Skill

domain-healthcare:phi-data-handling

Guides PHI data handling per HIPAA: 18 identifiers, Safe Harbor/Expert Determination de-identification, minimum necessary principle, RBAC access controls, audit logging, encryption at rest/transit, secure disposal.

security

npx claudepluginhub rnavarych/alpha-engineer --plugin domain-healthcare

Popularity

Parent stars

Parent forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/domain-healthcare:phi-data-handling

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

ReadGrepGlobBash

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

- Determining whether a dataset or field constitutes PHI

Supporting Files

references/access-controls-audit-logging.mdreferences/encryption-disposal.mdreferences/identifiers-deidentification.md

SKILL.md

28 lines · ~554 tokens

Similar Skills

hipaa-audit

208

Audits applications and infrastructure for HIPAA compliance: Security Rule safeguards, Privacy Rule, Breach Notification Rule, ePHI scoping, BAA chain, and minimum-necessary standard.

6 tools

cybersecurity-skills

healthcare-phi-compliance

213.3k

Data classification, access control, audit trails, and leak vectors for PHI/PII in healthcare applications. Use when building patient-facing features or reviewing data exposure.

ecc

healthcare-phi-compliance

PHI/PII compliance patterns for healthcare apps covering data classification, row-level security, audit trails, encryption, and common leak vectors.

everything-claude-code

Stats

LanguageShell

Parent stars13

Parent forks1

MaintenanceGood

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

PHI Data Handling

When to use

Determining whether a dataset or field constitutes PHI

Implementing Safe Harbor or Expert Determination de-identification

Designing role-based access controls for a clinical system

Configuring audit logging for PHI access events

Implementing encryption for PHI at rest or in transit

Planning media sanitization or cryptographic erasure of PHI

Core principles

When in doubt it's PHI — if a data element could identify an individual in combination with health information, treat it as PHI; the cost of over-protecting is low, the cost of a breach is not

Minimum necessary is enforced at the API layer — strip fields the caller's role doesn't need before the response leaves your service; don't rely on the client to ignore what it receives

Every PHI access gets a log entry — read access included, not just writes; audit trails without reads are half the story

Cryptographic erasure beats secure delete — destroying the encryption key is faster, more reliable, and more auditable than overwriting data in place

Break-glass access is not a loophole — it must be logged, time-limited, and reviewed post-access; emergency access that goes unreviewed is a compliance finding waiting to happen

Reference Files

references/identifiers-deidentification.md — the 18 HIPAA identifiers, Safe Harbor removal checklist, Expert Determination method and documentation requirements

references/access-controls-audit-logging.md — minimum necessary principle, RBAC table by clinical role, break-glass implementation, required audit log fields, tamper-evident logging, high-risk access review cadence

references/encryption-disposal.md — AES-256-GCM column encryption, TDE, key rotation with cloud KMS, mTLS for microservices, NIST SP 800-88 disposal methods, cryptographic erasure pattern

PHI Data Handling

When to use

Determining whether a dataset or field constitutes PHI
Implementing Safe Harbor or Expert Determination de-identification
Designing role-based access controls for a clinical system
Configuring audit logging for PHI access events
Implementing encryption for PHI at rest or in transit
Planning media sanitization or cryptographic erasure of PHI

Core principles

When in doubt it's PHI — if a data element could identify an individual in combination with health information, treat it as PHI; the cost of over-protecting is low, the cost of a breach is not
Minimum necessary is enforced at the API layer — strip fields the caller's role doesn't need before the response leaves your service; don't rely on the client to ignore what it receives
Every PHI access gets a log entry — read access included, not just writes; audit trails without reads are half the story
Cryptographic erasure beats secure delete — destroying the encryption key is faster, more reliable, and more auditable than overwriting data in place
Break-glass access is not a loophole — it must be logged, time-limited, and reviewed post-access; emergency access that goes unreviewed is a compliance finding waiting to happen

Reference Files

references/identifiers-deidentification.md — the 18 HIPAA identifiers, Safe Harbor removal checklist, Expert Determination method and documentation requirements
references/access-controls-audit-logging.md — minimum necessary principle, RBAC table by clinical role, break-glass implementation, required audit log fields, tamper-evident logging, high-risk access review cadence
references/encryption-disposal.md — AES-256-GCM column encryption, TDE, key rotation with cloud KMS, mTLS for microservices, NIST SP 800-88 disposal methods, cryptographic erasure pattern

domain-healthcare:phi-data-handling

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

domain-healthcare:phi-data-handling

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

PHI Data Handling

When to use

Core principles

Reference Files

Similar Skills

Help us improve

PHI Data Handling

When to use

Core principles

Reference Files