You can’t safeguard what you can’t find
Do you know where all the personal health information (PHI) in your practice resides?
When you collect PHI, you are responsible for ensuring the security, privacy, and confidentiality of that information. The first step is knowing where the PHI resides.
A data inventory is a foundational privacy and security tool. It is a detailed list of all the PHI that you collect, what data is included, where it is kept, and who has access to it.
A well-maintained data inventory supports informed decisions about budgeting, risk analysis, and incident response. If you don’t have a data inventory yet, use these tips to help you prepare one now. An annual review is an expected reasonable safeguard to protect PHI and stay compliant.
Why custodians need a complete picture of PHI locations
When a healthcare provider collects PHI, they take on an explicit responsibility to the individual who shared their information. Patients trust you with their sensitive data—and you must demonstrate that you will respect and protect it.
Reasonable safeguards are not just good practice—they are mandated by professional standards and provincial privacy legislation such as Alberta’s Health Information Act (HIA) and Ontario’s Personal Health Information Protection Act (PHIPA).
The healthcare provider (sometimes called a custodian) is ultimately responsible for the safekeeping of PHI. Their privacy officer is often responsible for ensuring that privacy and security documentation is up to date and communicated throughout the organization.
PHI doesn’t only exist in your EMR. It lives in many places, such as:
- Electronic Medical Records (EMRs)
- Billing systems
- Email inboxes
- Paper records
- Third-party apps (e.g., transcription, booking tools)
- Staff smartphones (e.g., texts, voicemails, photos)
Remember: If you don’t know where it is, you can’t protect it—and you certainly can’t include it in your breach response plan.
Your data inventory: The “no data left behind” checklist
A data inventory doesn’t have to be complicated. Include members of your care team and admin support as you build this list. Start with this simple framework:
A. Identify all systems and locations
List all the places where PHI is stored, whether short-term or long-term. For example:
- EMR or practice management system
- Billing submissions (e.g., provincial insurance, private insurance, patient payments)
- Medical devices (e.g., ECG machines, dental imaging)
- Scanners, fax machines, copiers
- Email systems
- Cloud storage (e.g., Google Drive, Dropbox)
- Staff’s personal devices (if BYOD)
- Third-party service providers
- Archived/off-site backups
- Paper charts and historical records
B. Track who has access
For each location, identify who has access:
- Internal staff (by role or function)
- IT support
- Contracted vendors (e.g., EMR vendors, managed service providers, billing services, transcriptionists)
- Consultants
- Software integrations
C. Review what kind of data is stored
Be detailed and include data elements for each category:
- Demographic data
- Clinical notes
- Referrals
- Lab results, diagnostic images
- Billing or insurance information
- Communication records (e.g., emails, messages, voicemails)
D. Record how long you need to keep it
Know your legal and professional patient records retention requirements:
- Generally: 10 years past the last contact, or 10 years after the patient reaches the age of majority.
- Be cautious: deleting data too soon or holding on to it too long can both carry risk.
Annual inventory review: Contracts and data access change
Things change—vendors go out of business, new platforms are introduced, and team members come and go. That’s why an annual review is essential.
Use this opportunity to:
- Update your list of active software and service providers
- Review and confirm that vendor contracts include proper privacy safeguards (e.g., Information Management Agreements)
- Remove access from former employees and terminated accounts
- Re-assess your data flow maps and user permissions
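To make the four-step framework above (A: locations, B: access, C: data elements, D: retention) and the annual review checklist concrete, here is a small worked example in Python. It is an added illustration, not a tool from the article or from Jean L. Eaton’s practice, and the clinic, accounts, and vendor names in it are made up. It also assumes an age of majority of 18 and a 12-month review window, both of which you should replace with the values that apply in your province and your policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumptions for this example (not from the article): the age of majority is
# taken as 18, which varies by province, and a row counts as "reviewed" only if
# it was confirmed within the last 365 days.
AGE_OF_MAJORITY = 18
RETENTION_YEARS = 10        # the "10 years past the last contact" rule from the article
REVIEW_WINDOW_DAYS = 365


@dataclass
class InventoryEntry:
    """One row of the data inventory, following steps A to D of the framework."""
    location: str                          # A. system or place where PHI is kept
    data_elements: List[str]               # C. which kinds of PHI are stored there
    access: Dict[str, List[str]]           # B. role -> accounts or people with access
    third_party: bool = False              # B. held by a contracted vendor or cloud provider
    agreement_on_file: bool = False        # e.g. a signed Information Management Agreement
    last_reviewed: Optional[date] = None   # when this row was last confirmed


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 Feb start steps back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(last_contact: date, date_of_birth: date) -> date:
    """D. Earliest disposal date: ten years after the last contact, or ten years
    after the patient reaches the age of majority, whichever is later."""
    after_contact = add_years(last_contact, RETENTION_YEARS)
    after_majority = add_years(add_years(date_of_birth, AGE_OF_MAJORITY), RETENTION_YEARS)
    return max(after_contact, after_majority)


def annual_review(inventory: List[InventoryEntry], departed_accounts: Set[str],
                  today: date) -> List[Tuple[str, str]]:
    """Return (location, finding) pairs for the gaps the annual review looks for:
    rows with no access list, third parties without an agreement, former staff
    who still have access, and rows nobody has confirmed within the window."""
    findings: List[Tuple[str, str]] = []
    for entry in inventory:
        if not entry.access:
            findings.append((entry.location, "NO_ACCESS_LIST"))
        if entry.third_party and not entry.agreement_on_file:
            findings.append((entry.location, "NO_AGREEMENT"))
        for accounts in entry.access.values():
            for account in accounts:
                if account in departed_accounts:
                    findings.append((entry.location, f"FORMER_STAFF_ACCESS:{account}"))
        if entry.last_reviewed is None or (today - entry.last_reviewed).days > REVIEW_WINDOW_DAYS:
            findings.append((entry.location, "REVIEW_OVERDUE"))
    return findings


def sample_inventory() -> List[InventoryEntry]:
    """Constructed sample rows for a small clinic; every name and account is made up."""
    return [
        InventoryEntry("EMR", ["demographics", "clinical notes", "lab results"],
                       {"physician": ["dr.lee"], "reception": ["m.chan", "a.singh"]},
                       last_reviewed=date(2024, 2, 1)),
        InventoryEntry("Cloud storage (shared drive)", ["referrals", "diagnostic images"],
                       {"admin": ["a.singh"]}, third_party=True, agreement_on_file=False),
        InventoryEntry("Transcription vendor", ["clinical notes"],
                       {"vendor": ["transcribe-co"]}, third_party=True, agreement_on_file=True,
                       last_reviewed=date(2024, 9, 1)),
    ]


if __name__ == "__main__":
    # Constructed scenario: m.chan left the clinic and the review runs on 15 Jan 2025.
    for location, finding in annual_review(sample_inventory(), {"m.chan"}, date(2025, 1, 15)):
        print(f"{location}: {finding}")
    print("earliest disposal:", retention_end(date(2020, 3, 15), date(2010, 6, 1)))
```

The review function deliberately reports findings rather than fixing anything: removing a former employee’s account or chasing a vendor for a signed agreement is a decision for the custodian or privacy officer, and a written list of what was found and when is the evidence a PIA or breach investigation will later ask for.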
A current, complete inventory is also essential for PIAs (Privacy Impact Assessments), risk assessments, and effective breach response.
Bonus tip: Get your team involved
Your staff may know about data sources you’ve forgotten—like a temporary tool used during vacation coverage or a shared spreadsheet with legacy data.
Include your team in the conversation:
- Host a “Where is our data?” lunch-and-learn or team meeting
- Use privacy awareness week as a trigger to review and update your inventory
- Encourage a culture of shared responsibility for PHI protection
It’s time to create your data inventory
You can’t safeguard what you can’t see. Now is the perfect time to create—or update—your clinic’s data inventory.
Need help getting started? Join our Practice Management Success Membership for templates, training, and step-by-step guidance. You’ll gain access to practical tools that support your privacy compliance every day.
When we know better, we can do better…
Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information.
I’m Jean L. Eaton, your Practical Privacy Coach and Practice Management Mentor. I help healthcare providers and clinic managers implement privacy best practices, like pulling together the right forms and paperwork to use with their employees and patients and implementing privacy best practices.
Whether it’s improving privacy workflow, understanding the impact of breaches, working with privacy legislation, privacy impact assessment (PIA) consultation or mentoring privacy practices among staff, I make privacy in healthcare simple and straightforward.
I have found that when healthcare providers and clinic managers have a practice management mentor to help them stay on track,
- your privacy management program operates smoothly every month
- you avoid nasty privacy and security incidents
- your business operates more efficiently
When you focus on proper privacy and security practices, compliance falls into place. Compliance is there to prove your privacy and security program. It’s not just a bunch of paperwork.
If you would like to discuss how I can help your practice, just send me an email. I am here to help you.
Jean L. Eaton, BA Admin (Healthcare), CHIM
The views expressed in this article are the author’s alone and do not necessarily represent those of CharityVillage.com or any other individual or entity with whom the authors or website may be affiliated. CharityVillage.com is not liable for any content that may be considered offensive, inappropriate, defamatory, or inaccurate or in breach of third-party rights of privacy, copyright, or trademark.