The PHI Inventory module helps you maintain a comprehensive register of all systems, applications, and repositories that create, receive, maintain, or transmit protected health information (PHI). This is a foundational requirement for HIPAA compliance under both the Privacy Rule and the Security Rule.
Why Maintain a PHI Inventory?
The Security Rule requires covered entities to conduct a risk analysis of ePHI across their environment (45 CFR 164.308(a)(1)). A complete and accurate PHI inventory is the starting point for:
- Identifying where PHI resides, flows, and is accessible
- Scoping your Security Rule risk analysis
- Applying the minimum necessary standard
- Determining which business associates have access to PHI
- Validating encryption and access control requirements
Adding Systems
To add a system to the PHI inventory:
- Navigate to HIPAA → PHI Inventory
- Click Add System
- Provide the system name, description, and owner
- Select the PHI categories stored or processed
- Indicate the data format (electronic, paper, or both)
- Set the encryption status and method
- Specify access controls and authorised users/roles
- Save the entry
PHI Categories
HIPAA defines 18 types of identifiers that, when combined with health information, constitute PHI. Track which categories each system handles:
| Category | Examples |
|---|---|
| Names | Full name or last name and initial |
| Geographic data | Addresses, including street address, city, county, ZIP code |
| Dates | Birth date, admission date, discharge date, date of death, and all ages over 89 |
| Phone numbers | Telephone and fax numbers |
| Email addresses | Electronic mail addresses |
| SSN | Social Security numbers |
| Medical record numbers | Identifiers assigned by health care providers |
| Health plan beneficiary numbers | Insurance plan member IDs |
| Account numbers | Financial account numbers |
| Certificate/licence numbers | Professional licence or certificate identifiers |
| Vehicle identifiers | Vehicle serial numbers and licence plate numbers |
| Device identifiers | Medical device serial numbers and UDIs |
| Web URLs | Internet URLs associated with the individual |
| IP addresses | Internet Protocol addresses |
| Biometric identifiers | Fingerprints, retinal scans, voiceprints |
| Full-face photographs | Photographic images of the face |
| Other unique identifiers | Any other unique identifying number, characteristic, or code |
Encryption Status
For each system, record the encryption status of PHI at rest and in transit:
- Encrypted at rest — PHI is encrypted when stored (e.g., AES-256, database-level encryption)
- Encrypted in transit — PHI is encrypted during transmission (e.g., TLS 1.2+, VPN)
- Not encrypted — PHI is not encrypted (document the compensating controls or remediation plan)
Encryption is an addressable specification under the Security Rule (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)). If encryption is not implemented, you must document why it is not reasonable and appropriate and what equivalent alternative measure is used.
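The checks a complete inventory entry has to pass (the fields from the Adding Systems steps, the category table, and the addressable-encryption rule above) can be expressed as a small validator. This is an added illustration, not the module's own code; the field names, the `InventoryEntry` record and the sample system are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# The identifier categories listed in the PHI Categories table.
PHI_CATEGORIES = frozenset({
    "Names", "Geographic data", "Dates", "Phone numbers", "Email addresses",
    "SSN", "Medical record numbers", "Health plan beneficiary numbers",
    "Account numbers", "Certificate/licence numbers", "Vehicle identifiers",
    "Device identifiers", "Web URLs", "IP addresses", "Biometric identifiers",
    "Full-face photographs", "Other unique identifiers",
})
DATA_FORMATS = ("electronic", "paper", "both")

@dataclass(frozen=True)
class InventoryEntry:  # field names are assumptions for this example
    system: str
    owner: str
    phi_categories: frozenset
    data_format: str
    encryption_at_rest: Optional[str]     # method, e.g. "AES-256"; None = not encrypted
    encryption_in_transit: Optional[str]  # method, e.g. "TLS 1.2+"; None = not encrypted
    authorised_roles: frozenset
    compensating_controls: str = ""       # required wherever ePHI is left unencrypted

def validate(entry: InventoryEntry) -> list:
    """Return the findings that would block saving the entry (empty when complete)."""
    findings = []
    if not entry.owner.strip():
        findings.append("owner not recorded")
    if entry.phi_categories - PHI_CATEGORIES:
        findings.append(f"unknown PHI categories: {sorted(entry.phi_categories - PHI_CATEGORIES)}")
    if entry.data_format not in DATA_FORMATS:
        findings.append(f"data format must be one of {DATA_FORMATS}")
    if not entry.authorised_roles:
        findings.append("no authorised users/roles recorded")
    # Encryption is addressable: an unencrypted ePHI path needs a documented alternative measure.
    if entry.data_format in ("electronic", "both"):
        for path, method, cite in (("at rest", entry.encryption_at_rest, "164.312(a)(2)(iv)"),
                                   ("in transit", entry.encryption_in_transit, "164.312(e)(2)(ii)")):
            if method is None and not entry.compensating_controls.strip():
                findings.append(f"ePHI not encrypted {path}; no compensating controls documented ({cite})")
    return findings

# Constructed sample: encrypted at rest, but transmitted over an unencrypted channel.
LAB_PORTAL = InventoryEntry(
    system="Lab results portal", owner="Clinical Systems", data_format="electronic",
    phi_categories=frozenset({"Names", "Dates", "Medical record numbers"}),
    encryption_at_rest="AES-256", encryption_in_transit=None, authorised_roles=frozenset({"clinician"}),
)
```

Paper-only systems skip the encryption checks, and an unencrypted electronic path passes only when `compensating_controls` records the reason and the equivalent alternative measure.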
Minimum Necessary Standard
The Privacy Rule's minimum necessary standard (45 CFR 164.502(b)) requires covered entities to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose. Use the PHI Inventory to:
- Document which roles have access to each system
- Identify systems where access exceeds operational needs
- Track remediation actions to restrict unnecessary access
- Support your minimum necessary policies and procedures