hipaa-compliance

HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.

16 stars

Best use case

hipaa-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using hipaa-compliance should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/hipaa-compliance/SKILL.md --create-dirs "https://raw.githubusercontent.com/Jamkris/everything-gemini-code/main/skills/hipaa-compliance/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/hipaa-compliance/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How hipaa-compliance Compares

| Feature / Agent | hipaa-compliance | Standard Approach |
| --- | --- | --- |
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

- `healthcare-phi-compliance` remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
- `healthcare-reviewer` remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
- `security-review` still applies for general auth, input-handling, secrets, API, and deployment hardening.

## When to Use

- The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
- Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
- Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
- Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

## How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

1. Start with `healthcare-phi-compliance` for the concrete implementation rules.
2. Apply HIPAA-specific decision gates:
   - Is this data PHI?
   - Is this actor a covered entity or business associate?
   - Does a vendor or model provider require a BAA before touching the data?
   - Is access limited to the minimum necessary scope?
   - Are read/write/export events auditable?
3. Escalate to `healthcare-reviewer` if the task affects patient safety, clinical workflows, or regulated production architecture.

## HIPAA-Specific Guardrails

- Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
- Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
- Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
- Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
- Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
- Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.
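
One way to enforce the log and vendor guardrails above in code, as an added example (not part of this SKILL.md or of `healthcare-phi-compliance`). The field names, vendor registry, `phi_approved` flag and regex patterns are assumptions for illustration; key and pattern matching is a backstop, not a complete PHI detector.

```python
import re

# Assumed (hypothetical) keys that carry direct identifiers.
PHI_KEYS = {"name", "mrn", "phone", "address", "dob", "email"}
# Constructed patterns for identifiers that leak into free text.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # SSN-shaped
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),   # US phone-shaped
    re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE),  # "MRN" label + digits
]
# Non-PHI event model: only these fields may reach an unapproved vendor.
# patient_id is assumed to be an opaque internal ID, never an MRN.
NON_PHI_FIELDS = {"event", "patient_id", "ts"}
# Hypothetical registry. phi_approved means a BAA is in place and the data
# boundary was reviewed. Vendors missing from the registry are blocked.
VENDORS = {
    "internal-audit-store": {"phi_approved": True},
    "analytics-saas": {"phi_approved": False},
}

def redact(value):
    """Recursively mask PHI-keyed fields and PHI-shaped substrings (for logs)."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in PHI_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pattern in PHI_PATTERNS:
            value = pattern.sub("[REDACTED]", value)
    return value

def prepare_outbound(vendor, event):
    """Return the payload a vendor may receive; raise if the vendor is blocked."""
    entry = VENDORS.get(vendor)
    if entry is None:
        raise PermissionError(f"{vendor}: not in registry, blocked by default")
    if entry["phi_approved"]:
        return dict(event)  # minimum-necessary scoping still applies upstream
    # Allowlist first, then redact the surviving values as a second layer.
    return redact({k: v for k, v in event.items() if k in NON_PHI_FIELDS})

# Constructed sample event, not real patient data.
SAMPLE = {"event": "visit_summary_viewed", "patient_id": "p_8f3a",
          "name": "Jane Roe", "note": "Called 555-010-9999 re: MRN 448812"}

if __name__ == "__main__":
    print(redact(SAMPLE))
    print(prepare_outbound("analytics-saas", SAMPLE))
```

The allowlist does the real work for unapproved vendors: free-text fields such as `note` are dropped entirely rather than trusted to pattern-based redaction.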

## Examples

### Example 1: Product request framed as HIPAA

User request:

> Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

- Activate `hipaa-compliance`
- Use `healthcare-phi-compliance` to review PHI movement, logging, storage, and prompt boundaries
- Verify whether the summarization provider is covered by a BAA before any PHI is sent
- Escalate to `healthcare-reviewer` if the summaries influence clinical decisions

### Example 2: Vendor/tooling decision

User request:

> Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

- Assume those messages may contain PHI
- Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
- Require redaction or a non-PHI event model when possible

## Related Skills

- `healthcare-phi-compliance`
- `healthcare-reviewer`
- `healthcare-emr-patterns`
- `healthcare-eval-harness`
- `security-review`
