# HIPAA Compliance Prompts

> Ready-to-use prompts for checking HIPAA applicability, reviewing PHI exposure, and creating HIPAA-aligned remediation plans using FlexBase standards.

## How to Use

Tell your AI agent what compliance task you need. The MCP server should load the HIPAA guide together with the relevant FlexBase API, query, handler, DTO, and UI conventions.

**Example prompts you can give your AI agent:**

```
Review the Bookings module for HIPAA applicability using FlexBase standards
```

```
Review the CreateBooking feature for HIPAA compliance and list the missing controls
```

```
Create a HIPAA remediation plan for the Guests module using existing FlexBase patterns
```

```
Review all notification templates in the Payments module for HIPAA disclosure risks
```

```
Review the Blazor UI for the Patient module for PHI overexposure
```

***

## What the Agent Should Check

For HIPAA-relevant modules or features, the review should cover:

* PHI touchpoints in DTOs, handlers, queries, subscribers, UI, notifications, files, and integrations
* minimum-necessary access
* authorization and role separation
* audit trail and traceability
* safe external disclosures
* logging and telemetry leakage
* idempotency and duplicate disclosure risks
* secure handling of files, exports, and notifications

***

## Task Catalog

### 1. HIPAA Applicability Review

**Goal:** Determine whether a module or feature is HIPAA relevant and identify PHI-bearing paths.

**Prompt:**

```
Review the [ModuleName] module for HIPAA applicability using FlexBase standards.

Identify:
- whether the module handles PHI directly, indirectly, or not at all
- all PHI touchpoints across DTOs, handlers, queries, subscribers, notifications, exports, UI pages, and integrations
- whether the current design follows minimum-necessary access

Output:
- applicability verdict
- PHI field classification
- top compliance risks
- required FlexBase changes by artifact type
```

### 2. Single Feature HIPAA Review

**Goal:** Inspect one feature end-to-end for HIPAA exposure and missing safeguards.

**Prompt:**

```
Review the [ModuleName] / [FeatureName] feature for HIPAA compliance using FlexBase patterns.

Inspect:
- request/response DTOs
- query projections
- handler logic
- subscriber side effects
- UI pages/dialogs
- external communications

Produce:
- HIPAA relevance summary
- missing controls
- minimum-necessary violations
- audit trail gaps
- recommended remediation tasks
```

### 3. Create HIPAA Remediation Plan

**Goal:** Generate implementation tasks to harden a module or feature.

**Prompt:**

```
Create a FlexBase implementation plan to make [ModuleName] / [FeatureName] HIPAA compliant.

Include concrete changes for:
- domain/data model
- DTOs
- handlers
- queries
- subscribers
- UI pages/dialogs
- notifications / exports / integrations
- logging / monitoring / operational controls

Follow existing FlexBase standards and avoid inventing non-standard patterns.
```

### 4. DTO Minimum-Necessary Review

**Goal:** Find DTOs that expose more PHI than necessary.

**Prompt:**

```
Review all DTOs used by [ModuleName] for HIPAA minimum-necessary compliance.

Find:
- fields that expose more PHI than needed
- list DTOs that should be split from detail DTOs
- patient/operator/admin DTOs that should be separated
- fields that should be masked or excluded

Return a DTO remediation plan with exact recommended DTO changes.
```

### 5. Query Leakage Review

**Goal:** Ensure queries do not over-return PHI and are properly scoped.

**Prompt:**

```
Review all queries in [ModuleName] for HIPAA and minimum-necessary access.

Check:
- projection discipline
- filter discipline
- tenant/user/role scoping
- list endpoints returning excessive columns
- exports/detail queries needing stronger controls

Return findings ordered by risk and propose FlexBase-compliant query changes.
```
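The DTO and query reviews above (tasks 4 and 5) both come down to the same two habits: separate a lean list DTO from a richer detail DTO, and scope every query by tenant before projecting only the columns that DTO needs. The following C# is an added illustration, not FlexBase code or a FlexBase API; the `Patient` entity, the DTO records, `PatientQueries`, and the role flag are all hypothetical, and the sample rows are constructed.

```csharp
// Added example, not FlexBase code: list/detail DTO split with masking and a
// tenant-scoped projection. Every entity, DTO and method name here is hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;

// Persistence model: holds every PHI field the feature stores.
public sealed class Patient
{
    public Guid Id { get; init; }
    public Guid TenantId { get; init; }
    public string FullName { get; init; } = "";
    public DateOnly DateOfBirth { get; init; }
    public string NationalId { get; init; } = "";
    public string Diagnosis { get; init; } = "";
}

// Grid row DTO: name and age only. No date of birth, identifier or diagnosis.
public sealed record PatientListItemDto(Guid Id, string FullName, int Age);

// Detail DTO for clinical roles: the identifier is masked even here; the full value
// belongs behind a separate, explicitly audited endpoint.
public sealed record PatientDetailDto(Guid Id, string FullName, DateOnly DateOfBirth, string NationalIdMasked, string Diagnosis);

public static class PatientQueries
{
    // Keeps only the last four characters: "AB123456C" becomes "*****456C".
    public static string MaskIdentifier(string value) =>
        value.Length <= 4 ? new string('*', value.Length)
                          : new string('*', value.Length - 4) + value[^4..];

    public static int AgeOn(DateOnly dob, DateOnly today)
    {
        int age = today.Year - dob.Year;
        if (today < dob.AddYears(age)) age--;
        return age;
    }

    // Tenant filter first, then project only the columns the list needs.
    // Age is derived after materialisation so the projection stays translatable by an ORM.
    public static IReadOnlyList<PatientListItemDto> ListForTenant(IQueryable<Patient> patients, Guid tenantId, DateOnly today) =>
        patients.Where(p => p.TenantId == tenantId)
                .Select(p => new { p.Id, p.FullName, p.DateOfBirth })
                .AsEnumerable()
                .Select(p => new PatientListItemDto(p.Id, p.FullName, AgeOn(p.DateOfBirth, today)))
                .ToList();

    // Detail view: same tenant scoping plus a role check; the row is fetched only after both pass.
    public static PatientDetailDto? DetailForClinician(IQueryable<Patient> patients, Guid tenantId, Guid patientId, bool callerIsClinician)
    {
        if (!callerIsClinician)
            throw new UnauthorizedAccessException("Detail view requires a clinical role.");

        var p = patients.SingleOrDefault(x => x.TenantId == tenantId && x.Id == patientId);
        return p is null ? null
            : new PatientDetailDto(p.Id, p.FullName, p.DateOfBirth, MaskIdentifier(p.NationalId), p.Diagnosis);
    }
}

public static class QueryDemo
{
    public static void Main()
    {
        var tenantA = Guid.NewGuid();
        var tenantB = Guid.NewGuid();
        // Constructed sample data: one patient per tenant.
        var patients = new List<Patient>
        {
            new() { Id = Guid.NewGuid(), TenantId = tenantA, FullName = "Ada Example", DateOfBirth = new DateOnly(1980, 5, 1), NationalId = "AB123456C", Diagnosis = "constructed" },
            new() { Id = Guid.NewGuid(), TenantId = tenantB, FullName = "Bob Other",   DateOfBirth = new DateOnly(1990, 1, 1), NationalId = "ZZ999999Z", Diagnosis = "constructed" },
        }.AsQueryable();

        var today = new DateOnly(2024, 6, 1);
        // Only tenant A's row comes back, and it carries no DOB, identifier or diagnosis.
        foreach (var row in PatientQueries.ListForTenant(patients, tenantA, today))
            Console.WriteLine($"{row.FullName}, age {row.Age}");

        var detail = PatientQueries.DetailForClinician(patients, tenantA, patients.First().Id, callerIsClinician: true);
        Console.WriteLine(detail?.NationalIdMasked);
    }
}
```

When reviewing a real module against this shape, the things to compare are the column set inside the `Select` (does the list projection pull fields the grid never renders?) and whether the tenant and role checks happen before the row is loaded rather than after.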

### 6. Handler and Subscriber Review

**Goal:** Review mutations and async flows for authorization, audit, and disclosure safety.

**Prompt:**

```
Review handlers and subscribers for [ModuleName] / [FeatureName] for HIPAA-aligned controls.

Check for:
- authorization enforcement
- audit logging / traceability
- unsafe logging of PHI
- duplicate downstream disclosures
- minimum-necessary outbound payloads
- concurrency and idempotency risks

Return a remediation plan grouped into handlers, subscribers, and operational controls.
```

### 7. Notifications and Integrations Review

**Goal:** Reduce disclosure risk in external communications.

**Prompt:**

```
Review all notifications and external integrations used by [ModuleName] for HIPAA disclosure risk.

Check:
- email templates
- SMS / WhatsApp content
- webhook payloads
- CRM synchronization fields
- exports and downloadable documents

Identify which payload fields should be removed, masked, generalized, or moved behind authenticated retrieval.
```
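Tasks 6 and 7 share one failure pattern: a subscriber that reacts to an event by sending a message, and in doing so copies PHI into the outbound body and the application log, or sends it twice when the event is redelivered. The C# below is an added illustration of the controls those tasks ask for, not FlexBase code; the `AppointmentScheduled` event, `ReminderSubscriber`, `AuditEntry`, the portal URL, and the sample event are all hypothetical or constructed.

```csharp
// Added example, not FlexBase code: a subscriber that sends a reminder once per event,
// keeps PHI out of the message body and application log, and records audit evidence.
// Every type and member name here is hypothetical.
using System;
using System.Collections.Generic;

// Integration event as published by the booking side; it carries PHI the reminder does not need.
public sealed record AppointmentScheduled(Guid EventId, Guid TenantId, Guid PatientId,
    string PatientName, string Diagnosis, string Phone, DateTime StartsAt);

public sealed record SmsMessage(string To, string Body);

// Audit evidence: who did what to which record, under which correlation id. Never the record's contents.
public sealed record AuditEntry(DateTimeOffset At, string Action, Guid ActorId, Guid SubjectId, Guid CorrelationId);

public sealed class ReminderSubscriber
{
    private readonly HashSet<Guid> _processed = new();   // stand-in for a durable idempotency store
    public List<SmsMessage> Sent { get; } = new();
    public List<AuditEntry> Audit { get; } = new();
    public List<string> AppLog { get; } = new();

    // Returns false when the event was already handled, so a redelivered event
    // never produces a second disclosure.
    public bool Handle(AppointmentScheduled evt, Guid actorId, Uri portalBase)
    {
        if (!_processed.Add(evt.EventId))
        {
            AppLog.Add($"duplicate event {evt.EventId} ignored");
            return false;
        }

        // Body: date and an authenticated link only. Name, condition and clinician stay in the portal.
        var link = new Uri(portalBase, $"appointments/{evt.EventId}");
        Sent.Add(new SmsMessage(evt.Phone, $"You have an appointment on {evt.StartsAt:yyyy-MM-dd}. Details: {link}"));

        // Application log: identifiers only. PatientName and Diagnosis are never interpolated.
        AppLog.Add($"reminder sent tenant={evt.TenantId} patient={evt.PatientId} event={evt.EventId}");

        Audit.Add(new AuditEntry(DateTimeOffset.UtcNow, "ReminderSent", actorId, evt.PatientId, evt.EventId));
        return true;
    }
}

public static class SubscriberDemo
{
    public static void Main()
    {
        var subscriber = new ReminderSubscriber();
        var systemActor = Guid.NewGuid();
        // Constructed sample event.
        var evt = new AppointmentScheduled(Guid.NewGuid(), Guid.NewGuid(), Guid.NewGuid(),
            "Ada Example", "constructed", "+15550000000", new DateTime(2024, 6, 1, 9, 0, 0));

        var portal = new Uri("https://portal.example.invalid/");   // placeholder host, not a real endpoint
        subscriber.Handle(evt, systemActor, portal);
        subscriber.Handle(evt, systemActor, portal);               // simulated redelivery

        // One message despite two deliveries; the log lines contain ids but no name or diagnosis.
        Console.WriteLine($"messages sent: {subscriber.Sent.Count}");
        foreach (var line in subscriber.AppLog) Console.WriteLine(line);
    }
}
```

Against a real subscriber, the review questions become concrete: is there a durable idempotency key (here a `HashSet` stands in for it), does any string interpolation reach the logger with a PHI property, and does the outbound payload carry anything the recipient could not instead retrieve after authenticating.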

### 8. Blazor UI PHI Exposure Review

**Goal:** Review screens, dialogs, lists, and messages for PHI overexposure.

**Prompt:**

```
Review the Blazor pages, dialogs, grids, and dashboards for [ModuleName] for HIPAA exposure risks.

Check:
- list pages showing too much PHI
- dialogs loading more data than needed
- badges/toasts/messages leaking sensitive information
- detail pages lacking role separation
- print/export views exposing PHI broadly

Return recommended UI hardening changes using existing FlexBase FluentUI Blazor patterns.
```

### 9. Module-Level HIPAA Checklist

**Goal:** Produce a reusable readiness checklist for a whole module.

**Prompt:**

```
Create a HIPAA readiness checklist for the [ModuleName] module using FlexBase implementation standards.

Group the checklist into:
- PHI identification
- DTO/query minimization
- authorization
- audit trail
- integration controls
- notifications
- file/document access
- logging/monitoring
- verification tests
```

### 10. Release Gate for HIPAA-Relevant Features

**Goal:** Create a pass/fail release gate before shipping a module or feature.

**Prompt:**

```
Generate a pre-release HIPAA compliance gate for [ModuleName] / [FeatureName].

The output should be a release checklist with pass/fail items for:
- API
- UI
- events/subscribers
- integrations
- notifications
- logging and monitoring
- access control
- audit evidence
```

***

## Recommended Output Shape

For best results, ask the agent to respond using this structure:

```
1. Applicability
2. PHI touchpoints
3. Findings ordered by severity
4. Required FlexBase changes by artifact type
5. Verification checklist
```

***

## Related

* [FlexBase API Guide Prompts](/flexbase-mcp-ai-prompts/flexbase-api-guide-prompts.md)
* [Implementation Completion Prompts](/flexbase-mcp-ai-prompts/implementation-completion-prompts.md)
* [Blazor Fluent UI Guide Prompts](/flexbase-mcp-ai-prompts/blazor-fluent-ui-guide-prompts.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.flexbase.in/flexbase-mcp-ai-prompts/hipaa-compliance-prompts.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
