Name: tdg-personal/healthcare-phi-compliance
Rating: 46.400000000000006 (1 reviews)
Author: tdg-personal

tdg-personal/healthcare-phi-compliance

Protected Health Information (PHI) and Personally Identifiable Information (PII) compliance patterns for healthcare applications. Covers data classification, access control, audit trails, encryption, and common leak vectors.

Quality

57%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable reference for healthcare data compliance with strong concrete examples (SQL, TypeScript) and a useful deployment checklist. Its main weaknesses are the lack of a sequenced implementation workflow with validation feedback loops, and some verbosity in the classification section that could be tightened. The content would benefit from being restructured as a concise overview pointing to detailed sub-documents.

Suggestions

Add an explicit sequenced workflow for implementing PHI protection in a new feature (e.g., 1. Classify data → 2. Apply RLS → 3. Verify with test queries → 4. Add audit logging → 5. Run deployment checklist), with validation checkpoints at each step.

Trim the data classification section — Claude knows what PHI and PII are. Focus on project-specific classifications and edge cases rather than listing every possible PHI element.

Consider splitting into SKILL.md (overview + quick reference) with references to separate files like LEAK_VECTORS.md, RLS_PATTERNS.md, and DEPLOYMENT_CHECKLIST.md for detailed content.

Dimension	Reasoning	Score
Conciseness	Generally efficient but includes some unnecessary elaboration. The data classification section lists out every possible PHI element when a shorter summary would suffice for Claude. The 'When to Use' section is somewhat verbose. However, most content earns its place.	2 / 3
Actionability	Provides fully executable SQL for RLS policies, concrete TypeScript interfaces for audit entries, specific good/bad code examples for error handling and logging, and a clear deployment checklist. All examples are copy-paste ready and specific.	3 / 3
Workflow Clarity	The deployment checklist provides validation steps, and the three-layer model (classification, access control, audit) gives structure. However, there's no explicit sequenced workflow for implementing these patterns — it reads more as a reference than a step-by-step process. For a skill involving destructive/security-critical operations, the lack of a 'validate -> fix -> retry' feedback loop caps this at 2.	2 / 3
Progressive Disclosure	Content is well-organized with clear headers and logical sections, but everything is inline in a single file. The data classification details, full RLS examples, and deployment checklist could be split into referenced files. For a skill of this length (~150 lines), some progressive disclosure to separate files would improve navigability.	2 / 3
	Total	9 / 12 Passed

Description

32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (healthcare PHI/PII compliance) and lists relevant topic areas, but it reads more like a table of contents than an actionable skill description. It lacks concrete actions (what does it actually do—generate code, review patterns, create policies?) and entirely omits trigger guidance for when Claude should select this skill.

Suggestions

Add an explicit 'Use when...' clause with trigger terms like 'HIPAA compliance', 'patient data handling', 'PHI leak prevention', 'medical records security', or 'healthcare data protection'.

Replace the topic list with concrete actions the skill performs, e.g., 'Reviews code for PHI exposure risks, generates HIPAA-compliant data handling patterns, implements audit logging for patient data access'.

Include commonly missed trigger terms like 'HIPAA', 'patient data', 'medical records', 'de-identification', and 'BAA' to improve keyword coverage.

Dimension	Reasoning	Score
Specificity	Names the domain (PHI/PII compliance in healthcare) and lists several areas (data classification, access control, audit trails, encryption, leak vectors), but these are categories rather than concrete actions. It doesn't specify what the skill actually does with these topics (e.g., 'generates compliance checks', 'reviews code for PHI leaks').	2 / 3
Completeness	Describes what the skill covers at a high level but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also weak (topics rather than actions), warranting a 1.	1 / 3
Trigger Term Quality	Includes relevant terms like 'PHI', 'PII', 'healthcare', 'HIPAA' is notably absent, 'encryption', 'audit trails', and 'access control'. Missing common user-facing terms like 'HIPAA', 'patient data', 'medical records', 'de-identification', or 'data breach'.	2 / 3
Distinctiveness Conflict Risk	The healthcare PHI/PII focus provides some distinctiveness, but terms like 'access control', 'encryption', and 'audit trails' are generic enough to overlap with general security or compliance skills. The healthcare qualifier helps but isn't sufficient to fully distinguish it.	2 / 3
	Total	7 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Reviewed

2 months ago

Table of Contents

Discovery Implementation Validation