HIPAA Compliance for AI Agents
Generate HIPAA compliance checklists, risk assessments, and audit frameworks for healthcare organizations deploying AI agents.
About this skill
This AI agent skill empowers healthcare organizations to navigate the complexities of HIPAA compliance when integrating AI solutions. It provides a comprehensive framework for generating critical compliance documentation, including detailed checklists for Business Associate Agreements (BAAs), PHI data flow mapping, and minimum necessary standard application guides. The skill also facilitates robust risk assessments by outlining technical safeguards like access controls, audit controls, and transmission security, alongside an an AI-specific risk matrix addressing unique challenges such as prompt injection and model training on Protected Health Information (PHI). Furthermore, the skill assists in proactive breach preparedness with a structured incident response timeline and offers guidance on compliance by AI use case, categorizing risks for patient scheduling, billing, clinical decision support, and other applications. By leveraging this skill, organizations can ensure their AI deployments adhere strictly to regulatory requirements, mitigate potential risks, and build a strong foundation for secure and compliant AI integration in healthcare. It serves as a vital resource for compliance officers, legal teams, and development leads.
Best use case
The primary use case is assisting healthcare organizations and their AI vendors in achieving and maintaining HIPAA compliance for AI agent deployments. Compliance officers, legal teams, IT security managers, and AI development leads benefit most by receiving structured, AI-generated guidance and documentation to ensure secure and compliant integration of artificial intelligence in sensitive healthcare environments.
Generate HIPAA compliance checklists, risk assessments, and audit frameworks for healthcare organizations deploying AI agents.
Users should expect well-structured, comprehensive documentation including compliance checklists, risk assessments, audit frameworks, and breach response timelines tailored to HIPAA regulations for AI agents.
Practical example
Example input
Generate a HIPAA compliance checklist for deploying a new AI agent for patient scheduling, including BAA requirements and technical safeguards.
Example output
Here is a HIPAA compliance checklist for your AI agent deployment for patient scheduling, focusing on pre-deployment and technical safeguards: **Pre-Deployment Compliance Gate:** - **BAA requirements:** Ensure vendor signs a BAA, define PHI access, specify security measures. - **PHI data flow:** Map all PHI ingress/egress points for the AI, identify storage. - **Minimum Necessary:** Define data fields strictly required for scheduling function, minimize access. **Technical Safeguards (Access Controls):** - **Unique IDs:** Each AI agent instance/service should have a distinct ID. - **Auto-logoff:** Implement 15-minute idle session termination. - **Role-based permissions:** Limit access to only necessary functions (e.g., patient lookup, appointment booking).
When to use this skill
- Developing or deploying a new AI agent in a healthcare setting.
- Conducting a HIPAA risk assessment for an existing AI system.
- Auditing AI agent compliance with HIPAA technical safeguards.
- Training teams on AI-specific HIPAA compliance challenges.
When not to use this skill
- Seeking legal advice from a human attorney.
- For general HIPAA compliance not related to AI agents.
- If the organization does not handle Protected Health Information (PHI).
- When requiring real-time, dynamic legal or security system integration (this is a document generation skill).
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/afrexai-hipaa-compliance/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How HIPAA Compliance for AI Agents Compares
| Feature / Agent | HIPAA Compliance for AI Agents | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
Generate HIPAA compliance checklists, risk assessments, and audit frameworks for healthcare organizations deploying AI agents.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
Best AI Skills for ChatGPT
Find the best AI skills to adapt into ChatGPT workflows for research, writing, summarization, planning, and repeatable assistant tasks.
