
ePHI inventory template: the foundation of every risk analysis

How to create an accurate ePHI inventory for your HIPAA risk analysis. What to include, where ePHI hides, and why missing systems is the most common OCR finding.

By CoreFolio


The most common finding in Office for Civil Rights (OCR) risk analysis investigations is not that the analysis was poorly written. It is that the scope was incomplete. The practice analyzed their EHR but missed their email. They inventoried workstations but missed personal devices. They documented primary systems but missed the cloud backup or the legacy server nobody has touched in three years.

An accurate electronic protected health information (ePHI) inventory is the foundation of an accurate risk analysis. You cannot assess risks to systems you do not know you have. 45 CFR § 164.308(a)(1)(ii)(A) requires a thorough assessment — and thoroughness begins with complete scope.

This article provides the structure for a comprehensive ePHI inventory. Use it to prepare your risk analysis or to audit an existing one for completeness.

What an ePHI inventory is

An ePHI inventory is a documented enumeration of:

  • Every location where ePHI is stored or accessed
  • Every system that creates, receives, maintains, or transmits ePHI
  • Every device that stores or accesses ePHI
  • Every transmission path ePHI travels
  • Every vendor with ePHI access (business associates)

The inventory answers the question: "Where does our ePHI live, move, and who can touch it?"

Why inventories fail

OCR investigations find ePHI inventory failures in two patterns:

Known but omitted: The practice knew about the system but did not include it in the analysis. Examples: "We didn't think email counted" or "The backup drive seemed obvious so we skipped it."

Unknown and undiscovered: The practice genuinely did not know about the system. Examples: shadow cloud storage, personal devices with auto-backup, test environments with production data.

Both are findings. The regulation requires accurate and thorough assessment. "I didn't know" is not a defense; it is an admission that the thoroughness standard was not met.

The inventory structure

A complete ePHI inventory has five categories. Omit any category and you risk missing systems.

Category 1: Information systems

The software applications that process ePHI.

Core clinical systems

  • Electronic Health Record (EHR) / Electronic Medical Record (EMR)
  • Practice management software
  • Patient portal
  • E-prescribing system
  • Clinical decision support tools

Imaging and diagnostics

  • PACS (Picture Archiving and Communication System)
  • Digital radiography software
  • Laboratory information systems
  • Diagnostic device software (ECG, spirometry, etc.)

Business systems

  • Billing and claims software
  • Scheduling systems
  • Payroll (if it includes health information)
  • Accounting (if it includes patient payments)

Communication systems

  • Email platform (business email)
  • Secure messaging systems
  • Patient communication platforms (text reminders, portals)
  • Telehealth platforms
  • Fax servers or digital fax services

Template format:

System Name | Vendor | Version/Model | Hosting | ePHI Types | BAA Status
[FILL] | [FILL] | [FILL] | [On-prem/Cloud/Hybrid] | [FILL] | [Yes/No/NA]

Category 2: Infrastructure

The hardware and network that support information systems.

Servers and storage

  • EHR/practice management servers
  • File servers
  • Backup servers
  • Network Attached Storage (NAS)
  • Cloud storage accounts (Dropbox, Google Drive, OneDrive, Box)

Network equipment

  • Routers and switches
  • Firewalls
  • Wireless access points
  • VPN concentrators
  • Internet connection

Security infrastructure

  • Antivirus/endpoint protection servers
  • Intrusion detection/prevention systems
  • Security information and event management (SIEM)

Template format:

Asset | Location | Purpose | ePHI Access | Encryption
[FILL] | [FILL] | [FILL] | [Yes/No] | [Yes/No/Partial]

Category 3: Endpoints

The devices that access information systems.

Workstations

  • Desktop computers (reception, clinical, billing)
  • Laptops (clinical, administrative)
  • Tablets (iPads, Android tablets used for patient care)

Mobile devices

  • Smartphones (practice-issued and personal bring-your-own-device (BYOD) phones)
  • Portable diagnostic devices with storage
  • USB drives and portable hard drives
  • Digital cameras (clinical photography)

Peripherals

  • Printers and copiers (with hard drives)
  • Scanners
  • Signature pads
  • Card readers

Template format:

Device | Assigned To | Location | ePHI Access | Security Controls
[FILL] | [FILL] | [FILL] | [FILL] | [Encryption, mobile device management (MDM), etc.]

Category 4: Physical locations

Where ePHI is physically present or accessed.

Primary location

  • Main office address
  • Departments/areas within (reception, clinical, records, IT)

Satellite locations

  • Branch offices
  • Clinics
  • Mobile units

Remote endpoints

  • Home offices of remote workers
  • Locations where providers access ePHI after hours
  • Patient homes (for telehealth or home health)

Third-party locations

  • Data centers (if self-hosted)
  • Cloud provider regions (if known)
  • Business associate facilities with ePHI access

Template format:

Location | Address | ePHI Types | Access Controls | Notes
[FILL] | [FILL] | [FILL] | [FILL] | [FILL]

Category 5: Transmission paths

How ePHI moves between systems and locations.

Internal transmission

  • Network paths (wired and wireless)
  • Internal email
  • File sharing (network drives, internal cloud)
  • Application interfaces (HL7, API connections)

External transmission

  • Internet email
  • Patient portal uploads/downloads
  • Telehealth sessions
  • Lab interfaces
  • Clearinghouse connections
  • Cloud backup transmission

Physical transmission

  • USB drives moving between systems
  • Printed materials transported
  • Backup media shipped offsite
  • Devices sent for repair/replacement

Template format:

Path | Source | Destination | Method | Encryption
[FILL] | [FILL] | [FILL] | [FILL] | [Yes/No]

The business associate inventory

Vendors with ePHI access are part of your inventory. For each business associate, document:

Vendor Name | Service | ePHI Access Type | BAA Executed | Security Verification
[FILL] | [FILL] | [Administrative/Physical/Technical] | [Yes/No] | [FILL]

Common missed business associates:

  • IT service providers (often have administrative access)
  • Cloud backup vendors
  • Email hosting providers
  • Website/patient portal vendors
  • Shredding services (for drives/media, not just paper)
  • Copier/printer leasing companies (hard drive access)
  • Telehealth platforms
  • Patient communication services (text reminders)

Shadow IT discovery

The hardest part of inventory is finding what you do not know about. Common shadow systems:

Personal cloud storage

Staff may use personal Dropbox, Google Drive, or iCloud to store or share work files. Look for:

  • Files sent to personal email addresses
  • References to cloud services in email signatures
  • Staff accessing work files from personal devices

Unapproved software

  • Personal email used for patient communication
  • Consumer messaging apps (WhatsApp, Signal) for staff coordination
  • Personal task managers with patient information
  • Unapproved telehealth tools

Shadow devices

  • Personal laptops used for work
  • Personal tablets in clinical areas
  • Smartphones photographing whiteboards with patient schedules
  • USB drives for file transfer

Discovery methods:

  • Survey staff about tools they use
  • Review expense reports for software subscriptions
  • Check network logs for cloud service access
  • Audit email for personal service references
  • Review credit card statements for software purchases
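One way to carry out the "check network logs for cloud service access" step above, as an added example that is not part of the original article: a small script that scans a DNS query log for the consumer storage and messaging services named in this section and reports which hosts reached them. The log format, the hostnames, the service domains and the approved-services list are all constructed assumptions; substitute the resolver or proxy export and the inventory you actually have.

```python
import csv
import io
from collections import defaultdict

# Constructed sample DNS query log (hypothetical CSV format, not from any
# real resolver): timestamp, client host, queried domain.
SAMPLE_DNS_LOG = """timestamp,client,query
2024-03-04T09:12:01,WS-RECEPTION-01,ehr.example-vendor.test
2024-03-04T09:12:09,WS-RECEPTION-01,www.dropbox.com
2024-03-04T09:13:44,LT-DRNGUYEN,drive.google.com
2024-03-04T09:14:02,LT-DRNGUYEN,api.whatsapp.com
2024-03-04T09:15:30,WS-BILLING-02,www.dropbox.com
2024-03-04T09:16:11,WS-BILLING-02,mail.example-practice.test
"""

# Consumer services the article lists as common shadow storage/messaging.
# The domain-to-service mapping is an assumption; extend it from what you
# actually observe in your own logs.
SHADOW_SERVICE_DOMAINS = {
    "dropbox.com": "Dropbox (personal cloud storage)",
    "drive.google.com": "Google Drive (personal cloud storage)",
    "icloud.com": "iCloud (personal cloud storage)",
    "whatsapp.com": "WhatsApp (consumer messaging)",
    "signal.org": "Signal (consumer messaging)",
}

# Services already approved and recorded in the inventory (constructed):
# e.g. Google Workspace with an executed BAA. Hits to these are not shadow IT.
APPROVED_DOMAINS = {"drive.google.com"}

def match_service(domain):
    """Return (matched domain, label) if the domain or a parent is a listed service."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SHADOW_SERVICE_DOMAINS:
            return candidate, SHADOW_SERVICE_DOMAINS[candidate]
    return None

def find_shadow_services(log_text, approved=APPROVED_DOMAINS):
    """Map each unapproved consumer service to the sorted hosts that reached it."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        matched = match_service(row["query"])
        if matched is None or matched[0] in approved:
            continue
        hits[matched[1]].add(row["client"])
    return {label: sorted(hosts) for label, hosts in hits.items()}

if __name__ == "__main__":
    for label, hosts in find_shadow_services(SAMPLE_DNS_LOG).items():
        print(f"{label}: {', '.join(hosts)}")  # each hit is a candidate inventory row
```

Each reported host/service pair is a lead to confirm with the staff survey, not a finding by itself; a confirmed personal account becomes an inventory row whether or not the practice approved it.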

ePHI types to inventory

For each system, identify what types of ePHI it processes:

Clinical information

  • Medical history and diagnoses
  • Treatment plans and progress notes
  • Medication lists
  • Allergies and adverse reactions
  • Lab results and diagnostic reports
  • Clinical images and photographs

Demographic and administrative

  • Patient name, address, contact information
  • Date of birth, Social Security number
  • Insurance information
  • Appointment dates and times
  • Account numbers and billing records

Communications

  • Email content
  • Portal messages
  • Phone notes and voicemail
  • Telehealth session recordings (if any)

Derived information

  • Audit logs containing patient identifiers
  • Backup metadata
  • Analytics data

Inventory maintenance

An inventory is current or it is wrong. Systems change; the inventory must be updated.

Trigger events requiring inventory updates:

  • New system implementation
  • System decommissioning
  • Vendor changes
  • New location opening
  • Staff changes affecting device assignment
  • Security incidents revealing shadow systems

Annual verification: Even without changes, verify the inventory annually:

  • Confirm systems still exist
  • Verify configurations unchanged
  • Validate access lists
  • Check for new shadow systems

Using the inventory in risk analysis

The ePHI inventory feeds directly into NIST 800-30 risk assessment:

Step 1: Scope definition. The inventory defines what is in scope for the risk analysis.

Step 2: Threat identification. Each asset in the inventory is assessed for threats. A laptop with unencrypted ePHI faces different threats than a cloud EHR.

Step 3: Vulnerability assessment. Each asset is assessed for vulnerabilities. The inventory's security controls column guides this assessment.

Step 4: Risk determination. Likelihood and impact are assessed per asset. The inventory's ePHI type and access level inform impact ratings.

Without the inventory, the risk analysis is built on assumption. With it, the analysis is built on documented fact.

Template implementation

Spreadsheet format: Most practices use Excel or Google Sheets for the inventory. Organize with tabs for each category (Systems, Infrastructure, Endpoints, Locations, Transmission, Business Associates).

Access controls: The inventory itself is sensitive. It documents your security posture and gaps. Store with appropriate access controls.

Versioning: Date the inventory. Keep prior versions. An investigator may ask to see the inventory as it existed at a particular time.

Integration: Link the inventory to your risk analysis. Reference asset IDs in your risk register so risks trace back to specific systems.

Common inventory mistakes

Mistake 1: Vague system names. "Email" should be "Google Workspace for Business, hosted by Google, with BAA executed."

Mistake 2: Omitting consumer services. If staff use personal iCloud accounts that back up work photos, iCloud is in your inventory whether you approved it or not.

Mistake 3: Ignoring legacy systems. The server from your old EHR, still powered on with patient data, is in scope even if you do not use it.

Mistake 4: Incomplete business associate agreement (BAA) tracking. Knowing you have an EHR BAA is not enough. You need BAAs for backup, email, IT support, and every other vendor with access.

Mistake 5: Static inventory. An inventory from 2022 does not describe your 2026 environment. Keep it current or acknowledge it is stale.
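An added example, not from the article or from CoreFolio's product, of what a completeness check over a spreadsheet-style inventory can look like once asset IDs link the tabs together (the "Integration" and "Versioning" points above) and the common mistakes just listed are turned into rules. The rows, asset IDs and column names are constructed assumptions that follow the template columns; the rules flag vague names, cloud-hosted systems without a BAA, stale verification dates, unencrypted endpoints with ePHI access, and transmission paths that reference an asset nobody inventoried.

```python
from datetime import date

# Constructed sample rows in the template's columns (assumption: one dict per
# row, with a hypothetical asset ID per row). Not from any real practice.
SYSTEMS = [
    {"id": "SYS-001", "name": "Google Workspace for Business", "hosting": "Cloud",
     "ephi_types": "Communications", "baa": "Yes", "last_verified": "2025-11-02"},
    {"id": "SYS-002", "name": "Email", "hosting": "Cloud",
     "ephi_types": "Communications", "baa": "No", "last_verified": "2022-06-15"},
    {"id": "SYS-003", "name": "Legacy EHR server (old vendor)", "hosting": "On-prem",
     "ephi_types": "Clinical", "baa": "NA", "last_verified": "2025-11-02"},
]
ENDPOINTS = [
    {"id": "END-001", "device": "Laptop LT-DRNGUYEN", "ephi_access": "Yes", "encryption": "No"},
]
PATHS = [
    {"id": "PATH-001", "source": "SYS-003", "destination": "SYS-009",
     "method": "SFTP", "encryption": "Yes"},
]

# Names that describe a category rather than a product (Mistake 1).
VAGUE_NAMES = {"email", "cloud", "server", "backup", "laptop", "ehr"}

def check_inventory(systems, endpoints, paths, today_iso):
    """Return (asset_id, finding) pairs for the completeness rules described above."""
    today = date.fromisoformat(today_iso)
    findings = []
    known_ids = {r["id"] for r in systems} | {r["id"] for r in endpoints}
    for s in systems:
        if s["name"].strip().lower() in VAGUE_NAMES:
            findings.append((s["id"], "vague system name; record product, vendor and hosting"))
        if s["hosting"] in ("Cloud", "Hybrid") and s["baa"] != "Yes":
            findings.append((s["id"], "cloud-hosted ePHI system without an executed BAA"))
        if (today - date.fromisoformat(s["last_verified"])).days > 365:
            findings.append((s["id"], "not verified within the last year; row may be stale"))
    for e in endpoints:
        if e["ephi_access"] == "Yes" and e["encryption"] != "Yes":
            findings.append((e["id"], "endpoint with ePHI access is not encrypted"))
    for p in paths:  # every path end must trace back to an inventoried asset
        for end in ("source", "destination"):
            if p[end] not in known_ids:
                findings.append((p["id"], f"{end} {p[end]} is not an inventoried asset"))
    return findings

if __name__ == "__main__":
    for asset_id, finding in check_inventory(SYSTEMS, ENDPOINTS, PATHS, "2026-03-01"):
        print(f"{asset_id}: {finding}")
```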

From inventory to analysis

The ePHI inventory is Step 1 of the risk analysis. With a complete inventory, you can:

  • Define accurate scope
  • Identify specific threats per asset
  • Assess vulnerabilities accurately
  • Rate impacts based on actual ePHI types
  • Prioritize risks based on real exposure

The CoreFolio HIPAA assessment includes guided ePHI inventory capture as the foundation of the risk analysis. The system prompts for each category, flags common omissions, and links inventory items directly to threat and risk assessment. This ensures the scope is complete before the analysis begins.
