Most HIPAA risk analyses fail at step one — not because the team lacks effort, but because they never wrote down what they were supposed to be protecting.
You cannot assess risk to systems you have not enumerated. Yet a surprising number of healthcare organizations run a "risk assessment" that jumps straight to policies and questionnaires without ever building a defensible inventory of the assets and devices that create, receive, maintain, or transmit electronic protected health information (ePHI). That gap is exactly what OCR investigators tend to find first.
The regulatory throughline
The HIPAA Security Rule requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. "Accurate and thorough" is doing a lot of work in that sentence. You cannot be thorough about risk to a laptop, an infusion pump, a cloud bucket, or a personal phone syncing email if that thing is not on a list somewhere.
The proposed 2026 updates to the Security Rule — still a Notice of Proposed Rulemaking as of mid-2026, not a final rule — lean into this hard, contemplating an explicit written inventory of technology assets and a network map showing how ePHI moves through them. Whether or not the rule is finalized in its current form, the direction of travel is clear: inventory first, assess second.
What belongs in the inventory
An asset and device inventory for HIPAA purposes is broader than the IT asset list most organizations already have. It should capture:
- Endpoints — workstations, laptops, tablets, and any personal (BYOD) devices with access to ePHI.
- Medical and IoT devices — anything networked that touches patient data, including the ones no one thinks of as "computers."
- Servers and storage, on-prem and cloud, including SaaS applications and the vendors behind them.
- Data flows — where ePHI originates, where it travels, and where it comes to rest.
For each asset, you want to know who owns it, what ePHI it touches, what safeguards protect it, and — for anything vendor-hosted — whether a Business Associate Agreement is in place.
Why engineers specifically should care
If you build or run healthcare software, the inventory is where your architecture meets your compliance obligation. Shadow infrastructure, forgotten staging environments with real data, an S3 bucket spun up for a one-off migration — these are the assets that never make it onto the list and become the breach nobody saw coming. Treating the inventory as a living artifact, versioned and reviewed like code, is the difference between a paper exercise and a real control.
From inventory to risk analysis
Once the inventory exists, the risk analysis becomes tractable: for each asset and data flow, identify threats and vulnerabilities, evaluate likelihood and impact, and document the safeguards that reduce residual risk. That is the workflow Medcurity's guided HIPAA risk assessment is built around, and it is why the best HIPAA SRA software starts you with structured asset capture rather than a blank questionnaire. Medcurity's Security Risk Analysis is $499/yr.
The takeaway is simple. If your risk analysis does not begin with a complete, current inventory of assets and devices, it is not accurate and thorough — it is a guess. Start with the list.
Building an AI-ready, inventory-first HIPAA program? Talk to Medcurity.
Top comments (0)