. This single patient is the UMA Resource Owner, or the legal Principal, or the research Subject, or the Patient, or the person named Alice.
In HEART, a data storage entity (hospital, personal health records biz, wearable cloud, substance abuse treatment clinic) is willing to expose resources via a FHIR API that accepts authorization tokens one patient per resource. A single patient can have multiple resources, of course.
Once one accepts the separation of storage from authorization on the basis of single-patient resources, the discussion shifts to: What or who is the data access authorization server? There are two possible answers: Either it's the patient's own personal AS or it's some entity that is not controlled directly by the patient. In the latter case, where a single entity (e.g.: a Health Information Exchange, Epic, athenaHealth, Apple) is delegated to control access, the question becomes what governance mechanism applies to the entity and can it cover exchange across HIPAA, research, 42CFR part 2, and wearables boundaries?
HEART is designed to handle both the personal AS and the shared AS alternatives for data access authorization. FHIR, as long as it provides resources that pertain to only one patient, can be totally agnostic to what kind of AS each patient chooses. There's no reason to build any governance or policy structure into the FHIR standards. Governance and policy can live in a separate authorization layer like HEART. That's the JASON model.