health-hipaa-review


HIPAA Code Audit

Overview

Use this skill to inspect healthcare software and produce an audit report of code and delivery areas where HIPAA-aligned handling of PHI, ePHI, or adjacent sensitive PII appears incomplete, risky, or unsupported by evidence.

Operating Rules

  • Never change code, configs, infrastructure, or documentation.
  • Do not present the output as legal advice, certification, or a formal compliance determination.
  • Bias toward code-observable evidence and clearly separate:
    • confirmed evidence from the code or config
    • likely inferences from nearby implementation
    • non-code dependencies that require policy, vendor, ops, or legal validation
  • If a safeguard is addressable under HIPAA, treat missing implementation or missing documented alternative as a finding candidate, not an automatic pass.
  • When PII appears without clear PHI, still report the privacy risk and note that HIPAA scope may depend on context.

Workflow

  1. Confirm whether the system creates, receives, maintains, or transmits PHI, ePHI, or related sensitive PII.
  2. Map sensitive-data entry, storage, logging, transmission, export, analytics, and deletion paths across code and configuration.
  3. Review those touchpoints against references/control-areas.md.
  4. Assign severity and confidence for each issue, and mark where evidence is missing.
  5. Produce a report only. Do not draft patches or implement remediations.

What To Inspect

  • models, schemas, serializers, DTOs, caches, queues, exports, and storage clients
  • authentication, authorization, tenancy boundaries, and service identities
  • logging, tracing, analytics, observability, error handling, and support tooling
  • outbound integrations, webhooks, email or SMS paths, AI or LLM calls, and third-party SDKs
  • secrets, environment variables, encryption hooks, background jobs, and deployment defaults
  • tests, fixtures, seed data, migrations, and local development helpers

Constraints

  • Focus on engineering evidence, not broad legal interpretation.
  • Highlight where assumptions depend on deployment context or organizational controls.
  • Separate confirmed code issues from architectural or operational unknowns.

Resources

  • references/control-areas.md: baseline HIPAA, PHI, and PII audit criteria with sample findings and source links grounded in HHS and NIST guidance
  • examples/example-report.md: example audit report showing expected output shape, finding format, and coverage matrix

Invocation Modes

Standalone (default)

When invoked directly by a user or without the phrase "scoped review," operate normally: confirm scope interactively, map sensitive-data paths, review against control areas, and produce the full report described in the Output Contract below.

Scoped

When invoked with the phrase "scoped review" and a pre-determined list of file paths, operate in scoped mode:
  • Input: a list of file paths to review. Scope is pre-determined — do not ask for confirmation.
  • Behavior: skip interactive scope confirmation. Skip executive summary, coverage matrix, and open questions generation. Review only the provided files against the control areas.
  • Output: return a findings-only list. Each finding uses this format:
    ### [H-{n}] {title}
    - Severity: critical | high | medium | low
    - Category: {control area from control-areas.md}
    - File: {path}:{line}
    - Detail: {what was observed and what evidence supports the finding}
    - Guideline: {HIPAA section, HHS guidance, or NIST reference}
    If no findings are discovered, return a single line: "No HIPAA findings for the provided files."
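One way to implement the findings-only output contract above, as an added example that is not part of this skill's files: it renders the `[H-{n}]` blocks, validates each field against the contract (severity enum, `{path}:{line}` shape, non-empty detail and guideline), and falls back to the single no-findings line. The control-area names are an assumption, since references/control-areas.md is not reproduced on this page.

```python
"""Render and validate scoped-mode findings (added example, not the skill's
own code). The allowed control areas are a constructed sample from the caller."""
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low")
NO_FINDINGS = "No HIPAA findings for the provided files."


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    category: str       # control area name from control-areas.md
    file: str           # "{path}:{line}"
    detail: str         # what was observed plus the evidence supporting it
    guideline: str      # HIPAA section, HHS guidance, or NIST reference


def validate(f: Finding, control_areas: frozenset[str]) -> list[str]:
    """Return the contract violations for one finding (empty list if valid)."""
    errors = []
    if f.severity not in SEVERITIES:
        errors.append(f"severity {f.severity!r} not in {SEVERITIES}")
    if f.category not in control_areas:
        errors.append(f"category {f.category!r} is not a known control area")
    path, sep, line = f.file.rpartition(":")   # split on the last colon only
    if not (sep and path and line.isdigit()):
        errors.append(f"file {f.file!r} must be '{{path}}:{{line}}'")
    if not f.detail.strip() or not f.guideline.strip():
        errors.append("detail and guideline must be non-empty")
    return errors


def render_scoped_findings(findings: list[Finding], control_areas: frozenset[str]) -> str:
    """Emit the findings-only list, numbered H-1.. in input order."""
    if not findings:
        return NO_FINDINGS
    blocks = []
    for n, f in enumerate(findings, start=1):
        problems = validate(f, control_areas)
        if problems:
            raise ValueError(f"finding {n}: " + "; ".join(problems))
        blocks.append(
            f"### [H-{n}] {f.title}\n"
            f"- Severity: {f.severity}\n"
            f"- Category: {f.category}\n"
            f"- File: {f.file}\n"
            f"- Detail: {f.detail}\n"
            f"- Guideline: {f.guideline}"
        )
    return "\n\n".join(blocks)
```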

Output Contract

When operating in standalone mode, return an audit report with:
  • executive summary
  • in-scope components and sensitive-data assumptions
  • findings table with: ID, severity, category, affected area, evidence, risk, suggested remediation direction, and confidence
  • coverage matrix by control area: met, partial, not met, or not enough evidence
  • open questions and non-code dependencies
  • source basis used for the review