Initial commit

Zhongwei Li
2025-11-30 08:30:18 +08:00
commit 74bee324ab
335 changed files with 147377 additions and 0 deletions

@@ -0,0 +1,395 @@
# HIPAA Compliance Checklist for Clinical Reports
## 18 HIPAA Identifiers - De-identification Checklist
Verify that ALL of the following identifiers have been removed or altered:
- [ ] **1. Names** - Patient name, family members, healthcare providers (unless necessary and consented)
- [ ] **2. Geographic subdivisions smaller than state**
- No street addresses
- No cities (unless >20,000 population and part of ZIP can be kept if >20,000)
- No counties
- First 3 digits of ZIP code acceptable only if geographic unit >20,000 people
- All other portions of ZIP codes removed
- [ ] **3. Dates** (except year)
- No exact dates of birth (year only acceptable; year of birth for those >89 must be aggregated)
- No admission dates
- No discharge dates
- No dates of service
- No dates of death
- Use relative time periods (e.g., "3 months prior") or years only
- [ ] **4. Telephone numbers**
- No phone numbers of any kind
- Including patient, family, provider contact numbers
- [ ] **5. Fax numbers**
- No fax numbers
- [ ] **6. Email addresses**
- No email addresses for patient or related individuals
- [ ] **7. Social Security numbers**
- No SSN or partial SSN
- [ ] **8. Medical record numbers**
- No MRN, hospital ID, or clinic numbers
- Use coded study ID or case number if needed
- [ ] **9. Health plan beneficiary numbers**
- No insurance ID numbers
- No policy numbers
- [ ] **10. Account numbers**
- No billing account numbers
- No financial account information
- [ ] **11. Certificate/license numbers**
- No driver's license numbers
- No professional license numbers (unless for author credentials)
- [ ] **12. Vehicle identifiers and serial numbers**
- No license plate numbers
- No VIN numbers
- [ ] **13. Device identifiers and serial numbers**
- No pacemaker serial numbers
- No implant device serial numbers
- Generic device description acceptable (e.g., "implantable cardioverter-defibrillator")
- [ ] **14. Web URLs**
- No personal websites
- No URLs identifying individuals
- [ ] **15. IP addresses**
- No IP addresses
- [ ] **16. Biometric identifiers**
- No fingerprints
- No voiceprints
- No retinal scans
- No other biometric data
- [ ] **17. Full-face photographs and comparable images**
- No full-face photographs without consent
- Crop or blur faces if showing
- Remove identifying features (jewelry, tattoos, birthmarks if not clinically relevant)
- Black bars over eyes NOT sufficient
- Ensure no reflection or background identification
- [ ] **18. Any other unique identifying characteristic or code**
- No unique characteristics that could identify individual
- No rare disease combinations that could identify
- Consider if combination of remaining data points could identify individual
---
## Additional De-identification Considerations
### Ages and Dates
- [ ] Patients aged ≤89: Exact age or age range acceptable
- [ ] Patients aged >89: Must be aggregated to "90 or older" or ">89 years"
- [ ] Dates: Use only years OR use relative time periods
- Example: "3 months prior to presentation" instead of "on January 15, 2023"
- Example: "admitted in 2023" instead of "admitted on March 10, 2023"
### Geographic Information
- [ ] State or country is acceptable
- [ ] Removed specific cities (unless population >20,000 and no other identifying information)
- [ ] Removed hospital/clinic names
- [ ] Use general descriptors: "a community hospital in the Midwest" or "a tertiary care center"
### Rare Conditions and Combinations
- [ ] Consider if very rare disease alone could identify patient
- [ ] Consider if combination of:
- Age + diagnosis + geographic area + timeframe could identify patient
- [ ] May need to be vague about certain unique details
- [ ] Balance between providing clinical information and protecting privacy
### Images and Figures
- [ ] All patient identifiers removed from image headers/metadata
- [ ] DICOM data stripped
- [ ] Dates removed from images
- [ ] Medical record numbers removed
- [ ] Faces cropped, blurred, or obscured
- [ ] Identifying marks removed or obscured:
- Tattoos
- Jewelry
- Birthmarks or unique scars (if not clinically relevant)
- [ ] Scale bars and annotations do not contain identifying information
- [ ] Background environment de-identified (room numbers, nameplates, etc.)
### Voice and Video
- [ ] No audio recordings with patient voice (unless consent obtained)
- [ ] No video showing identifiable features (unless consent obtained)
- [ ] If video necessary, face must be obscured
---
## Informed Consent Checklist (for Case Reports/Publications)
### Consent Requirements
- [ ] Informed consent obtained BEFORE publication submission
- [ ] Consent obtained from patient directly (if capable)
- [ ] If patient deceased or incapacitated, consent from legal representative or next of kin
- [ ] For pediatric cases, parental/guardian consent obtained
### Consent Form Elements
The informed consent form must include:
- [ ] Purpose of publication (education, medical knowledge)
- [ ] What will be published (case details, images, outcomes)
- [ ] Journal or publication venue (if known)
- [ ] Open access vs. subscription (public availability)
- [ ] De-identification efforts explained
- [ ] Potential for re-identification acknowledged
- [ ] No effect on clinical care
- [ ] Right to withdraw consent (timing limitations)
- [ ] Contact information for questions
- [ ] Patient signature and date
- [ ] Witness signature (if required)
### Consent Documentation
- [ ] Signed consent form on file
- [ ] Copy provided to patient
- [ ] Consent available for editor review
- [ ] Statement in manuscript confirming consent obtained
**Example statement for manuscript:**
"Written informed consent was obtained from the patient for publication of this case report and any accompanying images. A copy of the written consent is available for review by the Editor-in-Chief of this journal on request."
---
## Safe Harbor vs. Expert Determination
### Safe Harbor Method
- [ ] All 18 identifiers removed
- [ ] No actual knowledge that remaining information could identify individual
- [ ] Most straightforward method
- [ ] Recommended for most clinical reports
### Expert Determination Method
- [ ] Qualified statistician/expert determined very small re-identification risk
- [ ] Methodology documented
- [ ] Analysis methods specified
- [ ] Conclusion documented
- [ ] May allow retention of some data elements
- [ ] Requires statistical expertise
**Method used:** [ ] Safe Harbor [ ] Expert Determination
---
## Minimum Necessary Standard
### Use and Disclosure
- [ ] Only minimum PHI necessary for purpose is used
- [ ] Purpose of disclosure clearly defined
- [ ] Limited to relevant information only
- [ ] Consider de-identified data or limited data set as alternatives
### Exceptions to Minimum Necessary
Minimum necessary does NOT apply to:
- Treatment purposes (providers may need full information)
- Patient-authorized disclosures
- Disclosures required by law
- Disclosures to HHS for compliance investigation
---
## Authorization for Use/Disclosure of PHI
### When Authorization Required
Authorization needed for:
- [ ] Research (unless IRB waiver granted)
- [ ] Marketing purposes
- [ ] Sale of PHI
- [ ] Psychotherapy notes
- [ ] Uses beyond treatment, payment, operations (TPO)
### Authorization Elements
If authorization required, it must include:
- [ ] Specific description of PHI to be used/disclosed
- [ ] Person(s) authorized to make disclosure
- [ ] Person(s) to receive information
- [ ] Purpose of disclosure
- [ ] Expiration date or event
- [ ] Right to revoke and how
- [ ] Right to refuse to sign
- [ ] Potential for re-disclosure by recipient
- [ ] Patient signature and date
---
## Limited Data Set
### Limited Data Set Option
A limited data set removes 16 of 18 identifiers but may retain:
- [ ] Dates (admission, discharge, service, birth, death)
- [ ] Geographic information (city, state, ZIP code)
### Requirements for Limited Data Set
- [ ] Data Use Agreement (DUA) required
- [ ] DUA specifies permitted uses
- [ ] Only for research, public health, or healthcare operations
- [ ] Recipient agrees not to re-identify
- [ ] Recipient agrees to safeguard data
---
## Security Safeguards Checklist
### Administrative Safeguards
- [ ] Security management process in place
- [ ] Workforce security measures
- [ ] Access management (role-based)
- [ ] Security training for workforce
- [ ] Incident response procedures
### Physical Safeguards
- [ ] Facility access controls
- [ ] Workstation use policies
- [ ] Workstation security measures
- [ ] Device and media controls
- [ ] Secure disposal procedures
### Technical Safeguards
- [ ] Access controls (unique user IDs, passwords)
- [ ] Audit controls and logging
- [ ] Integrity controls
- [ ] Transmission security (encryption)
- [ ] Automatic logoff after inactivity
---
## Breach Notification Checklist
### If Unauthorized Disclosure Occurs
- [ ] Determine if breach occurred (unauthorized access/use/disclosure)
- [ ] Assess risk of harm to individual
- [ ] If breach affects <500 individuals:
- Notify individual within 60 days
- Report to HHS annually
- [ ] If breach affects ≥500 individuals:
- Notify individuals within 60 days
- Notify HHS within 60 days
- Notify media if affects ≥500 in a state/jurisdiction
- [ ] Document breach and response
- [ ] Implement corrective action
### Breach Notification Content
Notification must include:
- [ ] Description of breach
- [ ] Types of information involved
- [ ] Steps individuals should take
- [ ] What organization is doing
- [ ] Contact for questions
---
## Research-Specific Compliance
### IRB/Privacy Board Considerations
- [ ] IRB approval obtained (if research)
- [ ] HIPAA authorization obtained OR waiver granted
- [ ] Waiver justification documented:
- Minimal risk to privacy
- Research cannot practically be conducted without waiver
- Research cannot practically be conducted without PHI
- Plan to protect identifiers
- Plan to destroy identifiers when appropriate
### Clinical Trial Reporting
- [ ] Subject identified by ID number only
- [ ] No names in regulatory submissions
- [ ] Initials only if required by regulatory authority
- [ ] Dates limited to year or relative time
- [ ] Protocol includes privacy protections
---
## Special Populations
### Pediatric Cases
- [ ] Parent/guardian consent obtained
- [ ] Child assent obtained (if age-appropriate)
- [ ] Extra care with identifiable photos
- [ ] School information removed
### Deceased Patients
- [ ] HIPAA protections apply for 50 years post-death
- [ ] Next of kin consent for publication
- [ ] Autopsy information de-identified
### Mental Health and Substance Abuse
- [ ] Extra protections under 42 CFR Part 2
- [ ] Explicit consent for disclosure
- [ ] Cannot re-disclose without consent
---
## Final Compliance Verification
**Reviewed by:** ____________________
**Date:** ____________________
**Signature:** ____________________
**Compliance Status:** [ ] Compliant [ ] Needs revision [ ] Not compliant
**Issues identified:**
1. [Issue]
2. [Issue]
**Corrective actions:**
1. [Action]
2. [Action]
**Re-review required:** [ ] Yes [ ] No
**Re-review date:** ____________________
---
## Documentation to Maintain
Keep on file:
- [ ] Signed patient consent (if applicable)
- [ ] IRB approval (if research)
- [ ] HIPAA waiver (if applicable)
- [ ] De-identification verification
- [ ] Data use agreement (if limited data set)
- [ ] Authorization forms (if applicable)
- [ ] Training records for personnel handling PHI
- [ ] Audit logs
**Retention period:** Minimum 6 years per HIPAA requirement
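Review bot: The city exception in identifier 2 ("No cities (unless >20,000 population and part of ZIP can be kept if >20,000)") and again under Geographic Information ("Removed specific cities (unless population >20,000 and no other identifying information)") is not part of Safe Harbor, which requires removing every geographic subdivision smaller than a state, cities included. The 20,000 threshold applies only to keeping the first three ZIP digits, which the following bullet in identifier 2 already covers. Suggest reducing both lines to a plain "No cities" and "Removed specific cities" so the checklist cannot pass a report that names a city. Separately, the media bullet in the breach section uses "≥500", while media notice is triggered by more than 500 residents of a state or jurisdiction; that bullet should read ">500", leaving "≥500" on the HHS and individual-notice lines.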