HIPAA Compliance Skill

0 0 Updated: 2026-07-15 14:37:48

The HIPAA Compliance Skill is part of the ECC (Agent Harness Performance Optimization System), specifically designed to help AI agents and development tools meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). This skill provides guidelines, policies, and best practices for securely handling Protected Health Information (PHI), ensuring that AI applications developed in environments like Claude Code, Codex, Opencode, and Cursor comply with healthcare data privacy and security standards. Ideal for AI projects handling medical data, health tech applications, and healthcare IT systems.

Install
bunx skills add https://github.com/affaan-m/ECC --skill hipaa-compliance
Skill Details readonly

1. Skill Overview

This skill is invoked when a task explicitly involves US healthcare compliance. It covers core compliance domains including PHI/PII handling, data classification, audit logging, encryption, and data leakage prevention. Acting as the top-level entry point for the healthcare compliance knowledge suite, it operates alongside these complementary specialist skills:
Companion Skill Core Responsibility
healthcare-phi-compliance Primary implementation skill for PHI/PII processing, data classification, audit logging, encryption, and leakage prevention
healthcare-reviewer Specialist secondary review for code, architecture, or product behavior requiring healthcare-aware compliance audit
security-review General security audit for authentication, input sanitization, secret management, API hardening, and production security controls
healthcare-emr-patterns Standardized EMR workflow patterns
healthcare-eval-harness Dedicated healthcare compliance evaluation tooling

2. Core Capabilities

2.1 Trigger Conditions

This skill must be activated for any of the following scenarios:
  1. Requests explicitly referencing HIPAA, PHI, covered entities, business associates, or BAAs
  2. Building or auditing US healthcare software that stores, processes, exports, or transmits PHI
  3. Evaluating logging, analytics, LLM prompt injection, persistent storage, or support workflows that introduce HIPAA exposure risks
  4. Designing patient/clinician-facing systems where minimum necessary access and full auditability are critical compliance requirements

2. Standard Execution Workflow

Treat HIPAA rules as an overlay layer applied on top of base healthcare privacy logic:
  1. Start with healthcare-phi-compliance to retrieve granular implementation specifications
  2. Apply HIPAA-specific decision gate validation with these mandatory audit questions:
    • Does this dataset qualify as PHI?
    • Is the participating party a covered entity or designated business associate?
    • Does the vendor/model provider require a signed BAA before handling PHI data?
    • Is access restricted to the minimum necessary PHI subset required to complete the task?
    • Are all read/write/export events fully auditable with immutable tracking records?
  3. Escalate to healthcare-reviewer if the workflow impacts patient safety, clinical workflows, or regulated production architecture

2.2 Mandatory HIPAA Compliance Guardrails

The skill enforces non-negotiable HIPAA security rules:
Compliance Guardrail Full Specification
PHI prohibited in all logs PHI must never appear in application logs, analytics events, crash reports, LLM prompt payloads, or user-facing error message strings
PHI blocked from URLs & client storage PHI cannot be embedded in URLs, persisted in browser storage, included in screenshots, or hardcoded within sample API payloads shared for debugging
Mandatory authentication + full audit trails All PHI read/write operations require authenticated, scoped user access with immutable audit logging for every interaction
Third-party service default deny policy All SaaS observability tools, support platforms, and LLM providers are blocked from processing PHI by default until BAA status and strict data boundary controls are formally validated
Minimum necessary access enforcement Each authorized user may only view the smallest subset of PHI required to complete their assigned job function
Prefer opaque internal identifiers Use non-identifiable internal record IDs instead of raw names, MRNs, phone numbers, physical addresses, or other direct patient identifiers wherever possible

3. Primary Use Cases

  1. Compliance-aligned healthcare software design
     
    Enforce full HIPAA adherence during development of software serving US clinics, hospitals, and clinical practices
  2. Third-party vendor & tool risk assessment
     
    Evaluate whether external vendors (analytics platforms, LLM inference providers) are permitted to ingest or process PHI data
  3. AI clinical feature compliance auditing
     
    Audit PHI data flow, logging rules, persistent storage, and prompt boundaries when building AI-assisted clinical functionality such as AI-generated patient visit summaries
  4. Logging & observability compliance audit
     
    Validate that logging pipelines, analytics tracking, and crash reporting systems do not contain unredacted PHI
  5. Healthcare-aware code & architecture secondary review
     
    Perform specialized compliance audits of source code, system architecture, and end-user product behavior
  6. BAA eligibility decision support
     
    Determine whether a vendor is legally required to execute a Business Associate Agreement before handling PHI

4. Critical Guiding Principles

  1. PHI log exclusion rule: No PHI may exist in logs, analytics events, crash dumps, LLM prompts, or client-side error strings
  2. PHI URL/client storage ban: PHI must never be embedded in URLs, browser local storage, screenshots, or shared sample payloads
  3. Third-party default deny: External services cannot process PHI until BAA coverage and strict data boundary controls are fully verified
  4. Minimum necessary access standard: Users are restricted to only the minimal PHI dataset required to complete their authorized tasks
  5. Opaque identifier priority: Replace direct patient identifiers (names, MRNs, contact information) with non-identifiable internal IDs wherever feasible
  6. Full auditability for all PHI operations: Every read, write, and export action involving PHI must generate immutable audit trail records
  7. General security controls still apply: All standard authentication, input sanitization, secret management, API, and production hardening rules from security-review remain fully enforceable alongside HIPAA compliance rules

5. Standard Implementation Examples

Example 1: AI Clinical Feature Compliance

User Request: Add AI-generated clinical visit summary functionality to a clinician dashboard for a US clinic deployment, requiring full HIPAA compliance.
 
Standard Response Workflow:
  1. Activate the core HIPAA compliance skill
  2. Leverage healthcare-phi-compliance to audit PHI data flow, logging pipelines, persistent storage rules, and LLM prompt boundary controls
  3. Verify the summary generation LLM vendor is fully covered by a signed BAA before any PHI data is transmitted to the model
  4. Escalate to healthcare-reviewer if the AI summary output directly impacts clinical patient care decisions

Example 2: Third-Party Vendor Risk Evaluation

User Request: Can support ticket threads containing patient messages be forwarded to an external analytics platform?
 
Standard Response Workflow:
  1. Classify all patient message content as potential PHI by default
  2. Block the proposed integration unless the analytics vendor is formally approved for HIPAA-regulated workloads with fully minimized data transfer paths
  3. Mandate full PHI redaction or non-PHI event-only ingestion models where technically feasible

Summary

HIPAA Compliance is the top-tier entry skill for US healthcare data compliance within the ECC project. It implements a layered decision framework that applies HIPAA regulatory requirements as an overlay on top of base healthcare privacy tooling. It covers core compliance domains including PHI classification, access control governance, immutable audit tracking, third-party vendor BAA eligibility evaluation, and minimum necessary access enforcement, while enforcing strict hard guardrails prohibiting PHI exposure within logs, URLs, and client-side browser storage, plus a default deny policy for all external third-party services. This skill is used for healthcare software development, third-party vendor risk assessment, AI clinical feature compliance audits, and architectural/code compliance reviews, and is designed to operate in tandem with supporting specialist skills: healthcare-phi-compliance, healthcare-reviewer, and security-review.