Add HIPAA Privacy and Part 2 scope routing fixtures

[DENGXUELIN]

Summary

• Adds an early HIPAA Rule Scope Routing checkpoint to keep Security Rule safeguards separate from Privacy Rule, Breach Notification, Part 2/SUD, and non-HIPAA obligations.
• Adds report output fields and an out-of-scope follow-up table for privacy/legal handoff.
• Adds vulnerable and benign fixtures for mixed HIPAA requests that either overstate Security Rule coverage or route Privacy/Part 2 topics before scoring.

Bounty

Addresses #1692 as an Improver contribution.

Notes

• The reproductive health care attestation row is intentionally framed as a current legal-status check because HHS notes a June 18, 2025 court order affecting the 2024 reproductive health Privacy Rule.
• The Part 2 row is routed out of scope for this Security Rule skill and notes HHS's 2024 final rule effective/compliance timeline for reviewer handoff.

Validation

• git diff --cached --check
• Markdown fence-balance check over staged .md files
• Added-line ASCII check
• Required marker check for HIPAA-SCOPE-01 through HIPAA-SCOPE-08
• Sensitive/public-contact pattern scan
• git diff --check origin/main...HEAD
• git merge-tree --write-tree origin/main HEAD