HIPAA requires you to know where protected health information lives. Your data inventory is the living record of every physical and digital location where PHI is stored, accessed, or processed.
What to document
Open Data Inventory from the Compliance section in the left sidebar. For each location where PHI exists, record:
- Name — A descriptive label (e.g., "Patient Billing Database", "Filing Cabinet Room 203").
- Location type — Physical or digital.
- Location details — Where it is (server address, office location, cloud service).
- Estimated records — How many patient records are stored there.
- Responsible person — Who owns or manages that data store.
Why it matters
Your data inventory feeds into your compliance score (the Inventory Mapping dimension, 10% weight) and appears in your compliance reports. It also helps Compliance Copilot give better answers about your data landscape — if it knows where your PHI lives, it can give more specific guidance about safeguards.
Inventory attestations
Once your inventory is documented, team members can attest to its accuracy. Attestations are logged with timestamps and become evidence in your compliance reports.