hipaa-compliance

Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical: Treat HIPAA as an overlay on top of the broader healthcare privacy skill: User request: Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant. Response pattern: User request: Can we send support transcripts and patient messages into our analytics stack? Response pattern: - healthcare-phi-compliance remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention. - healthcare-reviewer remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass. - security-review still applies for general auth, input-handling, secrets, API, and deployment hardening. - The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs - Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI - Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure - Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter - Start with healthcare-phi-compliance for the concrete implementation rules.