health-compliance-review
Healthcare Regulatory & Security Compliance Review
When To Use
Invoke when you need to audit healthcare code, configurations, or delivery systems for regulatory and security control gaps. Use for HIPAA, GDPR, ONC, FDA, or multi-market compliance evidence — during security reviews, pre-release audits, or as a subagent from health-refactor or health-docs.
Overview
Use this skill to audit and validate healthcare software against regulatory and security controls. Every control gap is a finding. Every finding carries a declared severity. Jurisdiction is selected from evidence — not assumed.
Select one of `us`, `eu`, `us+eu`, or `unclear` before reviewing:
- Read `.health-context.yaml` if it exists.
- Check the repository scope for confirming or conflicting signals.
- Load the regulatory overlays matching the selected set: `us` → load `references/us-regulatory-overlay.md`; `eu` → load `references/eu-regulatory-overlay.md`; `us+eu` → load both; `unclear` → load both pending clarification.
- If evidence is mixed, state the conflict explicitly. Do not silently default to US assumptions. Declare the most defensible overlay set.
- If jurisdiction remains `unclear` after the evidence scan, ask the user to confirm before proceeding.
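As an added example (not part of the skill itself), a small Python routine that carries out the selection above: it reads a declared value from `.health-context.yaml`, scans repository files for market signals, reports any conflict instead of defaulting to US, and flags `unclear` for confirmation. The `jurisdiction:` key and the regime keywords used as signals are assumptions, since the skill does not define them.

```python
import re
from typing import Optional

# Overlay files named by the skill, per selected set.
OVERLAYS = {
    "us": ["references/us-regulatory-overlay.md"],
    "eu": ["references/eu-regulatory-overlay.md"],
}
OVERLAYS["us+eu"] = OVERLAYS["us"] + OVERLAYS["eu"]
OVERLAYS["unclear"] = OVERLAYS["us+eu"]  # both, pending clarification

# Assumed signal vocabulary: regimes the skill names, grouped by market.
SIGNALS = {
    "us": re.compile(r"\b(HIPAA|ONC|FDA)\b"),
    "eu": re.compile(r"\bGDPR\b"),
}


def declared_jurisdiction(context_yaml: Optional[str]) -> Optional[str]:
    """Read an assumed top-level `jurisdiction:` key from .health-context.yaml
    contents (minimal line parser; a real run would use a YAML library)."""
    for line in (context_yaml or "").splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "jurisdiction":
            value = value.strip().strip("\"'")
            return value if value in OVERLAYS and value != "unclear" else None
    return None


def scan_signals(files: dict) -> dict:
    """Map market -> files whose text carries that market's regime keywords."""
    return {m: [p for p, t in files.items() if rx.search(t)] for m, rx in SIGNALS.items()}


def select_overlay(context_yaml: Optional[str], files: dict) -> dict:
    """Choose us / eu / us+eu / unclear from evidence, never defaulting to US."""
    declared = declared_jurisdiction(context_yaml)
    hits = scan_signals(files)
    found = {m for m, paths in hits.items() if paths}
    declared_set = set(declared.split("+")) if declared else set()
    conflicts = []
    if found <= declared_set:
        chosen = declared_set  # repository evidence agrees with the declaration
    elif not declared_set:
        chosen = found  # no declaration: the scanned evidence alone decides
    else:
        # Declared set misses a market the repository shows: say so and take
        # the union, the most defensible set, rather than silently narrowing.
        conflicts.append(f"declared {declared!r}, but signals also found: {hits}")
        chosen = found | declared_set
    name = "+".join(sorted(chosen, reverse=True)) or "unclear"
    return {"jurisdiction": name, "overlays": OVERLAYS[name],
            "conflicts": conflicts, "needs_confirmation": name == "unclear"}
```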
Operating Rules