Skill

domain-healthcare:hipaa-compliance

HIPAA compliance implementation covering technical, administrative, and physical safeguards, Business Associate Agreement checklists, risk assessment methodology, and breach notification procedures. Use when building or reviewing healthcare systems that handle PHI.

Install

npx claudepluginhub rnavarych/alpha-engineer --plugin domain-healthcare

Tool Access

This skill is limited to using the following tools:

ReadGrepGlobBash

Preview

- Designing or auditing encryption for PHI at rest and in transit

Supporting Assets

references/administrative-physical-safeguards.mdreferences/baa-risk-breach.mdreferences/technical-safeguards.md

SKILL.md

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.6k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.6k

Hook Development

10 files

Guides implementation of event-driven hooks in Claude Code plugins using prompt-based validation and bash commands for PreToolUse, Stop, and session events.

plugin-dev

83.2k

Stats

Parent Repo Stars9

Parent Repo Forks0

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

When to use

Designing or auditing encryption for PHI at rest and in transit

Implementing access controls, audit logging, or session management for clinical systems

Evaluating a new vendor and determining BAA requirements

Conducting or documenting a formal HIPAA risk assessment

Responding to a suspected PHI breach and navigating notification timelines

Reviewing workforce training or physical security gaps

Core principles

AES-256-GCM at rest, TLS 1.3 in transit, KMS for keys — these three together cover the encryption baseline; anything less needs a documented exception

Every PHI access gets a log entry — who, what resource, when, from where, and outcome; 6-year retention minimum, tamper-evident storage required

BAA before byte one — no PHI reaches a vendor system without a signed BAA in place; subcontractor flow-down is not optional

Risk assessment is continuous, not annual — reassess after every significant system change, incident, or regulatory update

Breach notification clock starts at discovery — 60 days to notify individuals and HHS; do not wait for the investigation to conclude before starting the clock

Reference Files

references/technical-safeguards.md — encryption (AES-256-GCM, TDE, envelope encryption), access controls (RBAC, break-glass, session timeout), audit controls, transmission security (TLS, mTLS)

references/administrative-physical-safeguards.md — security officer designation, workforce training, access management workflows, incident response, contingency planning, risk analysis, physical facility and device controls

references/baa-risk-breach.md — BAA checklist for vendor onboarding, risk assessment methodology (8-step), breach notification procedures and HHS reporting timelines

HIPAA Compliance Implementation

When to use

Designing or auditing encryption for PHI at rest and in transit
Implementing access controls, audit logging, or session management for clinical systems
Evaluating a new vendor and determining BAA requirements
Conducting or documenting a formal HIPAA risk assessment
Responding to a suspected PHI breach and navigating notification timelines
Reviewing workforce training or physical security gaps

Core principles

AES-256-GCM at rest, TLS 1.3 in transit, KMS for keys — these three together cover the encryption baseline; anything less needs a documented exception
Every PHI access gets a log entry — who, what resource, when, from where, and outcome; 6-year retention minimum, tamper-evident storage required
BAA before byte one — no PHI reaches a vendor system without a signed BAA in place; subcontractor flow-down is not optional
Risk assessment is continuous, not annual — reassess after every significant system change, incident, or regulatory update
Breach notification clock starts at discovery — 60 days to notify individuals and HHS; do not wait for the investigation to conclude before starting the clock

Reference Files

references/technical-safeguards.md — encryption (AES-256-GCM, TDE, envelope encryption), access controls (RBAC, break-glass, session timeout), audit controls, transmission security (TLS, mTLS)
references/administrative-physical-safeguards.md — security officer designation, workforce training, access management workflows, incident response, contingency planning, risk analysis, physical facility and device controls
references/baa-risk-breach.md — BAA checklist for vendor onboarding, risk assessment methodology (8-step), breach notification procedures and HHS reporting timelines