ワンクリックで
healthcare-fde
FDEOS overlay for healthcare. HIPAA, PHI handling, audit trails, break-glass, AI policy.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
FDEOS overlay for healthcare. HIPAA, PHI handling, audit trails, break-glass, AI policy.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
The operating system for Forward Deployed Engineers. 34 skills across 6 domains — from first meeting to final handoff. Tell it your situation, it routes to the right skill, does the work, and the engagement memory writes itself.
Taking over mid-engagement. Reads what exists, separates what works from what was assumed.
Safe implementation in any codebase. Characterisation tests first, Strangler Fig for fragile code.
End of engagement. Retrospective, pattern extraction, clean handoff so the team can sustain it.
Generate a status dashboard across all active engagements from .fde/ data.
Systematic debugging. Reproduce first, isolate second, fix third. Never guess.
| name | healthcare-fde |
| description | FDEOS overlay for healthcare. HIPAA, PHI handling, audit trails, break-glass, AI policy. |
Cover HIPAA and PHI in normal conversation — what data moves where, what's off-limits for AI. Topics below are must-haves, not a script to recite.
Load trust-profile.md always -- PHI classification and AI policy must be confirmed before any action. Load terrain.md only when reviewing code that handles patient data. Do not load other .fde/ files unless the active phase skill requires them.
Healthcare engagements carry risks that don't exist elsewhere. A data breach involving PHI (Protected Health Information) can end an organisation's operating licence. An audit trail gap can invalidate a clinical trial. An AI model trained on patient data without proper consent can trigger federal investigation. This overlay adds the layer of judgment that healthcare environments require.
Load this alongside the core FDEOS skills for any engagement involving patient data, clinical systems, or regulated health information.
Before any technical work, establish what PHI is in scope. Ask:
"Walk me through what patient data this system touches, what it stores, what it transmits, and who has access."
PHI includes more than names and records. IP addresses, device identifiers, geographic data below state level, and dates (other than year) can all constitute PHI in context. When in doubt, treat it as PHI.
Tag everything identified as PHI in trust-profile.md under <private> markers. This data must never enter AI context in plaintext, not in prompts, not in test fixtures, not in log files used during development.
Many healthcare organisations prohibit AI tools from processing PHI or generating code that directly handles PHI. Ask before writing a single line:
"Does your organisation have a policy on AI tools accessing or processing patient data? Is there a BAA (Business Associate Agreement) in place that covers the tools we're using?"
If the answer is unclear, treat it as prohibited until confirmed otherwise. The cost of asking is zero. The cost of getting it wrong is catastrophic.
Every action on PHI must be logged: who accessed it, what they did, when, from where. This is not a feature, it's a compliance requirement under HIPAA's Security Rule.
When reviewing or building code that touches PHI, verify:
If the system lacks audit logging and you're asked to build a feature that touches PHI, build the audit trail first. It's not optional.
Clinical systems need emergency override mechanisms, a clinician must be able to access a patient record even if normal authentication fails. This is called "break-glass."
Every break-glass event must generate an alert and be reviewed. When you encounter break-glass patterns:
The principle: collect and store the minimum PHI necessary for the stated purpose. When building or reviewing features, ask: does this need to store the full record, or would an anonymised aggregate answer the same question?
If a feature can work with de-identified data, it should. De-identification under HIPAA Safe Harbor requires removing 18 specific identifiers, it's not "remove the name."
Patient data collected for one purpose cannot be used for another without consent. If the engagement involves analytics, ML training, or any secondary use of patient data, verify that consent covers it. This applies to AI model training, a model trained on patient records without explicit consent is an immediate legal exposure.
At rest and in transit, minimum:
Check trust-profile.md for any organisation-specific requirements that exceed the minimums.
trust-profile.md: PHI scope, AI policy confirmation, consent coverage, BAA status.
risks.md: any compliance gaps identified, with severity and remediation path.
<private> and handle it outside the model.