1. Skill Overview
This skill is invoked when a task explicitly involves US healthcare compliance. It covers core compliance domains including PHI/PII handling, data classification, audit logging, encryption, and data leakage prevention. Acting as the top-level entry point for the healthcare compliance knowledge suite, it operates alongside these complementary specialist skills:
| Companion Skill | Core Responsibility |
|---|---|
healthcare-phi-compliance |
Primary implementation skill for PHI/PII processing, data classification, audit logging, encryption, and leakage prevention |
healthcare-reviewer |
Specialist secondary review for code, architecture, or product behavior requiring healthcare-aware compliance audit |
security-review |
General security audit for authentication, input sanitization, secret management, API hardening, and production security controls |
healthcare-emr-patterns |
Standardized EMR workflow patterns |
healthcare-eval-harness |
Dedicated healthcare compliance evaluation tooling |
2. Core Capabilities
2.1 Trigger Conditions
This skill must be activated for any of the following scenarios:
- Requests explicitly referencing HIPAA, PHI, covered entities, business associates, or BAAs
- Building or auditing US healthcare software that stores, processes, exports, or transmits PHI
- Evaluating logging, analytics, LLM prompt injection, persistent storage, or support workflows that introduce HIPAA exposure risks
- Designing patient/clinician-facing systems where minimum necessary access and full auditability are critical compliance requirements
2. Standard Execution Workflow
Treat HIPAA rules as an overlay layer applied on top of base healthcare privacy logic:
- Start with
healthcare-phi-complianceto retrieve granular implementation specifications - Apply HIPAA-specific decision gate validation with these mandatory audit questions:
- Does this dataset qualify as PHI?
- Is the participating party a covered entity or designated business associate?
- Does the vendor/model provider require a signed BAA before handling PHI data?
- Is access restricted to the minimum necessary PHI subset required to complete the task?
- Are all read/write/export events fully auditable with immutable tracking records?
- Escalate to
healthcare-reviewerif the workflow impacts patient safety, clinical workflows, or regulated production architecture
2.2 Mandatory HIPAA Compliance Guardrails
The skill enforces non-negotiable HIPAA security rules:
| Compliance Guardrail | Full Specification |
|---|---|
| PHI prohibited in all logs | PHI must never appear in application logs, analytics events, crash reports, LLM prompt payloads, or user-facing error message strings |
| PHI blocked from URLs & client storage | PHI cannot be embedded in URLs, persisted in browser storage, included in screenshots, or hardcoded within sample API payloads shared for debugging |
| Mandatory authentication + full audit trails | All PHI read/write operations require authenticated, scoped user access with immutable audit logging for every interaction |
| Third-party service default deny policy | All SaaS observability tools, support platforms, and LLM providers are blocked from processing PHI by default until BAA status and strict data boundary controls are formally validated |
| Minimum necessary access enforcement | Each authorized user may only view the smallest subset of PHI required to complete their assigned job function |
| Prefer opaque internal identifiers | Use non-identifiable internal record IDs instead of raw names, MRNs, phone numbers, physical addresses, or other direct patient identifiers wherever possible |
3. Primary Use Cases
- Compliance-aligned healthcare software design
Enforce full HIPAA adherence during development of software serving US clinics, hospitals, and clinical practices
- Third-party vendor & tool risk assessment
Evaluate whether external vendors (analytics platforms, LLM inference providers) are permitted to ingest or process PHI data
- AI clinical feature compliance auditing
Audit PHI data flow, logging rules, persistent storage, and prompt boundaries when building AI-assisted clinical functionality such as AI-generated patient visit summaries
- Logging & observability compliance audit
Validate that logging pipelines, analytics tracking, and crash reporting systems do not contain unredacted PHI
- Healthcare-aware code & architecture secondary review
Perform specialized compliance audits of source code, system architecture, and end-user product behavior
- BAA eligibility decision support
Determine whether a vendor is legally required to execute a Business Associate Agreement before handling PHI
4. Critical Guiding Principles
- PHI log exclusion rule: No PHI may exist in logs, analytics events, crash dumps, LLM prompts, or client-side error strings
- PHI URL/client storage ban: PHI must never be embedded in URLs, browser local storage, screenshots, or shared sample payloads
- Third-party default deny: External services cannot process PHI until BAA coverage and strict data boundary controls are fully verified
- Minimum necessary access standard: Users are restricted to only the minimal PHI dataset required to complete their authorized tasks
- Opaque identifier priority: Replace direct patient identifiers (names, MRNs, contact information) with non-identifiable internal IDs wherever feasible
- Full auditability for all PHI operations: Every read, write, and export action involving PHI must generate immutable audit trail records
- General security controls still apply: All standard authentication, input sanitization, secret management, API, and production hardening rules from
security-reviewremain fully enforceable alongside HIPAA compliance rules
5. Standard Implementation Examples
Example 1: AI Clinical Feature Compliance
User Request: Add AI-generated clinical visit summary functionality to a clinician dashboard for a US clinic deployment, requiring full HIPAA compliance.
Standard Response Workflow:
- Activate the core HIPAA compliance skill
- Leverage
healthcare-phi-complianceto audit PHI data flow, logging pipelines, persistent storage rules, and LLM prompt boundary controls - Verify the summary generation LLM vendor is fully covered by a signed BAA before any PHI data is transmitted to the model
- Escalate to
healthcare-reviewerif the AI summary output directly impacts clinical patient care decisions
Example 2: Third-Party Vendor Risk Evaluation
User Request: Can support ticket threads containing patient messages be forwarded to an external analytics platform?
Standard Response Workflow:
- Classify all patient message content as potential PHI by default
- Block the proposed integration unless the analytics vendor is formally approved for HIPAA-regulated workloads with fully minimized data transfer paths
- Mandate full PHI redaction or non-PHI event-only ingestion models where technically feasible
Summary
HIPAA Compliance is the top-tier entry skill for US healthcare data compliance within the ECC project. It implements a layered decision framework that applies HIPAA regulatory requirements as an overlay on top of base healthcare privacy tooling. It covers core compliance domains including PHI classification, access control governance, immutable audit tracking, third-party vendor BAA eligibility evaluation, and minimum necessary access enforcement, while enforcing strict hard guardrails prohibiting PHI exposure within logs, URLs, and client-side browser storage, plus a default deny policy for all external third-party services. This skill is used for healthcare software development, third-party vendor risk assessment, AI clinical feature compliance audits, and architectural/code compliance reviews, and is designed to operate in tandem with supporting specialist skills:
healthcare-phi-compliance, healthcare-reviewer, and security-review.