hipaa-compliance
HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.
How do I install this agent skill?
npx skills add https://github.com/affaan-m/everything-claude-code --skill hipaa-complianceIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill provides high-level guidelines and best practices for HIPAA compliance and handling Protected Health Information (PHI). It is purely instructional and contains no executable code, network requests, or external dependencies.
- Socketpass
No alerts
- Snykpass
Risk: LOW · No issues
- ZeroLeakspass
Score: 93/100 · 2 sections analyzed
What does this agent skill do?
HIPAA Compliance
Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:
healthcare-phi-complianceremains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.healthcare-reviewerremains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.security-reviewstill applies for general auth, input-handling, secrets, API, and deployment hardening.
When to Use
- The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
- Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
- Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
- Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter
How It Works
Treat HIPAA as an overlay on top of the broader healthcare privacy skill:
- Start with
healthcare-phi-compliancefor the concrete implementation rules. - Apply HIPAA-specific decision gates:
- Is this data PHI?
- Is this actor a covered entity or business associate?
- Does a vendor or model provider require a BAA before touching the data?
- Is access limited to the minimum necessary scope?
- Are read/write/export events auditable?
- Escalate to
healthcare-reviewerif the task affects patient safety, clinical workflows, or regulated production architecture.
HIPAA-Specific Guardrails
- Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
- Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
- Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
- Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
- Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
- Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.
Examples
Example 1: Product request framed as HIPAA
User request:
Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.
Response pattern:
- Activate
hipaa-compliance - Use
healthcare-phi-complianceto review PHI movement, logging, storage, and prompt boundaries - Verify whether the summarization provider is covered by a BAA before any PHI is sent
- Escalate to
healthcare-reviewerif the summaries influence clinical decisions
Example 2: Vendor/tooling decision
User request:
Can we send support transcripts and patient messages into our analytics stack?
Response pattern:
- Assume those messages may contain PHI
- Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
- Require redaction or a non-PHI event model when possible
Related Skills
healthcare-phi-compliancehealthcare-reviewerhealthcare-emr-patternshealthcare-eval-harnesssecurity-review
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/affaan-m/everything-claude-code/hipaa-compliance">View hipaa-compliance on skillZs</a>