A clinical-grade PII/PHI detection and de-identification tool for healthcare text data.
30
23%: Does it follow best practices?
Impact: — (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize "./scientific-skills/Academic Writing/hipaa-compliance-auditor/SKILL.md"
Quality
Discovery
32%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (healthcare PII/PHI de-identification) but is too terse to be effective for skill selection. It lacks a 'Use when...' clause, misses common user trigger terms like 'HIPAA', 'redact', 'anonymize', and 'patient data', and does not enumerate specific concrete actions beyond the high-level 'detection and de-identification'.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to redact, anonymize, or de-identify patient data, medical records, or any text containing PII/PHI for HIPAA compliance.'
- Include natural trigger terms users would say: 'redact', 'anonymize', 'HIPAA', 'patient data', 'medical records', 'sensitive health information', 'PHI removal'.
- List specific concrete actions such as 'Detects and redacts names, dates, medical record numbers, SSNs, and other identifiers from clinical notes and healthcare documents.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (healthcare text data) and core actions (PII/PHI detection and de-identification), but does not list multiple specific concrete actions like redacting names, masking dates, replacing identifiers, etc. | 2 / 3 |
| Completeness | Describes what the skill does (PII/PHI detection and de-identification) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, missing 'Use when' caps completeness at 2, and the 'what' is also only moderately detailed, warranting a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'PII', 'PHI', 'de-identification', and 'healthcare', but misses common user variations such as 'HIPAA', 'redact', 'anonymize', 'patient data', 'medical records', or 'sensitive information'. | 2 / 3 |
| Distinctiveness Conflict Risk | The healthcare/clinical focus and PII/PHI terminology provide some distinctiveness, but without more specific triggers it could overlap with general data privacy, text processing, or broader PII detection skills. | 2 / 3 |
| Total | 7 / 12 Passed | |
Implementation
14%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill suffers from severe verbosity and boilerplate padding, with large sections of generic template content that is not specific to HIPAA de-identification. The circular internal references ('See ## Features above') suggest auto-generated content that wasn't properly edited. While it contains some useful concrete elements (CLI examples, Python API snippet, parameter table, output format), these are buried in repetitive and generic sections that dilute the actionable content.
Suggestions
- Remove all generic boilerplate sections (Risk Assessment, Security Checklist, Lifecycle Status, Evaluation Criteria, Response Template, Output Requirements, Input Validation) and focus on HIPAA-specific guidance — cut the document by at least 60%.
- Consolidate the three competing workflow descriptions into a single, clear numbered sequence with explicit validation checkpoints, especially a mandatory manual review step before any PHI-containing output is considered compliant.
- Remove circular self-references ('See ## Features above', 'See ## Usage above') and reorganize into a logical flow: Quick Start → Usage (CLI + API) → Configuration → Output Format → Limitations.
- Move detailed reference content (18 HIPAA categories, full parameter table, audit log schema) into separate reference files and link to them from a concise overview section.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose and repetitive. Multiple sections reference each other circularly ('See ## Features above', 'See ## Usage above', 'See ## Workflow above'). Contains extensive boilerplate sections (Risk Assessment, Security Checklist, Lifecycle Status, Evaluation Criteria, Response Template) that add little value. Explains concepts Claude already knows and includes generic template content not specific to HIPAA de-identification. | 1 / 3 |
| Actionability | Provides some concrete commands and a Python API example with executable code, but much of the guidance is generic boilerplate rather than specific to PII/PHI detection. The actual implementation details are thin — no real code showing how patterns work, how to configure custom patterns, or how the NLP pipeline operates. The Python API example is useful but may not be executable without seeing the actual script. | 2 / 3 |
| Workflow Clarity | Multiple competing workflow sections exist ('Example Usage' run plan, 'Workflow' section, 'Technical Architecture') with no clear primary sequence. The generic 'Workflow' section (steps 1-5) is abstract and not specific to HIPAA de-identification. For a tool handling PHI — a destructive/sensitive operation — there are no explicit validation checkpoints like verifying all PII was caught before releasing output. The critical manual review warning exists but isn't integrated into the workflow steps. | 1 / 3 |
| Progressive Disclosure | The document is a monolithic wall of text with 20+ sections, many of which are generic boilerplate. References to external files (references/hipaa_safe_harbor_guide.pdf, references/pii_patterns.json, etc.) exist but no bundle files are provided to verify them. Circular self-references ('See ## Features above') add confusion rather than structure. Content that should be in separate files (full parameter tables, all 18 HIPAA categories, audit log schema, risk assessment) is inline. | 1 / 3 |
| Total | 5 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
73f6514