Agent skill

hipaa-compliance

Ensure HIPAA compliance when handling PHI (Protected Health Information). Use when writing code that accesses user health data, check-ins, journal entries, or any sensitive information. Activates for audit logging, data access, security events, and compliance questions.

Stars 81
Forks 12

Install this agent skill to your Project

npx add-skill https://github.com/curiositech/some_claude_skills/tree/main/.claude/skills/hipaa-compliance

Metadata

Additional technical details for this skill

tags
hipaa compliance security
category
Code Quality & Testing
pairs with
[
    {
        "skill": "recovery-app-legal-terms",
        "reason": "HIPAA requirements directly inform privacy policy and terms of service content for health apps"
    },
    {
        "skill": "security-auditor",
        "reason": "HIPAA technical safeguards overlap with security vulnerability scanning and access controls"
    },
    {
        "skill": "recovery-social-features",
        "reason": "Social features handling health data must comply with HIPAA privacy and consent rules"
    },
    {
        "skill": "crisis-response-protocol",
        "reason": "Crisis responses involving health disclosures must follow HIPAA breach notification rules"
    }
]

SKILL.md

HIPAA Compliance for Recovery Coach

This skill helps you maintain HIPAA compliance when developing features that handle Protected Health Information (PHI).

What is PHI in This Application?

Data Type PHI Status Handling
Check-in mood/cravings PHI Audit all access
Journal entries PHI Audit all access
Chat conversations PHI Audit all access
User profile (name, email) PHI Audit modifications
Sobriety date PHI Audit access
Emergency contacts PHI Audit access
Usage analytics (aggregated) NOT PHI No audit needed
Page views (no content) NOT PHI No audit needed

Audit Logging Requirements

When to Log

Always log these operations:

  • Viewing any PHI (check-ins, journal, messages)
  • Creating/updating/deleting PHI
  • Exporting user data
  • Admin access to user information
  • Failed authentication attempts
  • Security events (rate limiting, unauthorized access)

How to Log

Use the audit logging utilities in src/lib/hipaa/audit.ts:

typescript
import {
  logPHIAccess,
  logPHIModification,
  logSecurityEvent,
  logAdminAction
} from '@/lib/hipaa/audit';

// Viewing PHI
await logPHIAccess(
  userId,
  'checkin',        // targetType
  checkinId,        // targetId
  AuditAction.PHI_VIEW
);

// Modifying PHI
await logPHIModification(
  userId,
  'journal',
  journalId,
  AuditAction.PHI_UPDATE,
  { field: 'content' }  // Never include actual content!
);

// Security event
await logSecurityEvent(
  userId,
  AuditAction.RATE_LIMIT,
  { path: '/api/chat', attempts: 60 }
);

// Admin action
await logAdminAction(
  adminId,
  AuditAction.ADMIN_USER_VIEW,
  'user',
  targetUserId
);

Data Sanitization

Never Log These Fields

The audit system automatically sanitizes, but be explicit:

typescript
// BAD - Contains PHI
await logPHIAccess(userId, 'journal', id, action, {
  content: journalEntry.content  // NEVER DO THIS
});

// GOOD - Only metadata
await logPHIAccess(userId, 'journal', id, action, {
  wordCount: journalEntry.content.length,
  hasAttachments: false
});

Sanitized Fields (Auto-Redacted)

  • password, token, secret, key
  • authorization, cookie, session
  • credential, content, message, notes

Session Security Requirements

From src/lib/auth.ts:

  • Session timeout: 15 minutes of inactivity (HIPAA requirement)
  • Max session: 8 hours absolute maximum
  • Failed login lockout: 5 attempts = 30 minute ban
  • Password requirements: 12+ chars, mixed case, numbers, special chars

Code Patterns

API Route with Audit Logging

typescript
import { getSession, requireAuth } from '@/lib/auth';
import { logPHIAccess } from '@/lib/hipaa/audit';

export async function GET(request: Request) {
  const session = await getSession();
  if (!session) {
    return Response.json({ error: 'Unauthorized' }, { status: 401 });
  }

  // Fetch the data
  const data = await fetchUserData(session.userId);

  // Log the access
  await logPHIAccess(
    session.userId,
    'userdata',
    session.userId,
    AuditAction.PHI_VIEW
  );

  return Response.json(data);
}

Component with PHI Access

typescript
'use client';

import { useEffect } from 'react';

export function JournalViewer({ entryId }: { entryId: string }) {
  useEffect(() => {
    // Log view on mount (server-side preferred, but client backup)
    fetch('/api/audit/log', {
      method: 'POST',
      body: JSON.stringify({
        action: 'PHI_VIEW',
        targetType: 'journal',
        targetId: entryId
      })
    });
  }, [entryId]);

