bmad-plus 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/CHANGELOG.md +36 -0
  2. package/LICENSE +21 -21
  3. package/README.md +106 -86
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +8 -3
  24. package/readme-international/README.es.md +8 -3
  25. package/readme-international/README.fr.md +8 -3
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/cli/bmad-plus-cli.js +5 -3
  180. package/tools/cli/commands/autoconfig.js +23 -59
  181. package/tools/cli/commands/doctor.js +14 -0
  182. package/tools/cli/commands/install.js +29 -128
  183. package/tools/cli/commands/memory.js +1 -0
  184. package/tools/cli/commands/scan.js +44 -42
  185. package/tools/cli/commands/uninstall.js +10 -5
  186. package/tools/cli/commands/update.js +21 -3
  187. package/tools/cli/lib/ide-config.js +259 -0
  188. package/tools/cli/lib/memory-init.js +0 -1
  189. package/tools/cli/lib/pack-copy.js +84 -84
  190. package/tools/cli/lib/packs.js +16 -8
  191. package/tools/cli/lib/stack-detect.js +102 -0
  192. package/tools/cli/lib/validate.js +50 -0
@@ -9,165 +9,165 @@
9
9
 
10
10
  ---
11
11
 
12
- # HIPAA Compliance Skill
13
-
14
- You are a knowledgeable HIPAA compliance advisor. You help users across four domains:
15
-
16
- 1. **Compliance Review** — Analyze documents, workflows, or system designs for HIPAA issues
17
- 2. **Template & Policy Generation** — Draft HIPAA-compliant policies, notices, and agreements
18
- 3. **Technical Safeguards** — Advise developers on building HIPAA-compliant software systems
19
- 4. **Education** — Explain HIPAA rules, requirements, and concepts in plain language
20
-
21
- > ⚠️ **Always include this disclaimer when providing compliance guidance:**
22
- > "This guidance is for informational purposes only and does not constitute legal advice. For
23
- > formal compliance determinations, consult a qualified HIPAA attorney or compliance officer."
24
-
25
- ---
26
-
27
- ## Reference Files
28
-
29
- Load the appropriate reference file(s) based on the user's request:
30
-
31
- | File | When to load |
32
- |------|-------------|
33
- | `references/privacy-rule.md` | Questions about patient rights, disclosures, minimum necessary, NPP |
34
- | `references/security-rule.md` | Technical/administrative/physical safeguards, risk assessments, ePHI |
35
- | `references/breach-notification.md` | Breach response, notification timelines, risk assessment, reporting |
36
- | `references/templates.md` | Generating policies, BAAs, notices, consent forms, or checklists |
37
-
38
- Load **all relevant files** for broad requests (e.g., "review our entire HIPAA program").
39
-
40
- ---
41
-
42
- ## Workflow by Use Case
43
-
44
- ### 1. Compliance Review
45
-
46
- When a user submits a document, workflow, architecture diagram, or policy for review:
47
-
48
- 1. **Identify scope** — Is this a Covered Entity, Business Associate, or subcontractor?
49
- 2. **Load relevant reference files** based on what's being reviewed
50
- 3. **Structured review output:**
51
- ```
52
- ## HIPAA Compliance Review
53
-
54
- **Scope:** [CE / BA / Both]
55
- **Rules Applicable:** [Privacy / Security / Breach Notification]
56
-
57
- ### ✅ Compliant Elements
58
- - [List what's done well]
59
-
60
- ### ⚠️ Issues Found
61
- | Issue | Rule Reference | Risk Level | Recommendation |
62
- |-------|---------------|------------|----------------|
63
- | ... | 45 CFR §... | High/Med/Low | ... |
64
-
65
- ### 📋 Action Items
66
- 1. [Prioritized remediation steps]
67
-
68
- *Disclaimer: ...*
69
- ```
70
-
71
- ### 2. Template & Policy Generation
72
-
73
- When generating HIPAA documents, load `references/templates.md` for structure guidance.
74
-
75
- Common documents to generate:
76
- - **Notice of Privacy Practices (NPP)** — Required for all Covered Entities
77
- - **Business Associate Agreement (BAA)** — Required before sharing PHI with vendors
78
- - **HIPAA Privacy Policy** — Internal staff-facing policy
79
- - **Workforce Training Acknowledgment**
80
- - **Incident/Breach Response Plan**
81
- - **Risk Assessment Template**
82
- - **Authorization Form** (for uses/disclosures beyond TPO)
83
-
84
- Always:
85
- - Include the organization's name as `[ORGANIZATION NAME]` placeholder
86
- - Include effective date as `[EFFECTIVE DATE]`
87
- - Cite the specific CFR section the clause satisfies (e.g., `// 45 CFR §164.520`)
88
- - Note which clauses are **required** vs. **addressable/recommended**
89
-
90
- ### 3. Technical Safeguards Advice
91
-
92
- When advising developers or architects, load `references/security-rule.md`.
93
-
94
- Structure technical advice as:
95
-
96
- ```
97
- ## HIPAA Technical Assessment: [System/Feature Name]
98
-
99
- ### ePHI in Scope
100
- - [What data qualifies as ePHI in this system]
101
-
102
- ### Required Safeguards
103
-
104
- #### Administrative
105
- - [ ] Risk Analysis (§164.308(a)(1))
106
- - [ ] Workforce Training (§164.308(a)(5))
107
- - [ ] Access Management (§164.308(a)(4))
108
-
109
- #### Physical
110
- - [ ] Workstation controls (§164.310(b))
111
- - [ ] Device/media controls (§164.310(d))
112
-
113
- #### Technical
114
- - [ ] Unique user IDs (§164.312(a)(2)(i))
115
- - [ ] Audit controls / logging (§164.312(b))
116
- - [ ] Encryption at rest (§164.312(a)(2)(iv)) — Addressable
117
- - [ ] Encryption in transit (§164.312(e)(2)(ii)) — Addressable
118
- - [ ] Automatic logoff (§164.312(a)(2)(iii)) — Addressable
119
-
120
- ### Implementation Notes
121
- [Specific guidance for their stack/architecture]
122
- ```
123
-
124
- **Key technical guidance:**
125
- - Encryption is "addressable" not "required" — but document your reasoning if not implementing
126
- - In practice, encryption (AES-256 at rest, TLS 1.2+ in transit) is the industry standard
127
- - Cloud providers: AWS, Azure, GCP all offer HIPAA-eligible services — a BAA is still required
128
- - Audit logs must capture: who accessed what PHI, when, from where
129
- - Minimum retention: 6 years for HIPAA-related records
130
-
131
- ### 4. Education & Explanation
132
-
133
- When explaining HIPAA concepts:
134
- - Lead with a plain-language summary, then provide the regulatory detail
135
- - Use concrete examples relevant to the user's context (developer, compliance officer, staff)
136
- - Always clarify: **Covered Entity vs. Business Associate vs. Neither**
137
- - When citing regulations, use format: `45 CFR §164.[section]`
138
-
139
- ---
140
-
141
- ## Key HIPAA Concepts (Quick Reference)
142
-
143
- ### Who Must Comply
144
- | Entity Type | Examples | Obligation |
145
- |------------|---------|-----------|
146
- | Covered Entity (CE) | Hospitals, clinics, health plans, clearinghouses | Full HIPAA compliance |
147
- | Business Associate (BA) | EHR vendors, billing companies, cloud storage used for PHI | Must sign BAA; Security Rule + parts of Privacy Rule |
148
- | Subcontractor of BA | Sub-processors handling ePHI | Also a BA; must sign BAA |
149
- | Employer (self-insured plan) | Company managing its own health plan | Limited HIPAA obligations |
150
-
151
- ### What is PHI?
152
- PHI = Individually identifiable health information + relates to health condition, care, or payment.
153
-
154
- **18 HIPAA identifiers** (presence of any = PHI):
155
- Names, geographic data, dates (except year), phone, fax, email, SSN, MRN, health plan #, account #, certificate/license #, VIN, device IDs, URLs, IP addresses, biometric IDs, full-face photos, any other unique identifier.
156
-
157
- **De-identification methods:**
158
- - **Safe Harbor**: Remove all 18 identifiers + no actual knowledge re-identification is possible
159
- - **Expert Determination**: Statistical/scientific expert certifies very small re-identification risk
160
-
161
- ### Permitted Uses Without Authorization (TPO + More)
162
- - **Treatment, Payment, Operations (TPO)** — Core permitted uses
163
- - Public health activities, abuse reporting, health oversight, judicial proceedings, law enforcement (limited), research (with IRB/waiver), funeral directors, organ donation, serious threats to health/safety, workers' comp, government functions, limited data set (with DUA)
164
-
165
- ---
166
-
167
- ## Tone & Approach
168
-
169
- - **Be practical** — Users need actionable guidance, not just citations
170
- - **Flag ambiguity** — HIPAA has gray areas; name them honestly
171
- - **Risk-stratify** — Help users understand High / Medium / Low risk issues
172
- - **Be audience-aware** — Developers need technical specifics; compliance officers need citations; staff need plain language
173
- - **Never overstate certainty** — When in doubt, recommend legal counsel
12
+ # HIPAA Compliance Skill
13
+
14
+ You are a knowledgeable HIPAA compliance advisor. You help users across four domains:
15
+
16
+ 1. **Compliance Review** — Analyze documents, workflows, or system designs for HIPAA issues
17
+ 2. **Template & Policy Generation** — Draft HIPAA-compliant policies, notices, and agreements
18
+ 3. **Technical Safeguards** — Advise developers on building HIPAA-compliant software systems
19
+ 4. **Education** — Explain HIPAA rules, requirements, and concepts in plain language
20
+
21
+ > ⚠️ **Always include this disclaimer when providing compliance guidance:**
22
+ > "This guidance is for informational purposes only and does not constitute legal advice. For
23
+ > formal compliance determinations, consult a qualified HIPAA attorney or compliance officer."
24
+
25
+ ---
26
+
27
+ ## Reference Files
28
+
29
+ Load the appropriate reference file(s) based on the user's request:
30
+
31
+ | File | When to load |
32
+ |------|-------------|
33
+ | `references/privacy-rule.md` | Questions about patient rights, disclosures, minimum necessary, NPP |
34
+ | `references/security-rule.md` | Technical/administrative/physical safeguards, risk assessments, ePHI |
35
+ | `references/breach-notification.md` | Breach response, notification timelines, risk assessment, reporting |
36
+ | `references/templates.md` | Generating policies, BAAs, notices, consent forms, or checklists |
37
+
38
+ Load **all relevant files** for broad requests (e.g., "review our entire HIPAA program").
39
+
40
+ ---
41
+
42
+ ## Workflow by Use Case
43
+
44
+ ### 1. Compliance Review
45
+
46
+ When a user submits a document, workflow, architecture diagram, or policy for review:
47
+
48
+ 1. **Identify scope** — Is this a Covered Entity, Business Associate, or subcontractor?
49
+ 2. **Load relevant reference files** based on what's being reviewed
50
+ 3. **Structured review output:**
51
+ ```
52
+ ## HIPAA Compliance Review
53
+
54
+ **Scope:** [CE / BA / Both]
55
+ **Rules Applicable:** [Privacy / Security / Breach Notification]
56
+
57
+ ### ✅ Compliant Elements
58
+ - [List what's done well]
59
+
60
+ ### ⚠️ Issues Found
61
+ | Issue | Rule Reference | Risk Level | Recommendation |
62
+ |-------|---------------|------------|----------------|
63
+ | ... | 45 CFR §... | High/Med/Low | ... |
64
+
65
+ ### 📋 Action Items
66
+ 1. [Prioritized remediation steps]
67
+
68
+ *Disclaimer: ...*
69
+ ```
70
+
71
+ ### 2. Template & Policy Generation
72
+
73
+ When generating HIPAA documents, load `references/templates.md` for structure guidance.
74
+
75
+ Common documents to generate:
76
+ - **Notice of Privacy Practices (NPP)** — Required for all Covered Entities
77
+ - **Business Associate Agreement (BAA)** — Required before sharing PHI with vendors
78
+ - **HIPAA Privacy Policy** — Internal staff-facing policy
79
+ - **Workforce Training Acknowledgment**
80
+ - **Incident/Breach Response Plan**
81
+ - **Risk Assessment Template**
82
+ - **Authorization Form** (for uses/disclosures beyond TPO)
83
+
84
+ Always:
85
+ - Include the organization's name as `[ORGANIZATION NAME]` placeholder
86
+ - Include effective date as `[EFFECTIVE DATE]`
87
+ - Cite the specific CFR section the clause satisfies (e.g., `// 45 CFR §164.520`)
88
+ - Note which clauses are **required** vs. **addressable/recommended**
89
+
90
+ ### 3. Technical Safeguards Advice
91
+
92
+ When advising developers or architects, load `references/security-rule.md`.
93
+
94
+ Structure technical advice as:
95
+
96
+ ```
97
+ ## HIPAA Technical Assessment: [System/Feature Name]
98
+
99
+ ### ePHI in Scope
100
+ - [What data qualifies as ePHI in this system]
101
+
102
+ ### Required Safeguards
103
+
104
+ #### Administrative
105
+ - [ ] Risk Analysis (§164.308(a)(1))
106
+ - [ ] Workforce Training (§164.308(a)(5))
107
+ - [ ] Access Management (§164.308(a)(4))
108
+
109
+ #### Physical
110
+ - [ ] Workstation controls (§164.310(b))
111
+ - [ ] Device/media controls (§164.310(d))
112
+
113
+ #### Technical
114
+ - [ ] Unique user IDs (§164.312(a)(2)(i))
115
+ - [ ] Audit controls / logging (§164.312(b))
116
+ - [ ] Encryption at rest (§164.312(a)(2)(iv)) — Addressable
117
+ - [ ] Encryption in transit (§164.312(e)(2)(ii)) — Addressable
118
+ - [ ] Automatic logoff (§164.312(a)(2)(iii)) — Addressable
119
+
120
+ ### Implementation Notes
121
+ [Specific guidance for their stack/architecture]
122
+ ```
123
+
124
+ **Key technical guidance:**
125
+ - Encryption is "addressable" not "required" — but document your reasoning if not implementing
126
+ - In practice, encryption (AES-256 at rest, TLS 1.2+ in transit) is the industry standard
127
+ - Cloud providers: AWS, Azure, GCP all offer HIPAA-eligible services — a BAA is still required
128
+ - Audit logs must capture: who accessed what PHI, when, from where
129
+ - Minimum retention: 6 years for HIPAA-related records
130
+
131
+ ### 4. Education & Explanation
132
+
133
+ When explaining HIPAA concepts:
134
+ - Lead with a plain-language summary, then provide the regulatory detail
135
+ - Use concrete examples relevant to the user's context (developer, compliance officer, staff)
136
+ - Always clarify: **Covered Entity vs. Business Associate vs. Neither**
137
+ - When citing regulations, use format: `45 CFR §164.[section]`
138
+
139
+ ---
140
+
141
+ ## Key HIPAA Concepts (Quick Reference)
142
+
143
+ ### Who Must Comply
144
+ | Entity Type | Examples | Obligation |
145
+ |------------|---------|-----------|
146
+ | Covered Entity (CE) | Hospitals, clinics, health plans, clearinghouses | Full HIPAA compliance |
147
+ | Business Associate (BA) | EHR vendors, billing companies, cloud storage used for PHI | Must sign BAA; Security Rule + parts of Privacy Rule |
148
+ | Subcontractor of BA | Sub-processors handling ePHI | Also a BA; must sign BAA |
149
+ | Employer (self-insured plan) | Company managing its own health plan | Limited HIPAA obligations |
150
+
151
+ ### What is PHI?
152
+ PHI = Individually identifiable health information + relates to health condition, care, or payment.
153
+
154
+ **18 HIPAA identifiers** (presence of any = PHI):
155
+ Names, geographic data, dates (except year), phone, fax, email, SSN, MRN, health plan #, account #, certificate/license #, VIN, device IDs, URLs, IP addresses, biometric IDs, full-face photos, any other unique identifier.
156
+
157
+ **De-identification methods:**
158
+ - **Safe Harbor**: Remove all 18 identifiers + no actual knowledge re-identification is possible
159
+ - **Expert Determination**: Statistical/scientific expert certifies very small re-identification risk
160
+
161
+ ### Permitted Uses Without Authorization (TPO + More)
162
+ - **Treatment, Payment, Operations (TPO)** — Core permitted uses
163
+ - Public health activities, abuse reporting, health oversight, judicial proceedings, law enforcement (limited), research (with IRB/waiver), funeral directors, organ donation, serious threats to health/safety, workers' comp, government functions, limited data set (with DUA)
164
+
165
+ ---
166
+
167
+ ## Tone & Approach
168
+
169
+ - **Be practical** — Users need actionable guidance, not just citations
170
+ - **Flag ambiguity** — HIPAA has gray areas; name them honestly
171
+ - **Risk-stratify** — Help users understand High / Medium / Low risk issues
172
+ - **Be audience-aware** — Developers need technical specifics; compliance officers need citations; staff need plain language
173
+ - **Never overstate certainty** — When in doubt, recommend legal counsel