Inventories protected health information (PHI) per HIPAA Security Rule: identifies ePHI repositories, maps data flows, classifies PHI sensitivity, supports risk analysis.
`npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete`

This skill uses the workspace's default tool permissions.
The HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(A) requires covered entities and business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. This risk analysis is impossible without first knowing where ePHI resides, how it flows, and who has access. The PHI inventory is the foundational step of HIPAA compliance, supporting risk analysis (§164.308(a)(1)), access management (§164.312(a)), device and media controls (§164.310(d)), and business associate management (§164.502(e)).
OCR guidance identifies the first step of risk analysis as: "Identify where ePHI is created, received, maintained, or transmitted." This requires a comprehensive inventory covering:
PHI includes individually identifiable health information, transmitted or maintained in any form, that relates to an individual's past, present, or future physical or mental health condition, the provision of health care to the individual, or payment for that care. The 18 HIPAA identifiers are:

| # | Identifier | Examples |
|---|---|---|
| 1 | Names | Full name, maiden name |
| 2 | Geographic data smaller than state | Street address, city, ZIP code |
| 3 | Dates related to individual | Birth date, admission date, discharge date, date of death |
| 4 | Phone numbers | Home, mobile, work |
| 5 | Fax numbers | All fax numbers |
| 6 | Email addresses | Personal and work email |
| 7 | Social Security numbers | SSN |
| 8 | Medical record numbers | MRN, chart number |
| 9 | Health plan beneficiary numbers | Insurance ID, member ID |
| 10 | Account numbers | Patient account, billing account |
| 11 | Certificate/license numbers | Professional license, birth certificate |
| 12 | Vehicle identifiers and serial numbers | VIN, license plate |
| 13 | Device identifiers and serial numbers | Implant serial, medical device ID |
| 14 | Web URLs | Patient portal URLs, personal websites |
| 15 | IP addresses | Device IP addresses |
| 16 | Biometric identifiers | Fingerprints, retinal scans, voiceprints |
| 17 | Full-face photographs | Photos, images |
| 18 | Any other unique identifying number | Any code or characteristic that could identify an individual |

| System Category | Examples | Typical PHI Content |
|---|---|---|
| Electronic Health Record (EHR) | Epic, Cerner, MEDITECH | Complete clinical records, demographics, diagnoses, medications, lab results |
| Practice Management System | Athenahealth, eClinicalWorks | Scheduling, demographics, insurance, billing |
| Laboratory Information System (LIS) | Sunquest, Orchard | Lab orders, results, specimen data |
| Radiology (PACS/RIS) | Change Healthcare, Sectra | Imaging studies, radiology reports, patient demographics |
| Pharmacy System | Pyxis, Omnicell | Medication orders, dispensing records, patient allergies |
| Billing/Revenue Cycle | Waystar, R1 RCM | Claims, EOBs, patient financial data, demographics |
| Patient Portal | MyChart, Cerner Health | Patient-accessible clinical data, messages, appointments |
| Telehealth Platform | Zoom for Healthcare, Amwell | Session recordings, clinical notes, patient identity |
| Email System | Microsoft 365, Google Workspace | ePHI in attachments and message body |
| File Shares | Network drives, SharePoint | Unstructured clinical documents, reports |
| Mobile Devices | Smartphones, tablets | EHR access, clinical photos, messaging |
| Medical Devices | Infusion pumps, monitors | Patient vitals, device-patient association |
| Backup Systems | Commvault, Veeam | Complete copies of all source system ePHI |

| Flow Type | Source | Destination | Method | Encryption |
|---|---|---|---|---|
| Clinical documentation | Provider workstation | EHR database | HTTPS | TLS 1.2+ |
| Lab orders/results | EHR | LIS | HL7v2 / FHIR | TLS 1.2+ |
| Claims submission | Billing system | Clearinghouse/payer | EDI 837 | TLS 1.2+ |
| Patient portal access | Patient device | Portal server | HTTPS | TLS 1.2+ |
| HIE exchange | EHR | HIE/HIN | FHIR / Direct | TLS 1.2+ |
| BA data sharing | CE system | BA system | SFTP/API | TLS 1.2+ |
| Backup | Production systems | Backup storage | Backup agent | AES-256 |
| Mobile access | Mobile device | EHR (Citrix/VPN) | VPN + HTTPS | TLS 1.2+ |
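As an added example (not code from the skill or the original page), the Python below ties the identifier table and the data-flow table together: it reports which identifier categories appear in sampled repository content, assigns a sensitivity tier, and checks each flow against the encryption baseline and the business associate requirement. The tier scale, flow record keys, regex patterns and sample data are assumptions of this example.

```python
import re
# Patterns for a subset of the 18 HIPAA identifiers in the table above (constructed
# for this example; a production scanner needs validated patterns and context rules).
IDENTIFIER_PATTERNS = {
    "Dates (#3)": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "Email addresses (#6)": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "SSN (#7)": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Medical record numbers (#8)": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.I),
}

def find_identifiers(text: str) -> set:
    """Identifier categories present in a text sample taken from a repository."""
    return {name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)}

def classify_sensitivity(identifiers: set, clinical_content: bool) -> str:
    """Three-tier scale assumed by this example: identifiers tied to clinical content,
    or three or more identifiers together, are treated as a full ePHI record."""
    if not identifiers:
        return "none"
    return "high" if clinical_content or len(identifiers) >= 3 else "medium"

FLOW_BASELINE = {"TLS 1.2+", "AES-256"}  # encryption baselines from the flow table above

def check_flow(flow: dict) -> list:
    """Findings for one data-flow record; the record keys are this example's assumption."""
    findings = []
    if flow["encryption"] not in FLOW_BASELINE:
        findings.append(f"{flow['name']}: encryption '{flow['encryption']}' is below baseline")
    if flow.get("destination_is_ba") and not flow.get("baa_on_file"):
        findings.append(f"{flow['name']}: business associate destination with no BAA on file")
    return findings

def inventory_report(samples: dict, flows: list) -> dict:
    repos = {}
    for name, text in samples.items():
        ids = find_identifiers(text)
        clinical = "diagnos" in text.lower()  # crude clinical-content hint for the sample
        repos[name] = {"identifiers": sorted(ids), "sensitivity": classify_sensitivity(ids, clinical)}
    return {"repositories": repos, "findings": [f for fl in flows for f in check_flow(fl)]}

# Constructed samples: two repository excerpts and three flow records.
SAMPLES = {
    "file-share/discharge-note.txt": "MRN 00123456, DOB 1980-04-12, SSN 123-45-6789, diagnosis: type 2 diabetes",
    "billing/export.csv": "account 77812, contact jane@example.org",
}
FLOWS = [
    {"name": "Claims submission", "encryption": "TLS 1.2+", "destination_is_ba": True, "baa_on_file": True},
    {"name": "Legacy lab interface", "encryption": "none", "destination_is_ba": False},
    {"name": "Transcription vendor upload", "encryption": "TLS 1.2+", "destination_is_ba": True},
]
```

Running `inventory_report(SAMPLES, FLOWS)` rates the discharge note "high", the billing export "medium", and yields two findings: the unencrypted legacy interface and the vendor flow with no BAA.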