Skill Being Reviewed
Skill name: hipaa-review
Skill path: skills/compliance/hipaa-review/
False Positive Analysis
Benign current-rule HIPAA finding that can be over-reported if proposed requirements are mixed into enforceable CFR scoring:
Technical Safeguards:
164.312(a)(2)(iv) Encryption and decryption: Addressable
Encryption at rest: documented risk decision and compensating controls
MFA: deployed for remote access and admins, rollout in progress for all ePHI-touching users
Vulnerability scanning: annual external scan, no six-month cadence yet
Penetration testing: performed every 18 months
Why this can be misleading:
HHS/OCR issued a HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) in December 2024/January 2025 that would require stronger controls such as encryption of ePHI at rest and in transit, MFA, vulnerability scanning at least every six months, annual penetration testing, network segmentation, and removal of the required/addressable distinction with limited exceptions. HHS's fact sheet also states that while rulemaking is underway, the current Security Rule remains in effect.
The skill currently has no NPRM/current-rule boundary. It correctly treats addressable specifications as not optional under the current rule, but it does not give reviewers a way to record proposed-rule readiness without scoring proposed requirements as current enforceable CFR failures.
Coverage Gaps
Missed variant 1: proposed MFA/encryption/scanning requirements are not tracked as proposed
Finding: MFA is not required for every user accessing ePHI
Mapped as: current HIPAA Security Rule failure
Missing: proposed-rule readiness status and current-rule citation boundary
The current Security Rule requires access controls and addressable encryption mechanisms, while the NPRM proposes more specific requirements. Review output should separate:
- current enforceable CFR requirement;
- current OCR enforcement expectation or strong recommendation;
- proposed NPRM requirement;
- readiness gap for expected future rule; and
- not applicable / exception evidence.
Missed variant 2: compliance scoring can conflate current and future controls
Overall HIPAA compliance: Non-compliant
Reasons:
- no universal MFA
- no six-month vulnerability scanning
- no annual penetration test
Those may be important readiness gaps, but the report should not use proposed cadence/control requirements as the sole basis for a current-law non-compliance rating unless there is a current Security Rule citation and evidence rationale.
Missed variant 3: business associate readiness evidence is not versioned
BAA review:
annual technical safeguard certification: missing
24-hour contingency-plan activation notice: missing
The NPRM proposes additional business-associate verification and notification requirements. The skill should capture them in an NPRM readiness section with source/date and final-rule status, rather than treating missing NPRM terms as current BAA defects.
Edge Cases
- An organization may voluntarily adopt NPRM-aligned controls before finalization. The report should mark that as readiness maturity, not confuse it with current CFR pass/fail.
- OCR can still consider encryption, MFA, patching, and scanning under current risk analysis/risk management expectations. The output should allow current-rule findings when the evidence supports them, but the citation boundary must be explicit.
- If a final rule is later published, the skill should require a source-date check so the proposed-rule readiness section can be retired or converted to current requirements.
- Some regulated entities may rely on limited exceptions or compensating controls. The review should require documented exception rationale and affected-system scope.
Remediation Quality
Comparison to Other Tools
| Tool |
Catches this? |
Notes |
| HHS HIPAA Security Rule NPRM fact sheet |
Yes |
Lists proposed controls and states the current Security Rule remains in effect during rulemaking. |
| Current HIPAA Security Rule text |
Partial |
Defines current CFR requirements but does not cover proposed future controls. |
| Current skill output |
No |
Has no regulatory-status/source-date boundary for NPRM requirements. |
Overall Assessment
Strengths:
- Strong CFR citation discipline and required/addressable distinction.
- Good scope model across covered entities, business associates, hybrid entities, ePHI inventory, and safeguard categories.
- Useful enforcement-oriented guidance around risk analysis, encryption, contingency planning, and documentation.
Needs improvement:
- Add regulatory-status tracking for the HIPAA Security Rule NPRM.
- Separate current enforceable findings from proposed-rule readiness gaps.
- Add source-date and final-rule-status fields so future rule changes do not silently alter scoring.
- Add proposed-rule readiness fields for MFA, encryption, vulnerability scanning, penetration testing, network segmentation, asset inventory/network maps, BA certification, and contingency-plan activation notice.
Priority recommendations:
- Add a preflight section:
current_rule_source, nprm_source, nprm_status, assessment_date, and final_rule_checked.
- Split output into
Current Security Rule Compliance Findings and NPRM/Future-Rule Readiness Gaps.
- Require every finding to include
citation_type: current CFR, OCR guidance/enforcement expectation, proposed NPRM requirement, or voluntary readiness recommendation.
- Prevent proposed requirements from driving current compliance percentages unless a current-rule citation and rationale are also supplied.
References
Bounty Info
Skill Being Reviewed
Skill name:
hipaa-reviewSkill path:
skills/compliance/hipaa-review/False Positive Analysis
Benign current-rule HIPAA finding that can be over-reported if proposed requirements are mixed into enforceable CFR scoring:
Why this can be misleading:
HHS/OCR issued a HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) in December 2024/January 2025 that would require stronger controls such as encryption of ePHI at rest and in transit, MFA, vulnerability scanning at least every six months, annual penetration testing, network segmentation, and removal of the required/addressable distinction with limited exceptions. HHS's fact sheet also states that while rulemaking is underway, the current Security Rule remains in effect.
The skill currently has no NPRM/current-rule boundary. It correctly treats addressable specifications as not optional under the current rule, but it does not give reviewers a way to record proposed-rule readiness without scoring proposed requirements as current enforceable CFR failures.
Coverage Gaps
Missed variant 1: proposed MFA/encryption/scanning requirements are not tracked as proposed
The current Security Rule requires access controls and addressable encryption mechanisms, while the NPRM proposes more specific requirements. Review output should separate:
Missed variant 2: compliance scoring can conflate current and future controls
Those may be important readiness gaps, but the report should not use proposed cadence/control requirements as the sole basis for a current-law non-compliance rating unless there is a current Security Rule citation and evidence rationale.
Missed variant 3: business associate readiness evidence is not versioned
The NPRM proposes additional business-associate verification and notification requirements. The skill should capture them in an NPRM readiness section with source/date and final-rule status, rather than treating missing NPRM terms as current BAA defects.
Edge Cases
Remediation Quality
Comparison to Other Tools
Overall Assessment
Strengths:
Needs improvement:
Priority recommendations:
current_rule_source,nprm_source,nprm_status,assessment_date, andfinal_rule_checked.Current Security Rule Compliance FindingsandNPRM/Future-Rule Readiness Gaps.citation_type: current CFR, OCR guidance/enforcement expectation, proposed NPRM requirement, or voluntary readiness recommendation.References
Bounty Info