Install the plugin that carries this skill:

```shell
npx claudepluginhub frank-luongt/faos-skills-marketplace --plugin faos-ciso
```

This skill uses the workspace's default tool permissions.
The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) establishes national standards for protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI.
The rule organizes requirements into three safeguard categories, each containing standards with implementation specifications. Specifications are classified as either Required (R) -- must be implemented exactly as described -- or Addressable (A) -- the entity must assess whether the specification is reasonable and appropriate, and if not, document why and implement an equivalent alternative.
Inventory all electronic protected health information your organization creates, receives, maintains, or transmits. Map data flows to understand where ePHI resides at rest, in transit, and in use. Document every system, application, and endpoint that touches ePHI.
Perform a comprehensive risk assessment as required by 164.308(a)(1)(ii)(A). Identify threats and vulnerabilities to ePHI for each system. Evaluate the likelihood and impact of each threat. Assign risk levels and document findings in a risk register.
Align each identified risk to the applicable HIPAA safeguard category and standard:
Administrative Safeguards (164.308):

| Standard | Key Specifications | Type |
|---|---|---|
| Security Management Process | Risk analysis, risk management, sanction policy, information system activity review | R, R, R, R |
| Assigned Security Responsibility | Designate a security official | R |
| Workforce Security | Authorization/supervision, workforce clearance, termination procedures | A, A, A |
| Information Access Management | Access authorization, access establishment and modification | A, A |
| Security Awareness and Training | Security reminders, malicious software protection, log-in monitoring, password management | A, A, A, A |
| Security Incident Procedures | Response and reporting | R |
| Contingency Plan | Data backup plan, disaster recovery, emergency mode operations, testing, criticality analysis | R, R, R, A, A |
| Evaluation | Periodic technical and non-technical evaluation | R |
| BAA Contracts | Written contracts with business associates | R |
Physical Safeguards (164.310):

| Standard | Key Specifications | Type |
|---|---|---|
| Facility Access Controls | Contingency operations, facility security plan, access control and validation, maintenance records | A, A, A, A |
| Workstation Use | Policies for workstation functions and environment | R |
| Workstation Security | Physical safeguards restricting access to workstations | R |
| Device and Media Controls | Disposal, media re-use, accountability, data backup and storage | R, R, A, A |
Technical Safeguards (164.312):

| Standard | Key Specifications | Type |
|---|---|---|
| Access Control | Unique user identification, emergency access procedure, automatic logoff, encryption and decryption | R, R, A, A |
| Audit Controls | Hardware, software, and procedural mechanisms to record and examine ePHI access | R |
| Integrity | Mechanism to authenticate ePHI, protect from improper alteration or destruction | A |
| Person or Entity Authentication | Verify identity of persons seeking access to ePHI | R |
| Transmission Security | Integrity controls, encryption | A, A |
Deploy technical and organizational controls that satisfy each standard. For Addressable specifications, document your assessment: if the specification is reasonable and appropriate, implement it; if not, document the rationale and implement an equivalent alternative measure.
Create written policies and procedures for each safeguard. HIPAA requires documentation to be retained for six years from the date of creation or the date it was last in effect, whichever is later. Maintain evidence of training, risk assessments, incident responses, and policy reviews.
A healthcare SaaS platform managing patient records implements HIPAA Technical Safeguard 164.312(a):
```yaml
# Access control architecture for ePHI-handling application
access_control:
  unique_user_identification:   # 164.312(a)(2)(i) - Required
    - enforce_individual_accounts: true
    - prohibit_shared_credentials: true
    - user_provisioning: "HR-triggered via SCIM"
    - deprovisioning_sla: "24 hours after termination"
  emergency_access_procedure:   # 164.312(a)(2)(ii) - Required
    - break_glass_accounts: 2
    - break_glass_mfa: "hardware token only"
    - break_glass_audit: "real-time alert to security team"
    - review_frequency: "every use, within 24 hours"
  automatic_logoff:             # 164.312(a)(2)(iii) - Addressable
    - session_timeout: "15 minutes idle"
    - reauthentication: "required after timeout"
    - sensitive_screens: "5 minutes idle"
  encryption_and_decryption:    # 164.312(a)(2)(iv) - Addressable
    - at_rest: "AES-256 via cloud KMS"
    - key_rotation: "annual, automated"
    - database_encryption: "TDE enabled"
  rbac_model:
    roles:
      - physician: "read/write own patients"
      - nurse: "read/write assigned unit"
      - admin: "user management, no clinical data"
      - billing: "read demographics and codes only"
    enforcement: "application-layer + database row-level security"
```
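The configuration above only declares the policy; the application layer still has to make a decision per request. As an added example that is not the plugin's own code, the following Python policy decision point enforces the four roles from `rbac_model` as row-level checks and applies the two idle windows from `automatic_logoff` before any role rule is consulted. The session attributes (`own_patients`, `unit`), the set of "sensitive" resource types, the demographic field list and the sample scenarios are all assumptions.

```python
"""Policy decision point for the access_control / rbac_model configuration.

Added example, not the plugin's code. Role semantics follow the YAML above;
timeouts, the sensitive-resource set, the demographic field list and the
sample scenarios are assumed values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# automatic_logoff: 15 minutes idle, 5 minutes on sensitive screens (from the YAML).
IDLE_TIMEOUT = timedelta(minutes=15)
SENSITIVE_IDLE_TIMEOUT = timedelta(minutes=5)
SENSITIVE_RESOURCES = {"prescription", "lab_result"}  # assumed "sensitive screens"

# Fields a billing user may see (assumed; everything else is treated as clinical).
DEMOGRAPHIC_FIELDS = {"name", "dob", "address", "insurance_id", "billing_codes"}


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime
    own_patients: set = field(default_factory=set)  # physician's patient list (assumed attribute)
    unit: Optional[str] = None                      # nurse's assigned unit (assumed attribute)


@dataclass
class Record:
    patient_id: str
    unit: str
    resource_type: str
    fields: set


@dataclass
class Decision:
    allowed: bool
    reason: str
    permitted_fields: set = field(default_factory=set)


def session_expired(session: Session, resource_type: str, now: datetime) -> bool:
    """Automatic logoff check; sensitive screens use the shorter idle window."""
    limit = SENSITIVE_IDLE_TIMEOUT if resource_type in SENSITIVE_RESOURCES else IDLE_TIMEOUT
    return now - session.last_activity > limit


def authorize(session: Session, record: Record, action: str, now: datetime) -> Decision:
    """Row-level decision: logoff check first, then the role rule and its scoping attribute."""
    if session_expired(session, record.resource_type, now):
        return Decision(False, "idle timeout exceeded; reauthentication required")
    role = session.role
    if role == "physician":  # read/write own patients
        if record.patient_id in session.own_patients:
            return Decision(True, "physician: own patient", set(record.fields))
        return Decision(False, "physician: patient not on own list")
    if role == "nurse":      # read/write assigned unit
        if record.unit == session.unit:
            return Decision(True, "nurse: assigned unit", set(record.fields))
        return Decision(False, "nurse: record outside assigned unit")
    if role == "billing":    # read demographics and codes only
        if action != "READ":
            return Decision(False, "billing: read-only")
        visible = record.fields & DEMOGRAPHIC_FIELDS
        return Decision(bool(visible), "billing: demographics and codes only", visible)
    if role == "admin":      # user management, no clinical data
        return Decision(False, "admin: no clinical data access")
    return Decision(False, f"unknown role {role!r}")  # deny by default


def evaluate_samples() -> dict:
    """Constructed scenarios covering each role and both idle windows."""
    now = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    chart = Record("P-100", "ICU", "medical_record", {"name", "dob", "diagnosis", "billing_codes"})
    labs = Record("P-100", "ICU", "lab_result", {"name", "hba1c"})
    active, idle6, idle16 = (now - timedelta(minutes=m) for m in (3, 6, 16))
    physician = Session("u1", "physician", active, own_patients={"P-100"})
    billing = Session("u4", "billing", active)
    return {
        "physician_own_patient": authorize(physician, chart, "UPDATE", now).allowed,
        "physician_other_patient": authorize(Session("u1", "physician", active, own_patients={"P-777"}), chart, "READ", now).allowed,
        "nurse_own_unit": authorize(Session("u2", "nurse", active, unit="ICU"), chart, "UPDATE", now).allowed,
        "nurse_other_unit": authorize(Session("u3", "nurse", active, unit="ER"), chart, "READ", now).allowed,
        "billing_fields": authorize(billing, chart, "READ", now).permitted_fields,
        "billing_write": authorize(billing, chart, "UPDATE", now).allowed,
        "admin_clinical": authorize(Session("u5", "admin", active), chart, "READ", now).allowed,
        "idle6_chart": authorize(Session("u1", "physician", idle6, own_patients={"P-100"}), chart, "READ", now).allowed,
        "idle6_labs": authorize(Session("u1", "physician", idle6, own_patients={"P-100"}), labs, "READ", now).allowed,
        "idle16_chart": authorize(Session("u1", "physician", idle16, own_patients={"P-100"}), chart, "READ", now).allowed,
    }


if __name__ == "__main__":
    for name, outcome in evaluate_samples().items():
        print(f"{name}: {outcome}")
```

The ordering matters: the logoff check runs before any role logic so that an expired session cannot be promoted by a permissive role, and the final fall-through denies unknown roles rather than relying on every branch being listed. The billing branch returns the filtered field set instead of a bare yes/no, which is what a column-level or row-level database policy would consume.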
Implementing Audit Controls per 164.312(b) to record and examine activity in systems containing ePHI:
```python
# Audit log schema for HIPAA-compliant ePHI access logging
AUDIT_LOG_FIELDS = {
    "event_id": "UUID - unique identifier for the event",
    "timestamp": "ISO 8601 with timezone - when the event occurred",
    "user_id": "Unique user identifier who performed the action",
    "user_role": "Role at time of access (physician, nurse, admin)",
    "patient_id": "Identifier of the patient whose ePHI was accessed",
    "action": "CREATE | READ | UPDATE | DELETE | EXPORT | PRINT",
    "resource_type": "medical_record | lab_result | prescription | image",
    "resource_id": "Identifier of the specific resource accessed",
    "access_reason": "treatment | payment | operations | emergency",
    "source_ip": "IP address of the requesting system",
    "user_agent": "Application or browser identifier",
    "outcome": "success | failure | error",
    "data_fields_accessed": "List of specific ePHI fields viewed or modified",
}

# Audit log retention and protection requirements
AUDIT_REQUIREMENTS = {
    "retention_period": "6 years minimum (HIPAA documentation requirement)",
    "immutability": "write-once storage, no modification or deletion",
    "encryption": "AES-256 at rest, TLS 1.2+ in transit",
    "access_to_logs": "security team only, separate from clinical access",
    "review_frequency": "daily automated anomaly detection, weekly manual review",
    "alerting": "real-time alerts for: bulk access, after-hours access, "
                "break-glass use, access to VIP patients, export operations",
}
```
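The schema and requirements above describe what to record and when to alert, but 164.312(b) also asks that the activity be examined. As an added example that is not the plugin's own code, the following Python review pass checks each event against the `AUDIT_LOG_FIELDS` field list and implements the five alert conditions named under `alerting`. The bulk threshold, business-hours window, VIP watch list and the sample events are constructed assumptions.

```python
"""Audit-log review for ePHI access events.

Added example, not the plugin's code. Field names come from the
AUDIT_LOG_FIELDS schema; thresholds, the VIP list and the sample events are
constructed assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime
from typing import Iterable

# Field names from the AUDIT_LOG_FIELDS schema; every event must carry all of them.
REQUIRED_FIELDS = {
    "event_id", "timestamp", "user_id", "user_role", "patient_id", "action",
    "resource_type", "resource_id", "access_reason", "source_ip", "user_agent",
    "outcome", "data_fields_accessed",
}

# Review thresholds (assumed values, not from the page).
BULK_THRESHOLD = 20             # distinct patients touched by one user within one hour
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 in the event's own timezone
VIP_PATIENTS = {"P-9001"}       # constructed watch list


def _alert(kind: str, event: dict, detail: str = "") -> dict:
    return {"kind": kind, "event_id": event.get("event_id"),
            "user_id": event.get("user_id"), "detail": detail}


def review(events: Iterable[dict]) -> list[dict]:
    """Return alerts for the conditions listed under AUDIT_REQUIREMENTS['alerting']."""
    alerts: list[dict] = []
    patients_per_user_hour: dict[tuple, set] = defaultdict(set)
    for ev in events:
        missing = REQUIRED_FIELDS - set(ev)
        if missing:  # an incomplete record cannot be trusted for the other checks
            alerts.append(_alert("malformed_event", ev, "missing " + ", ".join(sorted(missing))))
            continue
        ts = datetime.fromisoformat(ev["timestamp"])  # ISO 8601 with offset, e.g. +00:00
        if ev["access_reason"] == "emergency":
            alerts.append(_alert("break_glass_use", ev, ev["user_role"]))
        if ev["action"] == "EXPORT":
            alerts.append(_alert("export_operation", ev, ev["resource_type"]))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(_alert("after_hours_access", ev, ts.isoformat()))
        if ev["patient_id"] in VIP_PATIENTS:
            alerts.append(_alert("vip_patient_access", ev, ev["patient_id"]))
        # Bulk access: count distinct patients per user per clock hour, alert once on crossing.
        seen = patients_per_user_hour[(ev["user_id"], ts.date(), ts.hour)]
        seen.add(ev["patient_id"])
        if len(seen) == BULK_THRESHOLD:
            alerts.append(_alert("bulk_access", ev, f"{len(seen)} patients in one hour"))
    return alerts


def summarize(alerts: list[dict]) -> dict:
    """Alert counts by kind, the shape a daily review report would start from."""
    return dict(Counter(a["kind"] for a in alerts))


def _event(i: int, user: str, role: str, patient: str, action: str = "READ",
           reason: str = "treatment", ts: str = "2024-03-04T10:15:00+00:00") -> dict:
    """Constructed event matching the AUDIT_LOG_FIELDS schema."""
    return {
        "event_id": f"evt-{i:04d}", "timestamp": ts, "user_id": user, "user_role": role,
        "patient_id": patient, "action": action, "resource_type": "medical_record",
        "resource_id": f"rec-{i}", "access_reason": reason, "source_ip": "10.0.0.5",
        "user_agent": "ehr-web/1.0", "outcome": "success", "data_fields_accessed": ["diagnosis"],
    }


# Constructed sample: one event per alert condition plus a malformed record.
SAMPLE_EVENTS = [
    _event(1, "dr.lee", "physician", "P-100"),                                  # routine
    _event(2, "dr.lee", "physician", "P-9001"),                                 # VIP patient
    _event(3, "nurse.kim", "nurse", "P-200", reason="emergency"),               # break-glass
    _event(4, "billing.ann", "billing", "P-300", action="EXPORT"),              # export
    _event(5, "dr.lee", "physician", "P-101", ts="2024-03-04T23:40:00+00:00"),  # after hours
    {"event_id": "evt-0006", "user_id": "unknown"},                             # malformed
] + [_event(100 + n, "analyst.bob", "admin", f"P-{500 + n}") for n in range(25)]  # bulk read


if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS):
        print(alert)
    print(summarize(review(SAMPLE_EVENTS)))
```

Malformed records are alerted on and then skipped rather than silently tolerated, because a logging pipeline that drops fields is itself an audit-control failure. The bulk rule fires once when the threshold is crossed instead of on every subsequent event, which keeps a single scan from flooding the alert queue while still producing a record that names the user and the hour.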
Administrative Safeguards:
Physical Safeguards:
Technical Safeguards: