health-hipaa-review
HIPAA Code Audit
Overview
Use this skill to inspect healthcare software and produce an audit report of code and delivery areas where HIPAA-aligned handling of PHI, ePHI, or adjacent sensitive PII appears incomplete, risky, or unsupported by evidence.
Operating Rules
- Never change code, configs, infrastructure, or documentation.
- Do not present the output as legal advice, certification, or a formal compliance determination.
- Bias toward code-observable evidence and clearly separate:
  - confirmed evidence from the code or config
  - likely inferences from nearby implementation
  - non-code dependencies that require policy, vendor, ops, or legal validation
- If a safeguard is addressable under HIPAA, treat missing implementation or missing documented alternative as a finding candidate, not an automatic pass.
- When PII appears without clear PHI, still report the privacy risk and note that HIPAA scope may depend on context.
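As an added example (not part of the skill or of the reason-healthcare/health-skills repository), the following Python helper applies the operating rules above to a list of audit observations: every entry is kept under exactly one evidence tier, an addressable safeguard with neither an implementation nor a documented alternative becomes a finding candidate, PII without clear PHI is still reported with a scope caveat, and anything that depends on policy, vendor, ops or legal input is marked as needing validation rather than decided from the code. The `Observation` fields, the status strings, the required/addressable split and the sample observations are assumptions made for this example.

```python
"""Triage helper for a HIPAA-style code audit report.

Added example, not part of the health-hipaa-review skill. Field names,
status labels and the sample observations below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Evidence(Enum):
    """The three evidence tiers the report must keep separate."""
    CONFIRMED = "confirmed evidence from the code or config"
    INFERRED = "likely inference from nearby implementation"
    EXTERNAL = "non-code dependency requiring policy, vendor, ops, or legal validation"


@dataclass
class Observation:
    location: str              # file:line or config key (constructed)
    safeguard: str             # safeguard the observation relates to
    evidence: Evidence
    data_class: str            # "PHI", "PII", or "none"
    addressable: bool = False  # assumption: addressable vs. required safeguard
    implemented: bool = False
    documented_alternative: bool = False


def triage(obs: Observation) -> dict:
    """Classify one observation into a report entry with explanatory notes."""
    notes = []
    if obs.evidence is Evidence.EXTERNAL:
        # Not determinable from the repository: never a pass, never a confirmed finding.
        status = "needs validation"
        notes.append("requires policy, vendor, ops, or legal validation outside the code")
    elif obs.implemented:
        status = "no finding"
    elif obs.addressable and obs.documented_alternative:
        status = "no finding"
        notes.append("addressable safeguard covered by a documented alternative")
    elif obs.addressable:
        status = "finding candidate"
        notes.append("addressable safeguard: no implementation and no documented alternative")
    else:
        status = "finding candidate"
        notes.append("required safeguard not implemented")
    if obs.data_class == "PII":
        notes.append("PII without clear PHI: privacy risk; HIPAA scope depends on context")
    return {"location": obs.location, "safeguard": obs.safeguard, "status": status,
            "evidence": obs.evidence.name.lower(), "notes": notes}


def build_report(observations) -> dict:
    """Group entries by evidence tier so confirmed, inferred and external never mix."""
    report = {tier.name.lower(): [] for tier in Evidence}
    for obs in observations:
        entry = triage(obs)
        report[entry["evidence"]].append(entry)
    return report


# Constructed sample observations, as an auditor might record them.
SAMPLE = [
    Observation("src/audit.py:42", "audit controls (PHI access logging)",
                Evidence.CONFIRMED, "PHI", addressable=False, implemented=False),
    Observation("infra/db.tf", "encryption at rest",
                Evidence.CONFIRMED, "PHI", addressable=True, implemented=False),
    Observation("src/export.py:10", "minimum necessary on export",
                Evidence.INFERRED, "PII", addressable=False, implemented=True),
    Observation("vendor/contract", "business associate agreement",
                Evidence.EXTERNAL, "PHI", addressable=False, implemented=False),
]

if __name__ == "__main__":
    for tier, entries in build_report(SAMPLE).items():
        print(f"== {tier} ==")
        for e in entries:
            print(f"{e['location']}: {e['safeguard']} -> {e['status']}; " + "; ".join(e["notes"]))
```

Keeping the tier as the top-level grouping, rather than a flag on each entry, makes it hard for a report writer to quietly upgrade an inference into a confirmed finding.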
Workflow