Medical PII scrubber (HIPAA-aware)
Clinical text is some of the most sensitive data there is, and pasting it into an AI tool without de-identification is a HIPAA problem waiting to happen. This scrubber detects and redacts the structured HIPAA identifiers in clinical notes and records — locally, in your browser — so you can produce a de-identified version for AI analysis.
How it works
Paste a note and the tool runs a set of patterns aligned to the HIPAA Safe
Harbor identifier list: dates, medical record numbers, phone and fax numbers,
email addresses, Social Security numbers, URLs, IP addresses, ZIP codes, ages
over 89, and names following titles like “Patient”, “Mr”, or “Dr”. Each match is
replaced with a bracketed token such as [NAME] or [MRN], and you get a
per-category count of what was caught. Nothing leaves your browser.
The HIPAA Safe Harbor method and what it requires
HIPAA’s Privacy Rule defines two methods for de-identification. The more commonly used method — Safe Harbor — requires removing or generalising 18 specific categories of identifier so that the residual data cannot be used to identify an individual. The 18 categories include:
- Names
- Geographic data smaller than a state (addresses, city, ZIP codes — except first 3 digits of ZIP in certain conditions)
- All dates (birth, admission, discharge, death, and any date directly related to the individual), except year
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and licence numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs
- Any other unique identifying number or code
This tool detects the structured, pattern-matchable items from that list — categories 2 through 16. It does not catch free-text names scattered through clinical narrative (category 1), and it cannot recognise face photographs. Human review is not optional; it is part of Safe Harbor compliance.
Why everything runs locally
Protected health information (PHI) is legally regulated. Under HIPAA, transmitting PHI to a third-party service without a Business Associate Agreement creates a compliance exposure. Running de-identification entirely in the browser sidesteps that problem: the clinical text never leaves the machine, no server logs it, and no network request carries it. This is why the tool is structured to process client-side only, even though client-side pattern matching is less sophisticated than server-based NLP models.
For higher-volume or more sensitive use cases — such as de-identifying large EHR exports for research — purpose-built clinical NLP systems with formal HIPAA BAA coverage are the appropriate path.
Tips and notes
- Not a Safe Harbor guarantee. Patterns catch structured identifiers, but free-text names and locations need a human pass — Safe Harbor demands all 18.
- PHI never uploads here. Everything runs locally, which is the only way a browser tool should ever touch protected health information.
- Expect some over-redaction. A 5-digit number may be flagged as a ZIP; that is the safe direction, but check it did not mangle clinical values.
- Review every output. Treat the result as a strong first pass, then read it before it reaches any AI model.
- Document your process. If you are using de-identified data for research or quality improvement, record how the de-identification was performed, including the human review step, in your project notes.