hipaa-compliance
Ensure HIPAA compliance when handling PHI (Protected Health Information). Use when writing code that accesses user health data, check-ins, journal entries, or any sensitive information. Activates for audit logging, data access, security events, and compliance questions.
Best use case
hipaa-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Ensure HIPAA compliance when handling PHI (Protected Health Information). Use when writing code that accesses user health data, check-ins, journal entries, or any sensitive information. Activates for audit logging, data access, security events, and compliance questions.
Teams using hipaa-compliance should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/hipaa-compliance/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How hipaa-compliance Compares
| Feature / Agent | hipaa-compliance | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Ensure HIPAA compliance when handling PHI (Protected Health Information). Use when writing code that accesses user health data, check-ins, journal entries, or any sensitive information. Activates for audit logging, data access, security events, and compliance questions.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# HIPAA Compliance for Recovery Coach
This skill helps you maintain HIPAA compliance when developing features that handle Protected Health Information (PHI).
## What is PHI in This Application?
| Data Type | PHI Status | Handling |
|-----------|------------|----------|
| Check-in mood/cravings | PHI | Audit all access |
| Journal entries | PHI | Audit all access |
| Chat conversations | PHI | Audit all access |
| User profile (name, email) | PHI | Audit modifications |
| Sobriety date | PHI | Audit access |
| Emergency contacts | PHI | Audit access |
| Usage analytics (aggregated) | NOT PHI | No audit needed |
| Page views (no content) | NOT PHI | No audit needed |
## Audit Logging Requirements
### When to Log
**Always log these operations:**
- Viewing any PHI (check-ins, journal, messages)
- Creating/updating/deleting PHI
- Exporting user data
- Admin access to user information
- Failed authentication attempts
- Security events (rate limiting, unauthorized access)
### How to Log
Use the audit logging utilities in `src/lib/hipaa/audit.ts`:
```typescript
import {
logPHIAccess,
logPHIModification,
logSecurityEvent,
logAdminAction
} from '@/lib/hipaa/audit';
// Viewing PHI
await logPHIAccess(
userId,
'checkin', // targetType
checkinId, // targetId
AuditAction.PHI_VIEW
);
// Modifying PHI
await logPHIModification(
userId,
'journal',
journalId,
AuditAction.PHI_UPDATE,
{ field: 'content' } // Never include actual content!
);
// Security event
await logSecurityEvent(
userId,
AuditAction.RATE_LIMIT,
{ path: '/api/chat', attempts: 60 }
);
// Admin action
await logAdminAction(
adminId,
AuditAction.ADMIN_USER_VIEW,
'user',
targetUserId
);
```
## Data Sanitization
### Never Log These Fields
The audit system automatically sanitizes, but be explicit:
```typescript
// BAD - Contains PHI
await logPHIAccess(userId, 'journal', id, action, {
content: journalEntry.content // NEVER DO THIS
});
// GOOD - Only metadata
await logPHIAccess(userId, 'journal', id, action, {
wordCount: journalEntry.content.length,
hasAttachments: false
});
```
### Sanitized Fields (Auto-Redacted)
- `password`, `token`, `secret`, `key`
- `authorization`, `cookie`, `session`
- `credential`, `content`, `message`, `notes`
## Session Security Requirements
From `src/lib/auth.ts`:
- **Session timeout**: 15 minutes of inactivity (HIPAA requirement)
- **Max session**: 8 hours absolute maximum
- **Failed login lockout**: 5 attempts = 30 minute ban
- **Password requirements**: 12+ chars, mixed case, numbers, special chars
## Code Patterns
### API Route with Audit Logging
```typescript
import { getSession, requireAuth } from '@/lib/auth';
import { logPHIAccess } from '@/lib/hipaa/audit';
export async function GET(request: Request) {
const session = await getSession();
if (!session) {
return Response.json({ error: 'Unauthorized' }, { status: 401 });
}
// Fetch the data
const data = await fetchUserData(session.userId);
// Log the access
await logPHIAccess(
session.userId,
'userdata',
session.userId,
AuditAction.PHI_VIEW
);
return Response.json(data);
}
```
### Component with PHI Access
```typescript
'use client';
import { useEffect } from 'react';
export function JournalViewer({ entryId }: { entryId: string }) {
useEffect(() => {
// Log view on mount (server-side preferred, but client backup)
