Skill

assess-hipaa

Conducts HIPAA compliance assessments for healthcare systems handling PHI, evaluating safeguards, PHI flows, risks, entity classification, and generating remediation reports.

security

npx claudepluginhub melodic-software/claude-code-plugins --plugin compliance-planning

Tool Access

This skill is limited to using the following tools:

TaskSkill

Preview

Conduct a comprehensive HIPAA compliance assessment.

SKILL.md

Similar Skills

hipaa-compliance

117

Provides HIPAA compliance guidance for healthcare software developers on technical safeguards like encryption, access controls, audit logs. Reviews docs, generates policies, educates on rules.

4 files

hipaa-compliance

Guides HIPAA compliance planning for healthcare apps handling PHI, covering safeguards, BAAs, risk assessments, 18 identifiers, and de-identification methods.

6 tools

compliance-planning

hipaa-compliance

175.2k

Provides HIPAA-specific guidance for healthcare privacy and security, including PHI handling, BAAs, covered entities, minimum access, and audit trails. For explicit HIPAA compliance tasks.

everything-claude-code

Stats

Parent Repo Stars40

Parent Repo Forks6

Last CommitFeb 15, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

HIPAA Compliance Assessment

Conduct a comprehensive HIPAA compliance assessment.

Workflow

Step 1: Load Required Skills

Load these skills:

hipaa-compliance - HIPAA requirements and safeguards
data-classification - PHI identification
security-frameworks - Security control mapping

Step 2: Spawn Compliance Analyst Agent

Spawn the compliance-analyst agent with the following prompt:

Conduct a comprehensive HIPAA compliance assessment for: $ARGUMENTS

Perform the following assessments:

1. PHI Identification
   - Identify all Protected Health Information
   - Map PHI data flows
   - Document storage locations
   - Identify all access points

2. Entity Classification
   - Determine if Covered Entity or Business Associate
   - Identify all Business Associate relationships
   - Review BAA coverage

3. Administrative Safeguards
   - Security management process
   - Workforce security
   - Information access management
   - Security awareness and training
   - Incident response procedures
   - Contingency planning

4. Physical Safeguards
   - Facility access controls
   - Workstation security
   - Device and media controls

5. Technical Safeguards
   - Access controls (unique user ID, MFA)
   - Audit controls
   - Integrity controls
   - Transmission security

6. Risk Assessment
   - Identify threats and vulnerabilities
   - Assess likelihood and impact
   - Calculate risk levels
   - Recommend mitigations

7. Breach Notification Readiness
   - Incident detection capabilities
   - Breach assessment procedures
   - Notification procedures

Provide a complete HIPAA assessment with:
- Safeguard compliance scores
- Gap analysis with severity
- Risk assessment summary
- Remediation priorities

Step 3: Generate Assessment Report

Ensure the report includes:

Executive summary with compliance posture
Detailed safeguard assessment
Risk register
BAA inventory
Remediation roadmap

Example Usage

# Assess a patient portal
/compliance-planning:assess-hipaa "patient portal with PHI access and messaging"

# Assess a medical records system
/compliance-planning:assess-hipaa "electronic health record system with multi-provider access"

# Assess a healthcare analytics platform
/compliance-planning:assess-hipaa "healthcare analytics platform processing de-identified data"

Output Format

# HIPAA Compliance Assessment: [System Name]

## Executive Summary

### Entity Type: [Covered Entity / Business Associate]

### Overall Compliance: [COMPLIANT / PARTIAL / NON-COMPLIANT]

| Safeguard Category | Score | Status |
|--------------------|-------|--------|
| Administrative | [X/10] | [Status] |
| Physical | [X/10] | [Status] |
| Technical | [X/10] | [Status] |
| **Overall** | **[X/10]** | **[Status]** |

### Critical Findings
- [Finding 1]
- [Finding 2]

---

## PHI Inventory

| Data Element | HIPAA Identifier | Location | Access |
|--------------|------------------|----------|--------|

---

## Safeguard Assessment

### Administrative Safeguards
| Requirement | Status | Evidence | Gap |
|-------------|--------|----------|-----|

### Physical Safeguards
| Requirement | Status | Evidence | Gap |
|-------------|--------|----------|-----|

### Technical Safeguards
| Requirement | Status | Evidence | Gap |
|-------------|--------|----------|-----|

---

## Business Associate Analysis

| BA Name | Services | BAA Status | Last Review |
|---------|----------|------------|-------------|

---

## Risk Assessment

| Risk | Threat | Vulnerability | Likelihood | Impact | Score | Mitigation |
|------|--------|---------------|------------|--------|-------|------------|

---

## Gap Analysis

### Critical Gaps
| Gap | Safeguard | Risk | Priority | Remediation |
|-----|-----------|------|----------|-------------|

---

## Remediation Roadmap

### Phase 1: Critical (Immediate)
1. [Action with owner]

### Phase 2: High Priority (30 days)
1. [Action]

### Phase 3: Improvements (90 days)
1. [Action]

---

## Breach Notification Readiness

- [ ] Incident detection in place
- [ ] Breach assessment procedure documented
- [ ] Notification templates ready
- [ ] HHS reporting procedure defined