
hipaa-compliance-auditor

A clinical-grade PII/PHI detection and de-identification tool for healthcare text data.

41

Quality: 27% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize "./scientific-skills/Academic Writing/hipaa-compliance-auditor/SKILL.md"

Quality

Discovery

40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear and distinctive niche (healthcare PII/PHI de-identification) but is too terse to be fully effective for skill selection. It lacks explicit trigger guidance ('Use when...') and misses common user-facing keywords like 'HIPAA', 'anonymize', 'redact', or 'patient data'. Adding concrete actions and explicit usage triggers would significantly improve its utility.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to anonymize, redact, or de-identify patient data, medical records, or any text containing protected health information.'

Include natural trigger terms users would say, such as 'HIPAA compliance', 'anonymize', 'redact', 'patient names', 'medical records', 'SSN', 'MRN', 'protected health information'.

List specific concrete actions beyond 'detection and de-identification', e.g., 'Detects and redacts patient names, dates of birth, medical record numbers, SSNs, and other PHI from clinical notes, discharge summaries, and medical reports.'

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Names the domain (healthcare text data) and core actions (PII/PHI detection and de-identification), but does not list multiple specific concrete actions like redacting names, masking dates, replacing MRNs, etc. | 2 / 3 |
| Completeness | Describes what the skill does (PII/PHI detection and de-identification) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and since the 'when' is entirely absent, this scores a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'PII', 'PHI', 'de-identification', and 'healthcare', but misses common user variations such as 'HIPAA', 'anonymize', 'redact', 'patient data', 'medical records', 'sensitive information', or 'protected health information'. | 2 / 3 |
| Distinctiveness Conflict Risk | The combination of 'clinical-grade', 'PII/PHI', 'de-identification', and 'healthcare text data' creates a clear niche that is unlikely to conflict with other skills. This is a very specific domain with distinct triggers. | 3 / 3 |

Total: 8 / 12 (Passed)

Implementation

14%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill suffers from severe bloat and poor organization. It contains useful core content (Python API example, parameter table, HIPAA identifier list, audit log format) buried under layers of generic boilerplate sections that add no value. The circular self-references ('See ## Features above'), duplicate workflow sections, and extensive template/checklist sections make it difficult to extract the actionable information needed to actually use the tool.

Suggestions

Remove all boilerplate sections (Risk Assessment, Security Checklist, Lifecycle Status, Evaluation Criteria, Response Template, Output Requirements, Input Validation) that don't contain tool-specific information Claude needs.

Consolidate the two workflow sections into a single clear sequence with explicit validation: run de-identification → verify output contains no PII → check audit log → flag low-confidence detections for manual review.

Remove circular references ('See ## Features above', 'See ## Usage above') and reorganize into a linear flow: Quick Start → Parameters → Output Format → References.

Move the HIPAA identifier categories list, technical architecture details, and audit log schema into separate reference files, keeping only the essential usage examples in the main skill.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | Extremely verbose and repetitive. Multiple sections reference each other circularly ('See ## Features above', 'See ## Usage above', 'See ## Workflow above'). Contains extensive boilerplate sections (Risk Assessment, Security Checklist, Lifecycle Status, Evaluation Criteria) that add little value. The 'When to Use' section repeats the description verbatim. Many sections explain things Claude already knows (error handling philosophy, input validation concepts, response templates). | 1 / 3 |
| Actionability | Provides some concrete commands (CLI usage, Python API example) and a parameter table, but much of the content is generic boilerplate rather than specific executable guidance. The Python API example is useful and copy-paste ready, but the workflow steps are vague ('Confirm the user objective', 'Validate that the request matches the documented scope'). The audit log JSON example is a good concrete artifact. | 2 / 3 |
| Workflow Clarity | There are two competing workflow sections with different content, creating confusion. Neither has explicit validation checkpoints tied to the actual de-identification process. The Technical Architecture section lists pipeline stages but doesn't provide actionable validation steps. For a tool handling HIPAA-sensitive data (a destructive/high-risk operation), there are no concrete verification steps to confirm PII was actually removed, which should cap this at 1. | 1 / 3 |
| Progressive Disclosure | The document is a monolithic wall of text with 20+ sections, many of which are boilerplate. Content is poorly organized with circular references ('See ## Features above'). The references section points to external files but the main document itself is bloated with content that should either be removed or split out (Risk Assessment, Security Checklist, Evaluation Criteria, Lifecycle Status are all inline noise). | 1 / 3 |

Total: 5 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 10 / 11 (Passed)

Repository: aipoch/medical-research-skills (Reviewed)
