HIPAA Gap Analysis

v1.0.0

Assess HIPAA compliance across all five rule areas, identify 32 control gaps, and generate a prioritized remediation plan with compliance scoring and audit r...

⭐ 0· 208·0 current·0 all-time

byToolWeb@krishnakumarmahadevan-cmd

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for krishnakumarmahadevan-cmd/toolweb-hipaa-gap-analysis.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "HIPAA Gap Analysis" (krishnakumarmahadevan-cmd/toolweb-hipaa-gap-analysis) from ClawHub.
Skill page: https://clawhub.ai/krishnakumarmahadevan-cmd/toolweb-hipaa-gap-analysis
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install toolweb-hipaa-gap-analysis

ClawHub CLI

Package manager switcher

npx clawhub@latest install toolweb-hipaa-gap-analysis

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name and description (HIPAA gap analysis across five rule areas, 32 controls, remediation plan) align with the SKILL.md which defines structured inputs and a scored/output format. The skill requests only organization assessment fields (organization profile, control presence flags) — these are coherent with the stated purpose. No unrelated binaries, env vars, or install steps are requested.

ℹ

Instruction Scope

SKILL.md is an instruction-only spec that asks the agent to produce a gap report from structured inputs. It does not instruct the agent to read local files, environment variables, or call external endpoints. However, it requires submission of sensitive organizational data (PHI volume/types, control state) and marks every field as required; the document does not describe how input data is handled, whether outputs or inputs are logged, or whether any external transmission occurs — a privacy/data-handling omission worth noting.

✓

Install Mechanism

No install spec or code files are present (instruction-only), so nothing will be downloaded or written to disk by the skill itself. This is the lowest-risk install profile.

ℹ

Credentials

The skill requests no credentials, config paths, or environment variables (proportionate). That said, it expects potentially sensitive organizational/PHI-related inputs; the README does not justify or limit what PHI may be included and gives no guidance to avoid entering patient-identifiable data.

✓

Persistence & Privilege

always:false and no install or persistent configuration changes are requested. The skill does not request permanent presence or modify other skills' configs. Autonomous invocation is allowed (platform default) but not augmented by extra privileges.

Assessment

This skill appears coherent for doing a HIPAA gap analysis, but before using it: (1) Do not paste identifiable patient data — provide only organization-level, de-identified or high-level information (e.g., 'Medium PHI volume', not sample records). (2) Ask the provider where inputs and outputs are stored, how long they are retained, and who can access them. (3) Confirm whether the environment running the agent is HIPAA-compliant (BAA, encrypted storage, access controls) if you plan to include real PHI. (4) Prefer sanitizing inputs and have a qualified privacy/security professional review any remediation plan before implementation. (5) If you need an audit-grade assessment, consider using an internal/paid external assessor with documented handling policies rather than pasting sensitive details into a general-purpose skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c5wbgcprmn8w537321y6zp183771g

208downloads

0stars

1versions

Updated 2h ago

v1.0.0

MIT-0

HIPAA Gap Analysis

Assess your organization's HIPAA compliance posture across all five rule areas — Administrative Safeguards, Physical Safeguards, Technical Safeguards, Privacy Rule, and Breach Notification Rule. Covers all 32 control areas required for covered entities and business associates. Produces a gap report with compliance score, identified deficiencies, and a prioritized remediation roadmap.

Usage

{
  "tool": "hipaa_gap_analysis",
  "input": {
    "organization_name": "Sunrise Health Clinic",
    "organization_type": "Covered Entity",
    "entity_size": "Small",
    "services_provided": ["Primary Care", "Telehealth", "Lab Services"],
    "phi_volume": "Medium",
    "phi_types": ["Medical Records", "Billing Information", "Lab Results"],
    "workforce_size": 45,
    "locations_count": 3,
    "cloud_services": true,
    "third_party_vendors": true,
    "mobile_devices": true,
    "security_officer_assigned": true,
    "workforce_training": false,
    "access_management": true,
    "contingency_plan": false,
    "incident_response": false,
    "risk_assessment_conducted": true,
    "business_associate_agreements": true,
    "facility_access_controls": true,
    "workstation_use_controls": false,
    "device_media_controls": false,
    "access_control_systems": true,
    "audit_controls": false,
    "integrity_controls": false,
    "transmission_security": true,
    "privacy_officer_assigned": true,
    "notice_of_privacy_practices": true,
    "patient_rights_procedures": true,
    "minimum_necessary_procedures": false,
    "complaints_process": true,
    "breach_notification_procedures": false,
    "breach_risk_assessment": false
  }
}

Parameters

All fields are required.

