ICD-10 Cm

Detects ICD-10 Cm patterns. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence: structurally constrained pattern with corroborative keyword support reduces false positive rates significantly. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Verified

Jurisdictions

global

Frameworks

ISO 27001, ISO 27701, SOC 2

Data categories

phi, healthcare

Scope

narrow

Risk rating

8

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible

Pattern

\b[A-TV-Z]\d[A-Z0-9](\.?[A-Z0-9]{0,4})?\b

Corroborative evidence keywords

MRN, medical record number, patient ID, NPI, DEA, medicare, medicaid, insurance ID, member ID, beneficiary, ICD-10, ICD-9, CPT, NDC, SNOMED, HCPCS, diagnosis code, procedure code, drug code, field (+28 more)

Proximity: 300 characters

Should match

• A01 — Cholera category code (3-char minimal)
• E11.65 — Type 2 diabetes with hyperglycemia
• S72.001A — Fracture of femur, initial encounter

Should not match

• U01 — Invalid first letter (U not in A-T, V-Z range)
• 123 — Starts with digit instead of letter
• A0 — Too short (only 2 characters)
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Medical terminology in health education materials, research publications, clinical guidelines, or public health documents without patient-specific data. Mitigation: Require corroborative evidence keywords confirming patient context. Look for co-occurrence with patient identifiers such as medical record numbers or dates of birth.
• General wellness and fitness content using medical vocabulary without constituting protected health information. Mitigation: Layer with patient identifier patterns or healthcare-specific document structure detection to distinguish clinical records from general health content.

References

• International classification of diseases (ICD-10-CM) entity definition - Microsoft Learn

Collections

• US Healthcare Compliance