원클릭으로 Manus에서 모든 스킬 실행

hipaa-compliance

HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.

Manus에서 실행

스타212,062

포크32,560

업데이트2026년 4월 5일 23:10

출처

affaan-m

affaan-m/ECC

GitHub 저장소 열기 Creator 저장소 보기

설치 명령

다운로드

Manus에서 실행

유용한 대상SOC

컴플라이언스 담당자비즈니스 및 금융 운영직13-1041L4

SKILL.md

readonly

name	hipaa-compliance
description	HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.
origin	ECC direct-port adaptation
version	1.0.0

HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

healthcare-phi-compliance remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
healthcare-reviewer remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
security-review still applies for general auth, input-handling, secrets, API, and deployment hardening.

When to Use

The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

Start with healthcare-phi-compliance for the concrete implementation rules.
Apply HIPAA-specific decision gates:
- Is this data PHI?
- Is this actor a covered entity or business associate?
- Does a vendor or model provider require a BAA before touching the data?
- Is access limited to the minimum necessary scope?
- Are read/write/export events auditable?
Escalate to healthcare-reviewer if the task affects patient safety, clinical workflows, or regulated production architecture.

HIPAA-Specific Guardrails

Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.

Examples

Example 1: Product request framed as HIPAA

User request:

Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

Activate hipaa-compliance
Use healthcare-phi-compliance to review PHI movement, logging, storage, and prompt boundaries
Verify whether the summarization provider is covered by a BAA before any PHI is sent
Escalate to healthcare-reviewer if the summaries influence clinical decisions

Example 2: Vendor/tooling decision

User request:

Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

Assume those messages may contain PHI
Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
Require redaction or a non-PHI event model when possible

Related Skills

healthcare-phi-compliance
healthcare-reviewer
healthcare-emr-patterns
healthcare-eval-harness
security-review

이 저장소의 다른 Skills

같은 저장소

continuous-learning-v2

affaan-m/ECC

Instinct-based learning system that observes sessions via hooks, creates atomic instincts with confidence scoring, and evolves them into skills/commands/agents. v2.1 adds project-scoped instincts to prevent cross-project contamination.

2026-06-10212.1k

orch-add-feature

affaan-m/ECC

Orchestrate building a brand-new feature end to end — research, plan, TDD implementation, review, and gated commit — by delegating each phase to the matching ECC agent. Use when adding a capability that does not exist yet.

2026-06-07212.1k

orch-build-mvp

affaan-m/ECC

Orchestrate bootstrapping a working MVP from a design or spec document — ingest the doc, plan thin vertical slices, scaffold the first end-to-end slice, then TDD-implement, review, and gated commit. Use to turn an SDD/PRD into a running starting point.

2026-06-07212.1k

orch-change-feature

affaan-m/ECC

Orchestrate altering an existing, working feature to new desired behavior — update its tests to the new spec, change the implementation to match, review, and gated commit. Use when behavior is not broken but should be different.

2026-06-07212.1k

orch-fix-defect

affaan-m/ECC

Orchestrate fixing a bug — reproduce it as a failing regression test, fix to green, review, and gated commit — by delegating each phase to the matching ECC agent. Use when existing behavior is broken or wrong.

2026-06-07212.1k

orch-pipeline

affaan-m/ECC

Shared orchestration engine for the orch-* skill family. Defines the gated Research-Plan-TDD-Review-Commit pipeline, the size classifier, the agent map, and the two human gates that the orch-* operation skills delegate to. Not usually invoked directly.

2026-06-07212.1k

name	hipaa-compliance
description	HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.
origin	ECC direct-port adaptation
version	1.0.0

HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

healthcare-phi-compliance remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
healthcare-reviewer remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
security-review still applies for general auth, input-handling, secrets, API, and deployment hardening.

When to Use

The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

Start with healthcare-phi-compliance for the concrete implementation rules.
Apply HIPAA-specific decision gates:
- Is this data PHI?
- Is this actor a covered entity or business associate?
- Does a vendor or model provider require a BAA before touching the data?
- Is access limited to the minimum necessary scope?
- Are read/write/export events auditable?
Escalate to healthcare-reviewer if the task affects patient safety, clinical workflows, or regulated production architecture.

HIPAA-Specific Guardrails

Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.

Examples

Example 1: Product request framed as HIPAA

User request:

Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

Activate hipaa-compliance
Use healthcare-phi-compliance to review PHI movement, logging, storage, and prompt boundaries
Verify whether the summarization provider is covered by a BAA before any PHI is sent
Escalate to healthcare-reviewer if the summaries influence clinical decisions

Example 2: Vendor/tooling decision

User request:

Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

Assume those messages may contain PHI
Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
Require redaction or a non-PHI event model when possible

Related Skills

healthcare-phi-compliance
healthcare-reviewer
healthcare-emr-patterns
healthcare-eval-harness
security-review