Skip to content

feat(framework): HIPAA Security Rule plugin at Reference depth (closes #13)#89

Merged
ethanolivertroy merged 15 commits into
GRCEngClub:mainfrom
AnandSundar:feat/framework-us-hipaa-security-reference
Apr 29, 2026
Merged

feat(framework): HIPAA Security Rule plugin at Reference depth (closes #13)#89
ethanolivertroy merged 15 commits into
GRCEngClub:mainfrom
AnandSundar:feat/framework-us-hipaa-security-reference

Conversation

@AnandSundar

@AnandSundar AnandSundar commented Apr 27, 2026

Copy link
Copy Markdown
Contributor

Summary

Implements GitHub Issue #13: Create a fully-compliant HIPAA Security Rule framework plugin at Reference depth tier.

What Was Implemented

Plugin Structure

  • ****: Plugin manifest with SCF framework ID US-HIPAA-Security
  • ****: 500+ lines of comprehensive HIPAA Security Rule context
  • ****: Gap assessment command routing to /grc-engineer:gap-assessment --framework=US-HIPAA-Security
  • ****: Evidence request list with 40+ items across 5 safeguard categories

Key Features

SKILL.md Coverage:

  • All 5 safeguard categories (Administrative §164.308, Physical §164.310, Technical §164.312, Organizational §164.314, Policies §164.316)
  • Required vs. Addressable specifications explanation with 8 examples
  • Emphasis on §164.308(a)(1)(ii)(A) risk analysis as the linchpin
  • BAA requirements and common failure modes
  • SCF crosswalk context for US-HIPAA-Security
  • Assessment approach guidance

Evidence Checklist:

  • 40+ evidence items grouped by safeguard category
  • Each item flagged as Required or Addressable
  • CFR citations at implementation spec level (e.g., §164.308(a)(1)(ii)(A))
  • Media controls split into disposal (d)(2)(i) and re-use (d)(2)(ii)
  • Automated AWS evidence collection scripts
  • Supports --category, --format, and --audience flags

Marketplace Registration

  • Registered us-hipaa-security under Americas group in marketplace.json

Validation

All validation checklist items pass:

  • ✅ Branch: feat/framework-us-hipaa-security-reference
  • ✅ Directory structure correct
  • ✅ plugin.json valid JSON with framework_metadata
  • ✅ skills directory named us-hipaa-security/ (matches namespace)
  • ✅ SKILL.md covers all 5 safeguard categories
  • ✅ Required vs. Addressable explanation included
  • ✅ Risk analysis emphasis present
  • /us-hipaa-security:assess routes to gap-assessment
  • /us-hipaa-security:evidence-checklist generates grouped checklist
  • ✅ CFR citations at implementation spec level
  • ✅ Required/Addressable flagged for all checklist items
  • ✅ marketplace.json updated
  • ✅ No verbatim regulatory text (all paraphrased)
  • ✅ Conventional commits used

Commits

95481d0 chore(marketplace): register us-hipaa-security under Americas group in marketplace.json
5146805 feat(framework): scaffold us-hipaa-security plugin directory structure

References

Summary by CodeRabbit

  • New Features

    • Added US HIPAA Security framework plugin with gap assessment capabilities and evidence checklist generation for compliance evaluation
    • Added Swiss FADP compliance framework plugin with updated regulatory information
  • Documentation

    • Introduced comprehensive HIPAA Security Rule assessment documentation covering safeguard categories, evidence requirements, and remediation guidance
    • Updated FADP documentation to reflect 2023 changes in protected entity scope

AnandSundar and others added 11 commits April 26, 2026 17:42
- Adds plugins/frameworks/ch-fadp/ with plugin.json, SKILL.md, assess.md, README.md
- Registers under EMEA group in marketplace.json
- Routes /ch-fadp:assess to gap-assessment (SCF ID: CH-FADP)
- Documents key GDPR divergence: risk-based breach notification,
  individual criminal enforcement, voluntary DSO, Swiss transfer
  mechanisms, nFADP sensitive data categories
- Stub TODOs left for Reference/Full level-up contributors

