---
name: clinical-data
description: >
  Domain rules for clinical / health-data code. Use whenever working with patient
  records, PHI, clinical observations, or anything under HIPAA/GDPR-health scope.
  <REPLACE WITH YOUR REAL TRIGGER CONDITIONS>
---

# Clinical Data Domain  <DOMAIN STUB — fill in for your org>

> Domain skill stub. Health data carries the strictest handling obligations.
> Replace examples with your real controls and cite the controlling regulation
> (HIPAA, GDPR Art. 9, regional equivalents). Keep specifics in references/.

## PHI handling
- Treat all patient data as PHI: encrypt it in transit and at rest, authorize
  and audit every access, and grant minimum-necessary access only. See `pii-handling`.
- Never log PHI, including in error messages, stack traces and debug output;
  enforce this in the logging layer rather than by convention. De-identify per
  <your standard, e.g. HIPAA Safe Harbor> before any secondary use (analytics,
  reporting, test data).
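
The de-identification step above, as an added example that is not part of this stub or of any org's controls: a Python de-identifier that applies the HIPAA Safe Harbor rules to one structured record. It assumes the field names shown (`name`, `mrn`, `zip`, `birth_date` and so on), drops free-text fields outright because pattern matching cannot reliably scrub them, and uses a constructed placeholder for the restricted 3-digit ZIP list; `AS_OF` and `SAMPLE` are constructed test data.

```python
import re
from copy import deepcopy
from datetime import date

# Field names are assumptions about this example's record layout, not a
# standard; map them onto your own schema.
DIRECT_IDENTIFIERS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "street_address",
    "account_number", "health_plan_id", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: only the year survives.
EVENT_DATES = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Free text cannot be reliably scrubbed by pattern matching, so it is dropped.
FREE_TEXT = {"notes", "chief_complaint"}
# Constructed placeholder: Safe Harbor needs the current census table of
# 3-digit ZIP areas with 20,000 or fewer residents. Do not ship this list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
AS_OF = date(2024, 6, 1)   # constructed reference date for age calculation


def age_on(birth_date: str, as_of: date) -> int:
    """Whole years from an ISO-8601 birth date to as_of."""
    m = ISO_DATE.match(birth_date)
    if not m:
        raise ValueError(f"bad date: {birth_date!r}")
    year, month, day = (int(g) for g in m.groups())
    years = as_of.year - year
    if (as_of.month, as_of.day) < (month, day):
        years -= 1
    return years


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit ZIP prefix, or 000 for sparsely populated areas."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a Safe Harbor-style copy of record; the input is left untouched."""
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS | FREE_TEXT:
        out.pop(field, None)
    if "zip" in out:
        out["zip"] = generalize_zip(str(out["zip"]))

    age = out.get("age")
    if out.get("birth_date"):
        age = age_on(out["birth_date"], as_of)
    for field in EVENT_DATES:
        if out.get(field):
            m = ISO_DATE.match(out[field])
            if not m:
                raise ValueError(f"bad date in {field}: {out[field]!r}")
            out[field] = m.group(1)          # year only

    if age is not None:
        if age > 89:
            # Ages over 89 collapse to one category; the birth year alone
            # would reveal the exact age, so it goes too.
            out["age"] = "90+"
            out.pop("birth_date", None)
        else:
            out["age"] = age
    return out


SAMPLE = {   # constructed sample record, not real data
    "mrn": "000123",
    "name": "Jane Doe",
    "birth_date": "1931-04-12",
    "admission_date": "2024-02-01",
    "zip": "02138",
    "notes": "sister called about discharge",
    "observations": [{"code": "8480-6", "value": 138}],
}
```

Two edge cases are handled deliberately: a patient over 89 loses the birth year as well as the exact age, because year plus reference date would reconstruct it; and free text is removed rather than regex-scrubbed, since names and dates embedded in notes routinely slip past patterns. Safe Harbor is the simpler of the two HIPAA methods (Expert Determination is the other), so substitute your own standard where the stub asks for one.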

## Provenance & integrity
- Clinical records are append-only; corrections are addenda that reference the
  original entry, never overwrites. The original must remain retrievable.
- Every read and write of PHI is audited, denied attempts included (see
  `regulatory-logging`).

## Interop
- Use the standard data model / coding system: <e.g. FHIR R4, SNOMED CT, LOINC>.
- Validate against the profile before persisting; reject non-conforming payloads
  outright rather than storing a partial record.

## Consent
- Enforce consent scope (patient, purpose, data category) on every access; a
  missing, expired or out-of-scope consent blocks the operation, and the denial
  is audited.
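
One way the Provenance, Interop and Consent rules above fit together in code, as an added example that is not the stub's or any org's implementation: an in-memory append-only store in which every entry is hash-chained to the previous one, corrections are addenda linked to the root record, every read, write and amendment is consent-checked and audited (denials included), and payloads are validated before anything is persisted. The `validate` function is a stand-in for real profile validation, the purpose vocabulary (`treatment`, `research`) and field names are assumptions, and `NOW`, `CONSENT` and `SAMPLE` are constructed test data.

```python
import hashlib
import json
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

class ConsentError(PermissionError): pass
class ValidationError(ValueError): pass

@dataclass(frozen=True)
class Consent:
    patient_id: str
    purposes: frozenset   # purpose vocabulary is an assumption of this example
    expires_at: datetime

    def covers(self, patient_id: str, purpose: str, now: datetime) -> bool:
        return self.patient_id == patient_id and purpose in self.purposes and now < self.expires_at

# Stand-in for profile validation: a real service runs the org's FHIR (or
# equivalent) validator here. Only the fields this example needs are checked.
REQUIRED_FIELDS = {"patient_id", "code", "value"}

def validate(resource: dict) -> None:
    missing = REQUIRED_FIELDS - resource.keys()
    if missing:
        raise ValidationError(f"non-conforming payload, missing {sorted(missing)}")

# kind is "record" or "addendum"; amends is the seq of the root record an addendum corrects.
Entry = namedtuple("Entry", "seq kind amends resource author recorded_at prev_hash digest")

def _digest(seq, kind, amends, resource, author, recorded_at, prev_hash) -> str:
    body = json.dumps([seq, kind, amends, resource, author, recorded_at, prev_hash],
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

class ClinicalStore:
    """Entries are only ever appended; a correction is a new addendum entry."""

    def __init__(self) -> None:
        self._entries = []
        self.audit = []   # route to the regulatory log sink in production

    def _audit(self, actor: str, action: str, patient_id: str, outcome: str) -> None:
        # Identifiers and outcome only, never the clinical payload.
        self.audit.append({"actor": actor, "action": action, "patient_id": patient_id, "outcome": outcome})

    def _require_consent(self, actor, consent, patient_id, purpose, now, action) -> None:
        if consent is None or not consent.covers(patient_id, purpose, now):
            self._audit(actor, action, patient_id, "denied")
            raise ConsentError(f"no valid '{purpose}' consent for {patient_id}")

    def _append(self, kind, amends, resource, actor, now) -> Entry:
        prev = self._entries[-1].digest if self._entries else "0" * 64
        seq, recorded_at = len(self._entries), now.isoformat()
        entry = Entry(seq, kind, amends, dict(resource), actor, recorded_at, prev,
                      _digest(seq, kind, amends, resource, actor, recorded_at, prev))
        self._entries.append(entry)
        return entry

    def write(self, actor, consent, resource, purpose, now) -> int:
        validate(resource)                # reject before consent lookup or persistence
        self._require_consent(actor, consent, resource["patient_id"], purpose, now, "write")
        entry = self._append("record", None, resource, actor, now)
        self._audit(actor, "write", resource["patient_id"], "ok")
        return entry.seq

    def amend(self, actor, consent, seq, correction, reason, purpose, now) -> int:
        target = self._entries[seq]       # may itself be an addendum; link back to the root
        root_seq = target.seq if target.kind == "record" else target.amends
        patient_id = target.resource["patient_id"]
        self._require_consent(actor, consent, patient_id, purpose, now, "amend")
        base = {k: v for k, v in target.resource.items() if k != "reason"}
        corrected = {**base, **correction, "patient_id": patient_id, "reason": reason}
        validate(corrected)
        entry = self._append("addendum", root_seq, corrected, actor, now)
        self._audit(actor, "amend", patient_id, "ok")
        return entry.seq

    def read(self, actor, consent, patient_id, purpose, now) -> list:
        # Current view: each record overlaid by its latest addendum; originals stay in the log.
        self._require_consent(actor, consent, patient_id, purpose, now, "read")
        self._audit(actor, "read", patient_id, "ok")
        current = {}
        for e in self._entries:
            if e.resource["patient_id"] == patient_id:
                current[e.seq if e.kind == "record" else e.amends] = dict(e.resource)
        return list(current.values())

    def verify_chain(self) -> bool:
        # Recompute every digest; an in-place edit of any stored entry breaks the chain.
        prev = "0" * 64
        for e in self._entries:
            if e.prev_hash != prev or e.digest != _digest(*e[:6], prev):
                return False
            prev = e.digest
        return True

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)                                # constructed
CONSENT = Consent("p-1", frozenset({"treatment"}), NOW + timedelta(days=30))   # constructed
SAMPLE = {"patient_id": "p-1", "code": "8480-6", "value": 138}                 # constructed sample
```

The audit entries carry identifiers and outcomes only, never the payload, which keeps PHI out of the log. `verify_chain` returns False as soon as any stored entry has been edited in place, which turns the append-only rule from a declaration into something that can be checked; in production the chain head would be anchored externally (a signed checkpoint or a write-once log) so that truncation is detectable as well.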

<Add your real standards, de-identification method, and consent model in references/.>
