How this command is triggered — by the user, by Claude, or both
Slash command
/us-hipaa-security:assessThe summary Claude sees in its command listing — used to decide when to auto-load this command
# HIPAA Security Rule Assessment Run a comprehensive gap assessment of the HIPAA Security Rule (45 CFR Part 164, Subpart C) against the SCF crosswalk for US-HIPAA-Security. ## Usage ## Arguments - `--scope`: Optional safeguard category to limit assessment scope - `administrative` - Administrative Safeguards only (§164.308) - `physical` - Physical Safeguards only (§164.310) - `technical` - Technical Safeguards only (§164.312) - `organizational` - Organizational Requirements only (§164.314) - `policies` - Policies & Documentation only (§164.316) - Default: All five categorie...
Run a comprehensive gap assessment of the HIPAA Security Rule (45 CFR Part 164, Subpart C) against the SCF crosswalk for US-HIPAA-Security.
/us-hipaa-security:assess [--scope=<category>]
--scope: Optional safeguard category to limit assessment scope
administrative - Administrative Safeguards only (§164.308)physical - Physical Safeguards only (§164.310)technical - Technical Safeguards only (§164.312)organizational - Organizational Requirements only (§164.314)policies - Policies & Documentation only (§164.316)Before starting the assessment, confirm the following with the user:
Entity Type: Are you a Covered Entity (healthcare provider, health plan, clearinghouse) or Business Associate (vendor handling ePHI on behalf of a CE)?
ePHI Systems in Scope: What systems handle electronic Protected Health Information?
Risk Analysis Status: When was your last organization-wide risk analysis conducted (required under §164.308(a)(1)(ii)(A))? Does it cover all ePHI systems?
Enforcement History: Any prior OCR investigations, breaches, or enforcement actions?
This command routes to /grc-engineer:gap-assessment HIPAA and leverages the SCF crosswalk to map HIPAA Security Rule implementation specifications to standardized compliance controls.
The assessment generates findings grouped by safeguard category:
| Control Reference | CFR Section | SCF Control ID | Current Status | Risk Level | Recommended Remediation | Req/Addr |
|---|---|---|---|---|---|---|
| Example: Risk Analysis | §164.308(a)(1)(ii)(A) | PRI-01 | Gap | Critical | Conduct organization-wide risk analysis covering all ePHI systems | Required |
| Example: Security Awareness Training | §164.308(a)(5)(i) | CFG-02 | Partially | High | Implement formal training program with completion tracking | Required |
| Example: Encryption at Rest | §164.312(a)(2)(iv) | IAC-08 | Implemented | Low | Continue current implementation | Addressable |
Status Categories:
Risk Levels:
Req/Addr Column:
Same format as Administrative Safeguards, covering:
Same format, covering:
Same format, covering:
Same format, covering:
For any Addressable implementation specifications marked as "Gap" or "Partially":
Document Rationale: Explain why the specification is not reasonable and appropriate for your organization
Implement Equivalent Alternative (if applicable):
Maintain Documentation:
# Full HIPAA Security Rule assessment (all categories)
/us-hipaa-security:assess
# Assessment limited to Administrative Safeguards only
/us-hipaa-security:assess --scope=administrative
# Assessment focused on Technical Safeguards
/us-hipaa-security:assess --scope=technical
This assessment leverages the Secure Controls Framework (SCF) crosswalk for US-HIPAA-Security, which maps HIPAA Security Rule implementation specifications to standardized SCF controls.
SCF ID: US-HIPAA-Security Regulator: US HHS OCR Region: Americas Depth: Reference (tier 2 of 3)
/us-hipaa-security:evidence-checklist - Generate evidence request list for audits/grc-engineer:gap-assessment - Direct access to gap assessment with framework optionsBased on OCR enforcement actions and Resolution Agreements, the most common HIPAA Security Rule gaps include:
OCR Audit Priorities (based on publicly available information):
Penalty Tiers (per violation category per year)
As of January 28, 2026 (45 CFR 102.3 / Federal Register annual inflation adjustment)
Annual cap: $2,190,294 per violation category.
Applicability: Covered Entities and Business Associates handling ePHI Citation: 45 CFR Part 164, Subpart C Enforcement: US Department of Health and Human Services (HHS) - Office for Civil Rights (OCR) Guidance: NIST SP 800-66 Rev. 2
/assessCompares a local repository against a topic wiki's research body and the broader market, producing a gap analysis with opportunities and competitive landscape.
/assessAssesses DORA compliance readiness for EU financial entities and ICT providers. Requires scope (full, pillar-specific, entity-type); optional entity classification.
/assessAssesses GLBA compliance readiness for specified scope (full, safeguards, privacy, pretexting) and institution type, producing compliance score and detailed evaluation.
/assessAssesses compliance with NIST 800-53 controls for a specified control family (e.g., AC) or baseline (low, moderate, high), with optional revision (r4 or r5).
/assessAssesses SOC 2 Type I or II audit readiness for specified scope (security, availability, confidentiality, processing integrity, privacy), producing readiness scores, control gaps, evidence requirements, remediation recommendations, and timeline.
/assessAssesses ISMS compliance against ISO 27001:2022 clauses and Annex A controls, producing status reports, gap analysis, Statement of Applicability guidance, and certification readiness.
2plugins reuse this command
First indexed Jul 18, 2026
npx claudepluginhub vantainc/claude-grc-engineering --plugin us-hipaa-security