fetch('/api/audit/log', {
method: 'POST',
body: JSON.stringify({
action: 'PHI_VIEW',
targetType: 'journal',
targetId: entryId
})
});
}, [entryId]);
// ... render
}
```
## Compliance Checklist
Before shipping any feature that touches PHI:
- [ ] All PHI access is audit logged
- [ ] No PHI content in logs (only IDs and metadata)
- [ ] Data access requires authentication
- [ ] Admin access has separate audit trail
- [ ] Failed access attempts are logged
- [ ] Data export includes audit entry
- [ ] Sensitive fields are encrypted at rest
- [ ] Session timeout is enforced
## Audit Log Retention
- **Minimum**: 6 years (HIPAA requirement)
- **Format**: Raw logs for 1 year, compressed thereafter
- **Location**: `audit_log` table in database
- **Export**: Encrypted exports for compliance audits
## Emergency Access (Break Glass)
For emergency situations, use break-glass access:
```typescript
import { requestBreakGlassAccess } from '@/lib/hipaa/break-glass';
// This creates enhanced audit trail
const access = await requestBreakGlassAccess(
adminId,
targetUserId,
'Emergency support required - user reported crisis'
);
```
Break glass access:
- Requires written justification
- Creates permanent audit record
- Triggers alert to compliance officer
- Must be reviewed within 24 hours
## Resources
- HIPAA Security Rule: 45 C.F.R. § 164.312
- Audit controls standard: 45 C.F.R. § 164.312(b)
- Incident response plan: `docs/INCIDENT-RESPONSE-PLAN.md`
- Security documentation: `docs/SECURITY-HARDENING.md`Related Skills
zinc-database
Access ZINC (230M+ purchasable compounds). Search by ZINC ID/SMILES, similarity searches, 3D-ready structures for docking, analog discovery, for virtual screening and drug discovery.
zarr-python
Chunked N-D arrays for cloud storage. Compressed arrays, parallel I/O, S3/GCS integration, NumPy/Dask/Xarray compatible, for large-scale scientific computing pipelines.
xlsx
Use this skill any time a spreadsheet file is the primary input or output. This means any task where the user wants to: open, read, edit, or fix an existing .xlsx, .xlsm, .csv, or .tsv file (e.g., adding columns, computing formulas, formatting, charting, cleaning messy data); create a new spreadsheet from scratch or from other data sources; or convert between tabular file formats. Trigger especially when the user references a spreadsheet file by name or path — even casually (like "the xlsx in my downloads") — and wants something done to it or produced from it. Also trigger for cleaning or restructuring messy tabular data files (malformed rows, misplaced headers, junk data) into proper spreadsheets. The deliverable must be a spreadsheet file. Do NOT trigger when the primary deliverable is a Word document, HTML report, standalone Python script, database pipeline, or Google Sheets API integration, even if tabular data is involved.
writing-skills
Use when creating new skills, editing existing skills, or verifying skills work before deployment
writing-plans
Use when you have a spec or requirements for a multi-step task, before touching code
wikipedia-search
Search and fetch structured content from Wikipedia using the MediaWiki API for reliable, encyclopedic information
wellally-tech
Integrate digital health data sources (Apple Health, Fitbit, Oura Ring) and connect to WellAlly.tech knowledge base. Import external health device data, standardize to local format, and recommend relevant WellAlly.tech knowledge base articles based on health data. Support generic CSV/JSON import, provide intelligent article recommendations, and help users better manage personal health data.
weightloss-analyzer
分析减肥数据、计算代谢率、追踪能量缺口、管理减肥阶段
<!--
# COPYRIGHT NOTICE
verification-before-completion
Use when about to claim work is complete, fixed, or passing, before committing or creating PRs - requires running verification commands and confirming output before making any success claims; evidence before assertions always
vcf-annotator
Annotate VCF variants with VEP, ClinVar, gnomAD frequencies, and ancestry-aware context. Generates prioritised variant reports.
vaex
Use this skill for processing and analyzing large tabular datasets (billions of rows) that exceed available RAM. Vaex excels at out-of-core DataFrame operations, lazy evaluation, fast aggregations, efficient visualization of big data, and machine learning on large datasets. Apply when users need to work with large CSV/HDF5/Arrow/Parquet files, perform fast statistics on massive datasets, create visualizations of big data, or build ML pipelines that do not fit in memory.