hipaa-phi-inventory
HIPAA PHI Inventory — ePHI Asset Identification and Data Flow Mapping
Overview
The HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(A) requires covered entities and business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. This risk analysis is impossible without first knowing where ePHI resides, how it flows, and who has access. The PHI inventory is the foundational step of HIPAA compliance, supporting risk analysis (§164.308(a)(1)), access management (§164.312(a)), device and media controls (§164.310(d)), and business associate management (§164.502(e)).
Regulatory Framework
Security Rule — Risk Analysis Foundation
- §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate
- §164.310(d)(1): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility
- §164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to persons or software programs that have been granted access rights
OCR Risk Analysis Guidance
OCR guidance identifies the first step of risk analysis as: "Identify where ePHI is created, received, maintained, or transmitted." This requires a comprehensive inventory covering: