PHI Inventory Step by Step: How to Identify, Map, and Document Protected Health Information
Understanding Protected Health Information
Protected Health Information (PHI) is any individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or its Business Associates that relates to a person’s health, care, or payment. Under the HIPAA Privacy Rule, PHI can exist in any form—electronic (ePHI), paper, or oral.
To decide whether data is PHI, confirm three things: it identifies an individual (directly or indirectly), it pertains to past, present, or future health, care, or payment, and it is handled by a HIPAA-regulated organization. Data outside these conditions (for example, fully de-identified data) is not PHI.
Much of your PHI also falls within a Designated Record Set (DRS): the medical and billing records, and any other records, that you use to make decisions about individuals. The HIPAA right of access applies to PHI in the DRS, so knowing its scope lets you answer access requests precisely. PHI held outside the DRS (for example, quality-improvement extracts or system audit logs) is still PHI and still belongs in the inventory.
Identifying PHI Elements
Apply a quick PHI test
- Who holds it? A Covered Entity or Business Associate.
- What is it about? Health status, care delivered, or payment for care.
- Can it identify someone? Alone or when combined with other data.
Common PHI categories you will find
- Direct identifiers: names, addresses, contact details, Social Security numbers, medical record numbers.
- Quasi-identifiers: dates related to an individual, small-area geography, device and vehicle identifiers, IPs and URLs.
- Clinical content: diagnoses, medications, images, lab results, progress notes, care plans.
- Financial and operational: insurance details, account numbers, claims data, prior authorizations.
- Unstructured sources: scanned forms, photos, voicemails, chat transcripts, faxes, and attachments.
Remember what is not PHI: employment records a Covered Entity holds in its role as an employer, education records covered by FERPA, and data that has undergone valid de-identification under HIPAA. The complete list of Safe Harbor identifiers appears in the “De-identifying PHI” section below.
Mapping PHI Across Systems
Build an end-to-end data flow
- Catalog sources: EHR, practice management, billing, LIS, PACS, telehealth, patient portals, CRM, help desk, email, file shares, collaboration tools, and IoT/medical devices.
- Trace movement: intake and registration, clinical documentation, coding and billing, reporting and analytics, backups and archives, and disclosures to Business Associates.
- Note forms: ePHI, paper, and verbal exchanges; include screenshots, exports, and test data copied into non-production systems.
Record where PHI lives and who touches it
- Storage and locations: on-prem servers, cloud storage, endpoints, removable media, and third-party platforms.
- Access paths: roles, minimum-necessary scoping, API integrations, service accounts, and shared mailboxes.
- Retention and disposition: legal holds, archive tiers, backup cycles, and secure destruction processes.
Validate the map by walking a real patient record through intake to archive. Reconcile the results with contracts and Business Associate Agreements to ensure every data flow has a documented legal pathway.
Documenting PHI Inventory
Use a consistent template for every asset
- Asset/system name and owner, purpose, and business process.
- PHI elements captured (field-level where practical) and whether included in the DRS.
- Data sources and destinations, including all Business Associates and disclosures.
- Storage locations and formats, backup/restore methods, and retention periods.
- User roles, access methods, and authentication requirements.
- Administrative, Technical, and Physical Safeguards in place.
- Risk rating, compensating controls, and last review date.
- Regulatory references (e.g., HIPAA Privacy Rule uses/disclosures) and linked procedures.
Keep the inventory accurate
- Version-control the register and time-stamp each change.
- Require updates at project gates: procurement, integration, go-live, and decommission.
- Spot-check against logs, data exports, and vendor statements of work.
A clear, field-level PHI inventory accelerates patient access requests, breach investigations, and audits, while focusing your safeguard investments where risk is highest.
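The spot-check bullet above is easiest to act on with a small scanner. The following Python is an added example, not code from the original article or from any vendor: it scans a few constructed log lines and export rows for identifier patterns from the categories listed earlier (SSN, MRN, email, phone, dates) and reports a redacted view. The MRN format ("MRN" plus seven digits) and the sample lines are assumptions; substitute your own identifier formats.

```python
import re

# ASSUMPTION: the patterns below are illustrative. The MRN format ("MRN" plus
# seven digits) is invented for this example; replace it with your own
# identifier formats (MRN, account, claim, and beneficiary numbers).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-?\d{7}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    # ISO dates such as a DOB or service date. A bare date is only PHI when it
    # relates to an individual, so a hit is a prompt to look, not a verdict.
    "date": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}


def scan_line(line):
    """Return (kind, start, end) for every identifier-like match, left to right,
    dropping any match that overlaps an earlier one."""
    hits = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(line):
            hits.append((kind, m.start(), m.end()))
    hits.sort(key=lambda h: h[1])
    kept, last_end = [], -1
    for hit in hits:
        if hit[1] >= last_end:
            kept.append(hit)
            last_end = hit[2]
    return kept


def redact(line):
    """Replace each match with a [KIND] placeholder. Report the redacted line,
    never the raw match: a findings report that echoes PHI is itself PHI."""
    for kind, start, end in reversed(scan_line(line)):
        line = line[:start] + f"[{kind.upper()}]" + line[end:]
    return line


def scan_lines(lines):
    """(line_number, kind) for every hit, in file order."""
    return [(n, kind) for n, line in enumerate(lines, 1)
            for kind, _, _ in scan_line(line)]


# Constructed sample log lines (no real patients, numbers, or addresses).
SAMPLE_LOG = [
    "2024-02-01T10:15:02Z INFO  portal login user=jdoe",
    "2024-02-01T10:15:09Z DEBUG claim export patient=MRN-0012345 dob=1956-04-09 payer_ack=ok",
    "2024-02-01T10:16:44Z ERROR fax retry to 617-555-0142 failed (job 8812)",
    "2024-02-01T10:17:01Z WARN  support ticket from jane.example@mail.test re: statement",
]

if __name__ == "__main__":
    for n, kind in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {kind} -> {redact(SAMPLE_LOG[n - 1])}")
```

Run it against a sample of application logs, help-desk exports, and any data copied into non-production systems; a hit in a system that your inventory says holds no PHI is exactly the discrepancy the spot-check is meant to surface. The log timestamps escape the date pattern only because they are glued to a time, so review every date hit against its context rather than trusting the pattern.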
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Implementing Safeguards
Administrative Safeguards
- Assign privacy and security officers; complete and document risk analysis and risk management.
- Adopt minimum-necessary policies, workforce training, sanctions, and contingency plans.
- Manage Business Associates with BAAs, due diligence, and ongoing oversight.
- Establish incident response, breach assessment, and reporting workflows.
Technical Safeguards
- Access controls: unique user IDs, MFA, role-based access, least privilege, and automatic session timeouts.
- Transmission and storage security: encryption in transit (enforced TLS) and at rest, with key management kept separate from the data it protects.
- Integrity and monitoring: audit logs, SIEM alerting, file integrity monitoring, and anomaly detection.
- Endpoint and network protection: patching, EDR, email security, DLP, and network segmentation.
Physical Safeguards
- Facility access controls, visitor management, locks, and surveillance where appropriate.
- Workstation security: privacy screens, auto-lock, and clean-desk practices.
- Device/media controls: secure storage, chain of custody, and documented disposal.
Connect safeguards to specific assets in your PHI inventory. Doing so reveals control gaps at a glance and supports evidence gathering for audits.
Managing PHI Compliance
Operationalize governance
- Maintain policies for uses/disclosures, right of access, amendments, and accounting of disclosures.
- Run periodic HIPAA training tailored to roles and measure completion and effectiveness.
- Schedule internal audits and ongoing monitoring aligned to your risk profile.
Adapt as your environment changes
- Embed privacy and security reviews in change management and vendor onboarding.
- Track state privacy requirements and apply the more stringent standard when needed.
- Use metrics—access turnaround times, incident rates, and remediation cycles—to drive improvements.
Your PHI inventory becomes the backbone of compliance, guiding your Breach Notification assessments, BA oversight, and continuous risk management.
De-identifying PHI
Two HIPAA-approved methods
- Safe Harbor: remove the 18 listed identifiers of the individual and of the individual's relatives, employers, and household members, and have no actual knowledge that the remaining data could identify an individual.
- Expert Determination: a qualified expert documents that the risk of re-identification is very small, given controls.
The Safe Harbor identifiers
- Names.
- Geographic subdivisions smaller than a state (street address, city, county, precinct, full ZIP code), except the first three digits of a ZIP code when the area formed by all ZIP codes sharing those digits contains more than 20,000 people; otherwise those three digits become 000.
- All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates; all ages over 89 and any date elements (including year) that reveal such an age, which may instead be aggregated into a single 90-or-older category.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers.
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Limited Data Sets and research
A Limited Data Set strips the direct identifiers (names, street addresses, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, and the other listed numbers, biometrics, and images) but may keep dates and city, state, and ZIP code. It may be used only for research, public health, or health care operations, and only under a Data Use Agreement. It is not de-identified, so it remains PHI and must be safeguarded accordingly.
PHI de-identification best practices
- Combine removal, generalization, and perturbation (for example, date-shifting, binning ages) to reduce linkage risk.
- For re-linking, prefer a keyed hash (HMAC) or a token vault over a salted hash: a hash of a low-entropy identifier such as an MRN or SSN can be brute-forced by anyone who knows the salt. Keep the key or vault separate from the data with strict access controls, and do not disclose the mechanism alongside the data set.
- Prevent small-cell disclosure in reports; set minimum thresholds and suppress rare combinations.
- Remember: encryption alone does not equal PHI de-identification if a key exists.
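The identifier list and the best practices above translate directly into code. The following Python is an added example written for this article, not code from the original page: it applies the Safe Harbor rules to a constructed patient record (year-only dates, the 90+ age category, ZIP3 generalization with the small-area fallback), replaces the MRN with an HMAC-based token for controlled re-linking, and suppresses small cells in an aggregate count. The key, the small-area ZIP3 set, the reporting threshold, and the sample record are all assumptions; derive the real ZIP3 list from current Census data and load the key from a secret store.

```python
import hashlib
import hmac
import re
from collections import Counter
from datetime import date

# ASSUMPTION: three-digit ZIP prefixes that fail the Safe Harbor population test
# (the prefix is kept only when the area it covers has more than 20,000 people).
# This set is constructed for the example; derive the real list from Census data.
SMALL_ZIP3 = {"036", "059", "102"}

# ASSUMPTION: a secret held apart from the de-identified data (KMS, secret store).
# Hard-coded here only so the example runs offline.
TOKEN_KEY = b"constructed-example-key-do-not-use-in-production"

# Fields that survive de-identification unchanged. Anything not listed is dropped,
# so a new identifier added to the source record cannot leak by default
# (an allowlist, not a blocklist of known identifiers).
KEEP_AS_IS = ("diagnosis", "sex")

AS_OF = date(2024, 1, 15)  # reference date for computing ages


def tokenize(identifier):
    """Keyed hash (HMAC-SHA256) of an identifier. Unlike a plain or salted hash of
    an MRN, the token cannot be reproduced by anyone who lacks TOKEN_KEY, while the
    key holder can still re-link records when a legitimate need arises."""
    return hmac.new(TOKEN_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def zip3(zip_code):
    """First three digits of a ZIP, or '000' when that prefix covers a small area."""
    digits = re.sub(r"\D", "", zip_code)
    prefix = digits[:3]
    return "000" if len(prefix) < 3 or prefix in SMALL_ZIP3 else prefix


def age_band(dob, as_of):
    """Age in whole years; anything over 89 collapses into the single '90+' category."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def safe_harbor(record, as_of):
    """Return a new record containing only Safe Harbor-compliant fields."""
    out = {k: record[k] for k in KEEP_AS_IS if k in record}
    out["patient_token"] = tokenize(record["mrn"])
    out["age"] = age_band(record["dob"], as_of)
    out["zip3"] = zip3(record["zip"])
    # Dates related to the individual keep only the year.
    for field in ("admit_date", "discharge_date"):
        if field in record:
            out[field.replace("_date", "_year")] = str(record[field].year)
    return out


def count_table(rows, keys, min_cell=11):
    """Aggregate rows by `keys`. ASSUMPTION: min_cell=11 is a common reporting
    threshold, not a HIPAA figure; cells below it come back as None (suppressed)."""
    counts = Counter(tuple(row[k] for k in keys) for row in rows)
    return {cell: (n if n >= min_cell else None) for cell, n in counts.items()}


# Constructed sample record; no real patient.
SAMPLE = {
    "mrn": "MRN-0012345",
    "name": "Jane Example",
    "dob": date(1930, 5, 17),
    "admit_date": date(2023, 3, 2),
    "zip": "03601-1234",
    "phone": "617-555-0142",
    "email": "jane.example@mail.test",
    "sex": "F",
    "diagnosis": "E11.9",
}


def deidentify_sample():
    return safe_harbor(SAMPLE, AS_OF)


if __name__ == "__main__":
    print(deidentify_sample())
```

Two design points matter more than the individual rules. First, the output is built from an allowlist, so a field nobody thought to strip (a new "guarantor_phone" column, say) is dropped rather than passed through. Second, suppressing one small cell is not enough on its own: if row and column totals are also published, a suppressed cell can be recovered by subtraction, so apply complementary suppression or publish only the cells, not the margins.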
Conclusion
A durable PHI inventory starts with clear definitions, precise identification of data elements, and a faithful map of systems and flows. Document each asset, align the right Administrative, Technical, and Physical Safeguards, and run compliance as an ongoing program. When sharing data, use rigorous PHI de-identification methods to minimize risk while preserving utility.
FAQs
What is protected health information?
Protected health information is individually identifiable health information handled by a Covered Entity or Business Associate that relates to a person’s health, care, or payment. It includes identifiers and clinical or billing details in any medium and is governed by the HIPAA Privacy Rule.
How do you identify PHI in records?
Ask three questions: does the data identify someone, does it concern health, care, or payment, and is it held by a HIPAA-regulated organization? If yes to all, it is PHI. Look for both structured fields and unstructured content such as notes, images, and attachments.
What are the steps to create a PHI inventory?
Define your scope and DRS, list all systems and vendors, map each data flow end-to-end, record locations and access, document PHI elements and safeguards per asset, rate risks, and establish review triggers. Maintain versioned updates through change management and vendor lifecycle events.
How is PHI de-identified?
Use HIPAA’s Safe Harbor by removing specified identifiers with no actual knowledge of re-identification risk, or apply Expert Determination where a qualified expert documents a very small risk. Complement with practical controls like tokenization, date-shifting, and small-cell suppression.