Knowing where PHI lives and how it moves is the foundation of a defensible risk analysis. The Data Flow Map keeps two linked inventories: the systems that hold PHI, and the flows that move it between them.
Data Flow Map is a Professional plan feature.
An asset is a system or platform — an EHR, billing system, imaging, lab, messaging, storage, device, or cloud service. Each records its type, a data classification (PHI, de-identified, administrative, public), the PHI types it holds (name, DOB, SSN, MRN, diagnosis, and so on), an optional custodian and location, and a retention period.
A flow documents PHI moving from one place to another. Give it a label, a source and destination (pick from your assets or type a free-text endpoint), and a flow type (internal, external, third party, cloud, API, or manual). Flags record whether PHI is transmitted and whether it's encrypted in transit and at rest — the list highlights unencrypted PHI flows so you can see exposure at a glance.
Org admins add and edit assets and flows. Everyone else views them read-only. There are no due dates or recurrence here — the map is a living inventory you update as systems change.