  // ... render
}

Compliance Checklist

Before shipping any feature that touches PHI:

  • All PHI access is audit logged
  • No PHI content in logs (only IDs and metadata)
  • Data access requires authentication
  • Admin access has separate audit trail
  • Failed access attempts are logged
  • Data export includes audit entry
  • Sensitive fields are encrypted at rest
  • Session timeout is enforced

Audit Log Retention

  • Minimum: 6 years (HIPAA requirement)
  • Format: Raw logs for 1 year, compressed thereafter
  • Location: audit_log table in database
  • Export: Encrypted exports for compliance audits

Emergency Access (Break Glass)

For emergency situations, use break-glass access:

typescript
import { requestBreakGlassAccess } from '@/lib/hipaa/break-glass';

// This creates enhanced audit trail
const access = await requestBreakGlassAccess(
  adminId,
  targetUserId,
  'Emergency support required - user reported crisis'
);

Break glass access:

  • Requires written justification
  • Creates permanent audit record
  • Triggers alert to compliance officer
  • Must be reviewed within 24 hours

Resources

  • HIPAA Security Rule: 45 C.F.R. § 164.312
  • Audit controls standard: 45 C.F.R. § 164.312(b)
  • Incident response plan: docs/INCIDENT-RESPONSE-PLAN.md
  • Security documentation: docs/SECURITY-HARDENING.md

Expand your agent's capabilities with these related and highly-rated skills.

curiositech/some_claude_skills

3d-cv-labeling-2026

Expert in 3D computer vision labeling tools, workflows, and AI-assisted annotation for LiDAR, point clouds, and sensor fusion. Covers SAM4D/Point-SAM, human-in-the-loop architectures, and vertical-specific training strategies. Activate on '3D labeling', 'point cloud annotation', 'LiDAR labeling', 'SAM 3D', 'SAM4D', 'sensor fusion annotation', '3D bounding box', 'semantic segmentation point cloud'. NOT for 2D image labeling (use clip-aware-embeddings), general ML training (use ml-engineer), video annotation without 3D (use computer-vision-pipeline), or VLM prompt engineering (use prompt-engineer).

81 12
Explore
curiositech/some_claude_skills

project-management-guru-adhd

Expert project manager for ADHD engineers managing multiple concurrent projects. Specializes in hyperfocus management, context-switching minimization, and parakeet-style gentle reminders. Activate on 'ADHD project management', 'context switching', 'hyperfocus', 'task prioritization', 'multiple projects', 'productivity for ADHD', 'task chunking', 'deadline management'. NOT for neurotypical project management, rigid waterfall processes, or general productivity advice without ADHD context.

81 12
Explore
curiositech/some_claude_skills

large-scale-map-visualization

Master of high-performance web map implementations handling 5,000-100,000+ geographic data points. Specializes in Leaflet.js optimization, Supercluster algorithms, viewport-based loading, canvas rendering, and progressive disclosure UX patterns.

81 12
Explore
curiositech/some_claude_skills

adhd-design-expert

Designs digital experiences for ADHD brains using neuroscience research and UX principles. Expert in reducing cognitive load, time blindness solutions, dopamine-driven engagement, and compassionate design patterns. Activate on 'ADHD design', 'cognitive load', 'accessibility', 'neurodivergent UX', 'time blindness', 'dopamine-driven', 'executive function'. NOT for general accessibility (WCAG only), neurotypical UX design, or simple UI styling without ADHD context.

81 12
Explore
curiositech/some_claude_skills

liaison

Translate multi-agent ecosystem activity into human-readable status briefings, decision requests, and progress summaries. Use for 'status update', 'brief me', 'what happened', 'summarize progress'. NOT for project planning (use project-management-guru-adhd), code review, or technical documentation.

81 12
Explore
curiositech/some_claude_skills

windows-95-web-designer

Modern web applications with authentic Windows 95 aesthetic. Gradient title bars, Start menu paradigm, taskbar patterns, 3D beveled chrome. Extrapolates Win95 to AI chatbots, mobile UIs, responsive layouts. Activate on 'windows 95', 'win95', 'start menu', 'taskbar', 'retro desktop', '95 aesthetic', 'clippy'. NOT for Windows 3.1 (use windows-3-1-web-designer), vaporwave/synthwave, macOS, flat design.

81 12
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results