Ref: GRCEngClub#12 (framework coverage tracker)
Ref: GRCEngClub#9 (scaffold-framework — built manually pending tooling)
Ref: GRCEngClub#11 (FRAMEWORK-PLUGIN-GUIDE.md depth tiers)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Remove 404 SCF API link from commands/assess.md (hackidle.github.io)
- Remove 404 SCF API link from README.md (hackidle.github.io)
- Fix relative path to FRAMEWORK-PLUGIN-GUIDE.md in SKILL.md
  (4 levels → 5 levels up to reach repo root docs)

The CH-FADP crosswalk may not yet be published in the SCF API,
so the broken API links are removed. The main SCF website link
is retained as a working reference.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add ```text language identifier to fenced code blocks in assess.md
  (resolves markdownlint MD040)
- Fix typo: "DSo consultation" → "DSO consultation" in SKILL.md
- Fix typo in GDPR column: "know without undue delay" →
  "Notify supervisory authority without undue delay (GDPR Art. 33)"
- Update scf_framework_id from "CH-FADP" to "emea-che-fadp-2025"
  to match SCF API convention and enable gap-assessment lookup
- Update assess.md to pass correct framework ID to gap-assessment
- Update SKILL.md to reference correct framework ID

The EMEA convention uses emea-{country_alpha3}-{framework}-{year}
format. Switzerland FADP in SCF API is "emea-che-fadp-2025"
(CHE = ISO 3166-1 alpha-3 for Switzerland).

Fixes issue where gap-assessment would return empty results.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Update README.md SCF framework ID from CH-FADP to emea-che-fadp-2025
  to match plugin.json and ensure consistency across all files

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add explanatory note in SKILL.md about why SCF framework ID
  uses 2025 (SCF's internal cycle) vs 2023 (law's effective date)
- Prevents future contributor confusion about the year mismatch

The SCF's year suffix reflects their intake/release cycle, not the
underlying law's effective date. The ID must match the SCF crosswalk
exactly for gap-assessment lookups to work.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add "Data about the intimate sphere (including sexual preferences
  and life)" to special categories per nFADP Art. 5(1)(c)
- Fixes false negative where gap assessment would not flag
  sexual orientation/life data as requiring heightened protection

The intimate sphere (Intimsphäre) is explicitly listed in
nFADP alongside health, genetic, and racial/ethnic data as
a special category requiring heightened protection.
@AnandSundar AnandSundar requested a review from a team as a code owner April 27, 2026 22:54
@coderabbitai

coderabbitai Bot commented Apr 27, 2026

Copy link
Copy Markdown

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2011eaab-5def-4ffa-864b-62e195348678

📥 Commits

Reviewing files that changed from the base of the PR and between 9b5ae6f and 4047836.

📒 Files selected for processing (3)
  • plugins/frameworks/ch-fadp/.claude-plugin/plugin.json
  • plugins/frameworks/ch-fadp/README.md
  • plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md

📝 Walkthrough

Walkthrough

The PR adds two new framework plugins—us-hipaa-security and ch-fadp—to a Claude GRC engineering system marketplace. Each includes a plugin manifest, commands, skills, and regulatory guidance documentation. Changes to marketplace.json register both plugins; ch-fadp receives targeted updates to reflect 2023 revisions to protected-entity scope.

