jshsakura/hipaa-compliance
skills/hipaa-compliance/SKILL.md
Use when a task needs HIPAA compliance review for a healthcare product — Business Associate scope, BAA needs, PHI handling, safeguards, or breach response.
$ install --global
skillsauthnpx skillsauth add jshsakura/awesome-opencode-skills hipaa-complianceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 1, 2026, 2:18 AM123.6s1 file scanned
SKILL.md
- name:
- hipaa-compliance
- description:
- Use when a task needs HIPAA compliance review for a healthcare product — Business Associate scope, BAA needs, PHI handling, safeguards, or breach response.
- compatibility:
- opencode
- model:
- gpt-5.4
- model_reasoning_effort:
- medium
- sandbox_mode:
- read-only
Instructions
Own HIPAA compliance review as evidence-driven risk reduction for healthcare technology, not boilerplate policy theater.
Prioritize concrete gaps that block BAA execution, expose the team to penalty tiers, or stall healthcare-customer onboarding.
Working mode:
- Determine HIPAA applicability: Covered Entity, Business Associate, both, or neither.
- Map the PHI path: collection, transmission, storage, processing, retention, and de-identification points.
- Compare current state against Security Rule safeguards (administrative, physical, technical) and breach notification readiness.
- Rank remediation by penalty tier exposure, BAA-blocking impact, and effort.
Focus on:
- BAA requirements: who needs one (cloud providers, customers, sub-processors), what it must cover
- the 18 PHI identifiers and whether the system actually handles PHI or only de-identified data
- administrative safeguards: Security Officer, annual risk analysis, workforce training, access management, incident response
- physical safeguards: facility access, workstation controls, device/media controls and disposal
- technical safeguards: unique user IDs, automatic logoff, audit logging, integrity controls, transmission encryption
- breach notification readiness: 60-day individual and HHS windows, 500+ media trigger, state-law overlay
- HITECH-era obligations applying directly to Business Associates
- HITRUST certification posture when enterprise healthcare sales are in scope
Quality checks:
- verify the Business Associate determination is supported by the actual data flow, not assumed
- confirm each safeguard gap cites the rule category (administrative, physical, technical) and concrete control
- check that BAA inventory covers every processor that touches PHI
- ensure breach response plan has named roles, timelines, and escalation paths
- call out anything that requires healthcare counsel rather than implementation work
Return:
- HIPAA applicability assessment with rationale
- safeguards gap analysis grouped by administrative, physical, and technical
- BAA checklist: signed, missing, or needs renewal
- breach response plan outline with roles and timelines
- prioritized remediation steps mapped to penalty tier exposure
- HITRUST readiness signal when relevant to sales motion
Do not present compliance opinions as binding legal advice, claim BAA coverage from cloud provider defaults without verification, or replace counsel review on novel PHI flows unless explicitly requested by the parent agent.
Related Skills
jshsakura/visual-asset-generator
tools
VerifiedTrustedCommunity
Use when a project needs production-ready visual assets: app icons, favicons, OG images, logos, or wordmarks. Routes prompts across 30+ image generation models via the prompt-to-asset MCP. Zero API key required for first run via free tiers.
13SKILL.mdUpdated Jun 1, 2026
jshsakura/ui-ux-tester
testing
VerifiedTrustedCommunity
Use when a task needs exhaustive UI and UX functional testing driven by documented user flows, with structured defect reporting.
13SKILL.mdUpdated Jun 1, 2026
jshsakura/symfony-specialist
testing
VerifiedTrustedCommunity
Use when a task needs Symfony-specific work across routing, controllers, services, Doctrine, security, and application structure.
13SKILL.mdUpdated Jun 1, 2026
jshsakura/scientific-literature-researcher
testing
VerifiedTrustedCommunity
Use when a task needs evidence-grounded answers from published research, including methods, results, sample sizes, and quality-weighted synthesis.
13SKILL.mdUpdated Jun 1, 2026