[REVIEW] hipaa-review: add Privacy Rule and Part 2 scope routing gates

[yanziwei]

Skill Review ($25 Bounty)

Skill

skills/compliance/hipaa-review/SKILL.md

What needs improvement

hipaa-review is intentionally scoped to the HIPAA Security Rule (45 CFR Part 164, Subpart C), but the workflow only flags Privacy Rule / non-Security-Rule citations near the end of the skill. That makes it easy for an assessment request about 2024 reproductive health care Privacy Rule attestations, 42 CFR Part 2 / SUD records, or general PHI disclosure permissions to be evaluated as if a Security Rule review fully addressed it.

Why this matters

HHS/OCR has recent Privacy/Part 2 obligations that often appear in HIPAA readiness requests but are not Security Rule safeguards:

• OCR's reproductive health care Privacy Rule final rule requires signed attestations for certain PHI requests potentially related to reproductive health care.
• HHS's Part 2 materials say the 2024 Part 2 final rule became effective April 16, 2024, with compliance required February 16, 2026, and applies to SUD records and certain lawful holders.

A Security Rule-only skill should route these topics out of scope early, preserve the Security Rule assessment, and report the unresolved Privacy Rule / Part 2 follow-up rather than silently treating them as covered.

Suggested fix

Add early scope-routing checks to Step 1 and the output template:

• identify whether the request includes Security Rule ePHI safeguard review, Privacy Rule use/disclosure questions, Breach Notification readiness, or Part 2/SUD records;
• flag reproductive health care attestation requests and Part 2/SUD confidentiality requests as out-of-scope referrals for this skill;
• continue with Security Rule review only for ePHI safeguard controls;
• add a report field/table for out-of-scope Privacy Rule / Part 2 follow-ups and the relevant reviewer handoff.

References

• HHS OCR reproductive health care Privacy Rule final rule fact sheet: https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html
• HHS 42 CFR Part 2 final rule fact sheet: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html
• HHS Part 2 overview: https://www.hhs.gov/hipaa/part-2/index.html

[yanziwei]

Submitted PR: #1694

Implemented focused HIPAA scope-routing gates for Privacy Rule, reproductive health care attestation, and 42 CFR Part 2/SUD topics. Validation performed: git diff --check, marker grep, scoped diff review, and Markdown fence balance check.

[heroking777]

Strategic Proposal for HIPAA Review Scope Routing

File: skills/compliance/hipaa-review/SKILL.md

Root Cause: The current HIPAA review skill is narrowly scoped to the Security Rule, failing to properly route and flag Privacy Rule and Part 2 citations early in the assessment process. This oversight can lead to incomplete or misdirected evaluations, especially for reproductive health care and SUD records.

Solution Summary:

1. Early Scope-Routing Checks: Introduce initial checks at Step 1 to identify whether the request pertains to Privacy Rule use/disclosure questions, Breach Notification readiness, or Part 2/SUD records.
2. Out-of-Scope Referrals: Flag reproductive health care attestation requests and Part 2/SUD confidentiality requests as out-of-scope for this skill, directing them to appropriate reviewers.
3. Security Rule Review Focus: Continue with the Security Rule review only for ePHI safeguard controls.
4. Report Field for Follow-Ups: Add a dedicated report field or table to capture unresolved Privacy Rule/Part 2 follow-ups and handoff details.

Benefits:

• Ensures comprehensive coverage of all relevant HIPAA regulations.
• Prevents misclassification of requests, maintaining accurate compliance assessments.
• Streamlines the review process by clearly delineating responsibilities for different regulatory areas.

By implementing these minimal changes, we can significantly enhance the skill's effectiveness in handling complex HIPAA readiness requests while preserving its core functionality. This approach maintains simplicity and minimizes potential disruptions to existing workflows.