Changes

Cohort / File(s) Summary
Marketplace Registration
.claude-plugin/marketplace.json
Added two new plugin entries for us-hipaa-security and ch-fadp frameworks, each pointing to source directories under ./plugins/frameworks/ with version 0.1.0.
US HIPAA Security Plugin
plugins/frameworks/us-hipaa-security/.claude-plugin/plugin.json, plugins/frameworks/us-hipaa-security/commands/assess.md, plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md, plugins/frameworks/us-hipaa-security/skills/us-hipaa-security/SKILL.md
New plugin for HIPAA Security Rule (45 CFR Part 164 Subpart C) assessment. Registers assess and evidence-checklist commands with corresponding us-hipaa-security skill. Provides comprehensive guidance on gap assessment, evidence collection, safeguard categories, OCR enforcement, BAA requirements, and risk analysis procedures.
Swiss FADP Plugin Updates
plugins/frameworks/ch-fadp/.claude-plugin/plugin.json, plugins/frameworks/ch-fadp/README.md, plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md
Updated plugin manifest to add assess command and ch-fadp-expert skill registration. Refined documentation tables to reflect 2023 narrowing: "Protected entities" now specify natural persons only (excluding legal entities).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

Suggested reviewers

  • ethanolivertroy

Poem

🐰 Two frameworks bloom in Claude's domain,
HIPAA safeguards, Swiss FADP's reign,
Assess and checklist, skills fully grown,
Compliance guidance, skillfully sown!
Hopping with joy—the plugins are sewn! 🌿✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The PR introduces an additional plugin (ch-fadp) that is not mentioned in the PR title or objectives for issue #13, representing out-of-scope work bundled into a single changeset. Extract the ch-fadp plugin changes (plugin.json, README.md, commands/assess.md, skills/ch-fadp-expert/SKILL.md) into a separate PR to maintain focus on issue #13 and enable independent review of the Swiss nFADP framework plugin.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title clearly summarizes the main change: adding a HIPAA Security Rule plugin at Reference depth. It is specific, concise, and directly reflects the changeset.
Linked Issues check ✅ Passed All acceptance criteria from issue #13 are met: valid plugin.json with framework_metadata, SKILL.md with comprehensive framework coverage, /assess routing to gap-assessment with correct SCF ID, /evidence-checklist command for Reference depth, marketplace registration under Americas group, and no verbatim copyrighted text.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Review rate limit: 1/3 review remaining, refill in 36 minutes and 6 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/frameworks/ch-fadp/.claude-plugin/plugin.json`:
- Around line 10-20: The manifest plugin.json is missing declarations for the
plugin's exposed commands and skills, so add entries for the existing command
and skill files (e.g., reference "plugins/frameworks/ch-fadp/commands/assess.md"
and "plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md") following the
pattern used in plugins/frameworks/soc2/ or plugins/frameworks/pci-dss/ (add a
"commands" array with an object for assess and a "skills" array with an object
for ch-fadp-expert, include display name, path, and any metadata keys used by
the other framework manifests); ensure the scf framework metadata remains
unchanged and the new fields match schema used by the other framework plugins so
the command and skill surfaces are exposed at runtime.

In `@plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md`:
- Line 134: Update the protected-subject scope in the CH nFADP docs: change the
table row currently reading "Natural and legal entities (both protected under
nFADP)" to "Natural persons only" in
plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md (the Protected
entities table row) and make the identical correction in
plugins/frameworks/ch-fadp/README.md (the corresponding Protected entities line
around the README table), ensuring both files consistently reflect that nFADP
protects natural persons only per the revised law.

In `@plugins/frameworks/us-hipaa-security/commands/assess.md`:
- Line 45: The command route currently uses the unrecognized flag form
"/grc-engineer:gap-assessment --framework=US-HIPAA-Security"; change it to use
the documented positional <frameworks> argument expected by the gap-assessment
handler — e.g. route to "/grc-engineer:gap-assessment HIPAA" (use the HIPAA
alias instead of US-HIPAA-Security) so the gap-assessment command resolver
accepts the identifier; remove the "--framework=..." flag and pass the framework
as the positional argument to match gap-assessment's expected signature.
- Around line 182-187: Update the "Penalty Tiers" block in assess.md to reflect
the 2026 adjusted amounts: replace the old tier ranges with "Tier 1:
$145–$73,011; Tier 2: $1,461–$73,011; Tier 3: $14,602–$73,011; Tier 4:
$73,011–$2,190,294 per violation (with a $2,190,294 annual cap)". Add an "As of
January 28, 2026" qualifier immediately after the heading and include a source
reference to "45 CFR 102.3 / Federal Register annual inflation adjustment (Jan
28, 2026)" to the same section so readers can verify the numbers; modify the
existing "Penalty Tiers" bullet list accordingly in the assess.md content.

