Run any Skill in Manus with one click

$pwd:

hipaa-compliance

Name: Hipaa Compliance
Author: affaan-m

// HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.

Run Skill in Manus

$ git log --oneline --stat

stars:188,749

forks:29,203

updated:April 5, 2026 at 23:10

SKILL.md

readonly

name	hipaa-compliance
description	HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.
origin	ECC direct-port adaptation
version	1.0.0

HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

healthcare-phi-compliance remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
healthcare-reviewer remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
security-review still applies for general auth, input-handling, secrets, API, and deployment hardening.

When to Use

The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

Start with healthcare-phi-compliance for the concrete implementation rules.
Apply HIPAA-specific decision gates:
- Is this data PHI?
- Is this actor a covered entity or business associate?
- Does a vendor or model provider require a BAA before touching the data?
- Is access limited to the minimum necessary scope?
- Are read/write/export events auditable?
Escalate to healthcare-reviewer if the task affects patient safety, clinical workflows, or regulated production architecture.

HIPAA-Specific Guardrails

Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.

Examples

Example 1: Product request framed as HIPAA

User request:

Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

Activate hipaa-compliance
Use healthcare-phi-compliance to review PHI movement, logging, storage, and prompt boundaries
Verify whether the summarization provider is covered by a BAA before any PHI is sent
Escalate to healthcare-reviewer if the summaries influence clinical decisions

Example 2: Vendor/tooling decision

User request:

Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

Assume those messages may contain PHI
Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
Require redaction or a non-PHI event model when possible

Related Skills

healthcare-phi-compliance
healthcare-reviewer
healthcare-emr-patterns
healthcare-eval-harness
security-review

related-skills.json

same repository

continuous-learning-v2.md

from "affaan-m/ECC"

Instinct-based learning system that observes sessions via hooks, creates atomic instincts with confidence scoring, and evolves them into skills/commands/agents. v2.1 adds project-scoped instincts to prevent cross-project contamination.

2026-05-19188.7k

blender-motion-state-inspection.md

from "affaan-m/ECC"

Use this skill when inspecting Blender characters, rigs, poses, animation retargeting, ground contact, facing direction, or model-vs-motion alignment where screenshots alone are not enough.

2026-05-18188.7k

strategic-compact.md

from "affaan-m/ECC"

Suggests manual context compaction at logical intervals to preserve context through task phases rather than arbitrary auto-compaction.

2026-05-18188.7k

uncloud.md

from "affaan-m/ECC"

Use when managing an Uncloud cluster — deploying services, configuring Caddy ingress, adding static proxy routes for non-cluster devices, publishing ports, scaling, inspecting logs, or managing machines and volumes with the `uc` CLI.

2026-05-18188.7k

autonomous-loops.md

from "affaan-m/ECC"

自動Claude Codeループのパターンとアーキテクチャ — シンプルな順序パイプラインからRFC駆動マルチエージェントDAGシステムまで。

2026-05-17188.7k

angular-developer.md

from "affaan-m/ECC"

Angular コードを生成し、アーキテクチャガイダンスを提供します。プロジェクトの作成、コンポーネント、またはサービスを作成するとき、または反応性（シグナル、linkedSignal、リソース）、フォーム、依存性注入、ルーティング、SSR、アクセシビリティ（ARIA）、アニメーション、スタイリング（コンポーネントスタイル、Tailwind CSS）、テスト、または CLI ツール作成のベストプラクティスについてトリガーされます。

2026-05-17188.7k

package.json

"author": "affaan-m"

"repository": "affaan-m/ECC"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Compliance OfficersBusiness and Financial Operations Occupations13-1041L4

name	hipaa-compliance
description	HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements.
origin	ECC direct-port adaptation
version	1.0.0

HIPAA Compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical:

healthcare-phi-compliance remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention.
healthcare-reviewer remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass.
security-review still applies for general auth, input-handling, secrets, API, and deployment hardening.

When to Use

The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs
Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI
Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure
Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter

How It Works

Treat HIPAA as an overlay on top of the broader healthcare privacy skill:

Start with healthcare-phi-compliance for the concrete implementation rules.
Apply HIPAA-specific decision gates:
- Is this data PHI?
- Is this actor a covered entity or business associate?
- Does a vendor or model provider require a BAA before touching the data?
- Is access limited to the minimum necessary scope?
- Are read/write/export events auditable?
Escalate to healthcare-reviewer if the task affects patient safety, clinical workflows, or regulated production architecture.

HIPAA-Specific Guardrails

Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings.
Never expose PHI in URLs, browser storage, screenshots, or copied example payloads.
Require authenticated access, scoped authorization, and audit trails for PHI reads and writes.
Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear.
Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task.
Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers.

Examples

Example 1: Product request framed as HIPAA

User request:

Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant.

Response pattern:

Activate hipaa-compliance
Use healthcare-phi-compliance to review PHI movement, logging, storage, and prompt boundaries
Verify whether the summarization provider is covered by a BAA before any PHI is sent
Escalate to healthcare-reviewer if the summaries influence clinical decisions

Example 2: Vendor/tooling decision

User request:

Can we send support transcripts and patient messages into our analytics stack?

Response pattern:

Assume those messages may contain PHI
Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized
Require redaction or a non-PHI event model when possible

Related Skills

healthcare-phi-compliance
healthcare-reviewer
healthcare-emr-patterns
healthcare-eval-harness
security-review

hipaa-compliance

HIPAA Compliance

When to Use

How It Works

HIPAA-Specific Guardrails

Examples

Example 1: Product request framed as HIPAA

Example 2: Vendor/tooling decision

Related Skills

More from this repository

More from this repository

HIPAA Compliance

When to Use

How It Works

HIPAA-Specific Guardrails

Examples

Example 1: Product request framed as HIPAA

Example 2: Vendor/tooling decision

Related Skills