Hipaa Compliance

Name: Hipaa Compliance
Author: affaan-m

affaan-m/everything-claude-code

Route HIPAA-framed work to the right healthcare privacy, reviewer, and general security skills without re-deriving the compliance stack each time.

Install

npx skills add https://github.com/affaan-m/everything-claude-code --skill hipaa-compliance

What is this skill?

Thin HIPAA-specific entrypoint that defers implementation to healthcare-phi-compliance
Chains to healthcare-reviewer for architecture and product behavior second passes
Keeps security-review in scope for auth, secrets, APIs, and deployment hardening
Triggers on PHI, covered entities, business associates, and BAA language
Frames HIPAA as an overlay on broader healthcare privacy rules rather than a duplicate skill

Adoption & trust: 3k installs on skills.sh; 210k GitHub stars; 3/3 security scanners passed (skills.sh audits).

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Primary fit

HIPAA review and breach posture land on the Ship security shelf even when implementation started earlier in Build. The skill is an explicit compliance entrypoint for auth, logging, BAAs, and minimum-necessary access—not generic feature coding.

Common Questions / FAQ

Is Hipaa Compliance safe to install?

skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.

SKILL.md

READMESKILL.md - Hipaa Compliance

# HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

- `healthcare-phi-compliance` remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
- `healthcare-reviewer` remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
- `security-review` still applies for general auth, input-handling, secrets, API, and deployment hardening.

## When to Use

- The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
- Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
- Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
- Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

## How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

1. Start with `healthcare-phi-compliance` for the concrete implementation rules.
2. Apply HIPAA-specific decision gates:
   - Is this data PHI?
   - Is this actor a covered entity or business associate?
   - Does a vendor or model provider require a BAA before touching the data?
   - Is access limited to the minimum necessary scope?
   - Are read/write/export events auditable?
3. Escalate to `healthcare-reviewer` if the task affects patient safety, clinical workflows, or regulated production architecture.

## HIPAA-Specific Guardrails

- Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
- Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
- Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
- Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
- Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
- Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.

## Examples

### Example 1: Product request framed as HIPAA

User request:

> Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

- Activate `hipaa-compliance`
- Use `healthcare-phi-compliance` to review PHI movement, logging, storage, and prompt boundaries
- Verify whether the summarization provider is covered by a BAA before any PHI is sent
- Escalate to `healthcare-reviewer` if the summaries influence clinical decisions

### Example 2: Vendor/tooling decision

User request:

> Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

- Assume those messages may contain PHI
- Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
- Require redaction or a non-PHI event model when possible

## Related Skills

- `healthcare-phi-compliance`
- `healthcare-reviewer`
- `healthcare-emr-patterns`
- `healthcare-eval-harness`
- `security-review`

What is this skill?

Thin HIPAA-specific entrypoint that defers implementation to healthcare-phi-compliance

Chains to healthcare-reviewer for architecture and product behavior second passes

Keeps security-review in scope for auth, secrets, APIs, and deployment hardening

Triggers on PHI, covered entities, business associates, and BAA language

Frames HIPAA as an overlay on broader healthcare privacy rules rather than a duplicate skill

Adoption & trust: 3k installs on skills.sh; 210k GitHub stars; 3/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Hipaa Compliance

# HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

- `healthcare-phi-compliance` remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
- `healthcare-reviewer` remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
- `security-review` still applies for general auth, input-handling, secrets, API, and deployment hardening.

## When to Use

- The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
- Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
- Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
- Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

## How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

1. Start with `healthcare-phi-compliance` for the concrete implementation rules.
2. Apply HIPAA-specific decision gates:
   - Is this data PHI?
   - Is this actor a covered entity or business associate?
   - Does a vendor or model provider require a BAA before touching the data?
   - Is access limited to the minimum necessary scope?
   - Are read/write/export events auditable?
3. Escalate to `healthcare-reviewer` if the task affects patient safety, clinical workflows, or regulated production architecture.

## HIPAA-Specific Guardrails

- Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
- Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
- Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
- Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
- Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
- Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.

## Examples

### Example 1: Product request framed as HIPAA

User request:

> Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

- Activate `hipaa-compliance`
- Use `healthcare-phi-compliance` to review PHI movement, logging, storage, and prompt boundaries
- Verify whether the summarization provider is covered by a BAA before any PHI is sent
- Escalate to `healthcare-reviewer` if the summaries influence clinical decisions

### Example 2: Vendor/tooling decision

User request:

> Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

- Assume those messages may contain PHI
- Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
- Require redaction or a non-PHI event model when possible

## Related Skills

- `healthcare-phi-compliance`
- `healthcare-reviewer`
- `healthcare-emr-patterns`
- `healthcare-eval-harness`
- `security-review`

Install

What is this skill?

Recommended Skills

Journey fit

Is Hipaa Compliance safe to install?

SKILL.md

This week for builders

Install

What is this skill?

Recommended Skills

Journey fit

Is Hipaa Compliance safe to install?

SKILL.md