In `@plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md`:
- Around line 200-221: Add a fenced-code language tag (e.g., change ``` to
```text) for the code block containing the directory tree that starts with
"evidence/" so the Markdown linter MD040 is satisfied; locate the fenced block
showing the hipaa-security directory tree and prepend the language identifier
(text) to the opening fence.
- Line 73: Update the CFR citation for the table row containing "Data backup and
storage documentation" by changing its mapped citation from §164.310(d)(2)(iii)
to §164.310(d)(2)(iv); locate the row that reads "| **Data backup and storage
documentation** | §164.310(d)(2)(iii) | Addressable | Backup storage location,
access controls | Backup media must be securely stored |" and replace the
third-column citation token with "§164.310(d)(2)(iv)".
- Around line 174-180: The PowerShell snippet uses Bash substitution `$(date
+%Y%m%d)` which will fail; update the Export-Csv path to use PowerShell Get-Date
formatting instead (e.g., replace the filename fragment with an expression using
Get-Date -Format yyyyMMdd) and ensure the full path string is double-quoted so
PowerShell expands the expression; change the line that calls Export-Csv (after
Get-ADUser/Where-Object/Select-Object) to use the new date expression for the
file name.

In `@plugins/frameworks/us-hipaa-security/skills/us-hipaa-security/SKILL.md`:
- Around line 305-307: The fenced code block containing the command
`/grc-engineer:gap-assessment --framework=US-HIPAA-Security` in SKILL.md lacks a
language label for markdownlint; update that fence to include the "text"
language tag (i.e., change the opening triple backticks to "```text") so the
block becomes a labeled text code block and linting passes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a0db2159-ef4a-4e01-9456-9b86513d97be

📥 Commits

Reviewing files that changed from the base of the PR and between 2ed028d and 95481d0.

📒 Files selected for processing (9)
  • .claude-plugin/marketplace.json
  • plugins/frameworks/ch-fadp/.claude-plugin/plugin.json
  • plugins/frameworks/ch-fadp/README.md
  • plugins/frameworks/ch-fadp/commands/assess.md
  • plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md
  • plugins/frameworks/us-hipaa-security/.claude-plugin/plugin.json
  • plugins/frameworks/us-hipaa-security/commands/assess.md
  • plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md
  • plugins/frameworks/us-hipaa-security/skills/us-hipaa-security/SKILL.md

Comment thread plugins/frameworks/ch-fadp/.claude-plugin/plugin.json Outdated
Comment thread plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md Outdated
Comment thread plugins/frameworks/us-hipaa-security/commands/assess.md Outdated
Comment thread plugins/frameworks/us-hipaa-security/commands/assess.md Outdated
Comment thread plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md Outdated
Comment thread plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md
Comment thread plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md Outdated
Comment thread plugins/frameworks/us-hipaa-security/skills/us-hipaa-security/SKILL.md Outdated
@greptile-apps

greptile-apps Bot commented Apr 27, 2026

Copy link
Copy Markdown

Greptile Summary

This PR introduces the HIPAA Security Rule plugin at Reference depth and adds expert skill content for Swiss nFADP. The ch-fadp corrections (narrowing protected entities to natural persons only) are accurate. The HIPAA plugin structure and content are comprehensive, but several P1 issues flagged in the previous review round remain unresolved in the current diff: the assess.md and evidence-checklist.md still route gap assessment using the bare HIPAA alias instead of the canonical US-HIPAA-Security SCF ID; evidence-checklist.md retains the invalid sys.dm_audit_log SQL DMV, duplicate §164.310(d)(2)(i) entries, and the wrong CFR citation for data backup; SKILL.md still carries pre-inflation-adjustment penalty tiers that contradict assess.md.

Confidence Score: 4/5

Defer merge until the P1 issues from the prior review round are resolved in the code.