Organization Profile

Field	Type	Description
`organization_name`	string	Name of the organization being assessed
`organization_type`	string	e.g., `Covered Entity`, `Business Associate`, `Hybrid Entity`
`entity_size`	string	`Small`, `Medium`, `Large`
`services_provided`	array of strings	List of healthcare services offered
`phi_volume`	string	Volume of PHI handled: `Low`, `Medium`, `High`
`phi_types`	array of strings	Types of PHI: e.g., `Medical Records`, `Billing Information`, `Lab Results`, `Mental Health Records`
`workforce_size`	integer	Total number of employees/contractors
`locations_count`	integer	Number of physical locations
`cloud_services`	boolean	Whether cloud services are used to store/process PHI
`third_party_vendors`	boolean	Whether third-party vendors have access to PHI
`mobile_devices`	boolean	Whether mobile devices are used to access PHI

Administrative Safeguards

Field	Type	Description
`security_officer_assigned`	boolean	Designated Security Officer in place
`workforce_training`	boolean	Regular HIPAA workforce training conducted
`access_management`	boolean	Formal access management procedures exist
`contingency_plan`	boolean	Data backup and disaster recovery plan exists
`incident_response`	boolean	Security incident response procedures in place
`risk_assessment_conducted`	boolean	Formal risk assessment has been conducted
`business_associate_agreements`	boolean	BAAs executed with all relevant vendors

Physical Safeguards

Field	Type	Description
`facility_access_controls`	boolean	Physical access controls for facilities with PHI
`workstation_use_controls`	boolean	Workstation use and security policies in place
`device_media_controls`	boolean	Controls for hardware/media containing PHI

Technical Safeguards

Field	Type	Description
`access_control_systems`	boolean	Technical access controls (unique user IDs, auto-logoff, etc.)
`audit_controls`	boolean	Audit logs for PHI access and activity
`integrity_controls`	boolean	Controls to ensure PHI is not improperly altered or destroyed
`transmission_security`	boolean	Encryption/security for PHI in transit

Privacy Rule

Field	Type	Description
`privacy_officer_assigned`	boolean	Designated Privacy Officer in place
`notice_of_privacy_practices`	boolean	NPP distributed and acknowledged
`patient_rights_procedures`	boolean	Procedures for patient access, amendment, and accounting
`minimum_necessary_procedures`	boolean	Minimum necessary standard applied to PHI use/disclosure
`complaints_process`	boolean	Process for receiving and handling privacy complaints

Breach Notification Rule

Field	Type	Description
`breach_notification_procedures`	boolean	Breach notification procedures documented
`breach_risk_assessment`	boolean	Process for conducting breach risk assessment in place

What You Get

Overall HIPAA compliance score — percentage and maturity rating
Rule-by-rule gap breakdown — Administrative, Physical, Technical, Privacy, Breach Notification
Control deficiency list — exactly which of the 32 controls are gaps
Risk-prioritized remediation plan — Immediate (0–30 days), Short-term (30–90 days), Long-term (90+ days)
Regulatory exposure summary — potential penalty tiers based on identified gaps (Tier 1–4)
Audit readiness rating — how prepared the organization is for an OCR audit

Example Output

{
  "organization": "Sunrise Health Clinic",
  "overall_score": 62,
  "compliance_rating": "Partial Compliance",
  "audit_readiness": "Moderate Risk",
  "rule_scores": {
    "administrative_safeguards": { "score": 71, "gaps": 2 },
    "physical_safeguards": { "score": 33, "gaps": 2 },
    "technical_safeguards": { "score": 50, "gaps": 2 },
    "privacy_rule": { "score": 80, "gaps": 1 },
    "breach_notification": { "score": 0, "gaps": 2 }
  },
  "critical_gaps": [
    "No breach notification procedures — OCR Tier 3/4 penalty exposure",
    "No breach risk assessment process — required for all incidents",
    "Workstation use controls absent — PHI exposure risk at endpoints",
    "No audit controls — inability to detect or prove unauthorized access"
  ],
  "immediate_actions": [
    "Document and implement breach notification procedures (7 days)",
    "Deploy workstation lock/encryption policy (14 days)",
    "Enable audit logging on all systems accessing PHI (7 days)"
  ],
  "penalty_exposure": "Tier 3 — Willful Neglect (up to $50,000 per violation)"
}

API Reference

Base URL: https://portal.toolweb.in/apis/compliance/hipaa-gap-analysis

Endpoint	Method	Description
`/hipaa-analysis`	POST	Run full HIPAA gap assessment

Authentication: Pass your API key as X-API-Key header or mcp_api_key argument via MCP.

Pricing

Plan	Daily Limit	Monthly Limit	Price
Free	5 / day	50 / month	$0
Developer	20 / day	500 / month	$39
Professional	200 / day	5,000 / month	$99
Enterprise	100,000 / day	1,000,000 / month	$299

About

ToolWeb.in — 200+ security APIs, CISSP & CISM certified, built for enterprise compliance practitioners.

Platforms: Pay-per-run · API Gateway · MCP Server · OpenClaw · RapidAPI · YouTube

Comments

Loading comments...