HIPAA lists 18 PHI identifiers. Your anonymization tool detects maybe 6 of them. Here's what complete PHI de-identification actually looks like.
The Challenge
Healthcare systems use Medical Record Numbers (MRNs) as primary patient identifiers, but MRN formats vary by institution — there is no standardized national format in the US. Hospital A uses "MRN: 7-digit number," Hospital B uses "PT-YYYYNNNN," Hospital C uses alphanumeric 8-character strings. Generic PII tools that look for SSNs, phone numbers, and emails miss MRNs entirely — even though MRNs are explicitly listed in HIPAA's 18 PHI identifiers (45 CFR 164.514). Health plan identifiers, DEA numbers, NPI (National Provider Identifier) numbers, and medical record system IDs have the same problem. Clinical research data shared between institutions systematically fails PHI de-identification because institution-specific identifiers are invisible to generic tools.
By the Numbers
- 45 CFR § 164.514 defines the de-identification Safe Harbor standard under HIPAA
- 18 PHI identifiers must be removed for HIPAA Safe Harbor de-identification
- OCR guidance on de-identification was updated in 2024 to address AI-assisted re-identification risks
Technical Approach
The 260+ entity types include NPI numbers, DEA numbers, Medicare IDs, and health plan identifiers. The Custom Entity Creation feature allows healthcare organizations to define their specific MRN format once and apply it consistently. The AI-assisted pattern helper generates the regex from examples, removing the technical barrier for clinical informatics teams without regex expertise.
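The gap between generic detectors and institution-defined MRN entities, as an added example (not the product's code): the regexes are assumptions written for the three hospital formats named under "The Challenge", and the clinical note and every identifier in it are constructed.

```python
import re

# Detectors of the kind a generic PII tool ships with.
GENERIC = {
    "SSN": r"\b\d{3}-\d{2}-\d{4}\b",
    "PHONE": r"\b\d{3}[-.]\d{3}[-.]\d{4}\b",
    "EMAIL": r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b",
}
# Assumed regexes for the three institution formats described in the text.
CUSTOM_MRN = {
    "MRN_A": r"\bMRN:\s*\d{7}\b",            # "MRN: 7-digit number"
    "MRN_B": r"\bPT-(?:19|20)\d{2}\d{4}\b",  # "PT-YYYYNNNN"
    # 8 alphanumerics; requiring both a digit and a letter keeps ordinary
    # 8-letter words and 8-digit numbers from being redacted.
    "MRN_C": r"\b(?=[A-Z0-9]*\d)(?=[A-Z0-9]*[A-Z])[A-Z0-9]{8}\b",
}

def find_entities(text, patterns):
    """Return non-overlapping (start, end, label) spans, longest match first."""
    hits = [(m.start(), m.end(), label)
            for label, rx in patterns.items() for m in re.finditer(rx, text)]
    hits.sort(key=lambda h: (-(h[1] - h[0]), h[0]))
    kept = []
    for start, end, label in hits:
        if all(end <= s or start >= e for s, e, _ in kept):
            kept.append((start, end, label))
    return sorted(kept)

def redact(text, patterns):
    """Replace each detected span with a [LABEL] placeholder."""
    out, pos = [], 0
    for start, end, label in find_entities(text, patterns):
        out.append(text[pos:start] + f"[{label}]")
        pos = end
    return "".join(out) + text[pos:]

def leaked_mrns(text):
    """Post-redaction check: which custom MRN formats are still present?"""
    return sorted({label for _, _, label in find_entities(text, CUSTOM_MRN)})

# Constructed sample note; every identifier below is made up.
NOTE = ("Pt seen in clinic, MRN: 4417023, phone 555-201-7788. "
        "Transfer from PT-20230142; outside chart K7Q2M9XA. "
        "SSN 123-45-6789, contact jdoe@example.org. Status: ADMITTED.")

if __name__ == "__main__":
    for name, pats in (("generic", GENERIC), ("custom", {**GENERIC, **CUSTOM_MRN})):
        out = redact(NOTE, pats)
        print(name, leaked_mrns(out), out)
```

Running `leaked_mrns` over redacted output works as a release gate: a non-empty result means an institution identifier survived de-identification.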