The ch-fadp corrections are clean and accurate. The HIPAA plugin structure is solid. However, multiple P1 findings raised in the previous review are still present in the current diff: invalid SQL DMV (sys.dm_audit_log), wrong SCF framework ID alias in routing calls, duplicate CFR entries, an off-by-one CFR citation, and stale penalty tier amounts. These would cause practitioners to receive incorrect evidence-collection scripts and mis-routed gap assessments.

plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md and plugins/frameworks/us-hipaa-security/commands/assess.md need the unresolved P1 fixes before merge.

Important Files Changed

Filename Overview
.claude-plugin/marketplace.json Adds us-hipaa-security entry under Americas group; placement and fields match existing conventions.
plugins/frameworks/ch-fadp/.claude-plugin/plugin.json Adds missing commands and skills arrays and fixes missing trailing newline; no issues found.
plugins/frameworks/ch-fadp/README.md Corrects protected-entities scope to natural persons only under 2023 nFADP; factually accurate change.
plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md Aligns GDPR vs nFADP comparison row to reflect nFADP narrowing to natural persons only; correct change.
plugins/frameworks/us-hipaa-security/.claude-plugin/plugin.json Well-formed plugin manifest; SCF ID US-HIPAA-Security is correct here even though commands reference bare HIPAA alias (flagged separately).
plugins/frameworks/us-hipaa-security/commands/assess.md Routes gap assessment to HIPAA alias instead of canonical US-HIPAA-Security SCF ID (unresolved P1 from prior review); §164.312 example row appears in the §164.308 table (new P2).
plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md Multiple unresolved P1 issues from prior review: incorrect sys.dm_audit_log DMV, duplicate §164.310(d)(2)(i) entries, wrong CFR citation for data backup, §164.310(c) misclassified as Addressable, and bare HIPAA alias in footer link.
plugins/frameworks/us-hipaa-security/skills/us-hipaa-security/SKILL.md Comprehensive HIPAA expert context; unresolved P1 from prior review: penalty tier amounts use pre-inflation-adjustment statutory figures that contradict assess.md; §164.310(c) also listed as addressable spec example.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User invokes /us-hipaa-security:assess] --> B{Scope flag provided?}
    B -- Yes --> C[Filter to single safeguard category\nadministrative / physical / technical\norganizational / policies]
    B -- No --> D[All five categories]
    C --> E[Route to /grc-engineer:gap-assessment\nwith SCF ID]
    D --> E
    E --> F[SCF crosswalk lookup\nUS-HIPAA-Security]
    F --> G[Generate findings table\ngrouped by safeguard category]

    A2[User invokes /us-hipaa-security:evidence-checklist] --> H{Category flag?}
    H -- Yes --> I[Single category table]
    H -- No --> J[All category tables]
    I --> K{Format flag?}
    J --> K
    K -- table --> L[Markdown table output]
    K -- csv --> M[CSV output]
    K -- markdown --> N[Detailed list output]
    L --> O{Audience flag?}
    M --> O
    N --> O
    O -- auditor --> P[Full CFR references\nfor OCR / external auditor]
    O -- internal --> Q[Simplified readiness\nchecklist]
Loading

Reviews (5): Last reviewed commit: "Merge main into feat/framework-us-hipaa-..." | Re-trigger Greptile

| **Access control and validation procedures** | §164.310(a)(2)(iii) | Addressable | Visitor log, badge issuance procedures | Visitors must be escorted and access logged |
| **Maintenance records for physical safeguards** | §164.310(a)(2)(iv) | Addressable | Maintenance logs for security systems | Document maintenance of locks, alarms, badge readers |
| **Workstation use policy specifying acceptable ePHI handling** | §164.310(b) | Required | Workstation use policy, signed acknowledgments | Covers acceptable use, locking screens, no eating/drinking near computers |
| **Physical workstation security controls** | §164.310(c) | Addressable | Screen locks, cable locks, privacy screens, positioning | May include workstation placement away from public areas |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 §164.310(c) classified as Addressable — it is Required

