Rx Redactly
PHI never leaves your browser · HIPAA Safe Harbor (45 CFR §164.514)

De-identify clinical text before you paste it into ChatGPT, Claude, or Gemini.

Paste a scenario. Get a Safe-Harbor-aligned redaction and a "what was removed" report — so you can use the consumer LLM you actually want, without sending PHI to a vendor you don't have a BAA with.

De-identifier

Everything below runs locally in your browser. Nothing is uploaded, logged, or stored.

Local-only processing. This page has no analytics and no third-party trackers, and your clinical text is never sent anywhere — all redaction happens in your browser. You can disconnect from the internet after loading the page and the de-identifier will still work. Open DevTools → Network tab to verify.
Free to use. De-identifying text and copying the redacted output is free, always. The prompt-wrapper export and the redaction-report export are PRO features — already a subscriber? Enter your key.

Important: Automated de-identification is a first-pass safety net, not a guarantee. Always review the output before pasting into any non-BAA tool. This tool targets the 18 Safe Harbor categories from 45 CFR §164.514(b)(2) using deterministic pattern matching; some identifiers — uncommon surnames, surname-only references, narrative locations not preceded by a location verb, unlabeled employer names, unusual identifier formats — will not be caught and must be redacted manually.

How it works

Three commitments. No exceptions.

1. Local-only.

Pattern matching runs in your browser using JavaScript. There is no server endpoint receiving your text. The only network requests are to load this page's own HTML, CSS, and JS, plus — if you activate Pro — a single license-key check. None of them carry your clinical text, and you can audit them all.

2. Safe Harbor coverage.

Detects names (titled and contextual), dates, ages ≥ 90, addresses, ZIPs, phone & fax, emails, URLs, IPs, SSNs, MRNs, account & license numbers, facility names, and VINs — the categories from §164.514(b)(2).

3. Receipts, not vibes.

Every redaction shows up in the report: what was matched, what category it was assigned, and what it was replaced with. Nothing happens silently.

Pricing

Free to use with no signup — de-identify and copy as much as you like. Pro unlocks the prompt-wrapper export and the redaction-report export.

Monthly

$7 / month

Billed monthly. Cancel anytime.

  • Prompt-wrapper export (with safety preamble)
  • Redaction-report export (Markdown)
  • Unlimited de-identifications, always free
  • Email support

No account system — no password, no profile. After checkout, Stripe gives you a unique license key that unlocks the Pro features in your browser. Keys are per-customer and revocable, so a shared key can be switched off without affecting anyone else.

FAQ

Is this HIPAA-compliant?

This tool helps you implement the Safe Harbor method (45 CFR §164.514(b)(2)) for de-identifying PHI before it leaves your control. It is not a Business Associate; using it does not make your prompts to a non-BAA LLM compliant by itself. You remain responsible for verifying the output before pasting it anywhere. Because processing happens in your browser, the tool itself never receives or stores PHI.

What about Expert Determination?

This tool implements Safe Harbor (the pattern-based method), not Expert Determination (the statistical method that requires a qualified expert). Safe Harbor is faster and more practical for one-off prompts; Expert Determination is what you'd use for a dataset.

Can I upload a PDF or image instead of pasting?

Yes — click "Choose PDF or image…" and select a file. Text-based PDFs (EHR exports, chart prints, lab reports) are parsed instantly using Mozilla's pdf.js. Scanned PDFs and images (PNG, JPG, WEBP, TIFF) trigger an offer to run OCR — open-source Tesseract.js running in WebAssembly. Both libraries run entirely in your browser; the file never leaves your device. The first OCR run downloads ~14MB of trained data (cached after); each page takes roughly 5–30 seconds depending on your laptop. OCR accuracy is ~90% on clean printed text and lower on faxes or handwriting — anything the OCR misreads will also be missed by the de-identifier, so review the output carefully.

What document types does it handle?

Validated against six common clinical formats: ER admit notes, office visit notes, consult notes (e.g. cardiology, endocrine), lab reports (CMP, CBC, etc., including specimen and accession IDs and CLIA numbers), radiology reports (with accession numbers and comparison study dates), and discharge summaries. The engine handles both narrative prose and tabular/structured EHR exports — including "Lastname, Firstname M." style demographics blocks, multiple date formats, and labeled identifiers like MRN, Accession #, Specimen ID, Encounter ID, NPI, and DEA. Lab values, reference ranges, and clinical findings are preserved unchanged.

Can it miss something?

Yes. Pattern matching can't catch every name, every address, or every uncommon identifier. The "Worth a second look" section flags capitalized phrases that could be names but didn't match a rule — a prompt to review manually. Always read the output before sending.

Why no signup?

There's still nothing to sign up for — no password, no profile. After you subscribe, Stripe hands you a unique license key. Activating it makes one quick call to verify the key (your key only — never your clinical text), then it's remembered in your browser. Because keys are per-customer, a shared or leaked key can be revoked on its own without affecting anyone else.

Does it work offline?

Yes — the de-identifier has no runtime network dependencies, so once the page is loaded you can disconnect and keep redacting. The one exception is the first time you activate a Pro license key, which makes a single call to verify it (never your clinical text). After that, Pro stays unlocked offline too.

The "Export report" download contains the original PHI — is that intentional?

Yes. The report is meant for your own audit trail — showing exactly what was redacted and what it was replaced with — and it necessarily includes the original values. The download stays on your machine, but you should treat the file as PHI: don't paste it into a non-BAA tool, don't share it unencrypted, and delete it when you're done. The export button asks for confirmation before downloading, and the file itself starts with a warning header.

What gets replaced with what?

Each category is replaced with a bracketed token: [NAME], [DATE], [MEDICAL_RECORD_/_ACCOUNT_#], etc. Tokens are deterministic, so if the same value appears multiple times, it gets the same token. The report shows every replacement.
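
A minimal sketch of the rule-to-token-to-report flow described above, added here as an illustration and not taken from Redactly's own code. The rule set, the regular expressions, the [SSN]/[PHONE]/[EMAIL] token spellings and the sample note are assumptions; it also shows a surname-only reference slipping past the rules and landing on the manual-review list.

```javascript
// Added illustration, not Redactly's code. Patterns and the [SSN]/[PHONE]/[EMAIL]
// token spellings are assumptions; [NAME], [DATE] and the MRN token are the page's.
const RULES = [
  { category: "SSN", token: "[SSN]", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  // Lookbehind keeps the "MRN:" label and replaces only the number.
  { category: "MRN", token: "[MEDICAL_RECORD_/_ACCOUNT_#]", re: /(?<=\bMRN[:#]?\s*)\d{5,10}\b/gi },
  { category: "PHONE", token: "[PHONE]", re: /(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b/g },
  { category: "EMAIL", token: "[EMAIL]", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { category: "DATE", token: "[DATE]", re: /\b\d{1,2}\/\d{1,2}\/\d{2,4}\b/g },
  // Titled names only: a bare surname has nothing for this rule to anchor on.
  { category: "NAME", token: "[NAME]", re: /\b(?:Dr|Mr|Mrs|Ms)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?/g },
];

function deidentify(text) {
  const report = [];
  let output = text;
  for (const { category, token, re } of RULES) {
    output = output.replace(re, (matched) => {
      report.push({ category, matched, replacement: token }); // one receipt per hit
      return token;
    });
  }
  // Review list: capitalized words in mid-sentence position that no rule replaced.
  const review = [...output.matchAll(/(?<=[a-z,] )[A-Z][a-z]{2,}\b/g)].map((m) => m[0]);
  return { output, report, review };
}

// Constructed sample note; every identifier in it is fictional.
const SAMPLE =
  "Dr. Alice Nguyen saw the patient on 03/14/2024. MRN: 00482913, SSN 123-45-6789. " +
  "Call (212) 555-0142 or email a.nguyen@example.org. " +
  "Per the daughter, Okafor fell at home; follow-up 03/21/2024.";

const result = deidentify(SAMPLE);
console.log(result.output);
console.table(result.report);
console.log("Worth a second look:", result.review);
```

The report array holds the original values, so it carries the same handling obligations as the exported report.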

Who built this?

A clinician who got tired of seeing colleagues paste real patient charts into consumer AI products "just this once." If you've seen the PHI footer on my posts, that's me.