Vibe Index
🎯

hipaa-compliance

🎯Skill

from erichowens/some_claude_skills

VibeIndex|
What it does

hipaa-compliance skill from erichowens/some_claude_skills

πŸ“¦

Part of

erichowens/some_claude_skills(148 items)

hipaa-compliance

Installation

Add MarketplaceAdd marketplace to Claude Code
/plugin marketplace add erichowens/some_claude_skills
Install PluginInstall plugin from marketplace
/plugin install adhd-design-expert@some-claude-skills
Install PluginInstall plugin from marketplace
/plugin install some-claude-skills@some-claude-skills
git cloneClone repository
git clone https://github.com/erichowens/some_claude_skills.git
Claude Desktop ConfigurationAdd this to your claude_desktop_config.json
{ "mcpServers": { "prompt-learning": { "command": "npx", "args...
πŸ“– Extracted from docs: erichowens/some_claude_skills
Need more details? View full documentation on GitHub β†’
15Installs
21
-
Last UpdatedJan 23, 2026
View on GitHubBack to Skills

Skill Details

SKILL.md

Ensure HIPAA compliance when handling PHI (Protected Health Information). Use when writing code that accesses user health data, check-ins, journal entries, or any sensitive information. Activates for audit logging, data access, security events, and compliance questions.

Overview

# HIPAA Compliance for Recovery Coach

This skill helps you maintain HIPAA compliance when developing features that handle Protected Health Information (PHI).

What is PHI in This Application?

| Data Type | PHI Status | Handling |

|-----------|------------|----------|

| Check-in mood/cravings | PHI | Audit all access |

| Journal entries | PHI | Audit all access |

| Chat conversations | PHI | Audit all access |

| User profile (name, email) | PHI | Audit modifications |

| Sobriety date | PHI | Audit access |

| Emergency contacts | PHI | Audit access |

| Usage analytics (aggregated) | NOT PHI | No audit needed |

| Page views (no content) | NOT PHI | No audit needed |

Audit Logging Requirements

When to Log

Always log these operations:

  • Viewing any PHI (check-ins, journal, messages)
  • Creating/updating/deleting PHI
  • Exporting user data
  • Admin access to user information
  • Failed authentication attempts
  • Security events (rate limiting, unauthorized access)

How to Log

Use the audit logging utilities in src/lib/hipaa/audit.ts:

```typescript

import {

logPHIAccess,

logPHIModification,

logSecurityEvent,

logAdminAction

} from '@/lib/hipaa/audit';

// Viewing PHI

await logPHIAccess(

userId,

'checkin', // targetType

checkinId, // targetId

AuditAction.PHI_VIEW

);

// Modifying PHI

await logPHIModification(

userId,

'journal',

journalId,

AuditAction.PHI_UPDATE,

{ field: 'content' } // Never include actual content!

);

// Security event

await logSecurityEvent(

userId,

AuditAction.RATE_LIMIT,

{ path: '/api/chat', attempts: 60 }

);

// Admin action

await logAdminAction(

adminId,

AuditAction.ADMIN_USER_VIEW,

'user',

targetUserId

);

```

Data Sanitization

Never Log These Fields

The audit system automatically sanitizes, but be explicit:

```typescript

// BAD - Contains PHI

await logPHIAccess(userId, 'journal', id, action, {

content: journalEntry.content // NEVER DO THIS

});

// GOOD - Only metadata

await logPHIAccess(userId, 'journal', id, action, {

wordCount: journalEntry.content.length,

hasAttachments: false

});

```

Sanitized Fields (Auto-Redacted)

  • password, token, secret, key
  • authorization, cookie, session
  • credential, content, message, notes

Session Security Requirements

From src/lib/auth.ts:

  • Session timeout: 15 minutes of inactivity (HIPAA requirement)
  • Max session: 8 hours absolute maximum
  • Failed login lockout: 5 attempts = 30 minute ban
  • Password requirements: 12+ chars, mixed case, numbers, special chars

Code Patterns

API Route with Audit Logging

```typescript

import { getSession, requireAuth } from '@/lib/auth';

import { logPHIAccess } from '@/lib/hipaa/audit';

export async function GET(request: Request) {

const session = await getSession();

if (!session) {

return Response.json({ error: 'Unauthorized' }, { status: 401 });

}

// Fetch the data

const data = await fetchUserData(session.userId);

// Log the access

await logPHIAccess(

session.userId,

'userdata',

session.userId,

AuditAction.PHI_VIEW

);

return Response.json(data);

}

```

Component with PHI Access

```typescript

'use client';

import { useEffect } from 'react';

export function JournalViewer({ entryId }: { entryId: string }) {

useEffect(() => {

// Log view on mount (server-side preferred, but client backup)

fetch('/api/audit/log', {

method: 'POST',

body: JSON.stringify({

action: 'PHI_VIEW',

targetType: 'journal',

targetId: entryId

})

});

}, [entryId]);

// ... render

}

```

Compliance Checklist

Before shipping any feature that touches PHI:

  • [ ] All PHI access is audit logged
  • [ ] No PHI content in logs (only IDs and metadata)
  • [ ] Data access requires authentication
  • [ ] Admin access has separate audit trail
  • [ ] Failed access attempts are logged
  • [ ] Data export includes audit entry
  • [ ] Sensitive fields are encrypted at rest
  • [ ] Session timeout is enforced

Audit Log Retention

  • Minimum: 6 years (HIPAA requirement)
  • Format: Raw logs for 1 year, compressed thereafter
  • Location: audit_log table in database
  • Export: Encrypted exports for compliance audits

Emergency Access (Break Glass)

For emergency situations, use break-glass access:

```typescript

import { requestBreakGlassAccess } from '@/lib/hipaa/break-glass';

// This creates enhanced audit trail

const access = await requestBreakGlassAccess(

adminId,

targetUserId,

'Emergency support required - user reported crisis'

);

```

Break glass access:

  • Requires written justification
  • Creates permanent audit record
  • Triggers alert to compliance officer
  • Must be reviewed within 24 hours

Resources

  • HIPAA Security Rule: 45 C.F.R. Β§ 164.312
  • Audit controls standard: 45 C.F.R. Β§ 164.312(b)
  • Incident response plan: docs/INCIDENT-RESPONSE-PLAN.md
  • Security documentation: docs/SECURITY-HARDENING.md

More from this repository10

🎯
cv-creator🎯Skill

cv-creator skill from erichowens/some_claude_skills

🎯
metal-shader-expert🎯Skill

metal-shader-expert skill from erichowens/some_claude_skills

🎯
ai-video-production-master🎯Skill

ai-video-production-master skill from erichowens/some_claude_skills

🎯
video-processing-editing🎯Skill

video-processing-editing skill from erichowens/some_claude_skills

🎯
pwa-expert🎯Skill

pwa-expert skill from erichowens/some_claude_skills

🎯
sound-engineer🎯Skill

sound-engineer skill from erichowens/some_claude_skills

🎯
mdx-sanitizer🎯Skill

Sanitizes MDX content by escaping angle brackets, generics, and JSX-conflicting patterns to prevent build failures and parsing errors.

🎯
indie-monetization-strategist🎯Skill

indie-monetization-strategist skill from erichowens/some_claude_skills

🎯
mobile-ux-optimizer🎯Skill

Optimizes mobile user interfaces by implementing touch-friendly, responsive design patterns with proper viewport handling and performance considerations.

🎯
job-application-optimizer🎯Skill

job-application-optimizer skill from erichowens/some_claude_skills