hipaa-compliance
npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/hipaa-compliance --openclaw
Files (1): SKILL.md (1.4 KB)
HIPAA Compliance
Implement HIPAA requirements for healthcare data protection.
HIPAA Rules
```yaml
security_rule:
  administrative:
    - Risk analysis
    - Security management
    - Workforce training
    - Contingency planning
  physical:
    - Facility access
    - Workstation security
    - Device controls
  technical:
    - Access control
    - Audit controls
    - Integrity controls
    - Transmission security
```
Technical Safeguards
```yaml
requirements:
  encryption:
    at_rest: AES-256
    in_transit: TLS 1.2+
  access_control:
    - Unique user IDs
    - Emergency access procedure
    - Automatic logoff
    - Encryption/decryption
  audit:
    - Access logging
    - Activity monitoring
    - Log retention (6 years)
```
AWS HIPAA Setup
```bash
# Enable CloudTrail for HIPAA auditing
aws cloudtrail create-trail \
  --name hipaa-audit-trail \
  --s3-bucket-name hipaa-logs \
  --is-multi-region-trail \
  --enable-log-file-validation
# create-trail only defines the trail; logging starts with start-logging
aws cloudtrail start-logging --name hipaa-audit-trail
# Use HIPAA-eligible services only
```
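A trail that exists but is single-region, lacks log file validation, or has been stopped gives a false sense of audit coverage. The check below, an added example and not part of the skill's files, evaluates the output shape of `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status` against the settings the command above asks for. The JSON is a constructed sample (trail names, bucket names, account id and KMS key id are placeholders), so it runs offline; the KMS-key check goes one step beyond the page's command and is included as a recommended extra.

```python
"""Audit CloudTrail trail settings against the HIPAA audit-control
configuration used in the setup command above.

Added example: the JSON below imitates the shape of
`aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`
output. All values are constructed placeholders; no AWS call is made."""
import json

# Constructed sample: one trail matching the expected settings, one legacy trail that does not.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "hipaa-audit-trail",
            "S3BucketName": "hipaa-logs",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            # Placeholder ARN, not a real key
            "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "old-logs",
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
        },
    ]
})

# Constructed: the IsLogging flag each trail's get-trail-status call would return.
SAMPLE_TRAIL_STATUS = {
    "hipaa-audit-trail": {"IsLogging": True},
    "legacy-trail": {"IsLogging": False},
}


def audit_trail_findings(trail, status):
    """Return a list of finding strings for one trail; an empty list means compliant."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("not multi-region: API activity in other regions is not recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled: integrity of audit logs cannot be proven")
    if not trail.get("KmsKeyId"):
        findings.append("no KMS key: log files rely on bucket default encryption only")
    if not status.get("IsLogging"):
        findings.append("trail exists but logging is stopped")
    return findings


def evaluate_trails(describe_json, status_by_name):
    """Map each trail name to its findings."""
    trails = json.loads(describe_json)["trailList"]
    return {
        t["Name"]: audit_trail_findings(t, status_by_name.get(t["Name"], {}))
        for t in trails
    }


if __name__ == "__main__":
    for name, findings in evaluate_trails(SAMPLE_DESCRIBE_TRAILS, SAMPLE_TRAIL_STATUS).items():
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

In a real account the two JSON inputs would come from the CLI calls named in the docstring; keeping the evaluation separate from the fetch makes the check easy to run on exported evidence during a risk assessment.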
Best Practices
- Business Associate Agreements (BAAs)
- Minimum necessary access
- Breach notification procedures
- Regular risk assessments
Source
https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/frameworks/hipaa-compliance/SKILL.md
Overview
This skill implements HIPAA requirements for healthcare data protection, covering administrative, physical, and technical safeguards, encryption, audit controls, and BAAs. It includes practical steps for AWS HIPAA setup, risk assessments, and ongoing compliance to protect PHI.
How This Skill Works
The framework defines HIPAA rules across administrative, physical, and technical safeguards, then implements technical safeguards like AES-256 at-rest and TLS 1.2+ in-transit, unique user IDs, automatic logoff, and audit logging. It also provides guidance for AWS HIPAA setup (CloudTrail) and enforcing BAAs with vendors, plus ongoing risk assessments and monitoring.
When to Use It
- You handle electronic PHI (ePHI) in cloud or on-prem environments.
- You need to implement HIPAA controls in AWS using HIPAA-eligible services and CloudTrail auditing.
- You must perform regular risk analyses and maintain ongoing risk management.
- You are establishing or renewing Business Associate Agreements with vendors handling PHI.
- You must configure encryption, access controls, and comprehensive audit trails with long-term log retention.
Quick Start
- Step 1: Map HIPAA rules to your environment by aligning administrative, physical, and technical safeguards with current processes.
- Step 2: Enable encryption at rest (AES-256) and in transit (TLS 1.2+), implement unique IDs, automatic logoff, and audit logging.
- Step 3: Set up AWS HIPAA basics (CloudTrail) and establish BAAs with vendors; start regular risk assessments.
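The technical safeguards listed under "Technical Safeguards" and required by Step 2 (unique user IDs, minimum necessary access, automatic logoff, an emergency access procedure, access logging with six-year retention) are easier to reason about as one small access path. The module below is an added illustration, not code from the skill or its repository; the role-to-field matrix, the 15-minute idle threshold, the record layout and all identifiers are assumptions chosen for the example.

```python
"""Model of HIPAA technical safeguards around a PHI read:
unique user IDs, role-based minimum-necessary access, automatic logoff,
a logged emergency-access (break-glass) path, and append-only audit
records with a six-year retention check.

Added example; roles, timeout and record layout are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)        # assumed automatic-logoff threshold
AUDIT_RETENTION = timedelta(days=6 * 365)   # HIPAA: retain documentation six years

# Assumed minimum-necessary matrix: PHI fields each role may read.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "receptionist": {"name", "dob"},
}


@dataclass
class Session:
    user_id: str            # unique per workforce member, never shared
    role: str
    last_activity: datetime


@dataclass
class AuditLog:
    records: list = field(default_factory=list)

    def record(self, now, user_id, patient_id, fields, outcome, emergency=False):
        """Append one immutable access record; nothing is ever edited in place."""
        self.records.append({
            "time": now.isoformat(), "user": user_id, "patient": patient_id,
            "fields": sorted(fields), "outcome": outcome, "emergency": emergency,
        })

    def purgeable(self, now):
        """Records older than the retention period; anything younger must be kept."""
        cutoff = now - AUDIT_RETENTION
        return [r for r in self.records if datetime.fromisoformat(r["time"]) < cutoff]


def access_phi(session, patient_id, requested, now, audit, emergency=False):
    """Return the subset of requested fields the caller may see, or raise.
    Every attempt, allowed or denied, is written to the audit log."""
    if now - session.last_activity > IDLE_TIMEOUT:
        audit.record(now, session.user_id, patient_id, requested, "denied:auto-logoff")
        raise PermissionError("session expired: automatic logoff")
    session.last_activity = now
    if emergency:
        # Break-glass: full access is granted but flagged for mandatory review.
        audit.record(now, session.user_id, patient_id, requested, "allowed", emergency=True)
        return set(requested)
    allowed = set(requested) & ROLE_FIELDS.get(session.role, set())
    denied = set(requested) - allowed
    outcome = "allowed" if not denied else f"partial:denied={sorted(denied)}"
    audit.record(now, session.user_id, patient_id, requested, outcome)
    return allowed


if __name__ == "__main__":
    # Constructed timeline for a walk-through.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    log = AuditLog()
    billing = Session("u-0421", "billing", t0)
    print(access_phi(billing, "p-1", {"name", "diagnosis", "insurance_id"}, t0 + timedelta(minutes=5), log))
    try:
        access_phi(billing, "p-1", {"name"}, t0 + timedelta(minutes=30), log)
    except PermissionError as exc:
        print("denied:", exc)
    for r in log.records:
        print(r)
    print("purgeable after 7 years:", len(log.purgeable(t0 + timedelta(days=365 * 7))))
```

The emergency path deliberately bypasses the role matrix but never the audit log, which is what makes a break-glass procedure reviewable; the retention check is written so that deletion is only possible for records past the cutoff, never the other way round.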
Best Practices
- Establish and enforce Business Associate Agreements (BAAs) with all third parties handling PHI.
- Enforce minimum necessary access to PHI with role-based access controls and least privilege.
- Implement breach notification procedures and incident response planning.
- Conduct regular risk assessments and risk analyses to identify and remediate gaps.
- Enforce encryption at rest (AES-256) and in transit (TLS 1.2+), plus robust audit controls and 6-year log retention.
Example Use Cases
- A healthcare startup stores PHI in AWS using HIPAA-eligible services and a multi-region CloudTrail for auditing.
- An ambulatory clinic enforces unique user IDs, automatic logoff, and emergency access procedures to protect PHI.
- A hospital maintains audit logs for six years and conducts continuous activity monitoring to detect anomalies.
- A vendor signs a BAA with the covered entity, adheres to its terms, and uses only HIPAA-eligible services.
- A data breach triggers breach notification procedures and a documented risk assessment follow-up.