Healthcare Compliance
HIPAA compliance, healthcare regulations, privacy and security standards for medical organizations and providers
What this skill does
# Healthcare Compliance

Expert healthcare regulatory compliance system designed for medical practices, healthcare organizations, health IT companies, and healthcare professionals navigating complex privacy, security, and operational regulations. This skill provides HIPAA compliance guidance, privacy and security assessments, breach response protocols, policy development, training frameworks, and regulatory requirement interpretation.

The Healthcare Compliance skill excels at translating complex regulations into actionable compliance programs, conducting risk assessments, developing policies and procedures, creating staff training materials, managing business associate agreements, and establishing incident response plans. It's valuable for compliance officers, practice administrators, healthcare IT teams, and providers ensuring regulatory adherence.

**Critical Legal Disclaimer:** This skill provides educational information and compliance frameworks based on federal regulations (primarily HIPAA). It does NOT constitute legal advice. Healthcare compliance is complex, high-stakes, and subject to interpretation. State laws may impose additional requirements. Always consult qualified healthcare attorneys and compliance professionals for legal guidance, especially regarding breach notifications, enforcement actions, and regulatory interpretations.

## Core Workflows

### Workflow 1: HIPAA Compliance Assessment & Implementation

**Purpose:** Evaluate current compliance posture and implement comprehensive HIPAA privacy and security programs.

**HIPAA Overview:**

The Health Insurance Portability and Accountability Act (HIPAA) has three main rules:

**1. Privacy Rule**
- Protects all "individually identifiable health information" (Protected Health Information - PHI)
- Establishes patient rights over their health information
- Sets boundaries on uses and disclosures
- Applies to: Covered entities (healthcare providers, health plans, clearinghouses) and business associates

**2. Security Rule**
- Establishes national standards for protecting electronic PHI (ePHI)
- Requires administrative, physical, and technical safeguards
- Flexible implementation based on size and complexity
- Risk assessment is the foundational requirement

**3. Breach Notification Rule**
- Requires notification of breaches of unsecured PHI
- Notification to individuals, HHS, and media (if 500+ affected)
- Specific timelines and content requirements
- Penalties for non-compliance

**Compliance Assessment Framework:**

**Step 1: Determine Covered Entity Status**
- Are you a healthcare provider who transmits health information electronically?
- Are you a health plan?
- Are you a healthcare clearinghouse?
- Are you a business associate of a covered entity?
- **If YES to any:** HIPAA applies to you

**Step 2: Identify PHI and ePHI**

**What is PHI?**
- Any health information that can identify an individual
- Includes: Medical records, billing records, conversations about care, health insurance information
- 18 identifiers make information PHI:
  1. Names
  2. Addresses (more specific than state)
  3. Dates (except year) related to the individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device identifiers/serial numbers
  14. URLs
  15. IP addresses
  16. Biometric identifiers
  17. Full-face photos
  18. Any other unique identifier

**Where is PHI in your organization?**
- Electronic health records (EHR/EMR)
- Practice management systems
- Billing systems
- Email communications
- Patient portals
- Paper charts and files
- Fax machines
- Mobile devices (phones, tablets, laptops)
- Backup systems and archives
- Third-party services (vendors, cloud providers)

**Step 3: Privacy Rule Compliance**

**Notice of Privacy Practices (NPP):**
- Required written notice to patients describing how you use/disclose PHI
- Must be provided at first contact
- Acknowledgment of receipt required (best effort)
- Post prominently, make available on website
- Review and update every 3 years or when there is a material change

**Minimum Necessary Standard:**
- Use/disclose only the minimum PHI necessary to accomplish the purpose
- Does not apply to: Treatment, patient-authorized disclosures, disclosures to HHS for compliance review
- Implement policies defining "minimum necessary" for routine disclosures

**Patient Rights:**
- **Right to access:** Provide copy of PHI within 30 days (may extend 30 days once)
- **Right to amend:** Allow patient to request corrections
- **Right to accounting of disclosures:** Track and report certain disclosures
- **Right to restrict uses/disclosures:** Must honor restrictions if you agree to them
- **Right to confidential communications:** Alternative contact methods if requested
- **Right to copy of NPP:** Provide upon request

**Permitted Uses and Disclosures:**
- **Treatment, Payment, Operations (TPO):** Allowed without authorization
- **Patient authorization:** Written permission required for most other uses
- **Required by law:** Certain disclosures mandated (public health, abuse reporting, law enforcement in specific situations)

**Step 4: Security Rule Compliance**

**Administrative Safeguards:**
1. **Security Management Process:**
   - **Risk Assessment (required):** Identify threats/vulnerabilities to ePHI
   - **Risk Management (required):** Implement measures to reduce risks
   - **Sanction Policy (required):** Discipline for security violations
   - **Information System Activity Review (required):** Monitor logs and access
2. **Assigned Security Responsibility (required):**
   - Designate a Security Official responsible for compliance
3. **Workforce Security:**
   - Authorization/supervision procedures
   - Workforce clearance procedures
   - Termination procedures (remove access immediately)
4. **Information Access Management:**
   - Access authorization (role-based access control)
   - Access establishment and modification
5. **Security Awareness and Training (required):**
   - Security reminders
   - Protection from malicious software
   - Log-in monitoring
   - Password management
6. **Security Incident Procedures (required):**
   - Identify and respond to security incidents
   - Document incidents
7. **Contingency Plan (required):**
   - Data backup plan
   - Disaster recovery plan
   - Emergency mode operation plan
8. **Evaluation (required):**
   - Periodic security evaluation
9. **Business Associate Contracts (required):**
   - Written agreements with vendors handling ePHI
   - Must include specific required provisions

**Physical Safeguards:**
1. **Facility Access Controls:**
   - Contingency operations (allow access during emergencies)
   - Facility security plan (protect from unauthorized access)
   - Access control and validation procedures
   - Maintenance records (repairs/modifications to security systems)
2. **Workstation Use (required):**
   - Policies on how/where workstations can be used
3. **Workstation Security (required):**
   - Physical safeguards for workstations
4. **Device and Media Controls (required):**
   - Disposal (wipe devices before disposal/reuse)
   - Media re-use (remove ePHI before reusing media)
   - Accountability (track hardware/media movements)
   - Data backup and storage

**Technical Safeguards:**
1. **Access Control (required):**
   - Unique user identification (required): Each user has a unique ID
   - Emergency access procedure (required): Access during emergencies
   - Automatic logoff (addressable): Time-out after inactivity
   - Encryption and decryption (addressable): Encrypt ePHI when appropriate
2. **Audit Controls (required):**
   - Log and monitor activity on systems with ePHI
3. **Integrity (required):**
   - Protect ePHI from improper alteration/destruction
   - Mechanism to authenticate ePHI (addressable)
4. **Person or Entity Authentication (r
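Step 2 above lists the 18 identifiers that make health information PHI. As an added example (not part of this skill), the Python script below scans free text for the identifier categories that can be recognised mechanically (SSN, phone/fax, email, IP address, URL, full date, medical record number) and redacts what it finds. The regular expressions, the `MRN` prefix convention and the sample clinical note are constructed assumptions; the categories that need context (names, biometrics, photos, "any other unique identifier") are deliberately left to human review.

```python
"""Scan text for mechanically detectable HIPAA identifiers and redact them.
Added example; the patterns and sample note below are constructed, not taken
from any real system."""
import re
from typing import Dict, List

# One pattern per identifier category the scanner can recognise. Names,
# biometric identifiers, photographs and "any other unique identifier" need
# context or a reference list and are intentionally not covered here.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\w)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    # Any date more specific than a year (ISO or US slash form).
    "full_date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
    # Assumed local convention: record numbers are written "MRN <digits>".
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}

# Constructed sample note containing several identifier categories.
SAMPLE_NOTE = (
    "Patient seen 2024-03-14. MRN 00482913. Call 555-867-5309 or "
    "j.doe@example.org with results; portal login from 192.168.4.21."
)


def scan_for_identifiers(text: str) -> Dict[str, List[str]]:
    """Map each identifier category found in `text` to the strings that matched."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def is_deidentified(text: str) -> bool:
    """True when none of the mechanically detectable identifiers are present.

    A True result is necessary, not sufficient: names and free-text clues
    still need human review before the text can be treated as de-identified.
    """
    return not scan_for_identifiers(text)


def redact(text: str) -> str:
    """Replace every match with a category tag such as [SSN] or [EMAIL]."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


if __name__ == "__main__":
    for category, matches in scan_for_identifiers(SAMPLE_NOTE).items():
        print(f"{category:<22} {matches}")
    print(redact(SAMPLE_NOTE))
```

The scan is meant as a first pass before text leaves a controlled system (an export, an email, a support ticket); a clean result narrows the human review, it does not replace it.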
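The Administrative Safeguards above require an Information System Activity Review, and the Technical Safeguards require unique user identification, an emergency access procedure, automatic logoff and audit controls. As an added example (not code from this skill), the Python review below runs those checks over a constructed ePHI access log. The CSV layout, the shared-account names, the 15-minute inactivity timeout and the 25-record threshold are all assumptions that a real program would take from its own risk assessment and access-control policy.

```python
"""Information-system activity review over a constructed ePHI access log.
Added example illustrating the audit-control, unique-user-ID, automatic-logoff
and emergency-access items; policy values below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str      # login | view | update | break_glass | logout
    patient: str     # patient/record id, "-" when not applicable
    src_ip: str


# Assumed review policy (a real program sets these from its own policies).
INACTIVITY_TIMEOUT = timedelta(minutes=15)          # automatic logoff expectation
SHARED_ACCOUNTS: Set[str] = {"nursestation", "frontdesk", "admin"}  # assumed names
MAX_DISTINCT_PATIENTS = 25                          # per-user review threshold

# Constructed sample log: timestamp,user,action,patient,src_ip
SAMPLE_LOG = """\
2024-03-14T08:02:10,jsmith,login,-,10.20.1.15
2024-03-14T08:03:41,jsmith,view,P-1001,10.20.1.15
2024-03-14T08:05:02,jsmith,view,P-1002,10.20.1.15
2024-03-14T09:10:55,jsmith,update,P-1002,10.20.1.15
2024-03-14T09:12:00,jsmith,logout,-,10.20.1.15
2024-03-14T08:30:00,nursestation,login,-,10.20.1.40
2024-03-14T08:31:12,nursestation,view,P-2001,10.20.1.40
2024-03-14T10:15:00,mlee,login,-,10.20.2.8
2024-03-14T10:16:30,mlee,break_glass,P-3007,10.20.2.8
2024-03-14T10:17:00,mlee,view,P-3007,10.20.2.8
2024-03-14T10:18:00,mlee,logout,-,10.20.2.8
"""
# Constructed burst: one user opening 30 different charts in half an hour.
SAMPLE_LOG += "".join(
    f"2024-03-14T11:{i:02d}:00,rbrown,view,P-5{i:03d},10.20.3.3\n" for i in range(30)
)


def parse_log(text: str) -> List[Event]:
    """Parse the CSV log into events ordered by user, then time."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, src_ip = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, action, patient, src_ip))
    return sorted(events, key=lambda e: (e.user, e.ts))


def review_activity(events: List[Event]) -> List[Dict[str, str]]:
    """Return review findings, one dict per issue, keyed by rule and user."""
    findings: List[Dict[str, str]] = []
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        # Unique user identification: activity under a shared or generic
        # account cannot be attributed to one individual.
        if user in SHARED_ACCOUNTS:
            findings.append({"rule": "shared_account", "user": user,
                             "detail": f"{len(evs)} events under shared account"})
        # Emergency access procedure: every break-glass use gets reviewed.
        for e in evs:
            if e.action == "break_glass":
                findings.append({"rule": "emergency_access", "user": user,
                                 "detail": f"break-glass access to {e.patient} at {e.ts.isoformat()}"})
        # Automatic logoff: a session that resumes after a long idle gap
        # with no logout/login in between was never timed out.
        for prev, cur in zip(evs, evs[1:]):
            gap = cur.ts - prev.ts
            if prev.action != "logout" and cur.action != "login" and gap > INACTIVITY_TIMEOUT:
                findings.append({"rule": "idle_session_no_logoff", "user": user,
                                 "detail": f"{gap} idle before {cur.action} on {cur.patient}"})
        # Minimum necessary / activity review: unusually broad record access.
        patients = {e.patient for e in evs if e.patient != "-"}
        if len(patients) > MAX_DISTINCT_PATIENTS:
            findings.append({"rule": "excessive_record_access", "user": user,
                             "detail": f"{len(patients)} distinct patient records"})
    return findings


if __name__ == "__main__":
    for f in review_activity(parse_log(SAMPLE_LOG)):
        print(f"{f['rule']:<26} {f['user']:<14} {f['detail']}")
```

Each finding maps back to a safeguard the reviewer has to document: shared accounts and missed logoffs are configuration defects to fix, break-glass events need a justification on file, and a bulk-access burst is the starting point for a minimum-necessary inquiry under the sanction policy.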