hipaa-safeguards
GitHub用于映射HIPAA安全规则保障措施并执行风险评估。涵盖行政、物理和技术控制,区分强制与可寻址项,生成评估报告、BAA范围及优先级整改计划,确保PHI处理合规且可审计。
触发场景
安装
npx skills add mohitagw15856/pm-claude-skills --skill hipaa-safeguards -g -y
SKILL.md
Frontmatter
{
"name": "hipaa-safeguards",
"description": "Map HIPAA Security Rule safeguards and run a risk analysis for systems handling PHI. Use when asked to become HIPAA-compliant, assess HIPAA safeguards, prepare for handling PHI\/ePHI, or scope a BAA. Produces a HIPAA assessment — the administrative\/physical\/technical safeguards with required-vs-addressable status, a risk analysis, BAA scope, and a prioritised remediation plan."
}
HIPAA Safeguards Skill
HIPAA's Security Rule is a list of safeguards for electronic protected health information (ePHI), split into administrative, physical, and technical — some required, some addressable (you must do them or document why an equivalent is reasonable). This skill maps your controls to that list, runs the risk analysis HIPAA mandates, and flags where you're exposed — so handling PHI is defensible, not hopeful.
Required Inputs
Ask for these only if they aren't already provided:
- Your role — covered entity, or business associate (a vendor handling PHI for one). Both owe Security Rule safeguards.
- The ePHI flow — where PHI is created, received, stored, transmitted, and who can access it.
- Current safeguards — what's in place for access control, encryption, audit logging, backups, training.
- Business associates — third parties touching PHI (each needs a BAA).
Output Format
HIPAA Assessment: [entity] ([covered entity / business associate])
1. ePHI inventory & flow — where PHI lives and moves; the systems in scope.
2. Safeguards — a table per category; status met / partial / gap, and required vs. addressable:
| Category | Safeguard | Req/Addr | Status | Notes |
|---|---|---|---|---|
| Technical | Encryption of ePHI at rest & in transit | Addressable | partial | TLS yes; disk encryption pending |
| Administrative | Security risk analysis | Required | gap | Not yet performed |
| Physical | Facility access controls | Required | met |
3. Risk analysis — the required (§164.308(a)(1)) assessment: threats to ePHI, likelihood × impact, and the residual risk after controls. This is the control auditors check first and the one most often missing.
4. BAA scope — which business associates need a Business Associate Agreement, and what each must guarantee.
5. Remediation — prioritised gaps (required-and-gap first), owners, dates. For addressable items not implemented, the documented justification + alternative.
Programmatic Helper
scripts/hipaa_checklist.py (stdlib only) scores safeguard coverage and surfaces unmet required
safeguards (the ones with no "addressable" escape hatch):
# safeguards.json: [{"category":"Technical","safeguard":"...","required":true,"status":"met|partial|gap"}, ...]
python3 scripts/hipaa_checklist.py safeguards.json
python3 scripts/hipaa_checklist.py safeguards.json --json
Quality Checks
- A documented security risk analysis exists (or is the top remediation item) — it's required and foundational
- Each safeguard is marked required vs. addressable, and addressable-not-done items have a written justification + alternative
- Encryption of ePHI in transit and at rest is assessed explicitly
- Every business associate has (or is flagged as needing) a BAA
- Audit logging / access review for PHI access is covered
Anti-Patterns
- Do not treat "addressable" as "optional" — you must implement it or document why an equivalent is reasonable; silence is a violation
- Do not skip the risk analysis — it's explicitly required and the most-cited gap in OCR enforcement
- Do not handle PHI through a vendor without a BAA — that alone is a breach
- Do not present this as legal certification — flag that compliance counsel / a security assessor must validate, especially the risk analysis
- Do not conflate HIPAA with SOC 2 or GDPR — overlapping controls, different legal requirements; map each separately
Based On
HIPAA Security Rule (45 CFR §164.308–312) — administrative, physical, and technical safeguards + required risk analysis.
版本历史
- a38bc30 当前 2026-07-05 11:36


