hipaa-phi-inventory

Installation
SKILL.md

HIPAA PHI Inventory — ePHI Asset Identification and Data Flow Mapping

Overview

The HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(A) requires covered entities and business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. This risk analysis is impossible without first knowing where ePHI resides, how it flows, and who has access. The PHI inventory is the foundational step of HIPAA compliance, supporting risk analysis (§164.308(a)(1)), access management (§164.312(a)), device and media controls (§164.310(d)), and business associate management (§164.502(e)).

Regulatory Framework

Security Rule — Risk Analysis Foundation

  • §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate
  • §164.310(d)(1): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility
  • §164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to persons or software programs that have been granted access rights

OCR Risk Analysis Guidance

OCR guidance identifies the first step of risk analysis as: "Identify where ePHI is created, received, maintained, or transmitted." This requires a comprehensive inventory covering:

Installs
10
GitHub Stars
187
First Seen
May 26, 2026
hipaa-phi-inventory — mukul975/privacy-data-protection-skills