Skill Reviewed
skills/compliance/hipaa-review/SKILL.md
Summary
The hipaa-review skill covers HIPAA Security Rule safeguards and has a breach notification readiness section, but it does not require an OCR-ready evidence package for recognized security practices under Public Law 116-321 / HITECH Section 13412. HHS OCR guidance says OCR considers whether recognized security practices were in place for the prior 12 months in certain Security Rule enforcement, audit, and remedy determinations.
Official source: https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
Coverage Gap
The current skill does not require reviewers to validate:
- Whether recognized security practices are mapped to NIST, 405(d), or another recognized practice set.
- Whether evidence covers the prior 12 months rather than a recently designed control set.
- Whether evidence includes operational artifacts, not only policy documents.
- Whether practices tie back to ePHI confidentiality, integrity, and availability risks identified in the HIPAA risk analysis.
- Whether gaps, exceptions, compensating measures, owners, and remediation dates are documented.
- Whether the evidence package can be produced during an OCR investigation, compliance review, or audit.
Risk
Without this gate, an assessment can accurately review Security Rule controls but miss evidence that can materially affect OCR enforcement/audit handling. It can also overstate readiness when a covered entity or business associate has policy language but cannot demonstrate 12 months of operation.
Suggested Fix
Add a recognized security practices evidence overlay near the Security Management Process section, add HIPAA-RSP-* findings, and update the report template to show 12-month evidence-package status.
Proposed PR
I will submit a focused PR that adds:
- A Recognized Security Practices Evidence Overlay (HITECH Section 13412) section.
- HIPAA-RSP-01 through HIPAA-RSP-05 findings.
- Output fields for recognized security practices evidence status.
- An HHS OCR recognized security practices reference.
Expected Bounty Tier
Reviewer-tier for this structured review, plus improver-tier if the linked PR is accepted.