SKILL.md Source
# HIPAA Compliance for AI Agents Generate HIPAA compliance checklists, risk assessments, and audit frameworks for healthcare organizations deploying AI agents. ## What This Skill Does When activated, produce any of these deliverables based on user request: ### 1. Pre-Deployment Compliance Gate - BAA requirements checklist for AI vendors - PHI data flow mapping template - Minimum Necessary standard application guide - Risk assessment framework (45 CFR 164.308(a)(1)) ### 2. Technical Safeguards (45 CFR 164.312) **Access Controls:** - Unique service account IDs for AI agents - Emergency access procedures for system failures - 15-minute auto-logoff configuration - Role-based minimum necessary permissions **Audit Controls:** - PHI access logging (timestamp, user, action, data) - 6-year retention compliance - Anomaly detection on access patterns - AI decision audit trails **Transmission Security:** - TLS 1.3 enforcement - E2E encryption for patient comms - Certificate pinning for API connections - No PHI in URLs, query strings, or logs ### 3. AI-Specific Risk Matrix | Risk | Impact | Mitigation | |------|--------|------------| | Prompt injection → PHI leak | Critical | Input sanitization, output filtering, sandboxing | | Model training on PHI | High | BAA prohibition, single-tenant deployment | | Hallucinated medical info | Critical | Human-in-loop, confidence thresholds | | Shadow AI with PHI | High | Approved tool registry, DLP rules | ### 4. Breach Response Timeline - 0-1 hrs: Contain (disable agent, preserve logs) - 1-24 hrs: Assess scope of PHI exposure - 24-48 hrs: Document root cause, affected individuals - Within 60 days: Notify HHS + individuals + media (if 500+) - 30-90 days: Remediate, patch, retrain ### 5. Compliance by Use Case Rate each AI deployment: - Patient scheduling → Medium risk - Billing/coding → High risk - Clinical decision support → Critical risk - Patient communication → High risk - Medical records summarization → Critical risk ### 6. Penalty Reference | Tier | Per Violation | Annual Cap | |------|-------------|------------| | Unknowing | $141 - $71,162 | $2,134,831 | | Reasonable cause | $1,424 - $71,162 | $2,134,831 | | Willful neglect (corrected) | $14,232 - $71,162 | $2,134,831 | | Willful neglect (not corrected) | $71,162 | $2,134,831 | Average healthcare breach cost: $10.93M (IBM/Ponemon 2025). ## Output Format - Markdown checklist with status columns - Risk matrix with impact/likelihood scoring - Timeline tables for breach response - Department-specific compliance cards ## Resources - [Healthcare AI Context Pack — $47](https://afrexai-cto.github.io/context-packs/) — Full patient journey automation, revenue cycle, EHR integration patterns - [AI Revenue Leak Calculator](https://afrexai-cto.github.io/ai-revenue-calculator/) — Find where manual processes cost you money - [AI Agent Setup Wizard](https://afrexai-cto.github.io/agent-setup/) — Configure compliant AI agents in 5 minutes
Related Skills
Compliance & Audit Readiness Engine
Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.
Compliance Audit Generator
Run internal compliance audits against major frameworks without hiring a consultant.
Data Governance Framework
Assess, score, and remediate your organization's data governance posture across 6 domains.
Cybersecurity Risk Assessment
You are a cybersecurity risk assessment specialist. When the user needs a security audit, threat assessment, or compliance review, follow this framework.
afrexai-cybersecurity-engine
Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack — zero external dependencies.
AI Safety Audit
Comprehensive AI safety and alignment audit framework for businesses deploying AI agents. Built around the UK AI Security Institute Alignment Project standards (2026), EU AI Act requirements, and NIST AI RMF.
clickhouse-github-forensics
Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks, tracking repository activity, analyzing actor behavior patterns, detecting tag/release tampering, or reconstructing incident timelines from public GitHub data. Triggers on GitHub supply chain attacks, repo compromise investigations, actor attribution, tag poisoning, or "query github events".
security-guardian
Automated security auditing for OpenClaw projects. Scans for hardcoded secrets (API keys, tokens) and container vulnerabilities (CVEs) using Trivy. Provides structured reports to help maintain a clean and secure codebase.
mema-vault
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets using a mandatory Master Key. Use for managing API keys, database credentials, and other sensitive tokens.
guardian-wall
Mitigate prompt injection attacks, especially indirect ones from external web content or files. Use this skill when processing untrusted text from the internet, user-uploaded files, or any external source to sanitize content and detect malicious instructions (e.g., "ignore previous instructions", "system override").
SX-security-audit
全方位安全审计技能。检查文件权限、环境变量、依赖漏洞、配置文件、网络端口、Git 安全、Shell 安全、macOS 安全、密钥检测等。支持 CLI 参数、JSON 输出、配置文件。当用户要求"安全检查"、"漏洞扫描"、"权限检查"、"安全审计"时使用此技能。
skill-safe-install-l0-strict
Strict secure-install workflow for ClawHub/OpenClaw skills. Use when asked to install a skill safely, inspect skill permissions, review third-party skill risk, or run a pre-install security audit. Enforce full review + sandbox + explicit consent gates, with no author-based trust bypass.