§164.310(c) (Workstation Security) is a standard, not an implementation specification. All HIPAA Security Rule standards are required by definition; only implementation specifications carry the Required/Addressable distinction. Marking this as "Addressable" could lead practitioners to believe they can opt out of workstation physical safeguards entirely by documenting a rationale — which is incorrect. The regulation states "Implement physical safeguards for all workstations…" unconditionally.

Suggested change
| **Physical workstation security controls** | §164.310(c) | Addressable | Screen locks, cable locks, privacy screens, positioning | May include workstation placement away from public areas |
| **Physical workstation security controls** | §164.310(c) | Required | Screen locks, cable locks, privacy screens, positioning | May include workstation placement away from public areas |

Comment thread plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md Outdated
Comment on lines +185 to +187
SELECT * FROM sys.dm_audit_log
WHERE event_time > DATEADD(day, -90, GETDATE())
ORDER BY event_time DESC;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 sys.dm_audit_log does not exist in SQL Server

SQL Server has no sys.dm_audit_log DMV. Running this query verbatim returns Invalid object name 'sys.dm_audit_log'. SQL Server Audit records are read via the sys.fn_get_audit_file() table-valued function (pointing at the .sqlaudit file path configured in the server/database audit spec). Giving practitioners a failing script for evidence collection could cause them to mistakenly conclude no audit log is present, or to abandon the check entirely.

Replace with the correct function (the path should match the audit file destination configured in the environment):

-- Export audit logs from SQL Server databases containing ePHI
-- Adjust the file path to match the configured SQL Server Audit destination
SELECT *
FROM sys.fn_get_audit_file('C:\Audits\*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time > DATEADD(day, -90, GETDATE())
ORDER BY event_time DESC;

Comment thread plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md
…lugins

- ch-fadp: Add commands and skills arrays to plugin.json for runtime exposure
- ch-fadp: Fix protected entities scope - nFADP protects natural persons only (not legal entities)
- us-hipaa-security: Update gap-assessment route to use positional argument (HIPAA alias)
- us-hipaa-security: Update penalty tiers to 2026 inflation-adjusted amounts
- us-hipaa-security: Add language tags to fenced code blocks (markdownlint MD040)
- us-hipaa-security: Fix CFR citation for data backup documentation (§164.310(d)(2)(iv))
- us-hipaa-security: Fix PowerShell date formatting in evidence collection script

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (2)
plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md (2)

28-28: Optional: Consider capitalizing "Markdown" as proper noun.

Static analysis suggests "Markdown" should be capitalized as it's a proper noun (the name of the formatting language). This is a minor style preference.

📝 Proposed fix
-  - `markdown` - Detailed markdown list
+  - `markdown` - Detailed Markdown list
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md` at line
28, Update the casing of the formatting language reference in the evidence
checklist: replace the lowercase token `markdown` with the proper noun
`Markdown` in the item under the list (the line containing "`markdown` -
Detailed markdown list") so the documentation consistently uses the correct
capitalization.

19-25: Consider documenting CLI category short codes in SKILL.md.

The command uses short category codes (admin, physical, technical, org, policies) that don't appear in the SKILL.md documentation. Users reading the skill documentation may not realize these shortcuts exist, potentially affecting discoverability and usability.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md` around
lines 19 - 25, The SKILL.md docs do not mention the CLI short codes used by the
evidence-checklist command for the --category flag (admin, physical, technical,
org, policies); update SKILL.md to list these short codes and their meanings
(matching the descriptions in evidence-checklist.md) so users can discover and
use them; reference the --category flag and the evidence-checklist command in
the SKILL.md entry and include the default behavior (all categories) to keep
documentation consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md`:
