It is a documented analysis of where your electronic patient data lives and what threatens it, and yes, HIPAA requires one, and regulators ask for it first after any incident. Our HIPAA compliance services make it a routine exercise rather than a scramble.