Protected Health Information (PHI) and Personally Identifiable Information (PII) compliance patterns for healthcare applications. Covers data classification, access control, audit trails, encryption, and common leak vectors.
57%
Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Passed. No known issues.
Quality
Discovery
32%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (healthcare PHI/PII compliance) and lists relevant topic areas, but it reads more like a table of contents than an actionable skill description. It lacks concrete actions (what does it actually do—generate code, review patterns, create policies?) and entirely omits trigger guidance for when Claude should select this skill.
Suggestions
Add an explicit 'Use when...' clause with trigger terms like 'HIPAA compliance', 'patient data handling', 'PHI leak prevention', 'medical records security', or 'healthcare data protection'.
Replace the topic list with concrete actions the skill performs, e.g., 'Reviews code for PHI exposure risks, generates HIPAA-compliant data handling patterns, implements audit logging for patient data access'.
Include commonly missed trigger terms like 'HIPAA', 'patient data', 'medical records', 'de-identification', and 'BAA' to improve keyword coverage.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (PHI/PII compliance in healthcare) and lists several areas (data classification, access control, audit trails, encryption, leak vectors), but these are categories rather than concrete actions. It doesn't specify what the skill actually does with these topics (e.g., 'generates compliance checks', 'reviews code for PHI leaks'). | 2 / 3 |
| Completeness | Describes what the skill covers at a high level but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also weak (topics rather than actions), warranting a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'PHI', 'PII', 'healthcare', 'encryption', 'audit trails', and 'access control'; 'HIPAA' is notably absent. Missing common user-facing terms like 'HIPAA', 'patient data', 'medical records', 'de-identification', or 'data breach'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The healthcare PHI/PII focus provides some distinctiveness, but terms like 'access control', 'encryption', and 'audit trails' are generic enough to overlap with general security or compliance skills. The healthcare qualifier helps but isn't sufficient to fully distinguish it. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable reference for healthcare data compliance with strong concrete examples (SQL, TypeScript) and a useful deployment checklist. Its main weaknesses are the lack of a sequenced implementation workflow with validation feedback loops, and some verbosity in the classification section that could be tightened. The content would benefit from being restructured as a concise overview pointing to detailed sub-documents.
Suggestions
Add an explicit sequenced workflow for implementing PHI protection in a new feature (e.g., 1. Classify data → 2. Apply RLS → 3. Verify with test queries → 4. Add audit logging → 5. Run deployment checklist), with validation checkpoints at each step.
Trim the data classification section — Claude knows what PHI and PII are. Focus on project-specific classifications and edge cases rather than listing every possible PHI element.
Consider splitting into SKILL.md (overview + quick reference) with references to separate files like LEAK_VECTORS.md, RLS_PATTERNS.md, and DEPLOYMENT_CHECKLIST.md for detailed content.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient but includes some unnecessary elaboration. The data classification section lists out every possible PHI element when a shorter summary would suffice for Claude. The 'When to Use' section is somewhat verbose. However, most content earns its place. | 2 / 3 |
| Actionability | Provides fully executable SQL for RLS policies, concrete TypeScript interfaces for audit entries, specific good/bad code examples for error handling and logging, and a clear deployment checklist. All examples are copy-paste ready and specific. | 3 / 3 |
| Workflow Clarity | The deployment checklist provides validation steps, and the three-layer model (classification, access control, audit) gives structure. However, there's no explicit sequenced workflow for implementing these patterns; it reads more as a reference than a step-by-step process. For a skill involving destructive/security-critical operations, the lack of a 'validate -> fix -> retry' feedback loop caps this at 2. | 2 / 3 |
| Progressive Disclosure | Content is well-organized with clear headers and logical sections, but everything is inline in a single file. The data classification details, full RLS examples, and deployment checklist could be split into referenced files. For a skill of this length (~150 lines), some progressive disclosure to separate files would improve navigability. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |