Stats

Actions

Tags

Help us improve

Share bugs, ideas, or general feedback.

hipaa-compliance | everything-claude-code | ClaudePluginHub

Skill

hipaa-compliance

From everything-claude-code

Provides HIPAA-specific guidance for healthcare privacy and security, including PHI handling, BAAs, covered entities, minimum access, and audit trails. For explicit HIPAA compliance tasks.

$

npx claudepluginhub affaan-m/ecc --plugin ecc

Popularity

Stars

192,136

Forks

29,741

Shared by

11

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/everything-claude-code:hipaa-compliance

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

SKILL.md

79 lines · ~905 tokens

Similar Skills

hipaa-compliance

450

Provides HIPAA compliance guidance for healthcare software developers on technical safeguards like encryption, access controls, audit logs. Reviews docs, generates policies, educates on rules.

4 files

hipaa-compliance

domain-healthcare:hipaa-compliance

13

Guides HIPAA compliance for healthcare systems handling PHI: technical/administrative/physical safeguards, BAA checklists, risk assessments, breach notifications.

3 files4 tools

domain-healthcare

assess-hipaa

67

Conducts HIPAA compliance assessments for healthcare systems handling PHI, evaluating safeguards, PHI flows, risks, entity classification, and generating remediation reports.

2 tools

compliance-planning

Stats

LanguageJavaScript

Stars192,136

Forks29,741

MaintenanceExcellent

Last CommitMay 25, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

healthcare-compliance

Help us improve

Share bugs, ideas, or general feedback.

HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

healthcare-phi-compliance remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
healthcare-reviewer remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
security-review still applies for general auth, input-handling, secrets, API, and deployment hardening.

When to Use

The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

Start with healthcare-phi-compliance for the concrete implementation rules.
Apply HIPAA-specific decision gates:
- Is this data PHI?
- Is this actor a covered entity or business associate?
- Does a vendor or model provider require a BAA before touching the data?
- Is access limited to the minimum necessary scope?
- Are read/write/export events auditable?
Escalate to healthcare-reviewer if the task affects patient safety, clinical workflows, or regulated production architecture.

HIPAA-Specific Guardrails

Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.

Examples

Example 1: Product request framed as HIPAA

User request:

Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

Activate hipaa-compliance
Use healthcare-phi-compliance to review PHI movement, logging, storage, and prompt boundaries
Verify whether the summarization provider is covered by a BAA before any PHI is sent
Escalate to healthcare-reviewer if the summaries influence clinical decisions

Example 2: Vendor/tooling decision

User request:

Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

Assume those messages may contain PHI
Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
Require redaction or a non-PHI event model when possible

Related Skills

healthcare-phi-compliance
healthcare-reviewer
healthcare-emr-patterns
healthcare-eval-harness
security-review