Last updated 2026-05-29


HIPAA: Hospital-Specific MRN Detection

HIPAA Safe Harbor requires removing medical record numbers — but MRN formats are not standardized. Epic, Cerner, and Meditech all use different formats.

May 29, 2026 · 7 minute read

Tags: HIPAA Safe Harbor, medical record numbers, MRN detection, healthcare compliance, custom PII patterns

HIPAA Safe Harbor De-Identification: Detecting Hospital-Specific MRN Formats Without Engineering

HIPAA Safe Harbor requires removing medical record numbers. This is one of 18 required ID types. It sounds simple. The problem is that MRN formats are not standardized.

Epic uses one format. Cerner uses a different one. Meditech uses another. Each hospital adds its own codes. Regional health groups create even more formats. A standard PII tool cannot know your format. It will miss your MRNs.

This is not a minor risk. Healthcare IT teams often find MRNs still in datasets that were meant to be de-identified. The tool was only set up for common PII types.

The MRN Format Problem

The US has no national standard for medical record numbers. Each hospital or EHR vendor defines its own format.

Common patterns observed:

  • Epic-style: 8–12 digit numeric (e.g., 123456789)
  • Cerner-style: Hospital code prefix + numeric (e.g., MGH-987654)
  • Regional networks: Facility code + year + sequence (e.g., HOSP-2023-456789)
  • Veterans Affairs: 9-digit with a check digit
  • Pediatric systems: Patient-type prefix + numeric (e.g., PED-12345678)

No single rule matches all of these. There is no universal MRN pattern.

What standard PII tools catch: Most HIPAA tools focus on fixed-format IDs. SSNs follow XXX-XX-XXXX. Phone numbers follow XXX-XXX-XXXX. Email addresses have a clear shape. These are easy to find.

MRNs, account numbers, and license numbers are HIPAA types 8, 10, and 11. These vary by hospital. They need custom setup. A generic tool will not catch them.

The Compliance Gap

A regional hospital wants to share patient data with a university research partner. Their EHR uses this MRN format: HOSP-YYYY-XXXXXX.

They run the data through their HIPAA tool. The tool strips names, dates, phone numbers, and SSNs. It does not remove MRNs. HOSP-2023-456789 matches no built-in rule.

The researcher gets the dataset. They join it against their own records. Those records include MRNs from past referrals at the same hospital. Many patients can now be re-identified. The hospital has a HIPAA breach.

This is a real failure mode. See also HIPAA Safe Harbor de-identification for healthcare research for more on where Safe Harbor breaks down.

The Fix: Custom Entity Creation

The fix is to define your MRN format as a custom entity. A compliance officer can do this. No engineer is needed.

Steps:

  1. Write out the format: "Starts with HOSP, then a dash, a 4-digit year, a dash, and a 6-digit number"

  2. Use an AI tool to build the regex: HOSP-\d{4}-\d{6}

  3. Test it on 20 discharge summaries. Confirm it catches all MRNs.

  4. Save it as a custom entity called "Hospital MRN"

  5. Add it to your HIPAA preset alongside the standard 17 ID types

This process takes a compliance officer about 3 days. Building custom code can take 3 months.

Example: 15-Facility Hospital Network

Organization: 15-facility regional hospital network

MRN format: HOSP-YYYY-XXXXXX (in thousands of discharge summary PDFs)

Goal: Share a research dataset with a university partner under a HIPAA data use agreement

Old approach: External de-identification vendor at $120,000 per year

Gap found: The vendor tool did not detect the institution-specific MRN format

New workflow:

  1. Compliance officer defines the MRN pattern — 20 minutes
  2. AI validates the regex — 5 minutes
  3. Test on 50 sample summaries — 30 minutes
  4. Confirm no MRNs remain, no false positives — 10 minutes
  5. Add the custom entity to the HIPAA preset
  6. Run the full 50,000-record dataset in batch

Total time to close the gap: one afternoon.

Multi-Facility Networks: Multiple MRN Formats

Hospital networks built through mergers often run several EHR systems. Each legacy system may use a different MRN format.

How to handle this:

Create a separate custom entity for each format:

  • "MRN Format A (Epic)" — 8-digit numeric
  • "MRN Format B (legacy Cerner)" — prefix + 7-digit numeric
  • "MRN Format C (acquired affiliate)" — state code + year + sequence

One preset holds all three custom entities plus the standard HIPAA ID types. Every document from every facility will have its MRNs removed.

See custom MRN detection in HIPAA pipelines without code for a step-by-step guide to this multi-format setup.

Beyond MRNs: Other Non-Standard Identifiers

The same approach works for other HIPAA Safe Harbor ID types.

Health plan member numbers (Category 9): Each insurer uses its own format. Aetna, Blue Cross, and United Healthcare all look different. A billing team needs a custom pattern for each payer.

Account numbers (Category 10): Hospital billing account numbers differ by hospital.

License numbers (Category 11): DEA numbers have a standard federal format. State medical license numbers do not. Each state board uses its own format.

Device identifiers (Category 14): Medical device serial numbers are set by each maker.

For each of these, a custom entity closes the gap. No engineers needed.

See custom PII identifiers for organizational anonymization for more on non-standard ID types.

Validation: Proving Safe Harbor Compliance

HIPAA Safe Harbor says the covered entity must have no "actual knowledge" the data could identify someone. (45 CFR §164.514(b)(1))

Custom entity validation proves all 18 ID types are covered.

Validation steps:

  1. Process 50–100 sample documents from the research dataset
  2. Review the output — does anything look like an ID?
  3. Run a second detection pass to catch any missed items
  4. Document what you did

Your custom entity setup, sample review, and processing logs form your Safe Harbor record.
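The custom-entity steps, the multi-format preset and the validation pass described above, worked as an added Python example (not the platform's own code): three MRN patterns run over a constructed discharge-summary excerpt, followed by a second detection pass over the output. The entity names, the two regexes beyond HOSP-\d{4}-\d{6}, and the sample text are assumptions.

```python
import re
from dataclasses import dataclass

# A custom entity as a compliance officer would define it: a label plus a
# regex. Patterns are anchored (\b / lookarounds) so a digit run inside a
# longer number, phone or invoice reference is not mistaken for an MRN.
@dataclass(frozen=True)
class CustomEntity:
    name: str
    pattern: str

# Constructed preset: the HOSP-YYYY-XXXXXX format from the post plus two
# assumed legacy formats for a multi-facility network.
HIPAA_CUSTOM_ENTITIES = [
    CustomEntity("HOSPITAL_MRN", r"\bHOSP-\d{4}-\d{6}\b"),           # regional network
    CustomEntity("MRN_FORMAT_B_CERNER", r"\b[A-Z]{2,4}-\d{7}\b"),     # prefix + 7 digits
    CustomEntity("MRN_FORMAT_A_EPIC", r"(?<![\d-])\d{8}(?![\d-])"),  # bare 8 digits
]

# Constructed discharge-summary excerpt used as the test sample.
SAMPLE_SUMMARY = """DISCHARGE SUMMARY
Patient MRN: HOSP-2023-456789. Transferred from affiliate (MRN MGH-9876543).
Legacy Epic record 12345678 reviewed. Records line: 617-555-0100.
Invoice 1234567890 settled; balance 1500 USD.
"""

def deidentify(text, entities=HIPAA_CUSTOM_ENTITIES):
    """Replace each custom-entity hit with a [LABEL] token.
    Returns the cleaned text and a per-entity hit count for the audit log."""
    counts = {}
    for ent in entities:
        text, counts[ent.name] = re.subn(ent.pattern, f"[{ent.name}]", text)
    return text, counts

def validate(cleaned, entities=HIPAA_CUSTOM_ENTITIES):
    """Second detection pass over the output: every remaining match is a
    residual identifier that must be fixed before the dataset is shared."""
    return [(ent.name, m.group()) for ent in entities
            for m in re.finditer(ent.pattern, cleaned)]

if __name__ == "__main__":
    cleaned, counts = deidentify(SAMPLE_SUMMARY)
    print(cleaned)
    print("hits:", counts)
    print("residual after second pass:", validate(cleaned))
```

The phone number and the 10-digit invoice reference survive untouched, which is the false-positive check from step 4; an unanchored `\d{8}` would have clipped eight digits out of the invoice number.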

Conclusion

Standard PII tools on default settings do not finish HIPAA Safe Harbor de-identification. Medical record numbers are hospital-specific. They need custom detection.

Custom entity creation closes this gap in hours. Compliance officers can define the pattern, test it, and process data. No engineering work is needed.

The gap between "we ran a HIPAA tool" and "we removed all 18 Safe Harbor identifiers" is often just one missing custom entity.
