PlaygroundCatalog › HIPAA Safeguards
HS

HIPAA Safeguards

🔵 Stable🕐 updated 2026-06-24 🔷 SkillSpec L3 ⚙ ships an executable helper pm-compliance

Map HIPAA Security Rule safeguards and run a risk analysis for systems handling PHI. Use when asked to become HIPAA-compliant, assess HIPAA safeguards, prepare for handling PHI/ePHI, or scope a BAA. Produces a HIPAA assessment — the administrative/physical/technical safeguards with required-vs-addressable status, a risk analysis, BAA scope, and a prioritised remediation plan.

📚 Based on HIPAA Security Rule (45 CFR §164.308–312)

▶ Run it free — no key needed 📝 Grade your existing draft View SKILL.md ↗

What to give it

Your role — covered entity, or business associate (a vendor handling PHI for one). Both owe Security Rule safeguards.
The ePHI flow — where PHI is created, received, stored, transmitted, and who can access it.
Current safeguards — what's in place for access control, encryption, audit logging, backups, training.
Business associates — third parties touching PHI (each needs a BAA).

✅ The bar it holds itself to

Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.

A documented security risk analysis exists (or is the top remediation item) — it's required and foundational
Each safeguard is marked required vs. addressable, and addressable-not-done items have a written justification + alternative
Encryption of ePHI in transit and at rest is assessed explicitly
Every business associate has (or is flagged as needing) a BAA
Audit logging / access review for PHI access is covered

⚠️ What it refuses to do

Do not treat "addressable" as "optional" — you must implement it or document why an equivalent is reasonable; silence is a violation
Do not skip the risk analysis — it's explicitly required and the most-cited gap in OCR enforcement
Do not handle PHI through a vendor without a BAA — that alone is a breach
Do not present this as legal certification — flag that compliance counsel / a security assessor must validate, especially the risk analysis
Do not conflate HIPAA with SOC 2 or GDPR — overlapping controls, different legal requirements; map each separately

Install

npx pm-claude-skills add --agent claude   # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp

Related skills

🔌 Embed this skill

Drop this on your blog, docs, or site — it renders a "Run this skill" card:

<div data-pm-skill="hipaa-safeguards"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>

💬 Discussion

HIPAA Safeguards is one of 599 open-source professional AI agent skills — all SkillSpec L3. Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog