hipaa-compliance
HIPAA Compliance
Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:
- `healthcare-phi-compliance` remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
- `healthcare-reviewer` remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
- `security-review` still applies for general auth, input-handling, secrets, API, and deployment hardening.
When to Use
- The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
- Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
- Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
- Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter
How It Works
Treat HIPAA as an overlay on top of the broader healthcare privacy skill: