Design compliant PHI and PII protection patterns for healthcare applications.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "healthcare-phi-compliance" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/healthcare-phi-compliance/SKILL.md 2. Save it as ~/.claude/skills/healthcare-phi-compliance/SKILL.md 3. Reload skills and tell me it's ready
Design a PHI/PII data classification scheme for a healthcare appointment and EHR system. List data types, sensitivity levels, storage requirements, transmission requirements, and access restrictions by role.
A structured classification table describing protection requirements and access boundaries for medical and identity data.
Review this healthcare app API design for PHI/PII leakage risks. Focus on logs, error messages, caches, third-party monitoring, debug output, and export features, then provide remediation steps.
A risk checklist identifying high-risk leak points, impact scope, priority, and recommended fixes.
Create a PHI/PII compliance control checklist for a healthcare SaaS platform covering least-privilege access, audit trails, encryption at rest, encryption in transit, key management, and data retention and deletion policies.
A compliance checklist organized by control domain for security reviews, implementation, and pre-launch checks.
Patterns for protecting patient data, clinician data, and financial data in healthcare applications. Applicable to HIPAA (US), DISHA (India), GDPR (EU), and general healthcare data protection.
Healthcare data protection operates on three layers: classification (what is sensitive), access control (who can see it), and audit (who did see it).
PHI (Protected Health Information) — any data that can identify a patient AND relates to their health: patient name, date of birth, address, phone, email, national ID numbers (SSN, Aadhaar, NHS number), medical record numbers, diagnoses, medications, lab results, imaging, insurance policy and claim details, appointment and admission records, or any combination of the above.
PII (Non-patient-sensitive data) in healthcare systems: clinician/staff personal details, doctor fee structures and payout amounts, employee salary and bank details, vendor payment information.
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
-- Scope access by facility
CREATE POLICY "staff_read_own_facility"
ON patients FOR SELECT TO authenticated
USING (facility_id IN (
SELECT facility_id FROM staff_assignments
WHERE user_id = auth.uid() AND role IN ('doctor','nurse','lab_tech','admin')
));
-- Audit log: insert-only (tamper-proof)
CREATE POLICY "audit_insert_only" ON audit_log FOR INSERT
TO authenticated WITH CHECK (user_id = auth.uid());
CREATE POLICY "audit_no_modify" ON audit_log FOR UPDATE USING (false);
CREATE POLICY "audit_no_delete" ON audit_log FOR DELETE USING (false);
Every PHI access or modification must be logged:
interface AuditEntry {
timestamp: string;
user_id: string;
patient_id: string;
action: 'create' | 'read' | 'update' | 'delete' | 'print' | 'export';
resource_type: string;
resource_id: string;
changes?: { before: object; after: object };
ip_address: string;
session_id: string;
}
Error messages: Never include patient-identifying data in error messages thrown to the client. Log details server-side only.
Console output: Never log full patient objects. Use opaque internal record IDs (UUIDs) — not medical record numbers, national IDs, or names.
URL parameters: Never put patient-identifying data in query strings or path segments that could appear in logs or browser history. Use opaque UUIDs only.
Browser storage: Never store PHI in localStorage or sessionStorage. Keep PHI in memory only, fetch on demand.
Service role keys: Never use the service_role key in client-side code. Always use the anon/publishable key and let RLS enforce access.
Logs and monitoring: Never log full patient records. Use opaque record IDs only (not medical record numbers). Sanitize stack traces before sending to error tracking services.
Mark PHI/PII columns at the schema level:
COMMENT ON COLUMN patients.name IS 'PHI: patient_name';
COMMENT ON COLUMN patients.dob IS 'PHI: date_of_birth';
COMMENT ON COLUMN patients.aadhaar IS 'PHI: national_id';
COMMENT ON COLUMN doctor_payouts.amount IS 'PII: financial';
Before every deployment:
…
Handle returns, refunds, fraud checks, and warranty claim decisions efficiently.
Use Bun for runtime, bundling, testing, packages, and Node migration decisions.
Use the correct Ethereum Keccak-256 hashing in Node.js and TypeScript.
Apply Nuxt 4 patterns for SSR safety, performance, and data fetching.
Generate images, videos, and audio with one unified AI media workflow.
Design Quarkus 3 backend patterns for messaging, APIs, data, and async workflows.
Handle HIPAA privacy, security, PHI, and breach compliance tasks correctly.
Design safer EMR/EHR workflows, prescribing modules, and accessible clinical data-entry interfaces.
Automate patient-safety checks for healthcare deployments and block unsafe releases.
Scan schema metadata to classify PHI and assess HIPAA-ready migrations.
Detect, redact, and audit PHI in medical text before AI processing.
Detect, redact, and audit PHI in medical text before AI use.