To comply with both rules, CEs must understand and map their PHI data flow. In other words, they must know how and where PHI moves throughout their organization. Additionally, they must determine if PHI is being exchanged with outside entities such as business partners . Understanding the data flow is necessary if a CE is to choose and implement appropriate and reasonable PHI safeguards.