HIPAA Beyond Names and SSNs: The 18 PHI Identifiers Your Anonymization Tool Needs to Detect
"The 18 HIPAA Identifiers Your PII Tool Is Probably Missing" — Hook: HIPAA lists 18 PHI identifiers. Your anonymization tool detects maybe 6 of them. He...
Feature: 260+ Entity Types · Region: US (HIPAA), EU (GDPR for healthcare data) · Source: anonym.community research
The Problem
Healthcare systems use Medical Record Numbers (MRNs) as primary patient identifiers, but MRN formats vary by institution: there is no standardized national format in the US. Hospital A uses "MRN:" followed by a 7-digit number, Hospital B uses "PT-YYYYNNNN", and Hospital C uses 8-character alphanumeric strings. Generic PII tools that look for SSNs, phone numbers, and emails miss MRNs entirely, even though MRNs are explicitly listed among HIPAA's 18 PHI identifiers (45 CFR § 164.514). Health plan identifiers, DEA numbers, NPI (National Provider Identifier) numbers, and medical record system IDs have the same problem. As a result, clinical research data shared between institutions systematically fails PHI de-identification, because institution-specific identifiers are invisible to generic tools.
Key Data Points
- 45 CFR § 164.514 defines the de-identification Safe Harbor standard under HIPAA
- 18 PHI identifiers must be removed for HIPAA Safe Harbor de-identification
- OCR guidance on de-identification was updated in 2024 to address AI-assisted re-identification risks
How anonymize.legal Addresses This
The 260+ entity types include NPI numbers, DEA numbers, Medicare IDs, and health plan identifiers. The Custom Entity Creation feature allows healthcare organizations to define their specific MRN format once and apply it consistently. The AI-assisted pattern helper generates the regex from examples, removing the technical barrier for clinical informatics teams without regex expertise.
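The gap described under The Problem, as an added example (this is not anonymize.legal's code or API): a generic SSN/phone/email pattern set leaves all three hospital MRN formats in the text, and institution-specific patterns catch them. The labels, the regexes, the reading of YYYY as a 19xx/20xx year, and the sample note are assumptions constructed for illustration.

```python
import re

# Patterns of the kind a generic PII tool ships with (simplified).
GENERIC = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Institution-specific MRN patterns for the three formats named in the text.
# Labels and exact regexes are assumptions made for this example.
MRN = {
    "MRN_HOSPITAL_A": re.compile(r"\bMRN:\s*\d{7}\b"),
    # PT-YYYYNNNN, assuming YYYY is a 19xx/20xx year.
    "MRN_HOSPITAL_B": re.compile(r"\bPT-(?:19|20)\d{2}\d{4}\b"),
    # 8 uppercase alphanumerics with at least one letter and one digit, so
    # plain 8-digit values (dates, order numbers) are not flagged.
    "MRN_HOSPITAL_C": re.compile(
        r"\b(?=[A-Z0-9]*[A-Z])(?=[A-Z0-9]*\d)[A-Z0-9]{8}\b"),
}

def find_phi(text, patterns):
    """Return sorted (start, end, label) spans for every pattern match."""
    hits = []
    for label, rx in patterns.items():
        hits += [(m.start(), m.end(), label) for m in rx.finditer(text)]
    return sorted(hits)

def redact(text, patterns):
    """Replace each hit with [LABEL], skipping hits that overlap an earlier one."""
    out, pos = [], 0
    for start, end, label in find_phi(text, patterns):
        if start < pos:
            continue
        out += [text[pos:start], f"[{label}]"]
        pos = end
    return "".join(out + [text[pos:]])

# Constructed clinical note; every identifier in it is made up.
NOTE = (
    "Callback 555-010-1234, SSN 000-12-3456. Transferred from Hospital A "
    "(MRN: 4821937) via Hospital B (PT-20240042); Hospital C chart 7KQ29XB4. "
    "Lab order 20240115 closed."
)

if __name__ == "__main__":
    print(redact(NOTE, GENERIC))              # MRNs survive redaction
    print(redact(NOTE, {**GENERIC, **MRN}))   # MRNs replaced with labels
```

The Hospital C pattern has no contextual anchor, so in production it should be paired with a keyword or field-level check to keep false positives down.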