- Around line 102-111: The header "Policies, Procedures & Documentation" in this
checklist is inconsistent with SKILL.md; update the section heading text to
"Policies, Procedures, and Documentation" to match SKILL.md; search for the
exact string "Policies, Procedures & Documentation" and replace it with
"Policies, Procedures, and Documentation" in this document and any other
framework docs to standardize naming across the repo.

In `@plugins/frameworks/us-hipaa-security/skills/us-hipaa-security/SKILL.md`:
- Around line 113-122: The section header in SKILL.md uses "Policies,
Procedures, and Documentation (45 CFR §164.316)" but evidence-checklist.md uses
the variant "Policies, Procedures & Documentation"; update the header in
evidence-checklist.md to exactly match the SKILL.md wording ("Policies,
Procedures, and Documentation (45 CFR §164.316)") so both files use the same
formal phrasing and punctuation; ensure any internal anchors or references that
rely on the old header text are updated accordingly.

---

Nitpick comments:
In `@plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md`:
- Line 28: Update the casing of the formatting language reference in the
evidence checklist: replace the lowercase token `markdown` with the proper noun
`Markdown` in the item under the list (the line containing "`markdown` -
Detailed markdown list") so the documentation consistently uses the correct
capitalization.
- Around line 19-25: The SKILL.md docs do not mention the CLI short codes used
by the evidence-checklist command for the --category flag (admin, physical,
technical, org, policies); update SKILL.md to list these short codes and their
meanings (matching the descriptions in evidence-checklist.md) so users can
discover and use them; reference the --category flag and the evidence-checklist
command in the SKILL.md entry and include the default behavior (all categories)
to keep documentation consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e67187ab-3eba-420d-939c-333726ed2745

📥 Commits

Reviewing files that changed from the base of the PR and between 95481d0 and 5d3b340.

📒 Files selected for processing (6)
  • plugins/frameworks/ch-fadp/.claude-plugin/plugin.json
  • plugins/frameworks/ch-fadp/README.md
  • plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md
  • plugins/frameworks/us-hipaa-security/commands/assess.md
  • plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md
  • plugins/frameworks/us-hipaa-security/skills/us-hipaa-security/SKILL.md
✅ Files skipped from review due to trivial changes (2)
  • plugins/frameworks/ch-fadp/.claude-plugin/plugin.json
  • plugins/frameworks/ch-fadp/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • plugins/frameworks/us-hipaa-security/commands/assess.md

Comment thread plugins/frameworks/us-hipaa-security/commands/evidence-checklist.md Outdated
Comment on lines +113 to +122
#### 5. Policies, Procedures, and Documentation (45 CFR §164.316)

**What It Governs**: Reasonable and appropriate policies, procedures, and documentation to comply with the Security Rule.

**Key Standards/Implementation Specifications**:

- **Policies and Procedures** (§164.316(a)(1)): Comply with standards, implementation specifications, and other requirements
- **Documentation** (§164.316(b)(1)-(2)): Maintain policies and procedures for 6 years from date of creation or last effective date, whichever is later

**Typical Evidence**: Written security policies, policy review/approval records, documentation retention evidence

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Cross-file category naming inconsistency.

This section header uses "Policies, Procedures, and Documentation" (with "and" and Oxford comma), but the corresponding section in evidence-checklist.md at line 102 uses "Policies, Procedures & Documentation" (with ampersand, no Oxford comma).

The format used here is more appropriate for formal technical documentation. Consider updating evidence-checklist.md to match this style for consistency.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/frameworks/us-hipaa-security/skills/us-hipaa-security/SKILL.md`
around lines 113 - 122, The section header in SKILL.md uses "Policies,
Procedures, and Documentation (45 CFR §164.316)" but evidence-checklist.md uses
