HIPAA Compliance Prompts

Ready-to-use prompts for checking HIPAA applicability, reviewing PHI exposure, and creating HIPAA-aligned remediation plans using FlexBase standards.

How to Use

Tell your AI agent what compliance task you need. The MCP server should load the HIPAA guide together with the relevant FlexBase API, query, handler, DTO, and UI conventions.

Example prompts you can give your AI agent:

Review the Bookings module for HIPAA applicability using FlexBase standards

Review the CreateBooking feature for HIPAA compliance and list the missing controls

Create a HIPAA remediation plan for the Guests module using existing FlexBase patterns

Review all notification templates in the Payments module for HIPAA disclosure risks

Review the Blazor UI for the Patient module for PHI overexposure

What the Agent Should Check

For HIPAA-relevant modules or features, the review should cover:

PHI touchpoints in DTOs, handlers, queries, subscribers, UI, notifications, files, and integrations
minimum-necessary access
authorization and role separation
audit trail and traceability
safe external disclosures
logging and telemetry leakage
idempotency and duplicate disclosure risks
secure handling of files, exports, and notifications

Task Catalog

1. HIPAA Applicability Review

Goal: Determine whether a module or feature is HIPAA relevant and identify PHI-bearing paths.

Prompt:

Review the [ModuleName] module for HIPAA applicability using FlexBase standards.

Identify:
- whether the module handles PHI directly, indirectly, or not at all
- all PHI touchpoints across DTOs, handlers, queries, subscribers, notifications, exports, UI pages, and integrations
- whether the current design follows minimum-necessary access

Output:
- applicability verdict
- PHI field classification
- top compliance risks
- required FlexBase changes by artifact type

2. Single Feature HIPAA Review

Goal: Inspect one feature end-to-end for HIPAA exposure and missing safeguards.

Prompt:

Review the [ModuleName] / [FeatureName] feature for HIPAA compliance using FlexBase patterns.

Inspect:
- request/response DTOs
- query projections
- handler logic
- subscriber side effects
- UI pages/dialogs
- external communications

Produce:
- HIPAA relevance summary
- missing controls
- minimum-necessary violations
- audit trail gaps
- recommended remediation tasks

3. Create HIPAA Remediation Plan

Goal: Generate implementation tasks to harden a module or feature.

Prompt:

Create a FlexBase implementation plan to make [ModuleName] / [FeatureName] HIPAA compliant.

Include concrete changes for:
- domain/data model
- DTOs
- handlers
- queries
- subscribers
- UI pages/dialogs
- notifications / exports / integrations
- logging / monitoring / operational controls

Follow existing FlexBase standards and avoid inventing non-standard patterns.

4. DTO Minimum-Necessary Review

Goal: Find DTOs that expose more PHI than necessary.

Prompt:

Review all DTOs used by [ModuleName] for HIPAA minimum-necessary compliance.

Find:
- fields that expose more PHI than needed
- list DTOs that should be split from detail DTOs
- patient/operator/admin DTOs that should be separated
- fields that should be masked or excluded

Return a DTO remediation plan with exact recommended DTO changes.

5. Query Leakage Review

Goal: Ensure queries do not over-return PHI and are properly scoped.

Prompt:

Review all queries in [ModuleName] for HIPAA and minimum-necessary access.

Check:
- projection discipline
- filter discipline
- tenant/user/role scoping
- list endpoints returning excessive columns
- exports/detail queries needing stronger controls

Return findings ordered by risk and propose FlexBase-compliant query changes.

6. Handler and Subscriber Review

Goal: Review mutations and async flows for authorization, audit, and disclosure safety.

Prompt:

Review handlers and subscribers for [ModuleName] / [FeatureName] for HIPAA-aligned controls.

Check for:
- authorization enforcement
- audit logging / traceability
- unsafe logging of PHI
- duplicate downstream disclosures
- minimum-necessary outbound payloads
- concurrency and idempotency risks

Return a remediation plan grouped into handlers, subscribers, and operational controls.

7. Notifications and Integrations Review

Goal: Reduce disclosure risk in external communications.

Prompt:

Review all notifications and external integrations used by [ModuleName] for HIPAA disclosure risk.

Check:
- email templates
- SMS / WhatsApp content
- webhook payloads
- CRM synchronization fields
- exports and downloadable documents

Identify which payload fields should be removed, masked, generalized, or moved behind authenticated retrieval.

8. Blazor UI PHI Exposure Review

Goal: Review screens, dialogs, lists, and messages for PHI overexposure.

Prompt:

Review the Blazor pages, dialogs, grids, and dashboards for [ModuleName] for HIPAA exposure risks.

Check:
- list pages showing too much PHI
- dialogs loading more data than needed
- badges/toasts/messages leaking sensitive information
- detail pages lacking role separation
- print/export views exposing PHI broadly

Return recommended UI hardening changes using existing FlexBase FluentUI Blazor patterns.

9. Module-Level HIPAA Checklist

Goal: Produce a reusable readiness checklist for a whole module.

Prompt:

Create a HIPAA readiness checklist for the [ModuleName] module using FlexBase implementation standards.

Group the checklist into:
- PHI identification
- DTO/query minimization
- authorization
- audit trail
- integration controls
- notifications
- file/document access
- logging/monitoring
- verification tests

10. Release Gate for HIPAA-Relevant Features

Goal: Create a pass/fail release gate before shipping a module or feature.

Prompt:

Generate a pre-release HIPAA compliance gate for [ModuleName] / [FeatureName].

The output should be a release checklist with pass/fail items for:
- API
- UI
- events/subscribers
- integrations
- notifications
- logging and monitoring
- access control
- audit evidence

Recommended Output Shape

For best results, ask the agent to respond using this structure:

1. Applicability
2. PHI touchpoints
3. Findings ordered by severity
4. Required FlexBase changes by artifact type
5. Verification checklist

Last updated 2 months ago

How to Use

What the Agent Should Check

Task Catalog

1. HIPAA Applicability Review

2. Single Feature HIPAA Review

3. Create HIPAA Remediation Plan

4. DTO Minimum-Necessary Review

5. Query Leakage Review

6. Handler and Subscriber Review

7. Notifications and Integrations Review

8. Blazor UI PHI Exposure Review

9. Module-Level HIPAA Checklist

10. Release Gate for HIPAA-Relevant Features

Recommended Output Shape

Related