Asset inventory & data map
Build the inventory of every system that touches patient data, and map how that data flows. This becomes a requirement under the proposed 2026 rule — and it drives the “Asset inventory & network/data map” mandate on the readiness meter.
1. Why this matters (2026 mandate G6)
The proposed 2026 HIPAA Security Rule (45 CFR 164.308(a)(7)(ii)(E)) makes it mandatory to keep a documented inventory of every system that creates, receives, maintains, or transmits ePHI, plus a map of how data flows between them. You can’t protect what you don’t know you have — this inventory is the foundation of the whole Security Rule.
The inventory you build here directly drives the “Asset inventory & network/data map” mandate (G6) on the 2026 Readiness tab, and it’s included in your audit binder as 08-asset-inventory.md.
2. Adding an asset
- Open the Asset Inventory tab.
- Click “+ Add asset.” A new row appears in the table.
- Fill in each field (see section 3). Changes save automatically.
- Repeat for every system. Click the ✕ at the end of a row to remove it.
At the top, a stats strip shows Assets inventoried, ePHI assets, and ePHI assets unencrypted so you can see coverage at a glance.
3. The fields explained
| Field | What to put |
|---|---|
| Asset / system | A name you’ll recognize — “EHR server,” “Front-desk PC,” “Dr. Lee’s laptop,” “AWS S3 backups.” |
| Type | Pick from the dropdown (see section 4). |
| Location | Where it physically or logically lives — “Front office,” “Server closet,” “AWS us-east-1,” a vendor name. |
| Holds ePHI | Yes or No. Does this system store, process, or transmit patient data? |
| Encrypted | Yes, No, or N/A. Is the ePHI on it encrypted (e.g. full-disk encryption, encrypted storage)? |
| Data flow / notes | Where this asset sends/receives ePHI — e.g. “Sends ePHI → clearinghouse,” “Receives lab results from LIS.” This is your data map. |
4. Asset types
The Type dropdown offers: Server, Workstation, Laptop, Mobile device, Cloud service / SaaS, Network device, Medical device, Backup / storage, and Other. Choosing a type helps you spot blind spots (e.g. “we listed no medical devices — do our connected devices touch ePHI?”).
5. Mapping data flows
The Data flow / notes field is how Ward captures the “network/data map” part of the 2026 requirement without forcing a drawing tool. For each asset, describe what it talks to and which direction ePHI moves. Read top-to-bottom, your rows form a written data map: where patient data is created, where it’s stored, and everywhere it travels (EHR → clearinghouse → payer; lab → EHR; backup → cloud).
6. The “unencrypted ePHI” warning
Encryption everywhere is the highest-severity 2026 mandate (G1). So whenever an asset is marked Holds ePHI = Yes but Encrypted ≠ Yes, Ward:
- Counts it in the “ePHI assets unencrypted” stat at the top.
- Shows a red callout: “N asset(s) hold ePHI but aren’t encrypted.”
Each of those is either something to encrypt or something where you must document a narrow, risk-justified exception. This is one of the fastest, highest-impact things you can fix before 2026.
7. Exporting the inventory
Click “⬇ Export asset inventory (CSV)” to download the table as a spreadsheet. The inventory is also rendered as Markdown (08-asset-inventory.md) inside the audit binder ZIP, and included when you export your assessment as JSON.
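The section 6 rule and the completeness checks from sections 4 and 5, run over an exported inventory. This is an added example, not Ward's own code. The CSV column headers are assumed to match the field names in section 3, the sample rows are constructed, and `audit_inventory` is a hypothetical helper name.

```python
import csv
import io

# Type dropdown values listed in section 4 of this page.
ASSET_TYPES = ["Server", "Workstation", "Laptop", "Mobile device",
               "Cloud service / SaaS", "Network device", "Medical device",
               "Backup / storage", "Other"]

# Constructed sample export. The column headers are an assumption: they reuse
# the field names from section 3, and the real CSV may label them differently.
SAMPLE_CSV = """Asset / system,Type,Location,Holds ePHI,Encrypted,Data flow / notes
EHR server,Server,Server closet,Yes,Yes,Sends ePHI -> clearinghouse
Front-desk PC,Workstation,Front office,Yes,No,Reads/writes EHR
Dr. Lee's laptop,Laptop,Off-site,Yes,N/A,
AWS S3 backups,Backup / storage,AWS us-east-1,Yes,Yes,Receives backups from EHR server
Lobby printer,Other,Front office,No,N/A,
"""


def _is_yes(value):
    return (value or "").strip().lower() == "yes"


def audit_inventory(csv_text):
    """Apply the section 6 rule and two completeness checks to an export."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    ephi = [r for r in rows if _is_yes(r.get("Holds ePHI"))]
    # Section 6: Holds ePHI = Yes and Encrypted != Yes. "No", "N/A" and a
    # blank cell all count, because only an explicit "Yes" clears the asset.
    unencrypted = [r["Asset / system"] for r in ephi
                   if not _is_yes(r.get("Encrypted"))]
    # Section 5: an ePHI asset with no flow note leaves a hole in the data map.
    unmapped = [r["Asset / system"] for r in ephi
                if not (r.get("Data flow / notes") or "").strip()]
    # Section 4: types with no rows at all are possible blind spots.
    seen = {(r.get("Type") or "").strip() for r in rows}
    missing_types = [t for t in ASSET_TYPES if t not in seen and t != "Other"]
    return {"assets": len(rows), "ephi_assets": len(ephi),
            "unencrypted_ephi": unencrypted, "unmapped_ephi": unmapped,
            "missing_types": missing_types}


if __name__ == "__main__":
    for key, value in audit_inventory(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```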
8. Tips for a complete inventory
- Start with the obvious: your EHR server, every workstation and laptop, phones/tablets used for work, and cloud services holding patient data.
- Don’t forget: backup drives, the practice-management/billing system, scanners/copiers that store images, connected medical devices, and any vendor portal where ePHI lives.
- Keep it current. Add new devices when you buy them and remove ones you retire (and confirm the retired media was wiped — see the Facility & Device/Media policy template).
- Match it to your vendors. Every cloud/SaaS asset that holds ePHI should also appear in the Vendors / BAAs tab with a signed BAA.