affaan-m/hipaa-compliance

HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.

v1.1 · Saved May 11, 2026

HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

  • healthcare-phi-compliance remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
  • healthcare-reviewer remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
  • security-review still applies for general auth, input-handling, secrets, API, and deployment hardening.

When to Use

  • The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
  • Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
  • Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
  • Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

  1. Start with healthcare-phi-compliance for the concrete implementation rules.
  2. Apply HIPAA-specific decision gates:
    • Is this data PHI?
    • Is this actor a covered entity or business associate?
    • Does a vendor or model provider require a BAA before touching the data?
    • Is access limited to the minimum necessary scope?
    • Are read/write/export events auditable?
  3. Escalate to healthcare-reviewer if the task affects patient safety, clinical workflows, or regulated production architecture.

HIPAA-Specific Guardrails

  • Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
  • Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
  • Require authenticated access, scoped authorization, and audit trails for PHI reads, writes, and exports.
  • Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
  • Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
  • Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.

Examples

Example 1: Product request framed as HIPAA

User request:

Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

  • Activate hipaa-compliance
  • Use healthcare-phi-compliance to review PHI movement, logging, storage, and prompt boundaries
  • Verify whether the summarization provider is covered by a BAA before any PHI is sent
  • Escalate to healthcare-reviewer if the summaries influence clinical decisions

Example 2: Vendor/tooling decision

User request:

Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

  • Assume those messages may contain PHI
  • Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
  • Require redaction or a non-PHI event model when possible
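The redaction and non-PHI event model called for in this response pattern, together with the guardrails above (no PHI in logs, opaque IDs instead of MRNs, minimum necessary access, auditable reads), can be made concrete in code. The following Python sketch is an added illustration, not part of the skill or the author's code: identifier-bearing fields are dropped and patients are referenced only by a keyed opaque id, identifier patterns in free text are scrubbed, a logging filter refuses records that look like PHI, and a role-scoped projection returns a minimum-necessary view plus a value-free audit entry. The field list, regexes, role views, pseudonymisation key and sample messages are assumptions constructed for the example, not a complete Safe Harbor identifier set.

```python
"""PHI-boundary helpers: non-PHI analytics events, a PHI-refusing log filter, and a
minimum-necessary view with a value-free audit entry. Added illustration, not the
skill's own code; field names, patterns, role views and the key are assumptions."""
import hashlib
import hmac
import logging
import re

# Assumed per-deployment pseudonymisation secret; in production load it from a KMS.
PSEUDONYM_KEY = b"example-only-rotate-me"

# Identifier-bearing fields that must not leave the PHI boundary (illustrative subset).
PHI_FIELDS = {"patient_id", "name", "first_name", "last_name", "mrn", "ssn", "dob",
              "phone", "email", "address", "body", "message", "transcript"}

# Identifier patterns that hide inside free text; extend per data source.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                                 # SSN
    re.compile(r"\b(?:\+1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),  # US phone
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),                          # email
    re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),                   # MRN
]

# Assumed role-to-field views; the real map comes from the product's access policy.
ROLE_VIEWS = {
    "scheduler": {"appointment_at", "clinic"},
    "billing": {"clinic", "insurance_id"},
    "clinician": {"appointment_at", "clinic", "diagnosis", "medications"},
}

def opaque_id(patient_id: str) -> str:
    """Keyed one-way pseudonym: stable for joins, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def contains_phi(text: str) -> bool:
    """True if any identifier pattern appears in the text."""
    return any(p.search(text) for p in PHI_PATTERNS)

def scrub(text: str) -> str:
    """Replace identifier patterns in free text with a fixed marker."""
    for pattern in PHI_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def to_analytics_event(raw: dict) -> dict:
    """Project a support/patient message onto a non-PHI event model: PHI fields are
    dropped, the patient is referenced only by opaque id, free text is reduced to
    its length, and every remaining string is scrubbed as a backstop."""
    event = {
        "event_type": raw.get("event_type", "message"),
        "subject": opaque_id(str(raw["patient_id"])),
        "channel": raw.get("channel"),
        "message_len": len(raw.get("body", "")),
    }
    for key, value in raw.items():
        if key in event or key in PHI_FIELDS:
            continue
        event[key] = scrub(value) if isinstance(value, str) else value
    return event

class PHILogGuard(logging.Filter):
    """Logging filter that drops any record whose rendered message looks like PHI."""

    def __init__(self) -> None:
        super().__init__()
        self.blocked = 0

    def filter(self, record: logging.LogRecord) -> bool:
        if contains_phi(record.getMessage()):
            self.blocked += 1
            return False
        return True

def access_phi(actor: str, role: str, action: str, record: dict, purpose: str):
    """Return (minimum-necessary view, audit entry) for one PHI read/write/export.
    The audit entry names the fields touched but never carries their values."""
    if action not in {"read", "write", "export"}:
        raise ValueError(f"unknown action {action!r}")
    if role not in ROLE_VIEWS:
        raise PermissionError(f"role {role!r} has no PHI view")
    view = {"subject": opaque_id(str(record["patient_id"]))}
    view.update({k: v for k, v in record.items() if k in ROLE_VIEWS[role]})
    audit = {"actor": actor, "role": role, "action": action, "subject": view["subject"],
             "fields": sorted(view), "purpose": purpose}
    return view, audit

if __name__ == "__main__":
    # Constructed samples: a chat-widget message and a chart record (not real data).
    msg = {"event_type": "support_message", "patient_id": "MRN-88812345", "channel": "chat",
           "name": "Jane Doe", "body": "Please call 555-123-4567 about my bill",
           "topic": "billing question, reply to jane@example.com"}
    chart = {"patient_id": "MRN-88812345", "name": "Jane Doe", "dob": "1980-01-02",
             "clinic": "north", "appointment_at": "2026-05-12T09:00", "diagnosis": "J06.9"}
    print(to_analytics_event(msg))
    print(access_phi("u_42", "scheduler", "read", chart, "reschedule visit"))
    log = logging.getLogger("phi-demo")
    log.addFilter(PHILogGuard())
    log.warning("contact patient at 555-123-4567")  # dropped before it reaches a handler
```

Two caveats belong with this pattern. The HMAC pseudonym is derived from a patient identifier with a secret key, so treat events carrying it as pseudonymised rather than de-identified: keep the key inside the PHI boundary, rotate it as a secret, and do not rely on it alone to meet the Safe Harbor de-identification standard. The regex scrub is a backstop for fields that were supposed to be identifier-free; dropping free text outright, as `to_analytics_event` does for the message body, is what actually keeps PHI out of the analytics vendor.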

Related Skills

  • healthcare-phi-compliance
  • healthcare-reviewer
  • healthcare-emr-patterns
  • healthcare-eval-harness
  • security-review

Files

1 file · 1.0 KB

Overall Score

87/100 · Grade A (Excellent)

Safety 92 · Quality 85 · Clarity 88 · Completeness 80

Summary

This skill is a HIPAA-specific decision gateway that routes healthcare compliance tasks to specialized downstream skills. It clarifies when to use `healthcare-phi-compliance`, `healthcare-reviewer`, and `security-review` based on whether a request involves PHI, covered entities, or BAA requirements. The skill itself contains no code execution—it purely documents HIPAA guardrails and decision logic.

Detected Capabilities

Task routing · Decision logic · Documentation and guidance

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

  • hipaa compliance check
  • phi handling decision
  • baa requirement verification
  • healthcare data routing
  • vendor hipaa assessment
  • patient data boundaries
  • clinical workflow audit

Use Cases

  • Route HIPAA-framed healthcare tasks to appropriate specialized skills
  • Assess PHI exposure in logging, analytics, and LLM prompts
  • Verify vendor/SaaS BAA requirements before accessing patient data
  • Design minimum-necessary access controls for clinical workflows
  • Determine if a task requires escalation to healthcare-reviewer for patient safety review

Quality Notes

  • Skill is well-scoped as a decision entrypoint, not an implementation skill
  • Clear decision gates provided (Is this PHI? Covered entity? BAA required?)
  • Explicitly delegates to downstream skills rather than attempting comprehensive implementation
  • HIPAA guardrails are concise and actionable (no PHI in logs, URLs, analytics, prompts)
  • Two realistic examples (dashboard summarization, analytics transcript routing) illustrate the skill's routing purpose
  • Minimal but complete—skill avoids scope creep while remaining self-contained
  • Related skills are named and their roles are clearly differentiated

Model: claude-haiku-4-5-20251001 · Analyzed: May 11, 2026

Reviews

No reviews yet

Version History

  • v1.1 (latest) · 2026-04-20 · Content updated
  • v1.0 · 2026-04-12 · No changelog
