implementing-hipaa-security-rule-safeguards
Installation
SKILL.md
Implementing HIPAA Security Rule Safeguards
When to Use
- When an organization is a covered entity (health plan, clearinghouse, or provider transmitting electronic transactions) or a business associate handling ePHI on their behalf.
- When standing up or maturing controls to protect electronic protected health information.
- When performing the mandatory HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) — the single most-cited gap in OCR enforcement.
- When preparing for an OCR audit/investigation or responding to a suspected breach.
- When drafting, reviewing, or remediating a Business Associate Agreement (BAA).
- When mapping existing security controls to the HIPAA safeguard standards and implementation specifications.
Scope note: this skill covers the Security Rule (ePHI). The Privacy Rule (uses/disclosures of all PHI) and the Breach Notification Rule are related but distinct; this skill touches breach readiness and BAAs where they intersect security.
Prerequisites
- A clear determination of the organization's role (covered entity vs business associate) and where ePHI lives, flows, and is stored (an ePHI data map).
- An asset inventory of systems that create, receive, maintain, or transmit ePHI.
- Knowledge of the current rule's structure (45 CFR §§164.302–318) and the required vs addressable distinction.
- Awareness that a 2025 NPRM proposes significant changes (see Workflow step 7 and
references/standards.md) — track but do not assume them as in force.