OnlyHIPAA

Data Flow Map

Knowing where PHI lives and how it moves is the foundation of a defensible risk analysis. The Data Flow Map keeps two linked inventories: the systems that hold PHI, and the flows that move it between them.

Data Flow Map is a Professional plan feature.

PHI assets

An asset is a system or platform — an EHR, billing system, imaging, lab, messaging, storage, device, or cloud service. Each records its type, a data classification (PHI, de-identified, administrative, public), the PHI types it holds (name, DOB, SSN, MRN, diagnosis, and so on), an optional custodian and location, and a retention period.

Data flows

A flow documents PHI moving from one place to another. Give it a label, a source and destination (pick from your assets or type a free-text endpoint), and a flow type (internal, external, third party, cloud, API, or manual). Flags record whether PHI is transmitted and whether it's encrypted in transit and at rest — the list highlights unencrypted PHI flows so you can see exposure at a glance.
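
The unencrypted-PHI highlight described above, modeled as a small stand-alone script. This is an added example, not OnlyHIPAA's code, schema or API: the class, field and function names, the choice to read PHI types from the source asset, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:  # hypothetical model of an asset record
    name: str
    asset_type: str
    classification: str  # PHI, de-identified, administrative, public
    phi_types: list = field(default_factory=list)

@dataclass
class Flow:  # hypothetical model of a flow record
    label: str
    source: str        # asset name or free-text endpoint
    destination: str   # asset name or free-text endpoint
    flow_type: str     # internal, external, third party, cloud, API, manual
    phi_transmitted: bool
    encrypted_in_transit: bool
    encrypted_at_rest: bool

def unencrypted_phi_flows(assets, flows):
    """Return one finding per PHI flow that lacks an encryption flag."""
    by_name = {a.name: a for a in assets}
    findings = []
    for f in flows:
        gaps = [where for where, ok in (("in transit", f.encrypted_in_transit),
                                        ("at rest", f.encrypted_at_rest)) if not ok]
        if not f.phi_transmitted or not gaps:
            continue  # no PHI on this flow, or both flags are set
        src = by_name.get(f.source)  # None when the source is free text
        findings.append({
            "flow": f.label,
            "gaps": gaps,
            "phi_types": sorted(src.phi_types) if src else [],
            # endpoints typed as free text have no asset record behind them
            "free_text_endpoints": [e for e in (f.source, f.destination) if e not in by_name],
        })
    return findings

# Constructed sample inventory, not real data
ASSETS = [Asset("EHR", "EHR", "PHI", ["name", "DOB", "MRN", "diagnosis"]),
          Asset("Billing", "billing system", "PHI", ["name", "SSN"])]
FLOWS = [Flow("Claims export", "EHR", "Billing", "internal", True, True, True),
         Flow("Lab results fax", "EHR", "Outside lab fax line", "manual", True, False, True),
         Flow("Usage stats", "Billing", "Analytics vendor", "third party", False, False, False)]

if __name__ == "__main__":
    for finding in unencrypted_phi_flows(ASSETS, FLOWS):
        print(finding)
```

Free-text endpoints are reported separately because they have no asset record, so their classification and PHI types cannot be looked up.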

Who can do what

Org admins add and edit assets and flows. Everyone else views them read-only. There are no due dates or recurrence here — the map is a living inventory you update as systems change.

© 2026 OnlyHIPAA, Inc. All rights reserved.
