Where Is Your ePHI? A Practical Guide to Asset Inventories and Network Maps

A Simple Question That’s Surprisingly Hard to Answer

Ask the average small practice a simple question — “Where, exactly, does your patient health information live?” — and the first answer is usually “in the EHR.” That answer is correct, but it is dangerously incomplete. ePHI almost never lives in just one place. It scatters across systems in ways that accumulate quietly over years, and most clinics significantly underestimate how many systems actually touch it.

This matters because you cannot protect what you have not identified. A security control applied only to the EHR leaves every other repository of ePHI exposed. And it matters for compliance: the current HIPAA Security Rule requires a risk analysis that necessarily depends on knowing where ePHI resides, and the HHS/OCR proposed updates published in early 2025 would make asset inventories and network maps explicit expected controls. Knowing where your ePHI lives is foundational to everything else.

This is one of the highest-value things a managed service provider does for a healthcare client, precisely because the answer is almost always more sprawling than the practice assumed.

The Many Places ePHI Actually Lives

When you trace ePHI honestly through a typical practice, it shows up in far more places than expected:

  • The EHR — the obvious one, but only the beginning.
  • Email — appointment details, attachments from referrals, scanned documents, conversations about patients. Years of ePHI can accumulate in mailboxes.
  • The billing and practice management system — often separate from the EHR, holding claims and patient data.
  • Imaging systems — digital X-ray, ultrasound, and other modalities that store images tied to patient identities.
  • Lab interfaces and results — data flowing in from outside labs and stored locally.
  • Backups — every backup contains a copy of whatever ePHI existed at the time, sometimes in places the live system no longer does.
  • Cloud storage — the shared drive or cloud folder where someone saved a spreadsheet of patients, a scanned form, or an export.
  • Local workstations and laptops — downloaded reports, saved attachments, exported files sitting in Downloads folders.
  • Mobile devices — phones and tablets with email access or clinical apps.
  • Networked printers and copiers — which cache documents, including PHI, in internal storage.
  • Vendor and payer portals — external systems that hold or transmit your patients’ data.

“The dangerous ePHI is rarely the data in the EHR — that’s the part everyone remembers to protect. The dangerous data is the export sitting in a Downloads folder, the spreadsheet on a shared drive, the years of attachments in an old mailbox. You can’t protect what you haven’t found.”

Building an Asset Inventory

An asset inventory is a current, documented list of the systems and devices in your environment, with enough detail to manage their risk. For a healthcare practice, a useful inventory captures, for each asset:

  • What it is — device or system type, name, and location.
  • What it runs — operating system and key software, with versions, so you can tell what is supported and patchable.
  • Who owns it — who is responsible for maintaining it.
  • Whether it touches ePHI — and if so, how (stores it, processes it, transmits it).
  • How it’s protected — encryption status, whether it has MFA, whether it’s monitored.

The inventory is not a one-time document. Devices come and go: a new workstation arrives, an old server is decommissioned, a laptop is lost, a new cloud service is adopted. An inventory that was accurate a year ago is probably wrong today. The discipline is to keep it current — ideally through tooling that discovers and tracks assets automatically, supplemented by a process for adding new systems as they’re introduced.
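As an added illustration (not the article's or the MSP's own tooling), the record below carries the five fields listed above and runs the checks a risk analysis would want over them; the `last_verified` field, the 90-day review window and the sample assets are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Record shape built from the fields the article lists (what it is, what it runs,
# who owns it, whether it touches ePHI, how it is protected). The last_verified
# field and the 90-day review window are assumptions made for this example.
@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # workstation, server, cloud service, printer, ...
    location: str
    software: str        # OS / key software with version
    owner: str
    ephi: frozenset      # subset of {"stores", "processes", "transmits"}
    encrypted: bool
    mfa: bool
    monitored: bool
    last_verified: date
REVIEW_WINDOW = timedelta(days=90)

def inventory_findings(assets, today):
    """Gaps a risk analysis would flag: unprotected ePHI, unowned or stale records."""
    findings = []
    for a in assets:
        if a.ephi:  # protection checks only matter where ePHI is present
            for ok, gap in ((a.encrypted, "not encrypted"), (a.mfa, "no MFA"),
                            (a.monitored, "not monitored")):
                if not ok:
                    findings.append((a.name, f"touches ePHI but {gap}"))
        if not a.owner:
            findings.append((a.name, "no owner assigned"))
        age = (today - a.last_verified).days
        if age > REVIEW_WINDOW.days:
            findings.append((a.name, f"record not verified for {age} days"))
    return findings

def ephi_footprint(assets):
    """(assets touching ePHI, total assets): the 'more than just the EHR' number."""
    return sum(1 for a in assets if a.ephi), len(assets)

# Constructed sample inventory for a small practice; not real data.
TODAY = date(2025, 6, 1)
S, P, T = "stores", "processes", "transmits"
INVENTORY = [
    Asset("EHR server", "server", "server closet", "Windows Server 2022 / EHR 9.4", "MSP", frozenset({S, P, T}), True, True, True, date(2025, 5, 20)),
    Asset("Shared drive", "cloud service", "vendor cloud", "SaaS file share", "office manager", frozenset({S}), True, False, False, date(2025, 5, 20)),
    Asset("Front-desk copier", "printer", "front desk", "vendor firmware 3.1", "", frozenset({S, P}), False, False, False, date(2025, 5, 20)),
    Asset("Dr. A laptop", "laptop", "mobile", "Windows 11 23H2", "Dr. A", frozenset({S}), True, True, True, date(2024, 11, 1)),
    Asset("Guest Wi-Fi AP", "network", "waiting room", "vendor firmware 2.0", "MSP", frozenset(), False, False, True, date(2025, 5, 20)),
]
```

Run against this sample, four of the five assets touch ePHI, and the copier and the shared drive, not the EHR, produce the findings.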

Building a Network Map

If the asset inventory answers “what do we have,” the network map answers “how is it connected and how does ePHI flow.” A network map documents your network’s structure — the segments, the connections between them, the path from the internet to your internal systems, and the routes that ePHI travels.

A good network map reveals things a list cannot. It shows that the guest Wi-Fi can reach the clinical network when it shouldn’t. It shows that the imaging server has an unexpected path to the internet. It shows where data crosses between segments and where the boundaries are. For a small practice, the map does not need to be elaborate — it needs to be accurate and current, showing the real topology rather than the idealized version someone drew years ago.

The network map and the asset inventory work together. The inventory tells you what exists; the map tells you how it connects and where the data goes. Together they make a real risk analysis possible, because you can finally see the whole environment instead of guessing at it.
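The two map findings named above (guest Wi-Fi reaching the clinical network, an imaging segment with a path to the internet) can be checked mechanically once the map is written down as data. This is an added example, not the article's own; the segment names, permitted links and policy lists are constructed for it.

```python
from collections import deque

# Constructed map of a small practice network: each segment lists the segments
# it is permitted to send traffic to. Segment names and links are assumptions.
LINKS = {
    "internet":      [],                           # nothing inbound is permitted
    "guest Wi-Fi":   ["internet", "office LAN"],   # misconfiguration: guest bridged to office
    "office LAN":    ["internet", "clinical VLAN", "imaging VLAN"],
    "clinical VLAN": ["office LAN", "imaging VLAN"],
    "imaging VLAN":  ["clinical VLAN", "office LAN"],
}

# Paths the practice's policy says must not exist, and ePHI flows that must.
FORBIDDEN = [("guest Wi-Fi", "clinical VLAN"), ("imaging VLAN", "internet")]
REQUIRED = [("clinical VLAN", "imaging VLAN")]

def find_path(links, src, dst):
    """Breadth-first search over segments; returns the path src..dst or None.

    Multi-hop paths count: a segment that can reach an intermediate segment
    can reach everything that segment can reach.
    """
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in links.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def check_map(links, forbidden, required):
    """Violations: forbidden paths that exist, required ePHI flows that do not."""
    violations = []
    for src, dst in forbidden:
        path = find_path(links, src, dst)
        if path:
            violations.append(f"{src} can reach {dst} via {' -> '.join(path)}")
    for src, dst in required:
        if find_path(links, src, dst) is None:
            violations.append(f"required ePHI flow {src} -> {dst} has no path")
    return violations

if __name__ == "__main__":
    for v in check_map(LINKS, FORBIDDEN, REQUIRED):
        print(v)
```

Re-running the check after each topology change is what keeps the map describing the real network rather than the idealized drawing.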

Why Practices Underestimate Their ePHI Footprint

The sprawl happens for understandable reasons. ePHI accumulates through ordinary work: a staff member exports a report to verify something and never deletes it; a provider saves an attachment locally to read later; a new cloud tool gets adopted to solve a problem, and patient data flows into it without anyone formally deciding it should. None of these are malicious — they are the natural byproduct of a busy practice getting work done. But each one creates a new place where ePHI lives, often without any deliberate decision and without the protections applied to the EHR.

This is exactly why the inventory and map have to be the product of genuine discovery rather than memory. Asking people where the data lives produces the EHR-only answer. Examining the environment produces the real, sprawling truth.

A Practical Approach for a Small Practice

  1. Run genuine technical discovery to find every device, system, and cloud service — by inspection, not from a list someone remembers.
  2. Trace ePHI through all of it, flagging every place it is stored, processed, or transmitted.
  3. Document the asset inventory with the key details for each asset, and keep it current.
  4. Draw an accurate network map showing segments, connections, and data flows.
  5. Use both to drive your risk analysis — now you’re assessing the whole environment, not a fraction of it.
  6. Keep them living — update when systems change, ideally with automated discovery tooling.

The Byzantine Takeaway

“Where is your ePHI?” is a deceptively hard question, and the honest answer is almost always “in more places than you think.” A current asset inventory tells you what systems you have and which ones touch ePHI; a network map shows how everything connects and where the data flows. Together they are the foundation of a real risk analysis and an expected control under the proposed HIPAA Security Rule. Most clinics underestimate their ePHI footprint because the data sprawls through ordinary daily work. The fix is genuine discovery, documented honestly and kept current — and it is one of the most valuable things you can do to protect both your patients and your practice.