陌讯skills聚合平台

healthcare-compliance

📁 quantumsolver/e-health-kit 📅 8 days ago
3
总安装量
2
周安装量
#57386
全站排名
安装命令
npx skills add https://github.com/quantumsolver/e-health-kit --skill healthcare-compliance

Agent 安装分布

mcpjam 2
claude-code 2
replit 2
junie 2
windsurf 2
zencoder 2

Skill 文档

Healthcare Compliance

This skill provides engineering guardrails for healthcare and e-health projects. It is not legal advice; use it to shape technical decisions and checklists.

How to Use This Skill

Use this skill whenever:

  • The system stores or processes Protected Health Information (PHI).
  • You touch patient data, clinical notes, lab results, prescriptions, imaging, or billing linked to a person.
  • You design integrations with hospital systems (HL7, FHIR, LIS or RIS, PACS).

Combine it with:

  • backend-specialist for API and access control decisions.
  • database-architect for schema, retention, and indexing choices.
  • security-auditor for security scans and secret management.

1. Regulatory Scope (High-Level)

Focus on common technical expectations across regulations:

  • HIPAA (US) – Privacy Rule, Security Rule, audit and breach notification.
  • GDPR or local privacy laws – data minimisation, consent, right to access or delete.
  • HL7 v2.x – messaging standard used by many legacy hospital systems.
  • FHIR (R4 or R5) – modern resource-based REST API standard for clinical data.

Principle: design for least privilege, auditability, and interoperability.

2. PHI Data Classification

Before coding, identify which fields and tables contain PHI:

  • Direct identifiers: name, national ID, phone, email, full address.
  • Quasi-identifiers: date of birth, postal code, gender, rare diagnosis combinations.
  • Clinical content: encounters, diagnoses, prescriptions, lab results, vitals, imaging reports.
  • Billing data tied to a person: invoices, insurance details, claim status.

Rules:

  • Do not store PHI in free-text logs, analytics events, or error traces.
  • Avoid PHI in URLs or document identifiers such as query strings or path parameters.
  • Encrypt backups and exports containing PHI.

3. Access Control and Roles

Design role-based access control aligned with clinical workflows:

  • Receptionist: schedule, basic demographics, no access to detailed clinical notes.
  • Nurse: triage data, vitals, limited orders, partial record view.
  • Physician: full clinical record, orders, notes, e-prescriptions.
  • Lab or Imaging: orders, results entry, no financial data.
  • Billing: invoices, payments, insurance, minimal clinical details.

Engineering guidelines:

  • Enforce RBAC server-side, not just in the UI.
  • Apply row-level access for sensitive records, for example filter by facility or organisation.
  • Prefer allowlists, describing who may access, over blocklists.
  • Log every access to high-risk objects such as patient, encounter, and medical record.

4. Audit Trails and Logging

For PHI-bearing objects, the system should answer who did what, when, and to which record.

Minimum requirements:

  • Version history for key records, using before or after snapshots or field-level changes.
  • Immutable audit log of security-sensitive actions such as login, impersonation, mass exports.
  • Record of consent changes, privacy preference updates, and sharing revocations.
  • Time-synchronised server clocks (NTP) to make logs reliable.

Logging rules:

  • Do not log full payloads of clinical notes, prescriptions, or lab results.
  • Prefer identifiers plus minimal context such as record id, action, module, user, timestamp.

5. Data Protection and Deployment

Checklist for secure-by-default deployments:

  • Transport: enforce HTTPS or TLS everywhere, including internal APIs.
  • At rest: use database encryption at rest and encrypted volumes or backups.
  • Secrets: store credentials in a secret manager or environment variables, never in Git.
  • Backups: regular encrypted backups with tested restore procedures.
  • Retention: configure retention policies per data category such as clinical, billing, logs.
  • Isolation: separate production and test datasets; never use real PHI in development.

For Frappe or ERPNext deployments, ensure:

  • Site config (site_config.json) does not commit secrets.
  • Background workers and schedulers run under least-privilege OS users.
  • Only whitelisted hosts and IPs may reach the database and Redis instances.

6. HL7 and FHIR Integration Patterns

When integrating with hospital systems:

  • HL7 v2:

    • Typically via TCP or file drops, with messages such as ADT, ORM, ORU.
    • Implement a translation layer that validates and maps segments to internal DocTypes.
    • Keep raw HL7 messages for traceability in a secure, access-controlled store.

  • FHIR:

    • Prefer RESTful APIs with JSON.
    • Map DocTypes to FHIR resources such as Patient, Encounter, Observation, MedicationRequest, Appointment.
    • Maintain explicit mapping documentation at field level for every integration.

Security rules:

  • Authenticate all integration clients using mutual TLS, OAuth2, or signed tokens.
  • Throttle and monitor inbound and outbound traffic for abuse and leaks.

7. Pre-Release Compliance Checklist

Before launching or changing an e-health feature, verify:

  • Data classification completed; PHI locations documented.
  • RBAC implemented and enforced in backend for all health DocTypes.
  • Audit logging enabled for access and modifications of PHI.
  • Transport and at-rest encryption configured and tested.
  • Backup, restore, and retention policies documented and tested.
  • Integrations using HL7 or FHIR authenticated, authorised, and rate-limited.
  • No PHI in logs, analytics, or URLs.
  • Legal or compliance stakeholders have reviewed changes where required.

Use this checklist as a gate before considering an e-health feature done.

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。