An OCR investigation does not start at the breach. It starts at the data request. The first thing the investigator asks for is your asset inventory.
For readers who have not been through one: when the Office for Civil Rights opens an investigation under its Risk Analysis Initiative, the first document request is the most recent HIPAA risk analysis, the asset inventory the analysis was based on, and the methodology for keeping that inventory current. The resolution agreements published since 2024 read like a critique of the inventory more often than a critique of the analysis itself. The investigator is looking for one of two things: an inventory that holds up to inspection, or evidence that the methodology to keep it current was real and not aspirational. We supply both.
What an OCR document request typically asks for.
The most recent §164.308(a)(1)(ii)(A) risk analysis.
That HIPAA section requires "an accurate and thorough" risk analysis. The investigator looks at the date the analysis was performed, the methodology used, and the scope statement. The scope statement is where failures hide: a scope of "the corporate Active Directory" does not cover ePHI broadly.
The asset inventory the analysis was based on.
The investigator compares the asset count in the inventory against publicly visible footprints, against the count of biomedical devices in your CMMS (computerized maintenance management system, the system Clinical Engineering uses for device tracking), and against what a third-party visibility tool would have surfaced. The math has to be internally consistent.
The risk-management plan that followed.
This is the §164.308(a)(1)(ii)(B) part. The risk management plan depends on the analysis. The analysis depends on the inventory. The dependency tree is what the Risk Analysis Initiative keeps working from the bottom up.
Evidence of §164.312(b) audit controls.
This section requires "mechanisms that record and examine activity" in systems holding electronic protected health information. The change feed from a continuous identity platform — every new device, every moved device, every device that left the network — is one of the cleaner answers to this prompt. We produce that feed as a side effect of normal operation.
What CybrIQ supplies, mapped to the document request.
Inventory as a continuous output, not an annual snapshot.
The inventory updates as the network changes. The investigator sees a timestamped change record, not a spreadsheet last updated for the audit.
Scope that covers ePHI-adjacent devices, not just IT endpoints.
Biomedical VLANs, imaging modalities, pharmacy automation, building systems with quiet network access. The scope statement matches what is actually on the wire.
A methodology paragraph that survives scrutiny.
"The covered entity's asset inventory is produced by a device-identity platform that connects to network switches via read-only SNMP and identifies each connected device from the switch-supplied signal set. The inventory updates continuously and is reconciled against the CMMS quarterly. Identity changes are logged with timestamps and switchport context for §164.312(b) audit purposes." That paragraph is one an assessor accepts.
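The change feed (new, moved and departed devices, logged with timestamp and switchport context) and the CMMS reconciliation described above, sketched as an added example. This is not CybrIQ's code: the snapshot format, field names and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

def normalize_mac(mac):
    """Canonicalize MACs so 00-11-22-AA-BB-01 and 0011.22aa.bb01 compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def change_feed(previous, current, observed_at):
    """Diff two {mac: (switch, port)} snapshots into new/moved/departed events."""
    prev = {normalize_mac(m): loc for m, loc in previous.items()}
    curr = {normalize_mac(m): loc for m, loc in current.items()}
    events = []
    for mac in sorted(prev.keys() | curr.keys()):
        before, after = prev.get(mac), curr.get(mac)
        if before == after:
            continue  # same switchport as last time: nothing to log
        kind = "new" if before is None else "departed" if after is None else "moved"
        events.append({"time": observed_at.isoformat(), "mac": mac,
                       "event": kind, "from": before, "to": after})
    return events

def reconcile(current, cmms):
    """Compare devices seen on the wire with the CMMS device list."""
    wire = {normalize_mac(m) for m in current}
    book = {normalize_mac(m) for m in cmms}
    return {"matched": sorted(wire & book),
            "on_wire_not_in_cmms": sorted(wire - book),
            "in_cmms_not_on_wire": sorted(book - wire)}

# Constructed sample data: switch names, ports and MACs are made up.
PREVIOUS = {"00:11:22:aa:bb:01": ("sw-rad-1", "Gi1/0/4"),
            "00:11:22:aa:bb:02": ("sw-rad-1", "Gi1/0/7"),
            "00:11:22:aa:bb:03": ("sw-pharm-2", "Gi1/0/12")}
CURRENT = {"00:11:22:aa:bb:01": ("sw-rad-1", "Gi1/0/4"),
           "00:11:22:aa:bb:02": ("sw-icu-3", "Gi1/0/2"),
           "00:11:22:aa:bb:04": ("sw-icu-3", "Gi1/0/9")}
# CMMS exports often use other MAC notations, hence normalize_mac().
CMMS = {"00-11-22-AA-BB-01": "CT scanner", "0011.22aa.bb02": "infusion pump",
        "00:11:22:AA:BB:05": "ultrasound"}

if __name__ == "__main__":
    stamp = datetime(2025, 1, 15, 9, 30, tzinfo=timezone.utc)
    for event in change_feed(PREVIOUS, CURRENT, stamp):
        print(event)
    print(reconcile(CURRENT, CMMS))
```

The two reconciliation lists are the gaps an investigator's count comparison would surface: devices on the wire that the CMMS does not know, and CMMS records with no device currently connected.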
A live walk-through and a conversation about your most recent audit.
Bring the data request from your last cycle, or the gap analysis your assessor flagged. We answer in your context.
Book a demo. 30-day pilot, no fee.