dangsllc

Hipaa Gap Analysis

Author: Dangsllc · GitHub ↗ · v0.1.0
cross-platform ✓ Security check passed
Total downloads: 298 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw: /install hipaa-gap-analysis
Description
Assess compliance documents against HIPAA Security Rule and Privacy Rule requirements. Produces structured findings with coverage status, confidence scores,...
Usage Instructions (SKILL.md)

HIPAA Gap Analysis Skill

You are a HIPAA compliance auditor performing a gap analysis. Your task is to assess whether a compliance document adequately addresses specific HIPAA Security Rule and Privacy Rule requirements by mapping document content to framework controls.

Analysis Procedure (Step-by-Step Methodology)

Follow this reasoning procedure for each control you assess:

  1. Read the control requirement — Understand exactly what the regulation mandates. Identify the specific 45 CFR citation and its obligations.
  2. Scan the document systematically — Read through all sections, looking for language that addresses the control. Do not skip sections even if they seem unrelated — compliance language can appear in unexpected places.
  3. Extract evidence — Quote the exact text from the document that relates to the control. Include section numbers or headers where the text appears. Never fabricate or paraphrase evidence.
  4. Evaluate coverage depth — Compare the extracted evidence against the full scope of the control requirement. Does the document address all sub-requirements, or only some?
  5. Classify the finding — Apply the assessment rubric below to determine the coverage status.
  6. Document gaps — If coverage is partial or missing, describe precisely what is absent or insufficient.
  7. Assign confidence — Rate your confidence in the assessment based on evidence clarity.

Assessment Rubric

Covered

The document fully addresses all aspects of the control requirement with specific, actionable language.

Criteria:

  • Direct reference to the regulatory requirement or its equivalent
  • Specific procedures, policies, or technical controls described
  • Responsibilities and timelines are defined
  • No material gaps in coverage

Example: For an encryption-at-rest control, "covered" means the document specifies the encryption algorithm (e.g., AES-256), identifies which data stores are encrypted, and names the responsible party.

Partial

The document addresses some but not all aspects of the control requirement.

Criteria:

  • Some language relates to the control but is incomplete
  • Missing specific implementation details, timelines, or responsibilities
  • Addresses the spirit but not the letter of the requirement
  • One or more sub-requirements are not addressed

Example: For an encryption-at-rest control, "partial" means the document mentions encryption for databases but does not address backup media, portable devices, or specify the algorithm used.

Gap

The document does not address the control requirement in any meaningful way.

Criteria:

  • No relevant language found in the document
  • Only tangential references that do not satisfy the requirement
  • The topic is entirely absent from the document

Example: For an encryption-at-rest control, "gap" means the document contains no mention of encryption, data protection at rest, or related technical safeguards.

Confidence Scoring

Assign a confidence score between 0.0 and 1.0:

Score Range   Meaning
0.9 – 1.0     Evidence is unambiguous and directly addresses the control
0.7 – 0.89    Strong evidence with minor ambiguity in scope or applicability
0.5 – 0.69    Moderate evidence; reasonable interpretation required
0.3 – 0.49    Weak evidence; significant interpretation or inference needed
0.0 – 0.29    Little to no evidence; assessment is largely inferential

Output Format Specification

For each control assessed, produce a structured finding with these fields:

{
  "control_id": "string — the framework control identifier (e.g., 'AC-1', '164.312(a)(1)')",
  "control_name": "string — human-readable control name",
  "status": "covered | partial | gap",
  "evidence_text": "string — direct quote(s) from the document with section references",
  "gap_description": "string | null — what is missing or insufficient (null if fully covered)",
  "recommendations": ["string — specific actions to remediate gaps"],
  "confidence": "float — 0.0 to 1.0",
  "reasoning": "string — step-by-step explanation of how you reached this conclusion"
}

Few-Shot Examples

Example 1: Covered Finding

Control: 45 CFR 164.312(a)(2)(iv) — Encryption and Decryption (Addressable)

Document excerpt: "Section 4.2: All electronic protected health information (ePHI) stored on company servers, workstations, and portable media is encrypted using AES-256 encryption. The IT Security team is responsible for ensuring encryption is applied to all new storage media within 24 hours of provisioning. Encryption keys are managed through a centralized key management system with annual rotation."

Finding:

{
  "control_id": "164.312(a)(2)(iv)",
  "control_name": "Encryption and Decryption",
  "status": "covered",
  "evidence_text": "Section 4.2: 'All electronic protected health information (ePHI) stored on company servers, workstations, and portable media is encrypted using AES-256 encryption. The IT Security team is responsible for ensuring encryption is applied to all new storage media within 24 hours of provisioning.'",
  "gap_description": null,
  "recommendations": [],
  "confidence": 0.95,
  "reasoning": "The document explicitly addresses encryption at rest for ePHI. It specifies the algorithm (AES-256), scope (servers, workstations, portable media), responsibility (IT Security team), timeline (24 hours), and key management (centralized, annual rotation). All sub-requirements of the addressable specification are met."
}

Example 2: Partial Finding

Control: 45 CFR 164.308(a)(5)(ii)(A) — Security Reminders

Document excerpt: "Section 7.1: New employees receive security awareness training during onboarding."

Finding:

{
  "control_id": "164.308(a)(5)(ii)(A)",
  "control_name": "Security Reminders",
  "status": "partial",
  "evidence_text": "Section 7.1: 'New employees receive security awareness training during onboarding.'",
  "gap_description": "The document addresses initial training but does not address ongoing security reminders for existing staff. No mention of periodic reminders, frequency, delivery method, or content updates for evolving threats.",
  "recommendations": [
    "Implement periodic security reminders (e.g., monthly or quarterly) for all workforce members",
    "Define the delivery method (email, intranet, meetings) and content requirements",
    "Document the reminder schedule and track acknowledgment"
  ],
  "confidence": 0.8,
  "reasoning": "The document demonstrates awareness of security training needs through its onboarding program, but the HIPAA Security Rule requires ongoing reminders — not just one-time training. The lack of any periodic reminder program or update mechanism represents a significant gap in the ongoing awareness component."
}

Example 3: Gap Finding

Control: 45 CFR 164.310(d)(1) — Device and Media Controls

Document excerpt: (No relevant text found in document)

Finding:

{
  "control_id": "164.310(d)(1)",
  "control_name": "Device and Media Controls",
  "status": "gap",
  "evidence_text": "",
  "gap_description": "The document contains no policies or procedures for the receipt, removal, movement, or disposal of hardware and electronic media that contain ePHI. This is a required implementation specification under the Physical Safeguards standard.",
  "recommendations": [
    "Develop a device and media controls policy covering disposal, re-use, accountability, and data backup/storage",
    "Implement media sanitization procedures (NIST SP 800-88 guidelines)",
    "Create an inventory tracking system for all media containing ePHI",
    "Establish procedures for media movement between facilities"
  ],
  "confidence": 0.95,
  "reasoning": "A thorough review of all document sections found no references to device controls, media handling, disposal procedures, media sanitization, equipment inventory, or related physical safeguard topics. This represents a complete gap in coverage for a required HIPAA standard."
}
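As an added example (not part of the skill or of this listing page), here is a small Python validator for findings in the output format above: it checks one finding against the consistency rules implied by the rubric and the three example findings, and maps a confidence score to its band in the scoring table. The sample finding is constructed for this example (modelled on Example 2), and the band labels are shorthand chosen here, not the skill's own wording.

```python
STATUSES = {"covered", "partial", "gap"}
REQUIRED_FIELDS = {"control_id", "control_name", "status", "evidence_text",
                   "gap_description", "recommendations", "confidence", "reasoning"}
# Confidence bands from the skill's scoring table, lower bound inclusive.
CONFIDENCE_BANDS = [(0.9, "unambiguous"), (0.7, "strong, minor ambiguity"),
                    (0.5, "moderate, interpretation required"),
                    (0.3, "weak, inference needed"), (0.0, "little to no evidence")]
# Constructed sample finding, modelled on Example 2 above (not the skill's own output).
SAMPLE_PARTIAL = {
    "control_id": "164.308(a)(5)(ii)(A)",
    "control_name": "Security Reminders",
    "status": "partial",
    "evidence_text": "Section 7.1: 'New employees receive security awareness training during onboarding.'",
    "gap_description": "No ongoing security reminders for existing staff.",
    "recommendations": ["Implement periodic security reminders for all workforce members"],
    "confidence": 0.8,
    "reasoning": "Onboarding training is present; periodic reminders are absent.",
}

def confidence_band(score: float) -> str:
    """Map a confidence score to the label of its band in the scoring table."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"confidence out of range: {score}")
    return next(label for lower, label in CONFIDENCE_BANDS if score >= lower)

def validate_finding(finding: dict) -> list[str]:
    """Return rubric violations for one finding; an empty list means it is consistent."""
    missing = REQUIRED_FIELDS - set(finding)
    if missing:
        return [f"missing fields: {sorted(missing)}"]
    problems = []
    status, conf = finding["status"], finding["confidence"]
    if status not in STATUSES:
        problems.append(f"status must be one of {sorted(STATUSES)}, got {status!r}")
    if not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
        problems.append("confidence must be a number between 0.0 and 1.0")
    has_evidence = bool(str(finding["evidence_text"]).strip())
    # Cross-field rules implied by the rubric and the three example findings.
    if status == "covered":
        if finding["gap_description"] is not None:
            problems.append("covered finding must have gap_description null")
        if not has_evidence:
            problems.append("covered finding must quote the evidence it relies on")
    elif status in ("partial", "gap"):
        if not finding["gap_description"]:
            problems.append(f"{status} finding must describe what is missing")
        if not finding["recommendations"]:
            problems.append(f"{status} finding must list remediation recommendations")
        if status == "partial" and not has_evidence:
            problems.append("partial finding must quote the evidence it found")
    return problems
```

Running every finding the agent emits through a check like this before it reaches a report catches the most common inconsistency, a "covered" status paired with a non-null gap description, which the rubric's conservative-by-default guidance is meant to avoid.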

Important Guidelines

  • Never fabricate evidence. If the document does not contain relevant text, say so clearly.
  • Use direct quotes. Always cite the exact text from the document, not a paraphrase.
  • Include section references. Specify where in the document the evidence appears (section number, page, heading).
  • Be conservative with "covered" status. Only mark as covered when ALL aspects of the control are addressed. When in doubt, use "partial."
  • Explain your reasoning. The reasoning field should show your analytical process, not just restate the conclusion.
  • Consider addressable vs. required specifications. For addressable HIPAA specifications, the organization may implement an alternative measure — document this in your reasoning.
Safe Usage Advice
This skill appears coherent and does what it claims: analyze a provided compliance document against HIPAA controls. Before using it, avoid pasting real protected health information (PHI) unless you trust where processing occurs (local vs remote) and understand retention/usage policies. Confirm whether the agent runtime will limit file access to only the document you supply (the listed tools could read other local files if permitted). If you need to analyze sensitive documents, redact PHI or use a vetted, on-premises tool. Finally, because the skill can fetch regulation text (WebFetch), you may want to verify that it only fetches known regulatory sources and does not transmit your document to unknown endpoints.
Functional Analysis
Type: OpenClaw Skill
Name: hipaa-gap-analysis
Version: 0.1.0
The skill bundle is a well-structured set of instructions for performing HIPAA compliance gap analysis. The SKILL.md file provides a clear methodology, assessment rubric, and output format for an AI agent to evaluate documents against regulatory standards. There is no evidence of malicious intent, data exfiltration, or prompt injection; the requested tools (Read, Glob, Grep, WebFetch) are appropriate for the stated purpose of document analysis.
Capability Assessment
Purpose & Capability
Name and description (HIPAA gap analysis) align with the SKILL.md instructions: systematically read a supplied compliance document, map text to HIPAA controls, extract quotes, and produce structured findings. No unrelated environment variables, binaries, or install steps are requested.
Instruction Scope
The runtime instructions are narrowly scoped to analyzing the provided document and referencing specific 45 CFR citations. They explicitly require quoting exact evidence and not fabricating text. The SKILL.md header lists allowed-tools (Read, Glob, Grep, WebFetch) — these tools make sense for searching documents and fetching regulation text, but they also could be used to read other files on the agent's filesystem if the agent runtime grants broader file access. The skill does not itself instruct reading environment variables or unrelated system paths.
Install Mechanism
No install spec and no code files are present. This is instruction-only, which minimizes disk-write and supply-chain risk.
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportional for a document-analysis auditor.
Persistence & Privilege
The 'always' flag is false, and the skill does not request persistent system changes or access to other skills' configs. Model invocation is allowed (the default), which is expected for a user-invocable skill.
How to Use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install hipaa-gap-analysis
  3. After installation, call the Skill by name directly or trigger it with /hipaa-gap-analysis
  4. Provide the required input according to the Skill's parameter description to obtain structured output
Version History
v0.1.0
Initial release of hipaa-gap-analysis skill: provides automated, structured HIPAA gap assessments for compliance documents.
  • Analyzes documents against both HIPAA Security Rule and Privacy Rule requirements.
  • Outputs structured findings per control, including coverage status (covered/partial/gap), confidence scores, and evidence citations.
  • Describes missing or insufficient areas and suggests tailored remediation steps.
  • Includes step-by-step analysis methodology and scoring rubric for reproducible, transparent assessments.
  • Accepts compliance policies, manuals, and related documents for comprehensive analysis.
Metadata
Slug hipaa-gap-analysis
Version 0.1.0
License
Total installs 0
Current installs 0
Version count 1
FAQ

What is Hipaa Gap Analysis?

Assess compliance documents against HIPAA Security Rule and Privacy Rule requirements. Produces structured findings with coverage status, confidence scores,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 298 cumulative downloads to date.

How do I install Hipaa Gap Analysis?

Run the command "/install hipaa-gap-analysis" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Hipaa Gap Analysis free?

Yes, Hipaa Gap Analysis is completely free (open source and free of charge); you can download, install and use it freely.

Which platforms does Hipaa Gap Analysis support?

Hipaa Gap Analysis runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Hipaa Gap Analysis?

Developed and maintained by Dangsllc (@dangsllc); the current version is v0.1.0.