the variant "Policies, Procedures & Documentation"; update the header in
evidence-checklist.md to exactly match the SKILL.md wording ("Policies,
Procedures, and Documentation (45 CFR §164.316)") so both files use the same
formal phrasing and punctuation; ensure any internal anchors or references that
rely on the old header text are updated accordingly.

AnandSundar and others added 2 commits April 27, 2026 17:07
- Fix 'Policies, Procedures & Documentation' → 'Policies, Procedures, and Documentation' to match SKILL.md
- Fix 'markdown' → 'Markdown' capitalization in format options
- Fix 'Policies & Documentation' → 'Policies and Documentation' in category descriptions
- Add evidence-checklist command documentation to SKILL.md with category short codes
…-checklist

The "Related Commands" section pointed at `--framework=US-HIPAA-Security`,
but gap-assessment accepts positional aliases only (see scf-client.js:240-242).
Switches to the canonical `HIPAA` alias to match assess.md:45 and resolve
correctly at runtime.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Comment on lines +46 to +51
**Penalty Tiers (per violation category per year)**:

- **Tier 1**: Lack of knowledge (reasonable diligence would not have known) - Minimum $100 per violation, max $25,000
- **Tier 2**: Reasonable cause (not willful neglect) - Minimum $1,000 per violation, max $100,000
- **Tier 3**: Willful neglect corrected within 30 days - Minimum $10,000 per violation, max $250,000
- **Tier 4**: Willful neglect not corrected - Minimum $50,000 per violation, max $1.9 million

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Penalty tiers contradict inflation-adjusted amounts in assess.md

SKILL.md uses the pre-adjustment statutory floor/cap amounts (Tier 1 $100–$25k, Tier 4 $50k–$1.9M), while assess.md correctly cites the January 28, 2026 inflation-adjusted figures (Tier 1 $145–$73,011, Tier 4 $73,011–$2,190,294). A practitioner who consults the skill for penalty guidance will get stale numbers that differ significantly from the assess.md output, potentially leading them to understate OCR exposure. Align both files to the same adjusted schedule.


## How It Works

This command routes to `/grc-engineer:gap-assessment HIPAA` and leverages the SCF crosswalk to map HIPAA Security Rule implementation specifications to standardized compliance controls.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Wrong SCF framework ID — HIPAA should be US-HIPAA-Security

plugin.json declares "scf_framework_id": "US-HIPAA-Security", and the ch-fadp sibling plugin correctly passes its full SCF ID ("emea-che-fadp-2025") to gap-assessment. Passing the bare alias HIPAA here may fail to resolve in the SCF crosswalk index, silently producing no findings or routing to the wrong framework. The same alias appears in SKILL.md line 306 and in evidence-checklist.md line 242 — all three should use the canonical ID.

Resolves conflicts on plugins/frameworks/ch-fadp/* introduced by GRCEngClub#87 merge:
- Keep main's two new sensitive-data bullets (race/ethnicity, social assistance)
- Apply branch's "Protected entities: natural persons only" correction —
  authoritative per kmu.admin.ch: the 2023 nFADP revision narrowed scope
  and legal persons are no longer covered (one of the 8 major changes).
- Keep branch's "commands"/"skills" arrays in ch-fadp/plugin.json
  (CodeRabbit feedback from GRCEngClub#87 follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ethanolivertroy ethanolivertroy merged commit b87bc99 into GRCEngClub:main Apr 29, 2026
1 of 3 checks passed
ethanolivertroy added a commit that referenced this pull request Apr 29, 2026
Two broken external URLs were failing the lychee link-check on every PR:

1. mattpocock/skills/grill-me — Matt reorganized into category subdirectories; new path is skills/productivity/grill-me. 3 references updated (CHANGELOG.md, plugins/teach-me/README.md, plugins/teach-me/commands/quiz.md).
2. www.edoeb.admin.ch/edoeb/en/home.html — 301-redirects to /en, but lychee's user agent gets a bot-detection 500 from the FDPIC origin. Switched both ch-fadp references to the canonical /en URL.

PRs #87, #89, and #90 all hit these failures.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

framework: HIPAA Security Rule plugin (Reference depth)

2 participants