Healthcare Phi Compliance
Apply PHI/PII classification, access control, encryption, audit logging, and leak-review patterns when building or reviewing healthcare-related features.
Overview
healthcare-phi-compliance is an agent skill most often used in Ship (also Build integrations, Operate monitoring) that teaches PHI/PII classification, access control, encryption, audit trails, and leak patterns for healt
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill healthcare-phi-complianceWhat is this skill?
- Three-layer model: data classification, access control, and audit of who accessed PHI
- PHI scope covers identifiable patient data tied to health—names, IDs, diagnoses, labs, imaging, insurance
- Use cases: schemas, clinical APIs, authentication, audit trails, RLS for multi-tenant healthcare
- Frames US HIPAA, India DISHA, EU GDPR, and general healthcare data protection patterns
- Contributor origin: Health1 Super Speciality Hospitals patterns (Dr. Keyur Patel), version 1.0.0
- Three protection layers: classification, access control, audit
- Skill version 1.0.0
Adoption & trust: 3.5k installs on skills.sh; 210k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are adding patient or clinician data to a SaaS feature without a clear map of what counts as PHI, who may access it, or how to prove compliant handling.
Who is it for?
Indie developers building EHR-adjacent, telehealth, billing, or clinical workflow APIs who need agent-guided HIPAA-style guardrails during design and review.
Skip if: Non-health apps with no regulated personal data, or teams that need certified legal sign-off without any human compliance review.
When should I use this skill?
Building features touching patient records, clinical auth, healthcare schemas or APIs, audit trails, logging, or RLS; reviewing code for healthcare data exposure.
What do I get? / Deliverables
Your agent applies structured classification, access, and audit patterns—including RLS and API exposure checks—so schemas and endpoints reduce common healthcare data leaks.
- PHI/PII classification notes aligned to feature scope
- Access control and audit-trail implementation guidance
- Code-review checklist for common healthcare leak vectors
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship → security because the skill encodes compliance guardrails and exposure review right before and after features touch live patient data. Security subphase fits HIPAA-, DISHA-, and GDPR-oriented controls, RLS, and vulnerability review rather than greenfield UI work.
Where it fits
Model patient identifiers and clinical fields with explicit PHI classification before migrations.
Shape FHIR or custom APIs so responses minimize unnecessary identifiable fields.
Run a pre-launch pass for encryption, access roles, and leak vectors in new record features.
Pair compliance patterns with code review on endpoints returning clinician or patient payloads.
Extend audit logging and tenant isolation when scaling hosted clinical workloads.
How it compares
Skill-delivered compliance patterns and code-review prompts—not a replacement for a SOC 2 audit platform or automated PHI discovery scanner.
Common Questions / FAQ
Who is healthcare-phi-compliance for?
Solo and small teams shipping healthcare software who want Claude/Cursor-guided PHI handling, RLS, and audit patterns without guessing regulatory basics.
When should I use healthcare-phi-compliance?
In Build when modeling patient tables and clinical APIs, in Ship during security review before launch, and in Operate when extending logging or fixing suspected exposure in production healthcare tenants.
Is healthcare-phi-compliance safe to install?
Check the Security Audits panel on this Prism page for the package hash and audit status; treat recommendations as engineering patterns, not legal advice.
SKILL.md
READMESKILL.md - Healthcare Phi Compliance
# Healthcare PHI/PII Compliance Patterns Patterns for protecting patient data, clinician data, and financial data in healthcare applications. Applicable to HIPAA (US), DISHA (India), GDPR (EU), and general healthcare data protection. ## When to Use - Building any feature that touches patient records - Implementing access control or authentication for clinical systems - Designing database schemas for healthcare data - Building APIs that return patient or clinician data - Implementing audit trails or logging - Reviewing code for data exposure vulnerabilities - Setting up Row-Level Security (RLS) for multi-tenant healthcare systems ## How It Works Healthcare data protection operates on three layers: **classification** (what is sensitive), **access control** (who can see it), and **audit** (who did see it). ### Data Classification **PHI (Protected Health Information)** — any data that can identify a patient AND relates to their health: patient name, date of birth, address, phone, email, national ID numbers (SSN, Aadhaar, NHS number), medical record numbers, diagnoses, medications, lab results, imaging, insurance policy and claim details, appointment and admission records, or any combination of the above. **PII (Non-patient-sensitive data)** in healthcare systems: clinician/staff personal details, doctor fee structures and payout amounts, employee salary and bank details, vendor payment information. ### Access Control: Row-Level Security ```sql ALTER TABLE patients ENABLE ROW LEVEL SECURITY; -- Scope access by facility CREATE POLICY "staff_read_own_facility" ON patients FOR SELECT TO authenticated USING (facility_id IN ( SELECT facility_id FROM staff_assignments WHERE user_id = auth.uid() AND role IN ('doctor','nurse','lab_tech','admin') )); -- Audit log: insert-only (tamper-proof) CREATE POLICY "audit_insert_only" ON audit_log FOR INSERT TO authenticated WITH CHECK (user_id = auth.uid()); CREATE POLICY "audit_no_modify" ON audit_log FOR UPDATE USING (false); CREATE POLICY "audit_no_delete" ON audit_log FOR DELETE USING (false); ``` ### Audit Trail Every PHI access or modification must be logged: ```typescript interface AuditEntry { timestamp: string; user_id: string; patient_id: string; action: 'create' | 'read' | 'update' | 'delete' | 'print' | 'export'; resource_type: string; resource_id: string; changes?: { before: object; after: object }; ip_address: string; session_id: string; } ``` ### Common Leak Vectors **Error messages:** Never include patient-identifying data in error messages thrown to the client. Log details server-side only. **Console output:** Never log full patient objects. Use opaque internal record IDs (UUIDs) — not medical record numbers, national IDs, or names. **URL parameters:** Never put patient-identifying data in query strings or path segments that could appear in logs or browser history. Use opaque UUIDs only. **Browser storage:** Never store PHI in localStorage or sessionStorage. Keep PHI in memory only, fetch on demand. **Service role keys:** Never use the service_role key in client-side code. Always use the anon/publishable key and let RLS enforce access. **Logs and monitoring:** Never log full patient records. Use opaque record IDs only (not medical record numbers). Sanitize stack traces before sending to error tracking services. ### Database Schema Tagging Mark PHI/PII columns at the schema level: ```sql COMMENT ON COLUMN patients.name IS 'PHI: patient_name'; COMMENT ON COLUMN patients.dob IS 'PHI: date_of_birth'; COMMENT ON COLUMN patients.aadhaar IS 'PHI: national_id'; COMMENT