HIPAA MRN Detection Without a Regex PhD
Your hospital's MRN format is not in any standard PII tool. Here is how to add it in five minutes. No code needed.
Healthcare IT teams face a HIPAA problem that other sectors do not have. The ID they most need to find — the Medical Record Number — is set by their own hospital. No national standard exists.
Every HIPAA de-ID project needs custom setup. Without it, MRNs slip through "de-identified" files undetected.
The Multi-Facility MRN Problem
Hospital networks built through mergers have legacy EHR systems. Each system has its own MRN format:
- Memorial Hospital (Epic): MRN:XXXXXXX — 7-digit number with prefix
- St. Mary's (Cerner): PT-YYYYY — 5-digit with patient prefix
- University Hospital (Meditech): UHN-XXXXXXXXXX — 10-character mix
- Clinic (standalone EMR): C\d{5} — letter C plus 5 digits
HIPAA Safe Harbor requires removing all 18 ID types. Category 8 is medical record numbers. A tool that does not know your format will miss them. The file looks clean. It is not.
The ServiceNow healthcare community has noted this exact issue. Standard tools catch SSNs and phone numbers. They miss facility MRNs every time.
The Regex Barrier
Adding custom rules to Microsoft Presidio — the open-source base for many HIPAA tools — takes real skill:
- You need to know the PatternRecognizer class
- You must write regex in Python syntax
- You must set up YAML config files
- You must tune confidence scores
- You must test and debug Python scripts
A compliance officer who knows the MRN format cannot do this alone. The fix ends up as an engineering ticket. It sits in queue for 6–8 weeks. The gap stays open.
AI-Assisted Pattern Generation
There is a faster way. Describe the pattern in plain words. Get a working regex back.
Steps:
- Open the custom entity builder
- Give examples: "Our MRNs look like this: MRN:1234567, MRN:9876543, MRN:0001234"
- AI builds the rule: MRN:\d{7}
- Test on 10 sample records
- All MRNs found? Save and deploy.
For a network with four MRN formats:
- Memorial Hospital → MRN:\d{7}
- St. Mary's → PT-\d{5}
- University Hospital → UHN-[A-Z0-9]{10}
- Clinic → C\d{5}
Make four custom entities. Group them into a preset. Run on all files. Time: one afternoon.
See custom MRN detection in HIPAA pipelines without code for a full how-to guide.
Validation for Safe Harbor
HIPAA Safe Harbor says the covered entity must have no "actual knowledge" the data could identify someone. (45 CFR §164.514(b))
Validation shows your custom rules cover all 18 ID types.
Step 1: Pull samples. Get 100 records from each site. Mix time periods and departments.
Step 2: Run detection. Process all 400 documents with your custom rules.
Step 3: Human check. Review 20 documents by hand (5% sample). Look for missed MRNs and false hits.
Step 4: Refine rules. Missed MRNs? Broaden the pattern. Too many false hits? Add word boundaries.
Step 5: Write it down. Log the rule, the sample size, the results, and the date. This log is your Safe Harbor record.
See explainable redaction and HIPAA audit trails for more on what to document.
Full Safe Harbor Coverage
After fixing MRN detection, check all 18 categories.
| Category | Standard Tools | Custom Needed? |
|---|---|---|
| 1. Names | NER model | No |
| 2. Geographic data | Location detection | No for state; Yes for site codes |
| 3. Dates | Date detection | No |
| 4. Phone numbers | Phone detection | No |
| 5. Fax numbers | Phone detection | No |
| 6. Email addresses | Email detection | No |
| 7. SSNs | SSN detection | No |
| 8. Medical record numbers | Not built in | Yes — site-specific |
| 9. Health plan member numbers | Partial | Often yes — payer-specific |
| 10. Account numbers | Partial | Often yes — billing format |
| 11. License numbers | Partial | Often yes — state-specific |
| 12. Vehicle IDs | Partial | Rare in clinical docs |
| 13. Device IDs | Partial | Yes if devices are in records |
| 14. Web URLs | URL detection | No |
| 15. IP addresses | IP detection | No |
| 16. Biometric IDs | Text context | Rare in discharge notes |
| 17. Photos | Image only | Out of scope for text |
| 18. Other unique IDs | Not built in | Yes — site-specific |
For clinical text, categories 8, 9, 10, and 18 most often need custom setup.
Clinical Document Context
Discharge notes, clinical notes, and op reports are the main files shared for research. They hold:
- MRNs in headers and footers
- Account numbers in billing sections
- Dates for all events — admit, procedure, lab, med
- Physician names and DEA numbers
- Referring doctor info
- Insurance member IDs
Custom rules for site-specific formats pair with built-in rules for standard formats. That pair gives you full Safe Harbor coverage.
Conclusion
HIPAA de-ID without custom rules is not Safe Harbor de-ID. Every hospital's MRN format is unique. Standard tools miss them. The compliance gap is real and it stays open until you close it.
AI pattern generation cuts the fix from 6–8 weeks of engineering to one afternoon of compliance work. Describe the format. Test it on real records. Deploy it. Done.